基于时间的mysql注入渗透测试工具 - sleep()无效 [英] Time-based mysql injection penetration testing tool - sleep() not working
问题描述
你好,
我正在创建一个渗透测试工具来扫描各种sql注入漏洞。一个简单的起始示例我未能正常工作如下:
Hello,
I'm creating a penetration testing tool to scan for a variety of sql injection vulnerabilities. A simple starting example I'm failing to get working is the following;
http://xxx/update_comment.php?id=test';select case when (select substring(table_name, 1, 1) from information_schema.tables limit 1) = 'b' then 1 else sleep(3) end#
这是我测试的相关行导致问题的脚本;
This is the relevant line of my test script which is causing problems;
$conn->query('UPDATE test_table SET id = id WHERE id = \'' . $_GET['id'] . '\'');
当我执行将由脚本执行的命令时,在Adminer中,它可以工作。但是当脚本尝试它时,它立即返回,因此,没有时间可以从测试中收集。什么可能导致这种立即回报?
我尝试过:
更改睡眠时间
询问谷歌,无济于事
When I execute the command which would be executed by the script, in Adminer, it works. But when the script tries it, it returns immediately and as such, no timings can be gathered from the test. What could be causing this immediate return?
What I have tried:
Changing the sleep time
Asking google, to no avail
推荐答案
conn->查询(' UPDATE test_table SET id = id WHERE id = \''。
conn->query('UPDATE test_table SET id = id WHERE id = \'' .
_GET [< span class =code-string>' id']。' \'');
_GET['id'] . '\'');
当我执行将由脚本执行的命令时,在Adminer中,它可以正常工作。但是当脚本尝试它时,它立即返回,因此,没有时间可以从测试中收集。什么可能导致这种立即回报?
我尝试过:
更改睡眠时间
询问谷歌,无济于事
When I execute the command which would be executed by the script, in Adminer, it works. But when the script tries it, it returns immediately and as such, no timings can be gathered from the test. What could be causing this immediate return?
What I have tried:
Changing the sleep time
Asking google, to no avail
这篇关于基于时间的mysql注入渗透测试工具 - sleep()无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!