PHP/MySQL注入示例 [英] PHP/MySQL Injection example

问题描述

这是此问题的后续内容:是PHP的addlashes容易受到sql注入攻击的威胁?(感谢在那儿回答的每个人).

This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

相同的情况，但是我有此代码(在另一页中):

Same scenario, but I have this code (in another page):

             $ID = $_GET['id'];
             $sql = "SELECT * FROM blog WHERE id='$ID'";
             $result = mysql_query($sql);

这应该很容易被利用，对吧?

This should be easy enough to exploit, right?

如果我没记错的话，我无法在mysql_query()内运行第二个查询，但是我应该能够做一些其他恶意的事情，对吗?很想能够将用户插入到管理表中或更改密码或其他内容，但是我想除了触摸博客表之外我无能为力.那是对的吗?关于如何玩转和调整某些东西以证明存在担忧的任何建议?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?

推荐答案

它称为UNION，允许您使用第二个查询从额外的表中提取数据.

It's called UNION and allows you to pull from extra tables by using a second query.

我猜想像1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1这样的东西会起作用. (从users表中提取，并将用户名和密码值映射到其blog等效项").

I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").

这篇关于PHP/MySQL注入示例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！