PHP/MySQL注入示例 [英] PHP/MySQL Injection example
问题描述
这是此问题的后续内容:是PHP的addlashes容易受到sql注入攻击的威胁?(感谢在那儿回答的每个人).
This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).
相同的情况,但是我有此代码(在另一页中):
Same scenario, but I have this code (in another page):
$ID = $_GET['id'];
$sql = "SELECT * FROM blog WHERE id='$ID'";
$result = mysql_query($sql);
这应该很容易被利用,对吧?
This should be easy enough to exploit, right?
如果我没记错的话,我无法在mysql_query()内运行第二个查询,但是我应该能够做一些其他恶意的事情,对吗?很想能够将用户插入到管理表中或更改密码或其他内容,但是我想除了触摸博客表之外我无能为力.那是对的吗?关于如何玩转和调整某些东西以证明存在担忧的任何建议?
If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?
推荐答案
它称为UNION
,允许您使用第二个查询从额外的表中提取数据.
It's called UNION
and allows you to pull from extra tables by using a second query.
我猜想像1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1
这样的东西会起作用. (从users
表中提取,并将用户名和密码值映射到其blog
等效项").
I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1
would work. (pulls from the users
table and maps the username and password values to their blog
"equivalents").
这篇关于PHP/MySQL注入示例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!