Mysqli查询注入,如何注入SQL查询字符串? [英] Mysqli query Injection , how to inject the SQL query string?
问题描述
让我考虑一下这行代码
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
恕我直言,这很容易受到SQL注入的攻击.</p>
因此,我想通过Get/URL发送一个"var"参数来证明它是可以尝试的,该参数将注入带有潜在恶意代码的查询.
我实际上尝试过:
var = "1'; TRUNCATE myTable; ";
我尝试在执行之前打印出SQL字符串查询,它实际上是2条SQL有效语句.
SELECT * from myTable where field='1'; TRUNCATE myTable;
第一个问题 但实际上似乎mysqli-> query不会一次执行2条语句.不是吗?
第二个问题 我看到注入查询的一种常见技术是先进行表单注入,然后添加注释字符以摆脱SQL的尾巴. 示例:
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
可以注入:
var = "1'; TRUNCATE myTable; # ";
但是这个问题出现了,我想办法摆脱它了
如果代码中的SQL字符串有新行,例如:
"SELECT * from myTable where field='".$_GET['var']."'
AND field2 IS NOT NULL"
如果我使用上面的"var",最终结果是
SELECT * from myTable where field='1'; TRUNCATE myTable; #
AND field2 IS NOT NULL
第二行不会被评论
如何对此进行注射测试?
非常感谢.
第一个问题,但实际上似乎
mysqli->query不会执行2 立即发表声明.不是吗?
是的,如果要执行多个语句,则需要使用 mysqli->multi_query .您可以在这里找到有关多条语句的很好的解释: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php
但是这个问题出现了,我想办法摆脱它了
出现此问题是因为您正在使用多个语句,而mysqli->query不支持它们.
关于您的查询:
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
您可以使用例如1' OR 1=1注入它;会返回查询结果中myTable的所有条目.
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
在这里您可以使用1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1
如今,有一些工具可以自动为您检查SQL注入,请查看例如,SQL Inject Me (Firefox插件).
Let's consider i have this line of code
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
IMHO this is vulnerable to SQL injections.
So I'd like to prove it trying by sending via Get / URL a "var" param that will inject the query, with potential malicious code.
I actually tryed this:
var = "1'; TRUNCATE myTable; ";
I tryed to print out the SQL string query before executing it and it's actually 2 SQL valid statements.
SELECT * from myTable where field='1'; TRUNCATE myTable;
1st problem But actually itseems that mysqli->query will not execute 2 statements at once. Isn't it?
2nd problem I see that a common technique to Inject queries is to per form injection then add comment chars to get rid of the tail of the SQL. Example:
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
Can be injected with :
var = "1'; TRUNCATE myTable; # ";
But this problem arise and I'm missing the trick to get rid of it
if the SQL string in the code have new lines e.g. :
"SELECT * from myTable where field='".$_GET['var']."'
AND field2 IS NOT NULL"
If i use the above "var" the final result is
SELECT * from myTable where field='1'; TRUNCATE myTable; #
AND field2 IS NOT NULL
Second line won't be commented
How to test injection on this?
Many thanks.
1st problem But actually it seems that
mysqli->querywill not execute 2 statements at once. Isn't it?
That's right, if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation about multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php
But this problem arise and I'm missing the trick to get rid of it
The problem arises because you are using multiple statements, and mysqli->query does not support them.
About your queries:
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
You can inject this using for example 1' OR 1=1; that would return all entries of myTable on the query result.
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1
Nowadays there are tools that can automatically check SQL injection for you, take a look at SQL Inject Me (Firefox Addon) for example.
这篇关于Mysqli查询注入,如何注入SQL查询字符串?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
