How do I demonstrate a Second Order SQL Injection?


Question

So I've been trying to replicate a second order SQL Injection. Here's an example template of two PHP-based sites that I've prepared. Let's just call it a voter registration form. A user can register, and then you can check whether you're a registered voter or not.

insert.php

<?php
// The original snippet never defines $conn; the host, user and password below
// are placeholders (assumed). The mysql_* extension used here was removed in PHP 7.
$conn = mysql_connect('localhost', 'DB_USER', 'DB_PASSWORD')
    or die("can't connect: " . mysql_error());

$db_selected = mysql_select_db('canada', $conn);
if (!$db_selected)   // the original tested the bare name db_selected, which is always true
    die("can't use mysql: " . mysql_error());

// Every string field is escaped and Age is cast to int, so this INSERT itself is
// not injectable; the escaped payload is simply stored verbatim in FirstName.
$sql_statement = "INSERT into canada (UserID,FirstName,LastName,Age,State,Town)
                    values ('".mysql_real_escape_string($_REQUEST["UserID"])."',
                    '".mysql_real_escape_string($_REQUEST["FirstName"])."',
                    '".mysql_real_escape_string($_REQUEST["LastName"])."',
                    ".intval($_REQUEST["Age"]).",
                    '".mysql_real_escape_string($_REQUEST["State"])."',
                    '".mysql_real_escape_string($_REQUEST["Town"])."')";

echo "You ran the sql query=".$sql_statement."<br/>";
// 'or' binds looser than '='; with '||' $qry only ever received a boolean.
$qry = mysql_query($sql_statement, $conn) or die(mysql_error());
mysql_close($conn);
echo "Data inserted successfully";
?>

select.php

<?php
// Placeholder connection (assumed; not part of the original snippet).
$conn = mysql_connect('localhost', 'DB_USER', 'DB_PASSWORD')
    or die("can't connect: " . mysql_error());

$db_selected = mysql_select_db('canada', $conn);
if (!$db_selected)
    die('Can\'t use mysql:' . mysql_error());

// First query: the user-supplied UserID is (weakly) escaped with addslashes().
$sql = "SELECT * FROM canada WHERE UserID='".addslashes($_POST["UserID"])."'";
echo "You ran the sql query=".$sql."<br/>";
$result = mysql_query($sql, $conn);
$row = mysql_fetch_row($result);

// Second query (deliberately vulnerable): the FirstName read back from the
// database is concatenated into SQL with no escaping at all. This is the
// second-order injection point the question is about.
$sql1 = "SELECT * FROM canada WHERE FirstName = '".$row[1]."'";
echo "The web application ran the sql query internally=" .$sql1. "<br/>";
$result1 = mysql_query($sql1, $conn);
$row1 = mysql_fetch_row($result1);

mysql_close($conn);
echo "<br><b><center>Database Output</center></b><br><br>";

echo "<br>$row1[1] $row1[2] , you are a voter! <br>";

// Column order is UserID, FirstName, LastName, Age, State, Town, so $row[4] is
// State and $row[5] is Town (the original labels had these two swapped).
echo "<b>VoterID: $row[0]</b><br>First Name: $row[1]<br>Last Name: $row[2]
    <br>Age: $row[3]<br>State: $row[4]<br>Town: $row[5]<br><hr><br>";
?>

So I purposely made this vulnerable to show how second order SQL Injection works: a user can type code into the first name section (which is where I am currently stuck; I've tried many different ways, but it seems that I can't get it to do anything). Then, when a person wants to activate the code he has inserted in the first name section, all he needs to do is type in the userID and the code will be inserted.

For example: I will type into the insert.php page as:

userid = 17
firstname = (I need to inject something here)
lastname = ..
age = ..
town = ..
state = ..

Then, when I check for my details and type in 17, the injected SQL script will be activated. Can I get a few examples of what sort of vulnerabilities I can show through this?

Answer

Use a first name of:

' OR 1 OR '

This will produce a where clause in the second SQL of

WHERE FirstName = '' OR 1 OR ''

Therefore the result will be the first record in the table.

By adding a LIMIT clause, you can extract all rows from the table with:

' OR 1 ORDER BY UserID ASC LIMIT 0, 1 --

Obviously it will only extract one row at a time, so you would need to repeat that and increment the 0 in the LIMIT. This example uses a comment (--) to terminate the remaining SQL, which would otherwise cause the query to fail because it would add a single quote after your LIMIT.

The above is a simple example; a more complex attack would be to use a UNION SELECT, which would give you access to the entire DB through the use of information_schema.

Also, you are using addslashes() in one of your queries. That is not as secure as mysql_real_escape_string(), and in turn, escaping quotes with either is not as secure as using prepared statements or parameterised queries, for example in PDO or MySQLi.
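The prepared-statement fix the answer recommends, applied to the two queries in select.php, as an added example (not the asker's or the answerer's code). It uses an in-memory SQLite database with constructed rows so it runs offline; for MySQL only the DSN and credentials would differ.

```php
<?php
// Added example, not code from the question or answer: both lookups from
// select.php done with PDO prepared statements, so the FirstName value read
// back from the database is bound as data when it is reused in the second query.
// An in-memory SQLite database with constructed rows stands in for MySQL.
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the server
// performs the binding.

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE canada (UserID INTEGER, FirstName TEXT, LastName TEXT,
                Age INTEGER, State TEXT, Town TEXT)");
    // Constructed sample rows. Row 17 carries the answer's payload as its first
    // name, stored verbatim just as insert.php would store it after escaping.
    $ins = $pdo->prepare("INSERT INTO canada VALUES (?, ?, ?, ?, ?, ?)");
    $ins->execute([1, 'Alice', 'Smith', 40, 'ON', 'Ottawa']);
    $ins->execute([17, "' OR 1 OR '", 'Mallory', 30, 'BC', 'Victoria']);
    return $pdo;
}

// Same two-step lookup as select.php: find the voter by UserID, then re-query
// by the stored FirstName. Both values are bound parameters, never concatenated.
function lookupVoter(PDO $pdo, string $userId): ?array {
    $q1 = $pdo->prepare("SELECT * FROM canada WHERE UserID = ?");
    $q1->execute([(int) $userId]);      // same effect as intval() on the form value
    $row = $q1->fetch(PDO::FETCH_NUM);
    if ($row === false) {
        return null;
    }
    // Second-order step: the database-sourced value is still treated as untrusted
    // input and bound, so "' OR 1 OR '" can only match itself as a literal string.
    $q2 = $pdo->prepare("SELECT * FROM canada WHERE FirstName = ?");
    $q2->execute([$row[1]]);
    $row1 = $q2->fetch(PDO::FETCH_NUM);
    return $row1 === false ? null : $row1;
}

$pdo = setupDb();
$hit = lookupVoter($pdo, '17');
// With concatenation the second query would read WHERE FirstName = '' OR 1 OR ''
// and return the first record (Alice). With binding it matches only row 17 itself.
if ($hit === null) {
    echo "No matching voter\n";
} else {
    echo "Matched UserID {$hit[0]}: {$hit[1]} {$hit[2]}\n";
}
```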
