可以绕过php is_numeric（）函数吗？ [英] Bypass php is_numeric() function is possible?

问题描述

我目前正在寻找合格（非盲目）的高级类别的sql注入应用程序dvwa。

I am currently looking for a pass (not blind) high level of category sql injection application dvwa.

即使有一些想法也找不到解决方案，并且使生活更轻松的工具。

Can not find the solution even if there are some ideas and tools that make life easier.

爱好者的源代码如下：

if (isset($_GET['Submit'])) {
    // Retrieve data

    $id = $_GET['id'];     
    $id = stripslashes($id);      
    $id = mysql_real_escape_string($id);   

    if (is_numeric($id)){

        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

        $num = mysql_numrows($result);

        $i=0;

        while ($i < $num) {

            $first = mysql_result($result,$i,"first_name");
            $last = mysql_result($result,$i,"last_name");

            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';

            $i++;
        }
    }
}

---

执行任务并检索用户表dvwa db中具有以下结构的值：

---

and mission and retrieve the values ​​that are in the users table dvwa db which has this structure:

+------------+-------------+------+-----+---------+
| Field      | Type        | Null | Key | Default |
+------------+-------------+------+-----+---------+
| user_id    | int(6)      | NO   | PRI | 0       |
| first_name | varchar(15) | YES  |     | NULL    |
| last_name  | varchar(15) | YES  |     | NULL    |
| user       | varchar(15) | YES  |     | NULL    |
| password   | varchar(32) | YES  |     | NULL    |
| avatar     | varchar(70) | YES  |     | NULL    |
+------------+-------------+------+-----+---------+
6 rows in set (0.00 sec)

---

然后，您当然会说（就像我在网上看到的一样）是编码字符。据我了解，是的，我们有更多的字符集，可以以不同的方式写电子邮件（例如，多字节）。
但我什至找不到你。我理解上面的php形式代码是这样的：

---

Then of course you will say (as I have seen everywhere on the net) to be encoded characters. That I understand, yes, we have more character set, which can write emails differently (eg multi-byte). But I just can not even find you. I understand the php form code above like this:

已经首先必须绕过mysql_real_escape_string（），所以我的研究第一次集中在此。
使用游戏中的big5角色，例如，意味着我们绕过它……再次是的，也许我所看到的Tenai道路上的所有东西，但我尚未进行实际测试。为什么？

Already first have to bypass mysql_real_escape_string () so my research has focused to there first time. Using a game big5 character eg means we bypass it ... again yes maybe everything I saw Tenai the road but I have not actually tested. Why?

假设我绕过mysql_real_escape_string（），如果我们继续阅读php代码执行的下一步，我们可以阅读以下函数：

Suppose I bypass mysql_real_escape_string (), if we continue to read the next step performed by the php code, we can read the function:

if(is_numeric($id))...

检查变量的类型。 （此外，我不知道我是否使用确切的术语，但很好）。这意味着如果我想在此处插入引号，则必须使用强制数字.Donc大小取决于著名的php函数，我意识到我们可以输入相同的二进制或十六进制值（但在所有情况下都可以）转换输出后的功能，现在我真的不知道....）。所以我在
第一个想法中的输入是让0x27插入引号，但是当然这个值被解释为整数而不是字符串类型的输出，因此如何解释我的引号...我认为问题就在这边，但我很想...如果您除了跟踪之外什么都没有（除了告诉我要在google中看，我已经做了四天了^ ^），我很感兴趣。因此，男生（或女生）将被昵称为Sqli大师？
谢谢您的时间...（对不起，Google翻译）

checks the type of the variable. (and besides, I do not know if I use the exact term but good). This means that if I want to insert a quote here, it must be in forcemment numérique.Donc size I leaned on the famous php function and I realized that we could enter the same binary or hexadecimal values ​​(but in all cases it will function for converting the output after me and now I really do not know ....). So my input in the first idea was to get 0x27 to insert a quote, but of course this value is interpreted as integer and not string type output, so how to interpret my quote ... I think the issue is on this side but I largues dint of thinking ... If you have nothing but a track (except to tell me to look in google, something I've been doing for four days now ^ ^), I'm interested. So guys (or girls for that matter), that Will is nicknamed Master Sqli?? Thank you for your time ... (sorry for google translation)

推荐答案

为什么还要使用 mysql 库，何时不推荐使用？使用 mysqli 代替。

Why would you even use mysql library, when it is deprecated? Use mysqli instead.

第二，如果要消除SQL注入的任何危险，那就是 很多 易于使用，因此只需执行以下操作即可。

Secondly, if you want to get rid of any danger of sql injection, it would be much easier to use prepared statement, so something like the following is all that is needed.

$stmt = $mysqli->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?")
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($res);
$stmt->fetch();
if($res)
    ...

顺便说一下， mysqli 可以以功能性（而非oop）方式使用，与 mysql 非常相似。

By the way, mysqli can be used in functional (not oop) style very similar to mysql.

这篇关于可以绕过php is_numeric（）函数吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！