SQL 注入测试 - mysql_query [英] SQL injection test - mysql_query
问题描述
我正在为我的同学创建一个测试项目,以展示带有未检查变量的 php 代码是多么危险.我正在使用已弃用的 mysql_*
函数和一个带有 2 个表的简单数据库:
I'm creating a test project for my classmates to show how php code with unchecked variables is dangerous.
I'm using the deprecated mysql_*
function and a simple database with 2 tables:
users
data
在用户中我只有管理员用户.
and in the users I have just the admin user.
我创建了一个简单的 html 表单:
I have created a simple html form:
<form action="login" method="POST">
username: <input type="text" name="username">
password: <input type="text" name="password">
<input type="submit" value="login">
</form>
和 login.php 页面简单地获取帖子数据并像这样构建查询:
and the login.php page simply get the post data and build the query like this:
$uname = strtolower(trim($_POST['username']));
$passw = strtolower(trim($_POST['password']));
$result = mysql_query("
SELECT *
FROM users
WHERE username='".$uname."' and password=MD5('".$passw."')"
);
if(mysql_num_rows($result) != 1){
echo "Non valid";
}else{
echo "Logged in";
}
这是我在用户名字段中的输入:
and this is my input on username field:
' or 1=1 -- 
应该产生如下查询:
SELECT * FROM users WHERE username='' or 1=1 -- ' and password=MD5('')
如果我在 SequelPro 或 PhpMyAdmin 上运行这个查询,查询会给我表的第一行,所以它可以工作.但是如果我提交表单,结果是 Not valid
.
if I run this query on SequelPro or PhpMyAdmin the query give me the first row of the table so it works.
But if I submit the form the result is Not valid
.
我也尝试在此输入中使用密码字段:
I tried also to use the password field with this input:
') or 1=1 -- 
这是生成的查询:
SELECT * FROM users WHERE username='' and password=MD5('') or 1=1 -- ')
但结果是一样的,它适用于 SequelPro,但不适用于表单.
but the result is the same, it works on SequelPro but not in the form.
我认为 mysql_query 函数不会识别 --
注释.我说得对吗?
我做错了什么?
I think that the mysql_query function will not recognize the --
comment. Am I right?
What I'm doing wrong?
推荐答案
在用户名字段试试这个:
try this in username field :
' or 1=1 or '
并输入您想要的密码.不要忘记 '
之后的空格.它把你的代码变成这样:
and enter password whatever you want.
don't forget about space after '
s.
it turns your code like that:
mysql_query("select * from users where username='' or 1=1 or '' and
password=".md5('$pass'))
它总是返回真.
它必须工作,如果没有,这样做:
it MUST work, if it doesnt, do this :
echo "
SELECT *
FROM users
WHERE username='".$uname."' and password=MD5('".$passw."')";
并将结果作为评论发布给我,也许我可以帮助您
and post the result as comment for me , maybe I could help you
这篇关于SQL 注入测试 - mysql_query的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!