SQL Injection
Database operations are everywhere in a web page.
Query parameters carried in the URL.
SELECT * FROM users WHERE name='abc123'   What does the server-side code that produces a statement like this look like?
Server:
  …
  $name = $_GET['name'];
  $sql = "SELECT * FROM users WHERE name='" . $name . "'";
  mysql_query($sql);
  …
Key points: concatenation, quotes. The query string is assembled by concatenation, and the quotes around the value come from the template, not from the input.
SELECT * FROM users WHERE name='abc123' and passwd='123456'   The statement that a login corresponds to.
Login template:
  SELECT * FROM users WHERE name='' and passwd=''
Input for name:  abc' or '1=1
Resulting query:
  SELECT * FROM users WHERE name='abc' or '1=1' and passwd='XXXXXX'
CONDITION COMPROMISED. The quote in the input closes the name literal early and the rest is parsed as SQL. The string literal '1=1' is coerced to the number 1 (true) by MySQL, but AND binds tighter than OR, so the clause reads name='abc' OR ('1=1' AND passwd='XXXXXX'): no longer what the site intended, yet still not satisfied by an arbitrary password.

In a web page, many user actions are in effect database operations. A user can type arbitrary characters, and if the input is not filtered properly the user can make the database perform operations the site maintainer never intended.

Login template:
  SELECT * FROM users WHERE name='' and passwd=''
Input for name:  abc' or '1=1' or '1=1
Resulting query:
  SELECT * FROM users WHERE name='abc' or '1=1' or '1=1' and passwd='XXXXXX'
CONDITION ALWAYS TRUE. The extra "or '1=1'" is OR-ed in on its own, outside the AND, so the WHERE clause matches every row regardless of the password.
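The following is an added example, not code from the slides: it replays the concatenated server code and the two payloads above against a constructed two-row users table. It assumes an in-memory SQLite database as a stand-in for the site's MySQL (both coerce the string '1=1' to the number 1 in a boolean context, so the AND/OR precedence behaves the same way), and puts a parameterized query beside the vulnerable one as the fix.

```python
import sqlite3

# Constructed sample users standing in for the site's table (not from the slides).
SAMPLE_USERS = [("admin", "s3cret"), ("abc123", "123456")]


def make_db():
    """In-memory SQLite database with a two-row users table (assumed stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_login_sql(name, passwd):
    """String concatenation exactly as the slide's server code does it.

    The quotes around each value belong to the template, so a quote in the
    input closes the literal early and the rest of the input becomes SQL.
    """
    return ("SELECT * FROM users WHERE name='" + name +
            "' and passwd='" + passwd + "'")


def vulnerable_login(conn, name, passwd):
    """Rows matched by the concatenated query (empty list means login denied)."""
    return conn.execute(build_login_sql(name, passwd)).fetchall()


def safe_login(conn, name, passwd):
    """Parameterized query: values are bound separately from the SQL text,
    so the input is only ever compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE name=? and passwd=?", (name, passwd)
    ).fetchall()


def run_demo():
    """Replays the cases from the slides and returns the row count of each."""
    conn = make_db()
    return {
        # Honest login: one matching row.
        "honest": len(vulnerable_login(conn, "abc123", "123456")),
        # CONDITION COMPROMISED: AND binds tighter than OR, so the WHERE clause
        # is name='abc' OR ('1=1' AND passwd='XXXXXX'). No user is named abc and
        # the password is wrong, so nothing matches and login still fails.
        "compromised": len(vulnerable_login(conn, "abc' or '1=1", "XXXXXX")),
        # CONDITION ALWAYS TRUE: the extra "or '1=1'" sits outside the AND.
        # '1=1' coerces to 1 (true), so every row matches; the site would log
        # the attacker in as whichever user comes back first.
        "always_true": len(vulnerable_login(conn, "abc' or '1=1' or '1=1", "XXXXXX")),
        # Same payload against the parameterized query: compared as a literal
        # name, so nothing matches.
        "safe": len(safe_login(conn, "abc' or '1=1' or '1=1", "XXXXXX")),
    }


if __name__ == "__main__":
    print(build_login_sql("abc' or '1=1' or '1=1", "XXXXXX"))
    for case, n in run_demo().items():
        print(f"{case:12s} -> {n} row(s)")
```

The "compromised" case is the reason the slides need a second payload: a single injected OR changes the condition but, because of operator precedence, only bypasses the password for a user literally named abc.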
[Figure: request flow with filtering on both sides]
Client:  Filter(request_data) -> Send(data)
Server:  data = Receive() -> Filter(received_data) -> do_SQL_query(data) -> Handle(returned_data)
http://202.38.79.49:8888/login.php
Tasks: bypass account authentication; dump the whole database.