如何测试我的 PHP MySQL 注入示例?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15758185/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I test my PHP MySQL injection example?
提问by Thanh Nguyen
I want to use PHP/Mysql injection with a login example, my code is below.
我想在登录示例中使用 PHP/Mysql 注入,我的代码如下。
I have tried with a username of anything' --and an empty password but it doesn't work and I couldn't log in.
我尝试使用用户名anything' --和空密码,但它不起作用,我无法登录。
Could anyone help me?
有人可以帮助我吗?
<?php
mysql_connect('localhost','root','root');
mysql_select_db('hp');
?>
<form action="" method="post">
<table width="50%">
<tr>
<td>User</td>
<td><input type="text" name="user"></td>
</tr>
<tr>
<td></td>
<td><input type="text" name="password"></td>
</tr>
</table>
<input type="submit" value="OK" name="s">
</form>
<?php
if($_POST['s']){
$user = $_POST['user'];
$pass = $_POST['password'];
$re = mysql_query("select * from zend_adminlist where user_name = '$user' and password = '$pass'");
if(mysql_num_rows($re) == 0){
echo '0';
}else{
echo '1';
}
}
?>
回答by Lemon Drop
One of the most common examples is this query:
最常见的示例之一是以下查询:
' or '1'='1
If you enter this as the username and password into some unsanitized login input the query changes like so:
如果您将此作为用户名和密码输入到一些未经处理的登录输入中,查询会更改如下:
Original: SELECT * FROM USERS WHERE USER='' AND PASS='';
Modified: SELECT * FROM USERS WHERE USER='' or '1'='1' AND PASS='' or '1'='1';
This causes each thing its looking for to be true, as 1 will always equal 1. Problem with this method is it does not allow the selection of a particular user. Doing so you need to make it ignore the AND statement by commenting it out as seen in other examples.
这会导致它寻找的每件事都是真的,因为 1 总是等于 1。这种方法的问题是它不允许选择特定用户。这样做,您需要通过注释掉 AND 语句使其忽略 AND 语句,如其他示例中所示。
回答by Kovge
If the value of username is:
如果用户名的值为:
$_POST['user'] = "1' OR 1 LIMIT 1; --";
Then the mysql query becomes:
然后mysql查询变成:
select *
from zend_adminlist
where user_name = '1' OR 1 LIMIT 1; --' and password = '$pass'
