Django Raw Query SQL注入显示攻击
[英]Django Raw Query SQL injection display attack
问题描述
I am trying to write a website with Django that could display SQL injection for classroom purposes.However when i try to exploit the query nothing is getting returned. 
我正在尝试使用Django编写一个可以在课堂上显示SQL注入的网站。但是,当我尝试利用该查询时,没有任何返回结果。 I am using a MYSQL database 我正在使用MYSQL数据库
peopledata = people.objects.raw("select * from people where name = \"%s\" "%input
result = list(peopledata)
I tried using "; show tables; -- and "; -- 我尝试使用"; show tables; -- "; -- "; -- , in the input field and nothing showed up. "; -- ,在输入字段中没有任何显示。 Is there a way to display the exploited data? 有没有办法显示被利用的数据?
1 个解决方案
解决方案1
0 2013-06-14 17:06:57
Your input should be any_name OR'x'='x' or any_name OR name IS NOT NULL 您的输入应为any_name OR'x'='x'或any_name OR'x'='x'或any_name OR name IS NOT NULL
The first input would guarantee the clause to be true no matter what the first clause is. 无论第一个子句是什么,第一个输入都会保证该子句为真。
The second query will then return every record in the database, instead of returning the name you searched for. 然后,第二个查询将返回数据库中的每个记录,而不是返回您搜索的名称。 This is demonstrates a big security risk. 这表明存在很大的安全风险。 If the data being returned is confidential (id SSN) the user has now received access to data he/she should not be viewing. 如果返回的数据是机密(id SSN),则用户现在已经可以访问他/她不应该查看的数据。
Another example would be: 另一个示例是:
any_name; DROP TABLE people; --
And: 和:
any_name; INSERT INTO people('email','passwd','login_id','full_name')
VALUES ('steve@email.com','hello','steve','Steve LastName'); --
NOTE: Apply these queries appropriately to your DB. 注意:将这些查询适当地应用于您的数据库。 Using single/double quotes when necessary etc. 必要时使用单/双引号等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.