[英]SQL injection login bypass
I am preparing SQL injection vulnerable page to test skills, here is my code:我正在准备SQL注入漏洞页面来测试技巧,下面是我的代码:
<?php
echo "<center><h1>Login Bypass</h1></center>";
include 'config.php';
mysql_connect($host, $user, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
$name = $_REQUEST['name'];
$passwd = $_REQUEST['passwd'];
$query_string = "SELECT * FROM users WHERE username = '$name' AND password = '$passwd'";
echo "<center>".$query_string."</center><br/>";
$query = mysql_query($query_string) or die(mysql_error());
$row = mysql_fetch_array($query);
if(mysql_num_rows($query)>0)
echo "<center>SUCCESS</center><br/>";
else echo "<center>ACCESS DENIED</center><br/>";
echo "<center>".$row['email']."</center><br/>";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Login Bypass</title>
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<meta name="generator" content="Geany 0.19.1" />
</head>
<body>
<center>
<form action="login_bypass.php" method="get">
Login: <input name="name">
Password: <input name="passwd" >
<input type="submit" value="CHECK">
</form>
</center>
</body>
</html>
I have also table users where I have username='agajan' and password='12345' email='torayeff@gmail.com'.我还有用户名='agajan'和密码='12345'电子邮件='torayeff@gmail.com'的表用户。 I know that this query is vulnerable:
我知道这个查询很容易受到攻击:
$query_string = "SELECT * FROM users WHERE username = '$name' AND password = '$passwd'";
But when I insert instead of username the following "agajan' /*" and leave password field empty I get:但是,当我插入以下“agajan'/ *”而不是用户名并将密码字段留空时,我得到:
SELECT * FROM users WHERE username = 'agajan' /* ' AND password = ' '
...but It gives me mysql error. ...但它给了我 mysql 错误。 Can anyone explain me why I can not inject sql?
谁能解释一下为什么我不能注入 sql?
you don't close your comment.你没有关闭你的评论。 Try
尝试
"agajan'; --" “阿加詹”;——”
SELECT *
FROM users
WHERE username = 'agajan'; -- ' AND password = ' '
Probably you did not close your C-style comment cleanly, so you have managed a syntax error in your comment.可能您没有干净地关闭您的 C 样式注释,因此您在注释中处理了语法错误。 Use a double-dash
--
comment.使用双破折号
--
注释。
This is not a valid comment because you use the inline comment which requires a closing */
as well..这不是一个有效的注释,因为您使用的内联注释也需要关闭
*/
..
Use --
or #
comments instead, so you need to pass agajan' --
or agajan' #
.请改用
--
或#
注释,因此您需要传递agajan' --
或agajan' #
。
MySql comment syntax: http://dev.mysql.com/doc/refman/5.1/en/comments.html MySql 注释语法: http://dev.mysql.com/doc/refman/5.1/en/comments.ZAFC35FDC70D22FC796
Because the SQL statement itself is not valid.因为 SQL 语句本身无效。 It doesn't pass the test of proper formatting.
它没有通过正确格式的测试。
SELECT *
FROM users
WHERE username = 'agajan' /* ' AND password = ' '
Consider input like "agajan'; SELECT 1 FROM users WHERE user = 'agajan'"考虑像“agajan”这样的输入;SELECT 1 FROM users WHERE user = 'agajan'”
UPDATE users
SET priv = 'superuser'
WHERE username = 'agajan'; SELECT * FROM users WHERE user = 'agajan' AND password = ' '
You forgot ";"你忘了 ”;” before $username
$用户名之前
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.