[root@kvm3 ~]# cat /var/www/html/injection1.php <?php $dbhost = 'localhost:3306'; $dbuser = 'root'; $dbpass = '123qwe'; $conn = mysqli_connect($dbhost, $dbuser, $dbpass) or die(mysqli_connect_error().PHP_EOL); mysqli_select_db( $conn, 'mysql' ) or die('Error: '.mysqli_error($conn).PHP_EOL); if (preg_match("/^\w{4,20}$/", $_GET['user'], $matches)){ $sql = "SELECT host,user FROM user WHERE user='{$matches[0]}'"; $retval = mysqli_query( $conn,$sql ); while($row = mysqli_fetch_array($retval, MYSQLI_NUM)) { echo "HOST: {$row[0]}<br>User: {$row[1]}<br>". "--------------------------------<br>"; } mysqli_free_result($retval); echo "Fetched data successfully\n"; } else { echo "user not accepted\n"; } mysqli_close($conn); ?>
?user=abc
,回應 "user not accepted"。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=abc" user not accepted
?user='a' or 1
,因輸入可能 sql injection 的字元 ,mysqli_query
回應錯誤要求。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user='a' or 1" <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> </body></html>
?user=root
,查詢結果列出 host 及 user。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=root" | sed 's/<br> */\n/g' HOST: 127.0.0.1 User: root -------------------------------- HOST: ::1 User: root -------------------------------- HOST: kvm3.deyu.wang User: root -------------------------------- HOST: localhost User: root -------------------------------- Fetched data successfully
?user=1234567890
,字串符合要求,但資料庫中無此紀錄。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=1234567890" Fetched data successfully
?user=12345678901234567890AA
,字串超過 20 個字,回應 "user not accepted"。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=12345678901234567890AA" user not accepted