[root@kvm3 ~]# cat /var/www/html/injection1.php
<?php
$dbhost = 'localhost:3306';
$dbuser = 'root';
$dbpass = '123qwe';
$conn = mysqli_connect($dbhost, $dbuser, $dbpass)
or die(mysqli_connect_error().PHP_EOL);
mysqli_select_db( $conn, 'mysql' )
or die('Error: '.mysqli_error($conn).PHP_EOL);
if (preg_match("/^\w{4,20}$/", $_GET['user'], $matches)){
$sql = "SELECT host,user FROM user WHERE user='{$matches[0]}'";
$retval = mysqli_query( $conn,$sql );
while($row = mysqli_fetch_array($retval, MYSQLI_NUM)) {
echo "HOST: {$row[0]}<br>User: {$row[1]}<br>".
"--------------------------------<br>";
}
mysqli_free_result($retval);
echo "Fetched data successfully\n";
} else {
echo "user not accepted\n";
}
mysqli_close($conn);
?>
?user=abc,回應 "user not accepted"。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=abc" user not accepted
?user='a' or 1,因輸入可能 sql injection 的字元 ,mysqli_query 回應錯誤要求。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user='a' or 1" <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> </body></html>
?user=root,查詢結果列出 host 及 user。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=root" | sed 's/<br> */\n/g' HOST: 127.0.0.1 User: root -------------------------------- HOST: ::1 User: root -------------------------------- HOST: kvm3.deyu.wang User: root -------------------------------- HOST: localhost User: root -------------------------------- Fetched data successfully
?user=1234567890,字串符合要求,但資料庫中無此紀錄。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=1234567890" Fetched data successfully
?user=12345678901234567890AA,字串超過 20 個字,回應 "user not accepted"。
[root@kvm3 ~]# curl -s http://kvm3.deyu.wang/injection1.php?"user=12345678901234567890AA" user not accepted