"SQL injection" simple implementation: second-order injection



This article is reposted from the ichunqiu community.

Test Code 1: content details page

```php
<?php
include('./connect.php'); // include the database configuration file
$id=$_GET['id'];
$select_sql="SELECT * FROM article WHERE title='$id'";
echo $select_sql;
mysql_query('set names utf8');
$select_sql_result=mysql_query($select_sql);
$date=mysql_fetch_assoc($select_sql_result);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title><?php echo $date['title']."啦啦啦啦啦啦"?></title>
</head>
<body>
<?php echo $date['title'] ?>
<?php echo $date['author'] ?><br/>
时间:<?php echo date("Y-m-d H:i:s",$date['dateline'])?><br />
概述: <?php echo $date['description']; ?><br />
正文: <?php echo $date['content'] ?>
</body>
</html>
```


Test Code 2: content add page

```php
<?php
include('../connect.php'); // assumed to open the connection handle $con used below
$title=addslashes($_POST['title']);  // addslashes escapes the predefined characters (' " \ NUL)
$author=addslashes($_POST['author']);
$description=addslashes($_POST['description']);
$content=addslashes($_POST['content']);
$dataline=time();
$insert="INSERT INTO article(title,author,description,content,dateline) VALUES('$title','$author','$description','$content','$dataline')";
echo $insert;
mysql_query("set names utf8"); // set the connection encoding
if($result=mysql_query($insert)){
    $num=mysql_affected_rows($con);
    echo $num;
}
?>
```


First, let us briefly analyze these two pieces of code.
Test Code 1 is a content display page: it queries the database by the incoming title and then outputs the result in the page. We can see that the incoming parameter id is not filtered at all, so this is a classic string-based GET injection on its own; but today's topic is second-order injection, so we set that direct injection aside for now.
Test Code 2 is an add page: it takes the form data from POST, executes an INSERT statement, and on success returns the number of affected rows. Here every parameter is escaped with the addslashes function.
Putting the two pieces of code together, we find a typical second-order injection point. Although the add page filters strictly, addslashes has one characteristic: the filtered parameter gets a "\" prepended to each quote, but that "\" is not what gets stored in the database; MySQL consumes it and stores the bare quote. Since the content display page then queries by title, we can use this to construct a second-order injection.
First, we insert an injection statement through the add page.


We can see that our single quote has been escaped, but the page finally returned a "1", proving that our data was inserted successfully. Now we look in the database.


You can see that the escape character "\" was not inserted into the database, while our single quote was still inserted successfully. Now we go to the main page.


We see the data we just inserted. Note the link in the bottom left corner: the id parameter of that link is our injection statement. Open the link:


and we find that user() and database() are returned successfully.
Simple analysis: when we open the link
http://127.0.0.1/CMS/article.show.php?id=1111' union%20select%20null,null,null,user(),database(),null'
the id in the URL is read by `$id=$_GET['id'];` in Test Code 1 and substituted into the query string, so the SQL statement that is finally executed is
SELECT * FROM article WHERE title='1111' union select null,null,null,user(),database(),null'
------------------------------------------------------------
Fix: the most basic approach is to check, before the INSERT is executed, whether the escape character "\" is present in the escaped value; if it is, do not insert.
Second, when reading the parameter with $id=$_GET['id'], filter it as well, for example $id=addslashes($_GET['id']), so that the obtained parameter is escaped before it reaches the query.
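The two fixes above both keep escaping as the defence, and the post itself shows why that is fragile: escaping is consumed by the database, so every place that later reuses a stored value has to remember to escape it again. The following is an added example, not code from the original post or from the ichunqiu CMS, that replays the flow of the two test pages against an in-memory SQLite database through PDO so it runs offline (the mysql_* functions used by the post were removed in PHP 7.0; mysqli and PDO are the replacements). It assumes, as the post observes, that the database holds the raw title including its single quote, and it uses a constructed quote-bearing title rather than the post's UNION payload: the point is the mechanism, which is the same for any value containing a quote.

```php
<?php
// Added example (not part of the original post). It replays the flow of the
// two test pages against an in-memory SQLite database through PDO, so it
// runs offline with php-cli and the pdo_sqlite extension.
// Assumption: as the post observes, MySQL removed the backslash that
// addslashes() added, so the table holds the raw title including its
// single quote; the value is therefore stored raw here as well.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (
    title TEXT, author TEXT, description TEXT, content TEXT, dateline INTEGER)");

// Constructed sample title containing a single quote, standing in for any
// quote-bearing value that the add page accepts after addslashes().
$storedTitle = "Tom's notes";

// Add page, hardened: the prepared statement carries the value separately
// from the SQL text, so no escaping layer is needed and none can be lost.
$ins = $db->prepare("INSERT INTO article(title,author,description,content,dateline)
                     VALUES(?,?,?,?,?)");
$ins->execute([$storedTitle, 'alice', 'demo', 'body text', time()]);

// Display page, vulnerable pattern from Test Code 1: a value that came back
// out of the database is interpolated into a fresh query with no escaping.
function vulnerableLookup(PDO $db, string $id): string
{
    $sql = "SELECT * FROM article WHERE title='$id'";
    try {
        $db->query($sql);
        return "ran unchanged: $sql";
    } catch (PDOException $e) {
        // The quote inside the value ended the string early and the rest was
        // parsed as SQL; in the post that remainder was the UNION SELECT.
        // A defender sees this as SQL syntax errors in the application log.
        return "syntax error from: $sql (" . $e->getMessage() . ")";
    }
}

// Display page, hardened: bind the title as a parameter so the stored
// value is never re-parsed as SQL, whatever characters it contains.
function safeLookup(PDO $db, string $id): ?array
{
    $sel = $db->prepare("SELECT * FROM article WHERE title = ?");
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

echo vulnerableLookup($db, $storedTitle), PHP_EOL;
$row = safeLookup($db, $storedTitle);
echo "prepared lookup found: ", $row ? $row['title'] : 'nothing', PHP_EOL;
```

Run it with `php second_order.php`. The interpolated lookup fails on the quote that the add page thought it had neutralised, while the parameterised lookup returns the row, because the driver sends the title as data rather than as part of the statement text. Applying the same pattern to the real pages means replacing both the `INSERT` in Test Code 2 and the `SELECT` in Test Code 1 with prepared statements; addslashes on either side then becomes unnecessary.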

Source of this article: http://bbs.ichunqiu.com/thread-11561-1-1.html

