PHP is popular for its cross-platform portability, and a great many websites are written in it. Because fewer intrusion tools target PHP than ASP, many people pay little attention to the security of PHP admin back ends.
I have seen many back ends that log administrators in through GET parameters, and most of them are not secure.
Let's look at a PHP login snippet (GET):
$conn = mysql_connect("ip", "name", "pass");
// Connect to the database
$query = "select uid from admin where adminname = " . $_GET["adminname"]
       . " and password = " . $_GET["password"];
// Build the query directly from the GET parameters; nothing is escaped or validated
$result = mysql_query($query);
...
Because the form uses GET, when the login name is nm and the password is pa, the query PHP builds is:
select uid from admin where adminname = nm
and password = pa;
The address bar shows:
adminlogin.php?adminname=nm&password=pa
If " or 1=1" is appended in the address bar, the address becomes:
adminlogin.php?adminname=nm&password=pa or 1=1
Look back at the query:
select uid from admin where adminname = nm
and password = pa or 1=1;
A simple, textbook PHP injection is complete.
The idea behind XSS is in fact very similar. If you now understand SQL injection, you will see why I do not recommend receiving back-end login credentials through GET.
My blog uses GET to show the back-end login page, but not to receive the credentials themselves.
Here is a challenge I posted on this topic:
admin_login.php is the entry to the management back end. The page has two form fields: the administrator name and the password.
In the original code the corresponding variables are $admin_name and $admin_pass, and the login check is:
select * from administrator
where adminname = $_GET[admin_name] and admin_pass = $_GET[admin_pass]
Now fill in the two fields as follows:
Admin/* hacking by Juliet!
Japanese all are dogs */
The result: I was logged into the management back end. Why?
Hint: the answer has three parts: the database, the original page, and the PHP program itself.
The answer:
The original form must have contained code similar to the following:
<form action="admin_login.php" method="get">
<input type="text" name="admin_name" value="">
<input type="password" name="admin_pass" value="">
......
After the form is submitted, the browser's address bar shows "admin_login.php?admin_name=admin&admin_pass=password" (if admin and password were entered). This shows that the form is submitted with GET.
Because admin_login.php does not filter sensitive characters, the variables go straight into the SQL statement used for the check, and the result is a SQL injection vulnerability. When "admin/* hacking by Juliet!" and "Japanese all are dogs */" are submitted, the SQL statement becomes
select * from administrator
where adminname = admin/* hacking by Juliet! and admin_pass = Japanese all are dogs */
Because "/* ... */" is a comment in SQL syntax, the password comparison is commented out. The statement that actually executes is:
select * from administrator
where adminname = admin
As a result, as long as the administrator table contains the user name admin, you get straight into the back end; if that user name does not exist, you do not.
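The following is an added example, not the post's own code, showing how the login check from both parts of the post (the "or 1=1" case and the "/* ... */" case) is rebuilt so that user input can no longer change the query. It keeps the post's string-building pattern only in build_unsafe_query, to show what the comment payload turns into (comment text shortened), and replaces it with a PDO prepared statement. Everything outside the post is an assumption: the PDO DSN and credentials, a table administrator with columns adminname and password_hash (the post's table compares a plain admin_pass), the admin_index.php landing page, and a form whose method has been changed from get to post.

```php
<?php
// Added example, not the post's own code: the post's login check rebuilt so that
// neither the "or 1=1" nor the "/* ... */" input shown above can alter the query.
// Assumptions (not from the post): a PDO connection to MySQL, a table
// "administrator" with columns adminname and password_hash (the hash column is
// assumed; the post's table compares a plain admin_pass), and credentials
// arriving by POST from a form whose method was changed from get to post.

// The post's string-building pattern, kept only to show what the input becomes.
// Never use this for a real query.
function build_unsafe_query(string $name, string $pass): string
{
    return "select * from administrator where adminname = " . $name
         . " and admin_pass = " . $pass;
}

// Hardened lookup: the SQL text is constant and the value travels separately
// as a bound parameter, so MySQL never parses user input as part of the statement.
function find_admin(PDO $db, string $name): ?array
{
    $stmt = $db->prepare(
        'SELECT adminname, password_hash FROM administrator WHERE adminname = :name'
    );
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Password check against a stored password_hash() value instead of a plain-text
// comparison inside the SQL. A constructed dummy hash keeps the failure path
// doing the same work whether or not the name exists.
function admin_login(PDO $db, string $name, string $pass, string $dummyHash): bool
{
    $row = find_admin($db, $name);
    $hash = $row['password_hash'] ?? $dummyHash;
    return password_verify($pass, $hash) && $row !== null;
}

if (PHP_SAPI === 'cli') {
    // Show what the post's pattern turns the comment payload into (comment text shortened).
    echo build_unsafe_query('admin/* anything', 'anything */'), PHP_EOL;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumed connection details; the DSN and account are placeholders.
    $db = new PDO('mysql:host=127.0.0.1;dbname=site;charset=utf8mb4', 'name', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
    ]);
    $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $name = (string) ($_POST['admin_name'] ?? '');
    $pass = (string) ($_POST['admin_pass'] ?? '');

    if (admin_login($db, $name, $pass, $dummyHash)) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['admin'] = $name;
        header('Location: admin_index.php'); // assumed back-end landing page
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
}
```

Run it from the command line to see the unsafe query text; deploy it as admin_login.php with the form changed to <form action="admin_login.php" method="post">. Note that switching from GET to POST on its own does not stop injection: it only keeps the credentials out of the address bar, browser history and server logs. The injection is closed by the prepared statement, which keeps the SQL text fixed regardless of what the fields contain. PDO is used because the mysql_* functions from the post were removed in PHP 7.0.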