請問能執行個體一個基於PHP MYSQL類的注入攻擊嗎?
PHP VERSION 5.6.3
在嘗試進行類比注入攻擊時失敗。列印了SQL語句,直接複製指令碼到Mysql Workbench是可以成功DROP掉資料庫的,但是在本地啟動並執行時候始終報語法錯誤,求問錯誤在哪裡,如何執行個體化這樣一次的攻擊。
error_reporting(E_ALL^E_NOTICE^E_WARNING^E_DEPRECATED);$data = $_GET['sql'];$data2 = mysql_real_escape_string($data);$sql = "INSERT INTO test (test) VALUES ('$data');";$sqlx = "INSERT INTO test (test) VALUES ('$data2');";echo $sql.'
';echo $sqlx.'
';mysql_query($sql);echo mysql_error();上面連結部分略,
訪問的URL為 test.php?sql=values%27);%20DROP%20DATABASE%20test;%20--%20
輸出為
INSERT INTO test (test) VALUES ('values'); DROP DATABASE test; -- ');
INSERT INTO test (test) VALUES ('values\'); DROP DATABASE test; -- ');
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP DATABASE test; -- ')' at line 1
第二行做過防注入處理的是可以執行的,但是一個沒做處理,依然報錯了
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
