網絡安全自學篇-PHP代碼審計（三）

一個網絡安全小白在學習過程中記錄下的筆記，希望在CSDN能和大家一起成長，學習，分享，進步，下面分享的是代碼審計中SQL注入的案例，希望對入門網安的朋友們有所幫助，大神有興趣看看即可，勿噴感謝，同時也歡迎各位師傅私聊交流學習。文章有所參考，也感謝教授我網安知識的師父們，感謝出生在這個互聯網時代，知識觸手可及。

SQL注入

原理：用戶輸入的數據被當做SQL語句執行
案例：
MySQL建立數據庫admin，庫中有表user，四個字段，分別是id，username，password，email

插入三條記錄

構造登錄界面
login.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form action="login.php" method="post">
        賬號：<input type="text" name="username"></br>
        密碼：<input type="password" name="password"></br>
        <input type="submit" value="點擊登錄" name="login">
    </form>
</body>
</html>

MySQL處理流程
login.php

<?php
if(!isset($_POST['login'])) {
    echo "login fail!";
}else{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    $sql = "SELECT * FROM user WHERE username='".$username."'";
    $result = mysql_query($sql) or die('執行SQL語句失敗'.mysql_error());
    while($row = mysql_fetch_array($result)) {
        $get_username = $row['username'];
        $get_password = $row['password'];
    }
    if($get_password == $password && $get_username == $username) {
        echo "login success!";
    }else{
        echo "please login!";
    }
}

讀者可自行嘗試驗證SQL注入漏洞，後面記錄下二次注入
一階注入（案例在上面）：
一階SQL注入發生在一次HTTP請求和響應中，即攻擊者發送惡意請求後服務器立即接收該請求並作出響應，例如在參數?id=1後面添加單引號可能有報錯提示。
二階注入（二次注入）：
二階注入會發生在兩次HTTP請求和響應中，攻擊者提交惡意數據並使其存儲在數據庫中，攻擊者利用web應用檢索存儲在數據庫中的惡意數據，造成二次注入。
構造註冊頁面
reg.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form action="reg.php" method="post">
    id:<input type="text" name="id"><br >
    username:<input type="text" name="username"><br >
    password:<input type="password" name="password"><br >
    email:<input type="text" name="email"><br >
    <input type="submit" name="submit" value="點擊提交">
</form>
</body>
</html>

MySQL處理流程
reg.php

<?php
header("content-type:text/jtml;charset=utf-8");
if(!empty($_POST['submit'])) {
    $id = addslashes($_POST['id']);
    $username = addslashes($_POST['username']);
    $password = addslashes($_POST['password']);
    $email = addslashes($_POST['email']);
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    $sql = "INSERT INTO USER (id,username,password,email) VALUES ('$id','$username','$password','$email');";
    $result = mysql_query($sql) or die('執行SQL語句失敗!'.mysql_error());
    if($result) {
        echo "註冊成功";
    }else{
        echo "註冊失敗";
    }
}else {
    echo "Please submit data!";
}

構造檢索界面
search.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form action="search.php" method="post">
    search id:<input type="text" name="id"><br>
    <input type="submit" name="submit" value="點擊查詢">
</form>
</body>
</html>

MySQL處理流程

<?php
header("content-type:text/jtml;charset=utf-8");
if(!empty($_POST['submit'])){
    $id = $_POST['id'];
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    $sql = "SELECT * FROM user WHERE id='$id'";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)) {
        $username = $row['username'];
        $sql = "SELECT * FROM user WHERE username='$username'";
        $result = mysql_query($sql);
        while($row = mysql_fetch_array($result)) {
            echo "ID：".$row['id']."\n";
            echo "USERNAME：".$row['username']."\n";
            echo "PASSWORD：".$row['password']."\n";
            echo "EMAIL：".$row['email']."\n";
        }
    }
}

二次注入驗證：
註冊一個賬號，使其用戶名爲’ union select * from 1,2,database(),4#

數據庫中存儲的惡意數據
檢索

拼接成SQL語句爲

select * from user where username='' union select 1,2,database(),4#'