Notes written down by a cyber-security beginner while learning. I hope to grow, learn, share and improve together with everyone on CSDN. What follows is a code-audit case study of SQL injection; I hope it helps friends who are just getting into security. Experts are welcome to glance at it, please go easy on me, and feel free to message me to discuss and learn together. The article draws on references, and I thank the mentors who taught me security; I am grateful to have been born in this internet era where knowledge is within reach.
SQL injection
Principle: data supplied by the user is concatenated into a SQL statement and executed as part of it.
Case:
In MySQL create a database admin containing a table user with four columns: id, username, password, email.
Insert three records.
Build the login page.
login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="login.php" method="post">
Username:<input type="text" name="username"><br>
Password:<input type="password" name="password"><br>
<input type="submit" value="Log in" name="login">
</form>
</body>
</html>
Server-side MySQL handling
login.php
<?php
// Deliberately vulnerable demo code from the post. It uses the legacy ext/mysql
// API (mysql_* functions), which exists only in PHP 5 and was removed in PHP 7.
if(!isset($_POST['login'])) {
    echo "login fail!";
}else{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    // The submitted username is concatenated straight into the query:
    // this is the first-order SQL injection point.
    $sql = "SELECT * FROM user WHERE username='".$username."'";
    // Printing mysql_error() on failure also hands the attacker the database's error text.
    $result = mysql_query($sql) or die('Failed to execute SQL statement: '.mysql_error());
    $get_username = null;
    $get_password = null;
    while($row = mysql_fetch_array($result)) {
        $get_username = $row['username'];
        $get_password = $row['password'];
    }
    if($get_password == $password && $get_username == $username) {
        echo "login success!";
    }else{
        echo "please login!";
    }
}
Readers can verify the SQL injection in this login page themselves; second-order injection is recorded below.
First-order injection (the case above):
A first-order SQL injection happens within a single HTTP request and response: the attacker sends a malicious request and the server executes it and responds immediately. For example, appending a single quote to a parameter such as ?id=1 breaks the statement, and if the page prints the database error (as the die(mysql_error()) above does) the error message reveals the injection point.
Second-order injection:
A second-order injection spans two HTTP requests and responses. The attacker first submits malicious data that the application escapes correctly and stores in the database; later, another page reads that stored data back, treats it as trusted, and concatenates it into a new query, where the payload finally executes.
Build the registration page.
reg.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="reg.php" method="post">
id:<input type="text" name="id"><br>
username:<input type="text" name="username"><br>
password:<input type="password" name="password"><br>
email:<input type="text" name="email"><br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
Server-side MySQL handling
reg.php
<?php
header("content-type:text/html;charset=utf-8");
if(!empty($_POST['submit'])) {
    // addslashes() backslash-escapes quotes, so this INSERT itself cannot be broken out of.
    $id = addslashes($_POST['id']);
    $username = addslashes($_POST['username']);
    $password = addslashes($_POST['password']);
    $email = addslashes($_POST['email']);
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    // MySQL interprets \' as a literal quote when it parses the string, so the
    // value actually stored in the table is the raw, unescaped payload.
    $sql = "INSERT INTO user (id,username,password,email) VALUES ('$id','$username','$password','$email');";
    $result = mysql_query($sql) or die('Failed to execute SQL statement! '.mysql_error());
    if($result) {
        echo "Registration succeeded";
    }else{
        echo "Registration failed";
    }
}else {
    echo "Please submit data!";
}
Build the search page.
search.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="search.php" method="post">
search id:<input type="text" name="id"><br>
<input type="submit" name="submit" value="Search">
</form>
</body>
</html>
Server-side MySQL handling
search.php
<?php
header("content-type:text/html;charset=utf-8");
if(!empty($_POST['submit'])){
    $id = $_POST['id'];
    $conn = mysql_connect("localhost","root","root");
    mysql_select_db("admin",$conn);
    // $id is also concatenated unescaped (a first-order injection point), but the
    // second-order case below works even when a perfectly harmless id is submitted.
    $sql = "SELECT * FROM user WHERE id='$id'";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)) {
        // The username comes from the database, so it is treated as trusted and
        // concatenated into a new query without escaping: the second-order injection point.
        $username = $row['username'];
        $sql2 = "SELECT * FROM user WHERE username='$username'";
        $result2 = mysql_query($sql2);
        while($row2 = mysql_fetch_array($result2)) {
            echo "ID:".$row2['id']."\n";
            echo "USERNAME:".$row2['username']."\n";
            echo "PASSWORD:".$row2['password']."\n";
            echo "EMAIL:".$row2['email']."\n";
        }
    }
}
Verifying the second-order injection:
Register an account whose username is ' union select 1,2,database(),4#
The malicious data as stored in the database (addslashes() turned the quote into \' for the INSERT, but MySQL stores the literal quote, so the row holds the raw payload):
Search for that account's id:
The concatenated SQL statement becomes
select * from user where username='' union select 1,2,database(),4#'
The first SELECT matches nothing, the UNION supplies a row with attacker-chosen columns, and the trailing # comments out the closing quote. Because the third column maps to password, the search page prints the database name in the PASSWORD field.
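The whole flow above, from the first-order probe on the login page to the stored payload executing in the search page, as an added, runnable example that is not part of the original post. It ports login.php, reg.php and search.php to Python over an in-memory SQLite database so it runs offline. Assumptions: SQLite stands in for MySQL, so the payload uses the '--' comment and sqlite_version() in place of '#' and database(), and quote doubling stands in for addslashes() (the mechanics are the same: escaping protects only the INSERT, and the raw payload is what gets stored). The seed rows and the hypothetical account mallory are constructed for the example. Each vulnerable port is shown beside a version using bound parameters.

```python
import sqlite3

# Constructed sample rows for the post's `user` table (not from the original post).
SEED_USERS = [
    (1, "alice", "alice123", "alice@example.com"),
    (2, "bob", "hunter2", "bob@example.com"),
    (3, "admin", "s3cret!", "admin@example.com"),
]

# The post's payload is  ' union select 1,2,database(),4#  for MySQL.
# SQLite has no '#' comment and no database(), so the assumed equivalents
# here are '--' and sqlite_version(); the injection mechanics are identical.
PAYLOAD = "' union select 1,2,sqlite_version(),4 --"


def make_db():
    """Create the post's table user(id, username, password, email) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_query_vulnerable(conn, username):
    """Port of login.php: the submitted username is concatenated into the query."""
    sql = "SELECT * FROM user WHERE username='" + username + "'"
    return conn.execute(sql).fetchall()


def login_probe(conn, username):
    """The first-order test from the post: a lone quote breaks the statement, and
    login.php's die(mysql_error()) would print the error to the attacker.
    Returns ("error", message) or ("rows", rows)."""
    try:
        return ("rows", login_query_vulnerable(conn, username))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def login_fixed(conn, username, password):
    """Hardened login: a bound parameter is never parsed as SQL.
    (Plaintext password comparison is kept from the post; real code hashes.)"""
    row = conn.execute("SELECT username, password FROM user WHERE username=?",
                       (username,)).fetchone()
    return row is not None and row[1] == password


def escape_on_insert(value):
    """Stand-in for addslashes() in reg.php. addslashes() backslash-escapes
    quotes for MySQL; SQLite literals double them instead. Either way the
    escaping only protects the INSERT: the raw payload is what gets stored."""
    return value.replace("'", "''")


def register(conn, uid, username, password, email):
    """Port of reg.php: every field is escaped, then concatenated. This INSERT
    itself is not injectable; the problem is what the stored value does later."""
    vals = tuple(escape_on_insert(str(v)) for v in (uid, username, password, email))
    conn.execute("INSERT INTO user (id,username,password,email) "
                 "VALUES ('%s','%s','%s','%s')" % vals)
    conn.commit()


def search_vulnerable(conn, uid):
    """Port of search.php: the username read back from the database is trusted
    and concatenated into a second query, which is the second-order injection."""
    results = []
    for row in conn.execute("SELECT * FROM user WHERE id='" + str(uid) + "'").fetchall():
        stored_username = row[1]
        sql = "SELECT * FROM user WHERE username='" + stored_username + "'"
        results.extend(conn.execute(sql).fetchall())
    return results


def search_fixed(conn, uid):
    """Same flow with bound parameters: the stored payload is compared as data,
    so the query simply returns the attacker's own row."""
    results = []
    for row in conn.execute("SELECT * FROM user WHERE id=?", (uid,)).fetchall():
        results.extend(conn.execute("SELECT * FROM user WHERE username=?",
                                    (row[1],)).fetchall())
    return results


if __name__ == "__main__":
    db = make_db()
    print("first-order probe:", login_probe(db, "'"))
    print("first-order union:", login_query_vulnerable(db, PAYLOAD))
    register(db, 4, PAYLOAD, "pw", "mallory@example.com")
    print("stored username:", db.execute("SELECT username FROM user WHERE id=4").fetchone())
    print("second-order (vulnerable search):", search_vulnerable(db, 4))
    print("second-order (fixed search):", search_fixed(db, 4))
    print("fixed login with quote:", login_fixed(db, "'", ""))
```

Running it shows the three stages of the post in order: the quote probe raises a syntax error, the union in the login query returns a row that was never in the table, and after registration the vulnerable search returns the SQLite version in the password position (the database name in the MySQL original) while the parameterised search returns only mallory's own row. The takeaway for a code audit is that escaping at the point of input is not a property of the data; every query that concatenates a value, including values read back from the database, is a separate injection point unless it uses bound parameters.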