我试图证明我的客户对我的客户来说,这个系统对 Mysql 注射没有安全感。 我想得到一些证据,证明给我看一个完整的用户列表(从...中选择 ), 或者在系统中输入一个新的用户/成人, 这样我就可以在系统之后登录。
这是简化我所构建的系统:
PHP 登录网站 :
$user = $_POST["user"];
$pwd = $_POST["pwd"];
$query1 = "INSERT INTO user_log (username, password,ip) VALUES ( $user , $pwd , 127.1.1.1 )";
$result1 = mysql_query($query1) or die("Query failed: " . mysql_error());
$query2 = "select * from login where name = $user and pass = $pwd limit 1";
$result2 = mysql_query($query2) or die("Query failed: " . mysql_error());
这几张桌子是这样的:
CREATE TABLE `user_log` (
`idadmin` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(45) DEFAULT NULL,
`password` varchar(45) DEFAULT NULL,
`ip` varchar(45) DEFAULT NULL,
PRIMARY KEY (`idadmin`)
)
CREATE TABLE `login` (
`idlogin` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(45) DEFAULT NULL,
`pass` varchar(45) DEFAULT NULL,
PRIMARY KEY (`idlogin`)
)
我发现很难注射这个 尽管我可以看到它完全不安全。
- The first thing I tried was injecting on the INSERT-query, but it was hard to get some decent results out of it other than spamming the user_log table.
- I tried to make a query that went through the first query1 and injected at query2 instead. But this was quite complicated because of the quoting.
是否有任何想法或其他方法在这种特定情况下进行注射?