SQL Injection: Second-Order Injection (sql-lab Less-24)
What is second-order injection
A second-order (stored) injection is one in which data crafted by the attacker is first stored in the database and only later read back and placed into an SQL statement. The application may well have escaped the special characters when the data came in, but escaping protects only the statement it is spliced into: the database parser consumes the escape and stores the original value, quote and all. When the web application later pulls that stored value out and builds another query with it, without escaping or parameterizing it a second time, the injection fires. That is a second-order SQL injection.
The principle, in two steps
Second-order injection can be summarized as follows:
Step 1: store the malicious data
When the data is first inserted, special characters are escaped (for example with mysql_real_escape_string), so the INSERT itself is not injectable. The escaping is consumed by the SQL parser, however, and what is written to the table is the original string with its quote intact.
Step 2: reuse the malicious data
The developer assumes that anything already in the database is safe. When the value is later read out (from the table, or from a session that was populated from the table) and used to build another query, no further escaping or validation is done.
The process
Find a place where stored data is reused in a query,
then build the payload that will be stored.
Take sql-lab Less-24 as the example:
The index page shows a login form with a link to register a new user.
The users table already contains a user abcd with password abcd; this is the account the attack takes over.
Register a new user:
username: abcd'#  (the single quote closes the quote the query opened; # comments out everything after it)
password: 1234
Registration escapes the input, so the INSERT goes through and the name abcd'# is stored literally in the table.
Log in:
username: abcd'#
password: 1234
After logging in the page shows: you are logged in
From the logged-in page, change the password: current password 1234, new password aaaa. The change reports success, but the row it updates belongs to abcd, not to abcd'#; logging in as abcd with password aaaa confirms it.
Now look at the back-end code to see why.
new_user.php (the registration form; its action, login_create.php, performs the escaped INSERT and is not reproduced on this page)

<?php include '../sql-connections/sql-connect.php' ; ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title><?php echo $feedback_title_ns; ?> </title>
</head>
<body bgcolor="#000000">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<font size="3" color="#FFFF00">
<div style="text-align:center">
<form name="mylogin" method="POST" action="login_create.php">
<h2 style="text-align:center;background-image:url('../images/Less-24-new-user.jpg');background-repeat:no-repeat;background-position:center center">
<div style="padding-top:300px;text-align:center;color:#FFFF00;"><?php echo $form_title_ns; ?></div>
</h2>
<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right"> <font size="3" color="#FFFF00"> <strong>Desired Username:</strong></font> </td>
<td style="text-align:left"><input name="username" id="username" type="text" value="" /> </td>
</tr>
<tr>
<td style="text-align:right"> <font size="3" color="#FFFF00"><strong>Password:</strong> </font> </td>
<td style="text-align:left"><input name="password" id="password" type="password" value="" /> </td>
</tr>
<tr>
<td style="text-align:right"> <font size="3" color="#FFFF00"> <strong>Retype Password:</strong> </font> </td>
<td style="text-align:left"> <input name="re_password" id="re_password" type="password" value="" /> </td>
</tr>
<tr>
<td colspan="2" style="text-align:right"> <input name="submit" id="submit" type="submit" value="Register" /><br/><br/> </td>
</tr>
</table>
</div>
</form>
</div>
</body>
</html>

index.php

<?PHP
session_start();
if (isset($_SESSION['username']) && isset($_COOKIE['Auth'])) {
    header('Location: logged-in.php');
}
?>
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>Less-24 - Second Degree Injections </title>
</head>
<body bgcolor="#000000">
<div style="text-align:center">
<form name="login" method="POST" action="login.php">
<h2 style="text-align:center;background-image:url('../images/Less-24.jpg');background-repeat:no-repeat;background-position:center center">
<div style="padding-top:300px;text-align:center;color:#FFFF00;"><?php echo $form_title_in; ?></div>
</h2>
<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right"> <font size="3" color="#FFFF00"> <strong>Username:</strong> </td>
<td style="text-align:left"> <input name="login_user" id="login_user" type="text" value="" /> </td>
</tr>
<tr>
<td style="text-align:right"> <font size="3" color="#FFFF00"> <strong>Password:</strong> </td>
<td style="text-align:left"> <input name="login_password" id="login_password" type="password" value="" /> </td>
</tr>
<tr>
<td colspan="2" style="text-align:right"> <input name="mysubmit" id="mysubmit" type="submit" value="Login" /><br/><br/><a style="font-size:.8em;color:#FFFF00" href="forgot_password.php">Forgot your password?</a><font size="3" color="#FFFF00"> ||</font> <a style="font-size:.8em;color:#FFFF00" href="new_user.php">New User click here?</a> </td>
</tr>
</table>
</div>
</form>
</div>
</body>
</html>

login.php

<html>
<head>
</head>
<body bgcolor="#000000">
<font size="3" color="#FFFF00">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?PHP
session_start();
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function sqllogin(){
    // Both inputs are escaped, so this SELECT is not injectable (first-order safe).
    $username = mysql_real_escape_string($_POST["login_user"]);
    $password = mysql_real_escape_string($_POST["login_password"]);
    $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
    //$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
    $res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
    $row = mysql_fetch_row($res);
    //print_r($row) ;
    if ($row[1]) {
        // $row[1] is the username column exactly as the table stores it
        return $row[1];
    } else {
        return 0;
    }
}

$login = sqllogin();
if (!$login== 0) {
    // The stored username, quote and all, is what goes into the session.
    $_SESSION["username"] = $login;
    setcookie("Auth", 1, time()+3600); /* expire in 1 hour */
    header('Location: logged-in.php');
} else {
?>
<tr><td colspan="2" style="text-align:center;"><br/><p style="color:#FF0000;"> <center> <img src="../images/slap1.jpg"> </center> </p></td></tr>
<?PHP
}
?>
</body>
</html>

pass_change.php

<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
if (!isset($_COOKIE["Auth"])) {
    if (!isset($_SESSION["username"])) {
        header('Location: index.php');
    }
    header('Location: index.php');
}
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

if (isset($_POST['submit'])) {
    # Validating the user input........
    // $username comes from the session, not from the request, and is NOT escaped:
    // it is trusted because it originally came out of the database.
    $username= $_SESSION["username"];
    $curr_pass= mysql_real_escape_string($_POST['current_password']);
    $pass= mysql_real_escape_string($_POST['password']);
    $re_pass= mysql_real_escape_string($_POST['re_password']);
    if($pass==$re_pass){
        $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
        $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
        $row = mysql_affected_rows();
        echo '<font size="3" color="#FFFF00">';
        echo '<center>';
        if($row==1){
            echo "Password successfully updated";
        }else{
            header('Location: failed.php');
            //echo 'You tried to be smart, Try harder!!!! :( ';
        }
    }else{
        echo '<font size="5" color="#FFFF00"><center>';
        echo "Make sure New Password and Retype Password fields have same value";
        header('refresh:2, url=index.php');
    }
}
?>
<?php
if(isset($_POST['submit1'])) {
    session_destroy();
    setcookie('Auth', 1 , time()-3600);
    header ('Location: index.php');
}
?>
</center>
</body>
</html>

The vulnerable statement is this one in pass_change.php:

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

$pass and $curr_pass are escaped, but $username is read straight from $_SESSION, where login.php stored the username exactly as the users table holds it. With the session holding abcd'# and a new password of aaaa, the statement becomes:

update users set password='aaaa' where username='abcd'# and password='xxxx'

Everything after # is a comment, so the current-password check is dropped and the row that matches username='abcd' is the one updated: the attacker has reset the real user abcd's password to aaaa without ever knowing it. mysql_affected_rows() returns 1, so the page even reports "Password successfully updated".
In short: first get the payload stored, then trigger the code path that reads it back into a query.
Defenses:
Filter or escape dangerous characters at the point where data enters a query, not only at the point where it enters the application. A value that was escaped before the INSERT is raw again once it has been read back from the table or the session, so the UPDATE in pass_change.php needs the same treatment as the INSERT and the SELECT.
Use PDO with prepared statements (bound parameters) for every query, including those whose inputs "only" come from the database or the session. A bound value is never parsed as SQL, so a stored quote or comment marker is harmless no matter how many times it is reused.
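The two-step chain from the principle section and the Less-24 walkthrough, together with the parameterized fix from the defenses, as one added example that is not part of the original write-up or of sql-lab. It is a Python simulation against an in-memory SQLite table (a constructed fixture), with registration, login and password-change handlers written the same way as the PHP above, and a bound-parameter version of the UPDATE standing in for the PDO prepared statement. Two details are assumptions of this example, forced by SQLite: the escape helper doubles the quote (SQLite's escaping) instead of backslash-escaping it as mysql_real_escape_string does, and the payload ends in `-- ` instead of `#`, because SQLite has no `#` comment (MySQL accepts both). The lesson is unchanged: the INSERT and the SELECT are safe, the table still holds the raw quote, and the UPDATE that trusts it is where the injection fires.

```python
import sqlite3


def escape(value: str) -> str:
    # Stand-in for mysql_real_escape_string(): makes a value safe inside a
    # single-quoted literal. SQLite doubles the quote (assumption of this
    # example; MySQL backslash-escapes it). Either way the statement is safe
    # and the table still ends up holding the raw quote.
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    # Constructed fixture: the users table with the victim account from the walkthrough.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('abcd', 'abcd')")
    db.commit()
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    # Registration handler: escapes, then concatenates. First-order safe, and
    # the stored username is the original text, quote included.
    sql = (f"INSERT INTO users (username, password) "
           f"VALUES ('{escape(username)}', '{escape(password)}')")
    db.execute(sql)
    db.commit()


def login(db: sqlite3.Connection, username: str, password: str):
    # login.php analogue: also escaped, also safe. Returns the username as the
    # table stores it, which is what the PHP puts into $_SESSION.
    sql = (f"SELECT username FROM users WHERE username='{escape(username)}' "
           f"AND password='{escape(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def change_password_vulnerable(db: sqlite3.Connection, session_username: str,
                               current: str, new: str) -> int:
    # pass_change.php analogue: the session username is trusted because it
    # "came from the database", so it is spliced in without escaping.
    sql = (f"UPDATE users SET password='{escape(new)}' "
           f"WHERE username='{session_username}' AND password='{escape(current)}'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount          # mirrors mysql_affected_rows()


def change_password_safe(db: sqlite3.Connection, session_username: str,
                         current: str, new: str) -> int:
    # Same logic with bound parameters (what a PDO prepared statement does):
    # the stored quote and comment marker are data, never SQL.
    cur = db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                     (new, session_username, current))
    db.commit()
    return cur.rowcount


def password_of(db: sqlite3.Connection, username: str):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


# Constructed payload; the MySQL form in the walkthrough is abcd'#.
# The quote closes the literal, the comment marker swallows the rest of the WHERE clause.
ATTACKER = "abcd'-- "


def run_attack(change_password):
    # Full chain: register the payload, log in as it, change the password, then
    # report (victim's password, attacker's password, rows the UPDATE touched).
    db = new_db()
    register(db, ATTACKER, "1234")                      # step 1: store the malicious data
    session_username = login(db, ATTACKER, "1234")
    assert session_username == ATTACKER                 # the raw quote survived the round trip
    affected = change_password(db, session_username, "1234", "aaaa")  # step 2: reuse it
    return password_of(db, "abcd"), password_of(db, ATTACKER), affected


if __name__ == "__main__":
    print("concatenated UPDATE:", run_attack(change_password_vulnerable))  # ('aaaa', '1234', 1): abcd's password reset
    print("parameterized UPDATE:", run_attack(change_password_safe))       # ('abcd', 'aaaa', 1): only the attacker's own row
```

With the concatenated UPDATE the victim abcd ends up with password aaaa while the attacker's own row is untouched, and the handler still reports one affected row, exactly the "Password successfully updated" the PHP prints. With bound parameters the same payload only changes the attacker's own password.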
Summary
Escaping input on the way in does not defeat second-order injection. Every place where data is concatenated into SQL is an injection point, including data read back from the database or carried in the session, unless that query is parameterized.