—————— Search-type injection: hardening
https://blog.csdn.net/weixin_43622525/article/details/123339432
Search-type injection:
For someone just starting out with SQL injection, there is no real need to distinguish between injection types.
But to understand search-type injection you first have to understand SQL's search-type statement. An example:
we want to select, from the table "limo_666", the people who live in a city whose name contains "limo":
we can use the following SELECT statement:
SELECT * FROM limo_666
WHERE City LIKE '%limo%'
Generally speaking, SQL injection is simply the result of the back-end database query not being written carefully enough.
Now another example. Suppose the back-end query is
select email from member where id like '%要查询的关键字%'
(where 要查询的关键字 stands for the keyword being searched for). When the keyword we enter is ' or '%'=' , the query becomes
select email from member where id like '%' or '%'='%'
It is clear that the or condition in the latter is always true.
Entering % on its own also works: because nothing is filtered, % matches any characters in the database query.
Source code (the PHP part of sqli_search.php, with the file's line numbers, since the fix below refers to line 27; the original compares with a single "=" on line 10, which is an assignment that is always true, corrected here to "=="):

1  <?php
2  /**
3   * Created by runner.han
4   * There is nothing new under the sun
5   */
6
7
8  $SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
9
10 if ($SELF_PAGE == "sqli_search.php"){
11     $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
12 }
13
14 $PIKA_ROOT_DIR = "../../";
15 include_once $PIKA_ROOT_DIR . 'header.php';
16
17 include_once $PIKA_ROOT_DIR."inc/config.inc.php";
18 include_once $PIKA_ROOT_DIR."inc/function.php";
19 include_once $PIKA_ROOT_DIR."inc/mysql.inc.php";
20
21 $link=connect();
22 $html1='';
23 $html2='';
24 if(isset($_GET['submit']) && $_GET['name']!=null){
25
26     // Nothing is done to the value here; it is concatenated straight into the select
27     $name=$_GET['name'];
28
29     // This variable goes into a fuzzy (LIKE) match, so closing the quotes has to be considered
30     $query="select username,id,email from member where username like '%$name%'";
31     $result=execute($link, $query);
32     if(mysqli_num_rows($result)>=1){
33         // Easter egg: there is an XSS here as well
34         $html2.="用户名中含有{$_GET['name']}的结果如下:";
35         while($data=mysqli_fetch_assoc($result)){
36             $uname=$data['username'];
37             $id=$data['id'];
38             $email=$data['email'];
39             $html1.="username:{$uname} uid:{$id} email is: {$email}";
40         }
41     }else{
42
43         $html1.="0o。..没有搜索到你输入的信息!";
44     }
45 }
46
47
48
49 ?>

Lines 50-94 are the page's HTML template (breadcrumbs "sqli / 搜索型注入", the "请输入用户名进行查找" search form with its "点一下提示~" hint button, the prompt "如果记不住用户名,输入用户名的一部分搜索的试试看?", and <?php echo $html2;echo $html1;?> where the results are printed), ending with:

91 <?php
92 include_once $PIKA_ROOT_DIR . 'footer.php';
93
94 ?>

The hint attached to the result line ("by limo, click to view") shows how the query changes. Original:
$query="select username,id,email from member where username like '%$name%'";
With the input 1' or '1'='1'# it becomes:
$query="select username,id,email from member where username like '%1' or '1'='1'#'";
As you can see, SQL injection is present.
Now let's fix it.
The fixed code is as follows (same file; the "=" on the page-detection line is corrected to "==" as above):
<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 */

$SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);

if ($SELF_PAGE == "sqli_search.php"){
    $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
}

$PIKA_ROOT_DIR = "../../";
include_once $PIKA_ROOT_DIR . 'header.php';

include_once $PIKA_ROOT_DIR."inc/config.inc.php";
include_once $PIKA_ROOT_DIR."inc/function.php";
include_once $PIKA_ROOT_DIR."inc/mysql.inc.php";

$link=connect();
$html1='';
$html2='';
if(isset($_GET['submit']) && $_GET['name']!=null){

    // The value is now passed through addslashes() before being concatenated into the select
    $name=addslashes($_GET['name']);

    // This variable goes into a fuzzy (LIKE) match, so closing the quotes has to be considered
    $query="select username,id,email from member where username like '%$name%'";
    $result=execute($link, $query);
    if(mysqli_num_rows($result)>=1){
        // Easter egg: there is an XSS here as well
        $html2.="用户名中含有{$_GET['name']}的结果如下:";
        while($data=mysqli_fetch_assoc($result)){
            $uname=$data['username'];
            $id=$data['id'];
            $email=$data['email'];
            $html1.="username:{$uname} uid:{$id} email is: {$email}";
        }
    }else{

        $html1.="0o。..没有搜索到你输入的信息!";
    }
}

?>
(HTML template as before)
<?php
include_once $PIKA_ROOT_DIR . 'footer.php';
?>
Change line 27 to the following and test again: $name=addslashes($_GET['name']);
With that, the SQL injection is fixed.
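As an added example (not the page's or the Pikachu project's own code), the same search done with a mysqli prepared statement: addslashes() stops a quote from closing the string literal, but it leaves the LIKE wildcards % and _ unescaped and depends on the connection charset, whereas a bound parameter keeps the query structure fixed regardless of input. It assumes $link is the open mysqli connection returned by the page's connect(), the member table with username, id and email columns that the page queries, and PHP 7.4 or later.

```php
<?php
// Added example, not the page's or the Pikachu project's code.
// Assumes $link is the mysqli connection the page's connect() returns.

// Escape LIKE metacharacters so the user's text is matched literally.
// "!" is used as the escape character instead of "\" so the behaviour
// does not depend on the server's NO_BACKSLASH_ESCAPES sql_mode.
function like_escape(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

function search_members(mysqli $link, string $name): array
{
    // The SQL text is constant; the pattern travels separately as a bound
    // parameter, so a quote or "#" in $name can no longer alter the query.
    $stmt = $link->prepare(
        "select username,id,email from member where username like ? escape '!'"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $pattern = '%' . like_escape($name) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// HTML-encode everything echoed back; this also closes the reflected XSS
// that the source comments call an "easter egg".
function render_results(string $name, array $rows): string
{
    $h = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    if ($rows === []) {
        return '0o。..没有搜索到你输入的信息!';
    }
    $out = '用户名中含有' . $h($name) . '的结果如下:<br />';
    foreach ($rows as $row) {
        $out .= 'username:' . $h($row['username'])
              . '<br />uid:' . $h((string)$row['id'])
              . '<br />email is: ' . $h($row['email']) . '<br />';
    }
    return $out;
}

// Usage in place of lines 27-44 of the original file:
// $html1 = render_results($_GET['name'], search_members($link, $_GET['name']));
```

With this version the inputs from the page (' or '%'=' , a bare %, and 1' or '1'='1'#) are all searched for as literal usernames and return no rows.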