SQL注入登录绕过

时间:2011-06-02 14:45:40

标签: php mysql sql

我准备SQL注入易受攻击的页面来测试技能,这里是我的代码:

<?php
    echo "<center><h1>Login Bypass</h1></center>";
    include 'config.php';
    mysql_connect($host, $user, $password) or die(mysql_error());
    mysql_select_db($database) or die(mysql_error());

    $name = $_REQUEST['name'];
    $passwd = $_REQUEST['passwd'];
    $query_string = "SELECT * FROM users WHERE username = '$name' AND password = '$passwd'";
    echo "<center>".$query_string."</center><br/>";
    $query = mysql_query($query_string) or die(mysql_error());
    $row = mysql_fetch_array($query);
    if(mysql_num_rows($query)>0)
        echo "<center>SUCCESS</center><br/>";
    else echo "<center>ACCESS DENIED</center><br/>";
    echo "<center>".$row['email']."</center><br/>";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
    <title>Login Bypass</title>
    <meta http-equiv="content-type" content="text/html;charset=utf-8" />
    <meta name="generator" content="Geany 0.19.1" />
</head>

<body>
    <center>
    <form action="login_bypass.php" method="get">
        Login: <input name="name">
        Password: <input name="passwd" >
        <input type="submit" value="CHECK">
    </form>
    </center>
</body>

</html>

我还有表用户,我有username ='agajan'和密码='12345'email='torayeff@gmail.com'。 我知道这个查询容易受到攻击:

$query_string = "SELECT * FROM users WHERE username = '$name' AND password = '$passwd'";  

但是当我插入而不是用户名下面的“agajan'/ *”并将密码字段留空时我得到:

SELECT * FROM users WHERE username = 'agajan' /* ' AND password = ' ' 

...但是它给了我mysql错误。谁能解释一下为什么我不能注入sql?

5 个答案:

答案 0 :(得分:4)

你没有关闭你的评论。试试

“agajan'; - ”

SELECT * 
  FROM users 
 WHERE username = 'agajan'; --  ' AND password = ' ' 

答案 1 :(得分:2)

可能您没有干净地关闭C风格的评论,因此您在评论中设置了语法错误。使用双击--评论。

答案 2 :(得分:1)

这不是有效的评论,因为您使用内联评论也需要关闭*/

请改为使用--#条评论,因此您需要传递agajan' --agajan' #

MySql评论语法:http://dev.mysql.com/doc/refman/5.1/en/comments.html

答案 3 :(得分:0)

因为SQL语句本身无效。它没有通过正确格式化的测试。

SELECT * 
  FROM users 
 WHERE username = 'agajan' /* ' AND password = ' '

考虑输入“agajan'; SELECT 1 FROM users WHERE user ='agajan'”

UPDATE users 
 SET priv = 'superuser'
 WHERE username = 'agajan'; SELECT * FROM users WHERE user = 'agajan' AND password = ' '

答案 4 :(得分:0)

你忘了“;”在$ username

之前