Web Cookbook Multiple SQL Injection

Source: 自学PHP网    Time: 2015-04-17 11:59

Title: Web Cookbook Multiple SQL Injection
Author: Saadat Ullah, saadi_linux@rocketmail.com
Download: http://sourceforge.net/projects/webcookbook/
Homepage: http://security-geeks.blogspot.com/
Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
 
# SQL Injection
 
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
http://localhost/cook/showtext.php?mode=[SQLi]
# Proof of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art); // $mode is passed to the function without being sanitized
.
.
function showText($kategorie, $art) {
    initDB();
    echo "<div class=\"rdisplay\">\n";
    $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; // unsanitized value interpolated into the query
    $result = mysql_query($query);
.
.
All GET fields are vulnerable to SQLi:
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
# PoC
In searchrecipe.php
    $title = $_GET['title'];
    $prefix = $_GET['prefix'];
    $preparation = $_GET['preparation'];
    $postfix = $_GET['postfix'];
    $tipp = $_GET['tipp'];
    $ingredient = $_GET['ingredient'];
    .
    .
    .
    if ($title != "") {
        $sstring = "a.title LIKE '%$title%' ";
    }
    .
    .
    searchRecipe($mode, $sstring);
    .
    .
In function searchRecipe:
    $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
Proof of concept:
$sstring = $_GET['sstring'];
        if ($sstring != "") {
            searchRecipe(0, $sstring);
.
.
.
    $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
A simple non-persistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
#Independent Pakistani Security Researcher
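
A hardened counterpart to the showText() and searchRecipe() excerpts above, added here as an illustration and not taken from the advisory or from Web Cookbook: the numeric id is validated and bound, the search term is bound with LIKE wildcards escaped, and reflected values are HTML-encoded on output. It assumes PDO with an in-memory SQLite database and constructed rows; the `body` column and the helper `h()` are hypothetical.

```php
<?php
// Added example, not Web Cookbook's code. Assumes PDO with an in-memory SQLite
// database; rows and the dat_texte "body" column are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dat_texte (id INTEGER PRIMARY KEY, body TEXT);
    CREATE TABLE das_rezept (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE dat_ingredient (recipe INTEGER, description TEXT);
    INSERT INTO dat_texte VALUES (1, 'Welcome');
    INSERT INTO das_rezept VALUES (1, 'Apple pie'), (2, '100% rye bread');
    INSERT INTO dat_ingredient VALUES (1, 'apples'), (2, 'rye flour');");

function showText(PDO $db, $mode): array {
    // The id is numeric, so reject anything that is not a plain integer.
    $id = filter_var($mode, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM dat_texte WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function searchRecipe(PDO $db, string $sstring): array {
    // Escape LIKE wildcards so the input matches literally, then bind it.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $sstring) . '%';
    // Parentheses make the join apply to both branches (AND binds tighter than OR).
    $stmt = $db->prepare(
        "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b
         WHERE a.id = b.recipe
           AND (a.title LIKE :t ESCAPE '!' OR b.description LIKE :d ESCAPE '!')
         ORDER BY a.title");
    $stmt->execute([':t' => $like, ':d' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function h(string $s): string {
    // Encode on output so a reflected title is rendered as text, not markup.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs shaped like the advisory's test values.
foreach (['1', '1 OR 1=1'] as $mode) {
    printf("mode=%s rows=%d\n", $mode, count(showText($db, $mode)));
}
foreach (['pie', "x' OR '1'='1", '100%', "<script>alert('hi');</script>"] as $term) {
    $titles = array_column(searchRecipe($db, $term), 'title');
    printf("search=%s hits=%s\n", h($term), h(implode(', ', $titles)));
}
```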
