—————— 搜索型注入 加固
https://blog.csdn.net/weixin_43622525/article/details/123339432
搜索型注入:
其实对于初学 SQL 注入,并不需要区分注入类型。
但是要理解搜索型注入,首先需要理解 SQL 的模糊查询语句(LIKE),举个例子
我们希望从 "limo_666" 表中选取居住在包含 "limo" 的城市里的人:
我们可以使用下面的 SELECT 语句:
SELECT * FROM limo_666
WHERE City LIKE '%limo%'
通常来讲,SQL 注入是后台把用户输入直接拼接进数据库查询语句、没有区分"代码"和"数据"导致的。
现在再举个例子:比如后台的查询语句为
select email from member where id like '%要查询的关键字%'
当我们输入的关键字为 ' or '%'=' 时,拼接后变成
select email from member where id like '%' or '%'='%'
输入中的第一个单引号闭合了原来的 '%,随后的 or '%'='%' 恒为真(右侧的 %' 是模板自带的结尾),所以整条语句会返回所有记录。
其实对于初学 SQL 注入,并不需要区分注入类型。
但是要理解搜索型注入,首先需要理解 SQL 的模糊查询语句(LIKE),举个例子
我们希望从 "limo_666" 表中选取居住在包含 "limo" 的城市里的人:
我们可以使用下面的 SELECT 语句:
SELECT * FROM limo_666
WHERE City LIKE '%limo%'
通常来讲,SQL 注入是后台把用户输入直接拼接进数据库查询语句、没有区分"代码"和"数据"导致的。
现在再举个例子:比如后台的查询语句为
select email from member where id like '%要查询的关键字%'
当我们输入的关键字为 ' or '%'=' 时,拼接后变成
select email from member where id like '%' or '%'='%'
输入中的第一个单引号闭合了原来的 '%,随后的 or '%'='%' 恒为真(右侧的 %' 是模板自带的结尾),所以整条语句会返回所有记录。
不用闭合引号、直接输入 % 也能把表里的记录全部查出来:因为后台没有对 % 和 _ 做处理,而它们是 LIKE 的通配符(% 匹配任意长度的任意字符,_ 匹配单个字符)。严格来说这不算"注入"(语句结构没有改变),但同样造成数据泄露,而且 addslashes 这类只处理引号的函数对它完全无效——需要在拼接前把 %、_ 以及转义字符本身转义成字面量。
源代码
<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 *
 * Deliberately vulnerable "search" page from the Pikachu range: the keyword
 * the user types is pasted straight into a LIKE pattern and echoed back to
 * the browser without encoding. The behaviour is kept exactly as in the
 * original (it is the thing being demonstrated); the comments mark the spots
 * a reviewer would flag.
 */
$SELF_PAGE = substr($_SERVER['PHP_SELF'], strrpos($_SERVER['PHP_SELF'], '/') + 1);

// NOTE(review): a single '=' is an assignment, so this condition is always
// true and $SELF_PAGE is overwritten. Left untouched; it has no bearing on
// the injection itself.
if ($SELF_PAGE = "sqli_search.php") {
    $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
}

$PIKA_ROOT_DIR = "../../";
include_once $PIKA_ROOT_DIR . 'header.php';
include_once $PIKA_ROOT_DIR . "inc/config.inc.php";
include_once $PIKA_ROOT_DIR . "inc/function.php";
include_once $PIKA_ROOT_DIR . "inc/mysql.inc.php";

$link = connect();
$html1 = '';   // one <p> per matching row (or the "nothing found" notice)
$html2 = '';   // heading that repeats the search term

if (isset($_GET['submit']) && $_GET['name'] != null) {
    // SQL injection: no validation or escaping, the raw value goes into SQL.
    $keyword = $_GET['name'];

    // The value sits inside '%...%', so a payload has to close that quote,
    // e.g.  ' or '%'='   ->  ... like '%' or '%'='%'   (always true).
    // A bare % also matches every row, because % is a LIKE wildcard.
    $query = "select username,id,email from member where username like '%{$keyword}%'";
    $result = execute($link, $query);

    if (mysqli_num_rows($result) >= 1) {
        // Bonus XSS: the search term is reflected into the page unencoded.
        $html2 .= "<p class='notice'>用户名中含有{$_GET['name']}的结果如下:<br />";
        while ($row = mysqli_fetch_assoc($result)) {
            // Database values are emitted without HTML encoding as well.
            $html1 .= "<p class='notice'>username:{$row['username']}<br />uid:{$row['id']} <br />email is: {$row['email']}</p>";
        }
    } else {
        $html1 .= "<p class='notice'>0o。..没有搜索到你输入的信息!</p>";
    }
}
?>

<div class="main-content">
<div class="main-content-inner">
<div class="breadcrumbs ace-save-state" id="breadcrumbs">
<ul class="breadcrumb">
<li>
<i class="ace-icon fa fa-home home-icon"></i>
<a href="sqli.php">sqli</a>
</li>
<li class="active">搜索型注入</li>
</ul><!-- /.breadcrumb -->

<a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
data-content="%%">
点一下提示~
</a>

</div>
<div class="page-content">

<div id="sqli_main">
<p class="sqli_title">请输入用户名进行查找<br />如果记不住用户名,输入用户名的一部分搜索的试试看?</p>
<form method="get">
<input class="sqli_in" type="text" name="name" />
<input class="sqli_submit" type="submit" name="submit" value="搜索" />
</form>
<?php echo $html2; echo $html1; ?>
</div>

</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->

<?php
include_once $PIKA_ROOT_DIR . 'footer.php';
?>
$query="select username,id,email from member where username like '%1' or '1'='1'#'";


可以看见存在sql注入
下面开始修复
点击下面查看代码
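<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 *
 * Hardened version of the "search" SQL-injection page.
 *
 * The original concatenated $_GET['name'] into a LIKE pattern, and the first
 * attempt at a fix only wrapped it in addslashes(). That stops the quote-based
 * payload but leaves two problems: the LIKE wildcards % and _ are untouched
 * (a search for "%" still returns every row, which is exactly what the page's
 * own "%%" hint exploits), and the search term plus the database values are
 * still echoed into the HTML unencoded. This version:
 *   - sends the pattern through a mysqli prepared statement, so user text is
 *     never part of the SQL string at all;
 *   - escapes % and _ so they match literally, with an explicit ESCAPE
 *     character that does not depend on sql_mode / backslash handling;
 *   - HTML-encodes everything that is written back to the page.
 */
$SELF_PAGE = substr($_SERVER['PHP_SELF'], strrpos($_SERVER['PHP_SELF'], '/') + 1);

// Comparison, not assignment: the original used a single '=' here, which is
// always true and silently overwrote $SELF_PAGE.
if ($SELF_PAGE == "sqli_search.php") {
    $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
}

$PIKA_ROOT_DIR = "../../";
include_once $PIKA_ROOT_DIR . 'header.php';
include_once $PIKA_ROOT_DIR . "inc/config.inc.php";
include_once $PIKA_ROOT_DIR . "inc/function.php";
include_once $PIKA_ROOT_DIR . "inc/mysql.inc.php";

// connect() comes from inc/mysql.inc.php. The mysqli_stmt_* calls below assume
// it returns a mysqli link -- the original page already called
// mysqli_num_rows()/mysqli_fetch_assoc() on results from this link.
$link = connect();
$html1 = '';   // one <p> per matching row (or the "nothing found" notice)
$html2 = '';   // heading that repeats the search term

// Reject missing, empty and non-string input (?name[]=x) before touching it.
if (isset($_GET['submit'], $_GET['name']) && is_string($_GET['name']) && $_GET['name'] !== '') {
    $name = $_GET['name'];

    // Make the user's text match literally inside LIKE: % and _ are
    // wildcards, so each one is prefixed with the escape character, and the
    // escape character itself is doubled. '!' is used instead of backslash so
    // the result is the same whether or not sql_mode=NO_BACKSLASH_ESCAPES
    // is in effect.
    $pattern = '%' . strtr($name, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

    // Parameterised query: the pattern travels as a bound value, never as SQL
    // text, so quotes in it cannot change the statement.
    $sql = "select username,id,email from member where username like ? escape '!'";
    $stmt = mysqli_prepare($link, $sql);
    $ok = $stmt !== false
        && mysqli_stmt_bind_param($stmt, 's', $pattern)
        && mysqli_stmt_execute($stmt)
        // store_result + bind_result instead of get_result: works without mysqlnd.
        && mysqli_stmt_store_result($stmt);

    if (!$ok) {
        // Generic message on purpose: mysqli_error() would leak schema details.
        $html1 .= "<p class='notice'>查询失败,请稍后再试</p>";
    } elseif (mysqli_stmt_num_rows($stmt) >= 1) {
        // The original echoed $_GET['name'] raw (its "bonus" XSS); encode the
        // reflected term and every stored value for the HTML context.
        $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html2 .= "<p class='notice'>用户名中含有{$safeName}的结果如下:<br />";

        mysqli_stmt_bind_result($stmt, $uname, $id, $email);
        while (mysqli_stmt_fetch($stmt)) {
            $safeUname = htmlspecialchars((string) $uname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $safeId    = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $safeEmail = htmlspecialchars((string) $email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $html1 .= "<p class='notice'>username:{$safeUname}<br />uid:{$safeId} <br />email is: {$safeEmail}</p>";
        }
    } else {
        $html1 .= "<p class='notice'>0o。..没有搜索到你输入的信息!</p>";
    }

    if ($stmt !== false) {
        mysqli_stmt_close($stmt);
    }
}
?>
<div class="main-content">
<div class="main-content-inner">
<div class="breadcrumbs ace-save-state" id="breadcrumbs">
<ul class="breadcrumb">
<li>
<i class="ace-icon fa fa-home home-icon"></i>
<a href="sqli.php">sqli</a>
</li>
<li class="active">搜索型注入</li>
</ul><!-- /.breadcrumb -->
<a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
data-content="%%">
点一下提示~
</a>
</div>
<div class="page-content">
<div id="sqli_main">
<p class="sqli_title">请输入用户名进行查找<br />如果记不住用户名,输入用户名的一部分搜索的试试看?</p>
<form method="get">
<input class="sqli_in" type="text" name="name" />
<input class="sqli_submit" type="submit" name="submit" value="搜索" />
</form>
<?php echo $html2; echo $html1; ?>
</div>
</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->
<?php
include_once $PIKA_ROOT_DIR . 'footer.php';
?>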
在第 27 行把取值改成 $name=addslashes($_GET['name']); 后继续测试。需要注意:addslashes 只会在 '、"、\ 和 NUL 前面加反斜杠,它能挡住上面依赖单引号闭合的 payload,但并不是完整的修复——% 和 _ 通配符原样保留(直接搜 % 仍然会列出全部记录),第 34 行把 $_GET['name'] 原样输出的反射型 XSS 也没有处理;而且如果数据库连接使用 GBK 之类的多字节字符集,单纯加反斜杠还可能被宽字节绕过。根本的做法是使用预处理语句(mysqli_prepare / PDO)把关键字作为参数绑定,并把 %、_ 转义成字面量,输出时用 htmlspecialchars 编码。




此时依赖单引号闭合的 SQL 注入 payload 已经失效,但这只是权宜之计:通配符 % / _ 造成的全表泄露、以及把搜索词原样回显的反射型 XSS 仍然存在。要彻底修复,应当改用预处理语句绑定 LIKE 模式(并把 %、_ 转义为字面量),输出时用 htmlspecialchars 做 HTML 编码。
