Welcome to the NetSPI SQL Injection Wiki:https://sqlwiki.netspi.com/
因为需要了解下 SQL 注入,就使用 PHP 自己写了一个只有一个网页的网站测试下,现在记录下过程。。。
直接使用的 KALI系统 (KALI官网:Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution)。KALI 是一个渗透测试的神器。集成了好多黑客工具,当然也就集成了许多开发所需的环境。
这里只涉及 MySQL 和 apache
启动 MySQL :
root@kali:~# systemctl start mysql //启动 mysql 服务
root@kali:~# systemctl status mysql //查看 mysql 状态
SQL 建表脚本(添加一些测试数据):
MySQL样例数据库脚本:MySQL样例数据库脚本_数据库脚本-MySQL代码类资源-CSDN下载
DROP SCHEMA IF EXISTS world;
CREATE SCHEMA world;
USE world;
SET AUTOCOMMIT=0;--
-- Table structure for table `City`
--DROP TABLE IF EXISTS `City`;CREATE TABLE `City` (`ID` int(11) NOT NULL AUTO_INCREMENT,`Name` char(35) NOT NULL DEFAULT '',`CountryCode` char(3) NOT NULL DEFAULT '',`District` char(20) NOT NULL DEFAULT '',`Population` int(11) NOT NULL DEFAULT '0',PRIMARY KEY (`ID`),KEY `CountryCode` (`CountryCode`),CONSTRAINT `city_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)
) ENGINE=InnoDB AUTO_INCREMENT=4080 DEFAULT CHARSET=latin1;--
-- Dumping data for table `City`
--
-- ORDER BY: `ID`INSERT INTO `City` VALUES (1,'Kabul','AFG','Kabol',1780000);
INSERT INTO `City` VALUES (2,'Qandahar','AFG','Qandahar',237500);
INSERT INTO `City` VALUES (3,'Herat','AFG','Herat',186800);
INSERT INTO `City` VALUES (4,'Mazar-e-Sharif','AFG','Balkh',127800);
INSERT INTO `City` VALUES (5,'Amsterdam','NLD','Noord-Holland',731200);
INSERT INTO `City` VALUES (6,'Rotterdam','NLD','Zuid-Holland',593321);
INSERT INTO `City` VALUES (7,'Haag','NLD','Zuid-Holland',440900);
INSERT INTO `City` VALUES (8,'Utrecht','NLD','Utrecht',234323);
INSERT INTO `City` VALUES (9,'Eindhoven','NLD','Noord-Brabant',201843);
INSERT INTO `City` VALUES (10,'Tilburg','NLD','Noord-Brabant',193238);
COMMIT;
--
-- Table structure for table `Country`
--DROP TABLE IF EXISTS `Country`;CREATE TABLE `Country` (`Code` char(3) NOT NULL DEFAULT '',`Name` char(52) NOT NULL DEFAULT '',`Continent` enum('Asia','Europe','North America','Africa','Oceania','Antarctica','South America') NOT NULL DEFAULT 'Asia',`Region` char(26) NOT NULL DEFAULT '',`SurfaceArea` float(10,2) NOT NULL DEFAULT '0.00',`IndepYear` smallint(6) DEFAULT NULL,`Population` int(11) NOT NULL DEFAULT '0',`LifeExpectancy` float(3,1) DEFAULT NULL,`GNP` float(10,2) DEFAULT NULL,`GNPOld` float(10,2) DEFAULT NULL,`LocalName` char(45) NOT NULL DEFAULT '',`GovernmentForm` char(45) NOT NULL DEFAULT '',`HeadOfState` char(60) DEFAULT NULL,`Capital` int(11) DEFAULT NULL,`Code2` char(2) NOT NULL DEFAULT '',PRIMARY KEY (`Code`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;--
-- Dumping data for table `Country`
--
-- ORDER BY: `Code`INSERT INTO `Country` VALUES ('ABW','Aruba','North America','Caribbean',193.00,NULL,103000,78.4,828.00,793.00,'Aruba','Nonmetropolitan Territory of The Netherlands','Beatrix',129,'AW');
INSERT INTO `Country` VALUES ('AFG','Afghanistan','Asia','Southern and Central Asia',652090.00,1919,22720000,45.9,5976.00,NULL,'Afganistan/Afqanestan','Islamic Emirate','Mohammad Omar',1,'AF');
INSERT INTO `Country` VALUES ('AGO','Angola','Africa','Central Africa',1246700.00,1975,12878000,38.3,6648.00,7984.00,'Angola','Republic','Jos?Eduardo dos Santos',56,'AO');
INSERT INTO `Country` VALUES ('AIA','Anguilla','North America','Caribbean',96.00,NULL,8000,76.1,63.20,NULL,'Anguilla','Dependent Territory of the UK','Elisabeth II',62,'AI');
INSERT INTO `Country` VALUES ('ALB','Albania','Europe','Southern Europe',28748.00,1912,3401200,71.6,3205.00,2500.00,'Shqip雛ia','Republic','Rexhep Mejdani',34,'AL');
INSERT INTO `Country` VALUES ('AND','Andorra','Europe','Southern Europe',468.00,1278,78000,83.5,1630.00,NULL,'Andorra','Parliamentary Coprincipality','',55,'AD');
INSERT INTO `Country` VALUES ('ANT','Netherlands Antilles','North America','Caribbean',800.00,NULL,217000,74.7,1941.00,NULL,'Nederlandse Antillen','Nonmetropolitan Territory of The Netherlands','Beatrix',33,'AN');
INSERT INTO `Country` VALUES ('ARE','United Arab Emirates','Asia','Middle East',83600.00,1971,2441000,74.1,37966.00,36846.00,'Al-Imarat al-碅rabiya al-Muttahida','Emirate Federation','Zayid bin Sultan al-Nahayan',65,'AE');
INSERT INTO `Country` VALUES ('ARG','Argentina','South America','South America',2780400.00,1816,37032000,75.1,340238.00,323310.00,'Argentina','Federal Republic','Fernando de la R鷄',69,'AR');
INSERT INTO `Country` VALUES ('ARM','Armenia','Asia','Middle East',29800.00,1991,3520000,66.4,1813.00,1627.00,'Hajastan','Republic','Robert Kot歛rjan',126,'AM');
INSERT INTO `Country` VALUES ('ASM','American Samoa','Oceania','Polynesia',199.00,NULL,68000,75.1,334.00,NULL,'Amerika Samoa','US Territory','George W. Bush',54,'AS');
COMMIT;
--
-- Table structure for table `CountryLanguage`
--DROP TABLE IF EXISTS `CountryLanguage`;CREATE TABLE `CountryLanguage` (`CountryCode` char(3) NOT NULL DEFAULT '',`Language` char(30) NOT NULL DEFAULT '',`IsOfficial` enum('T','F') NOT NULL DEFAULT 'F',`Percentage` float(4,1) NOT NULL DEFAULT '0.0',PRIMARY KEY (`CountryCode`,`Language`),KEY `CountryCode` (`CountryCode`),CONSTRAINT `countryLanguage_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;--
-- Dumping data for table `CountryLanguage`
--
-- ORDER BY: `CountryCode`,`Language`INSERT INTO `CountryLanguage` VALUES ('ABW','Dutch','T',5.3);
INSERT INTO `CountryLanguage` VALUES ('ABW','English','F',9.5);
INSERT INTO `CountryLanguage` VALUES ('ABW','Papiamento','F',76.7);
INSERT INTO `CountryLanguage` VALUES ('ABW','Spanish','F',7.4);
INSERT INTO `CountryLanguage` VALUES ('AFG','Balochi','F',0.9);
INSERT INTO `CountryLanguage` VALUES ('AFG','Dari','T',32.1);
INSERT INTO `CountryLanguage` VALUES ('AFG','Pashto','T',52.4);
INSERT INTO `CountryLanguage` VALUES ('AFG','Turkmenian','F',1.9);
INSERT INTO `CountryLanguage` VALUES ('AFG','Uzbek','F',8.8);
INSERT INTO `CountryLanguage` VALUES ('AGO','Ambo','F',2.4);
INSERT INTO `CountryLanguage` VALUES ('AGO','Chokwe','F',4.2);
COMMIT;SET AUTOCOMMIT=1;启动 apache
root@kali:~# systemctl start apache2
root@kali:~# systemctl status apache2
apache 的默认主页是 /var/www/html/index.html。直接访问 http://localhost/index.html
修改 index.html 为 index.php
index.php 内容如下: (数据库连接部分参考:https://www.runoob.com/php/php-pdo.html)
<?php
ini_set("display_errors", "On");
error_reporting(E_ALL | E_STRICT);print('Hello '); // 输出 "Hello " 并且没有换行符
echo "World\n"; // 输出 "World" 并且换行
echo "<br />";
echo "<hr />";
echo '<p align="center">DataBase connect test</p>';$dbms='mysql'; //数据库类型
$host='127.0.0.1'; //数据库主机名
$dbName='world'; //使用的数据库
$user='root'; //数据库连接用户名
$pass=''; //对应的密码
$dsn="$dbms:host=$host;dbname=$dbName";try {// 连接到数据库$dbh = new PDO($dsn, $user, $pass); $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $dbh->exec('set names utf8'); echo "连接成功<br/>";// sql 语句$strsql="SELECT id,name,countrycode FROM `City` LIMIT 5";//你还可以进行一次搜索操作foreach ($dbh->query($strsql) as $row) {//print_r($row); //你可以用 echo($GLOBAL); 来看到这些值echo "id: {$row['id']} ";echo "name: {$row['name']} ";echo "countrycode: {$row['countrycode']} ";echo "<br />";}$dbh = null;
} catch (PDOException $e) {die ("Error!: " . $e->getMessage() . "<br/>");
}
?><br />
<hr />
<p align="center">input test</p>
<form><div>Input Query ID:<input type="text" name="search" style="width:60%;" ><input type="submit" name="submit" value="Search" ><br /><br />SQL Query String : <?phpif(isset($_GET['submit'])) {$val = $_GET['search'];$str_sql = "SELECT id,name,countrycode FROM City where id = $val";echo "<b>$str_sql</b>";echo "<br />";$dbms='mysql'; //数据库类型$host='127.0.0.1'; //数据库主机名$dbName='world'; //使用的数据库$user='root'; //数据库连接用户名$pass=''; //对应的密码$dsn="$dbms:host=$host;dbname=$dbName";try {// 连接到数据库$dbh = new PDO($dsn, $user, $pass); $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $dbh->exec('set names utf8'); echo "<br /><br />";// 遍历foreach ($dbh->query($str_sql) as $row) {//print_r($row); //你可以用 echo($GLOBAL); 来看到这些值echo '<table border="1">';echo "<tr>";echo "<td>";echo "id: {$row['id']} ";echo "</td>";echo "<td>";echo "name: {$row['name']} ";echo "</td>";echo "<td>";echo "countrycode: {$row['countrycode']} ";echo "</td>";echo "</tr>";echo "</table>";}$dbh = null;} catch (PDOException $e) {die ("Error!: " . $e->getMessage() . "<br/>");}}else{echo "please input the number ID !!!";} ?></div>
</form>
浏览器直接访问:http://localhost/index.php
mysql 数据库中结果
到此,我的第一个 php 程序结束。。。。。
一个 简单的 SQL 注入验证
输入要查询的 ID (数字),点击 search 按钮,注意 浏览器 url 变化,传递一个参数 search=1 。然后下面显示查询结果。
现在修改 URL 传递的参数。
修改后的 URL 为 :http://localhost/index.php?search=1 or '1'='1'&submit=Search
再来一个复杂点的 SQL 注入验证:
URL:http://localhost/index.php?search=1 union select code,name,region from Country LIMIT 5;&submit=Search
一个读取文件的 SQL 注入
至此,一个简单的 SQL 注入验证完成。SQL 注入不止这些东西,以后慢慢学习研究。。。
SQL注入攻击与防御 第二版:http://download.csdn.net/detail/hx0_0_8/9284595
