SQL Injection——Stacked Queries

Author: admin
Date: 2018/11/18

0x1 Principle

Stacked Queries (堆查询/堆叠注入): when SQL is executed, `;` marks the end of a statement. If several statements are placed on one line and separated with `;`, will all of them be executed? Whether they are decides whether an injection point can be used to run arbitrary additional statements (not just modify the one being injected into).

0x2 Experiment

Environment:

Host: Kali linux2.0
Service: PHP 7.2.9-1
Database: Mysql 10.1.35-MariaDB-1

Experiment (typed into the mysql client):

show databases;
use test; // pick a database
show tables; // list the tables in it
select * from user;create database test1;  // execute multiple statements on one line

The statements execute without an error, and the client reports one row affected. Was the test1 database actually created? Check again with show databases;:

The test1 database is listed, so the second statement was executed.

Does php+mysql support this feature as well? First the ordinary mysqli->query() path (the id parameter is deliberately concatenated into the query so that it is injectable):

<?php
$servername = "localhost";
$username = "root";
$password = "root";
$db_name = "test";
// create the connection
$conn = new mysqli($servername, $username, $password, $db_name);

// check the connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$id = 1;
if (isset($_GET['id'])) {
    $id = $_GET['id'];   // unsanitized on purpose: this is the injection point
}
$sql = "select * from user where id = " . $id;
$result = $conn->query($sql);
// query() returns false on error, so guard before reading num_rows
if ($result && $result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        echo "id: " . $row['id'] . "<br>";
    }
} else {
    printf("Errormessage: %s\n", $conn->error);
}
echo $sql;

Here it fails: with ?id=1;create database test1 the query returns an error instead of running the second statement.
The plain mysqli->query() (and the old mysql_query()) do not support multi-statement queries; only mysqli->multi_query() and PDO do. Modify the code to use multi_query() and look again:


<?php
$servername = 'localhost';
$username = "root";
$password = "root";
$db_name = "test";
// create the connection
$conn = new mysqli($servername, $username, $password, $db_name);

// check the connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$id = 1;
if (isset($_GET['id'])) {
    $id = $_GET['id'];   // unsanitized on purpose: this is the injection point
}
$sql = "select * from user where id = " . $id;
echo $sql . "<br/>";
// multi_query() sends the whole ';'-separated string; every statement runs
if ($conn->multi_query($sql)) {
    do {
        // only statements that produce a result set yield something to print
        if ($result = $conn->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("id:%s\n", $row[0]);
            }
            $result->free();
        }
        if ($conn->more_results()) {
            printf("-----------------\n");
        }
    } while ($conn->next_result());
}

?>

This time it executes successfully and the stacked statement runs. Multi-statement queries through mysqli are rarely used in real development, though. PDO, on the other hand, is the PHP extension most often used in development, so check it next:

<?php
$servername = "localhost";
$username = "root";
$password = "root";
$db_name = "test";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$db_name", $username, $password);
    $id = 1;
    if (isset($_GET['id'])) {
        $id = $_GET['id'];   // unsanitized on purpose: this is the injection point
    }
    $sql = "select * from user where id = " . $id;
    // PDO::query() passes the whole string to the driver; only the first result set is read here
    $res = $conn->query($sql);
    foreach ($res as $key => $value) {
        echo 'id:' . $value['id'] . '<br>';
    }
    echo $sql;
}
catch (PDOException $e) {
    echo $e->getMessage();
}
?>

Here it executes successfully as well: the stacked create database statement runs even though the script only iterates over the first result set, so an injection into a PDO::query() call can execute arbitrary additional statements.

0x3 Summary

MySQL: not supported through PHP's plain mysqli->query() / mysql_query(); supported through PDO, mysqli_multi_query() and mysqli->multi_query()
Oracle: not supported
SQL Server: supported
PostgreSQL: supported

Whether a stacked payload actually executes therefore depends on the client API and driver the application uses as much as on the database engine, as the three PHP experiments above show.
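The point of the experiments and of this summary is that the same injected string is harmless or fatal depending on which driver call receives it. The following is an added example, not code from the original post; it uses Python's sqlite3 module as an offline stand-in for mysqli/PDO, because sqlite3's execute() accepts exactly one statement (like mysqli->query()) while executescript() runs a whole ';'-separated script (like mysqli->multi_query() and PDO::query()). The user table, the payload and the table name "pwned" are constructed for this example; the third function shows the fix the page does not spell out, a bound parameter, which removes the problem regardless of API.

```python
import sqlite3

# Constructed attacker input used in every call below: a valid id followed by a
# stacked statement. The table name "pwned" is an assumption of this example.
PAYLOAD = "1; CREATE TABLE pwned (x INTEGER)"


def make_db() -> sqlite3.Connection:
    """In-memory database with a small constructed 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def table_names(conn: sqlite3.Connection) -> list:
    """Sorted table list, used to check whether the stacked CREATE TABLE ran."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def single_statement_api(conn: sqlite3.Connection, user_id: str) -> str:
    """String concatenation sent through execute(), which takes ONE statement.

    This is the mysqli->query() case on the page: the query is still injectable,
    but the driver refuses the ';'-separated tail, so the stacked statement does
    not run and the call fails instead.
    """
    sql = "SELECT * FROM user WHERE id = " + user_id
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # CPython raises "You can only execute one statement at a time."
        # (ProgrammingError in current versions, Warning in older ones).
        return "rejected: " + str(exc)


def multi_statement_api(conn: sqlite3.Connection, user_id: str) -> str:
    """Same concatenation through executescript(), which runs every statement.

    This is the mysqli->multi_query() / PDO::query() case: the attacker's
    CREATE TABLE is executed together with the intended SELECT.
    """
    sql = "SELECT * FROM user WHERE id = " + user_id
    conn.executescript(sql)
    return "executed"


def parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: bind the value. The whole payload is compared as data, so there is
    no second statement no matter which API the driver exposes."""
    return conn.execute("SELECT * FROM user WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(single_statement_api(db, PAYLOAD), table_names(db))
    print(multi_statement_api(db, PAYLOAD), table_names(db))
    print(parameterized(make_db(), PAYLOAD), parameterized(make_db(), "1"))
```

Run stand-alone, the first line shows the single-statement API rejecting the payload with only the user table present, the second shows the multi-statement API creating the pwned table, and the third shows the bound parameter returning no rows for the payload and the expected row for a plain id. The lesson carries over to PHP: prepared statements (PDO::prepare() or mysqli::prepare()) rather than a hope that the driver refuses stacked queries.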


Last modification:November 19th, 2018 at 02:22 pm