【安全牛学习笔记】基于PHP的SQL注入漏洞原理及解决办法
基于PHP的SQL注入漏洞原理及解决办法
----------------------------------------------------------------------
[index.php]（入口文件；下面的 conf.php / mysqlDriver.php 另见后文）
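<?php
// index.php — front controller: every request is dispatched to "<action>Action()".
error_reporting(E_ALL);
// include files
include 'conf.php';
include 'functions.php';
include 'actions.php';
include 'models.php';
// The original listing shows "STRACE_LOG = array();", which is a parse error;
// presumably the $TRACE_LOG buffer that trace() (functions.php, not shown) appends to — confirm.
$TRACE_LOG = array();

// The action name is untrusted input ($_REQUEST also accepts cookies, not just
// GET/POST). Restrict it to a plain identifier before it is turned into a
// function name, so call_user_func() can only ever reach a function this
// application defines as "<action>Action".
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
if ($action !== '' && preg_match('/^[A-Za-z0-9_]+$/', $action)
    && function_exists($action . 'Action')) {
    call_user_func($action . 'Action');
} else {
    error('action not exists');
}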
-----------------------------------------------------------------------
root@w:~# service apache2 status
Apache2 is running (pid 7970).
root@w:~# service mysql status
[info] /usr/bin/mysqladmin Ver 8.42 Distrib 5.5.40, for debian-linux-gnu on i686
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.
Server version 5.5.40-0+wheezy1-log
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysql/mysqld.sock
Uptime: 3 hours 47 min 40 sec
Threads: 1 Questions: 1271 Slow queries: 0 Opens: 457 Flush tables: 1 Open
tables: 50 Questions per second avg: 0.093
root@w:~# php -v
PHP 5.4.36-0+deb7u1 (cli) (built: Dec 31 2014 08:33:05)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
www-data@w:~$ vim conf.php
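<?php
// conf.php — connection settings shared by both drivers in mysqlDriver.php.
// NOTE(review): the schema is called "security" everywhere else on this page
// (mysql_select_db('security'), "Init DB security" in the query log); the
// original listing's DSN said "secruity", which would make every PDO connect fail.
define('DSN', 'mysql:host=localhost;dbname=security');
define('DBHOST', '127.0.0.1');
// Both drivers connect as root. That is exactly what turns an injection into
// "union select 1,2,load_file('/etc/passwd')": root holds the FILE privilege.
// A least-privilege account limited to SELECT/INSERT/UPDATE/DELETE on this
// schema would stop an injection from reading the filesystem or loading UDFs.
define('DBUSER', 'root');
// mysqlDriver.php reads DBPASS, but the original listing never defined it.
// Take it from the environment instead of committing it to source; '' if unset.
define('DBPASS', getenv('DBPASS') !== false ? getenv('DBPASS') : '');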
www-data@w:~$ vim mysqlDriver.php
<?php
//this file is for mysql connection;
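// Legacy mysql_* connection wrapper.
// NOTE(review): the mysql_* extension is deprecated since PHP 5.5 and removed
// in PHP 7, and it offers no server-side prepared statements — which is why the
// "fix" for this driver later on the page can only be casting/escaping.
// Prefer the PDO wrapper below for anything new.
class mysql
{
    public $conn = null;

    // Opens the connection and selects the schema named by $table (despite the
    // parameter name, this is a database/schema name, not a table).
    // The original listing named this method "musql": a PHP4-style constructor
    // has to match the class name exactly, so that method never ran, $conn stayed
    // null, and indexModel's "mysql connecting error" branch would always fire.
    public function __construct($table)
    {
        $this->conn = mysql_connect(DBHOST, DBUSER, DBPASS);
        // Pass the link explicitly instead of relying on "the last opened connection".
        if ($this->conn) {
            mysql_select_db($table, $this->conn);
        }
    }
}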
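// PDO connection wrapper built from DSN/DBUSER/DBPASS (conf.php).
class mysqlPDO
{
    public $conn;

    // PHP4-style constructors (a method named after the class) are deprecated
    // in PHP 7 and are plain methods in PHP 8, so use __construct.
    public function __construct()
    {
        try {
            $pdo = new PDO(DSN, DBUSER, DBPASS, array(
                // Real server-side prepares: statement text and bound values are
                // sent separately, which is the property that makes
                // "id=6 union select ..." harmless in getDataByPDO(). With
                // emulation on (the default) PDO quotes the value client-side —
                // still safe, but it then depends on PDO's quoting and the charset.
                PDO::ATTR_EMULATE_PREPARES => false,
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            ));
            $this->conn = $pdo;
        } catch (PDOException $e) {
            // Never echo the exception itself: its message/trace can carry the DSN,
            // the user name and server details. Log the detail, show a generic error.
            error_log('PDO connect failed: ' . $e->getMessage());
            error('error: database connection failed');
        }
    }
}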
-----------------------------------------------------------------------
sql注入原理及修复方法
[php语言环境]
1.常见数据库操作方法
2.漏洞原理(sql注入)
3.漏洞危害
4.一些Tips
5.如何避免及修复漏洞
-----------------------------------------------------------------------
[actions.php]
<?php
// indexAction
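// indexAction — ?action=index&id=N: fetches one user row by id and renders tpl/index.tpl.
// request() and error() come from functions.php (not shown on this page).
// $id is handed to the model exactly as received; with the first models.php on
// this page that is the injection point. The integer check (ctype_digit/intval)
// belongs at this boundary as well as in the model; it is left out here only
// so the page's vulnerable walkthrough still reproduces.
function indexAction()
{
    $id = request('id');
    // request() presumably returns a falsy value for a missing parameter;
    // that is the only "id present" check the original made.
    if ($id) {
        $indexModel = new indexModel();
        $result = $indexModel->getDataById($id);
        include 'tpl/index.tpl';
    } else {
        error('id not exists');
    }
}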
//someAction
// someAction — placeholder endpoint; only reports that it was reached via error().
function someAction()
{
    $message = "here is someAction";
    error($message);
}
//orderAction
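// orderAction — ?action=order&order=<column>: lists users sorted by a column.
// "order by" takes an identifier, not a value: it cannot be bound as a
// prepared-statement parameter and it is not quoted, so addslashes() does
// nothing for it. The only safe control is an allow-list of column names.
// The users table shown on this page has id/username/password (see the
// template and the three-column union payloads).
function orderAction()
{
    $order = request('order');
    if (!$order) {
        error('order keywords not exists');
        return;
    }
    $allowed = array('id', 'username', 'password');
    if (!in_array($order, $allowed, true)) {
        // Reject rather than "sanitise": anything outside the list is not a column we know.
        error('order keywords not exists');
        return;
    }
    $orderModel = new orderModel();
    $result = $orderModel->orderData($order);
    trace($order);
    // The original listing included 'tpl/index.php' here while the other
    // mysql_* action renders 'tpl/index.tpl'; treated as a transcription slip — confirm the file name.
    include 'tpl/index.tpl';
}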
//indexPDOAction
// indexPDOAction — the same lookup as indexAction, but through the PDO model,
// which binds id as a prepared-statement parameter; renders tpl/indexPDO.tpl.
function indexPDOAction()
{
    $id = request('id');
    if (!$id) {
        error('id not exists');
        return;
    }
    $model = new indexModelPDO();
    $result = $model->getDataByPDO($id);
    include 'tpl/indexPDO.tpl';
}
-----------------------------------------------------------------------
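<?php
// tpl/index.tpl — renders the rows of a mysql_* result set ($result, set by the
// including action) as an HTML table.
include 'head.tpl';
?>
<div class="panel panel-default">
<!-- Default panel contents -->
<div class="panel-heading">UserList</div>
<!-- Table -->
<table class="table">
<thead>
<tr>
<th>id</th>
<th>username</th>
<th>password</th>
</tr>
</thead>
<tbody>
<?php
// Every cell is HTML-escaped. The values come from the database, and with the
// injection shown on this page the attacker controls what the query returns
// ("union select 1,'<script>...</script>',3"), so unescaped output here turns
// the SQL injection into XSS as well.
// NOTE(review): the password column is sent to the browser; outside this demo
// that is a credential disclosure on its own and the column should not be rendered.
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    echo '<tr>';
    foreach (array($row[0], $row[1], $row[2]) as $cell) {
        echo '<td>', htmlspecialchars($cell, ENT_QUOTES, 'UTF-8'), '</td>';
    }
    echo '</tr>';
}
?>
</tbody>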
-----------------------------------------------------------------------
漏洞原理:
没有对用户提交的数据做安全处理,直接拼接到 SQL 语句中,传递给数据库引擎执行,于是用户提交的"数据"被数据库当成"指令"解析。
本质上,冯·诺依曼体系结构没有将数据和指令严格地区分开;SQL 注入、命令注入、XSS 都是同一类问题——把不可信数据混进了要被解释执行的文本。
-----------------------------------------------------------------------
[models.php]
<?php
include 'mysqlDriver.php';
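// First version of the model — the INTENTIONALLY VULNERABLE one the page uses
// to demonstrate the injection. The corrected version appears later on the page.
class indexModel
{
    // some vars for model
    public $conn = null;

    // Connects through the mysql_* wrapper and keeps the link for the queries below.
    // error()/trace() come from functions.php (not shown on this page).
    // The original listing wrote "$mysql-conn" (minus, not ->), so $this->conn was never set.
    public function __construct()
    {
        $mysql = new mysql('security');
        if ($mysql->conn) {
            trace('log:mysql connected');
            $this->conn = $mysql->conn;
        } else {
            error('error: mysql connecting error');
        }
    }

    // VULNERABLE: $id is the raw request parameter and is concatenated straight
    // into the statement, so "3 union select 1,2,user()" or
    // "3 union select 1,2,load_file('/etc/passwd')" becomes part of the SQL
    // (see the mysql general log further down the page). The fix is intval()
    // for an integer column, or a bound parameter (indexModelPDO).
    public function getDataById($id)
    {
        $sql = 'select * from users where id=' . $id;
        $result = mysql_query($sql, $this->conn);
        // Printing the driver error to the page is itself a weakness: it gives
        // the attacker error-based feedback on the injected syntax. Kept because
        // the walkthrough relies on it; log instead of echo in real code.
        echo mysql_errno($this->conn) . ':' . mysql_error($this->conn);
        return $result;
    }
}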
-----------------------------------------------------------------------
root@w:~# tail -f /var/log/mysql/mysql.log
//监视filename文件的尾部内容(默认10行,相当于增加参数 -n 10),刷新显示在屏幕上。
222 Query select * from users where id=3 '
222 Quit
150128 9:50:07 223 Connect root@localhost on
223 Init DB security
223 Query select * from users where id=3 union select 1,2,user()
223 Quit
150128 9:51:49 224 Connect root@localhost on
224 Init DB security
224 Query select * from users where id=1
224 Quit
150128 9:55:53 255 Connect debian-sys-maint@localhost on
225 Quit
225 Connect debian-sys-maint@localhost on
226 Quit
150128 10:00:44 227 Connect root@localhost on
227 Init DB security
227 Query select * from users where id=3
227 Quit
150128 10:02:31 228 Connect root@localhost on
228 Init DB security
228 Query select * from users where id=3 and 1=1
228 Quit
root@w:~# mysql
Welcome to the MySQL monitor. Commands end with ; or \g
Your MySQL connection id is 230
Server version: 5.5.40-0+wheezy1-log (Debian)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user()
-> ;
+-----------------+
| user |
+-----------------+
| root@localhost |
+-----------------+
1 row in set (0.00 sec)
http://sql.com/index.php?action=index&id=3 union select 1,2,version()
http://sql.com/index.php?action=index&id=3 union select 1,2,load_file("/etc/passwd")
（入口文件把 action 参数拼成 "<action>Action" 再调用,所以这里应为 action=index 而不是 action=index.php;load_file() 能读出 /etc/passwd,是因为应用用 root 连库,而 root 拥有 FILE 权限——这也是为什么数据库账号要最小权限。）
漏洞危害
任意操作数据库数据(读取、修改等),利用数据库引擎读取系统文件、执行系统命令udf,也就是拖库、提权等。
危害等级:高/严重
一些Tips
都有哪些地方会存在sql注入?
select * from table where id=xx / order by xx / limit xx / update table set username=xx where id=xxx / insert into table values(id,username,password)
——凡是把外部数据拼进 SQL 文本的位置都可能注入,不只是 where 条件;其中 order by、limit、表名、列名这类位置既不能加引号也不能绑定参数,只能用白名单校验。
如何避免&修复漏洞:
1.对数据做安全处理(转义)——注意转义只对"放在引号里的字符串"有效:整数型参数要用 intval() 强制转换;字符串参数转义之后还必须加引号;mysql_* 下应优先用 mysql_real_escape_string(按连接字符集转义)而不是 addslashes。
2.使用PDO预处理语句(数据与指令隔离),这是根本解决办法;建议同时把 PDO::ATTR_EMULATE_PREPARES 设为 false,让绑定真正在服务端完成。
addslashes 只转义 \ ' " 和 NUL 这几个字符
-----------------------------------------------------------------------
models.php
<?php
include 'mysqlDriver.php';
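// Hardened version of the model: the id is cast to an integer before it reaches
// the SQL string, and the "order by" column is checked against an allow-list.
// (The original listing is garbled here — a duplicated error() line and extra
// braces split the class in two; all three methods belong to one class. The
// action on this page calls orderModel->orderData(); that class is not shown.)
class indexModel
{
    // some vars for model
    public $conn = null;

    // Connects through the mysql_* wrapper (mysqlDriver.php) and keeps the link.
    public function __construct()
    {
        $mysql = new mysql('security');
        if ($mysql->conn) {
            trace('log:mysql connected');
            $this->conn = $mysql->conn;
        } else {
            error('error: mysql connecting error');
        }
    }

    // Looks up one user row by integer id.
    // Why intval() rather than addslashes(): the value sits in a numeric context
    // with no surrounding quotes, so escaping quote characters changes nothing —
    // "3 union select 1,2,user()" contains no quotes and would still run.
    // Escaping (better: mysql_real_escape_string) only helps for values that are
    // placed inside quotes; for an integer column the cast is the right control,
    // and a bound parameter (indexModelPDO) is the general one.
    public function getDataById($id)
    {
        $id = intval($id);
        $sql = 'select * from users where id=' . $id;
        $result = mysql_query($sql, $this->conn);
        // Kept from the walkthrough; in production log this instead of echoing it,
        // since driver error text helps an attacker refine payloads.
        echo mysql_errno($this->conn) . ':' . mysql_error($this->conn);
        return $result;
    }

    // Lists all users sorted by $order.
    // An identifier cannot be a bound parameter and is not quoted, so escaping
    // does not apply; the only safe control is an allow-list of real column
    // names. The users table on this page has id/username/password.
    // Returns false (without querying) when $order is not an allowed column.
    public function orderData($order)
    {
        $allowed = array('id', 'username', 'password');
        if (!in_array($order, $allowed, true)) {
            error('order keywords not allowed');
            return false;
        }
        $sql = 'select * from users order by ' . $order;
        $result = mysql_query($sql, $this->conn);
        return $result;
    }
}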
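// PDO-backed model: the id travels as a bound parameter, never as SQL text.
class indexModelPDO
{
    public $db;
    public $conn;
    public $db_prepare;

    // Opens the connection through mysqlPDO (mysqlDriver.php).
    // The original listing wrote "$this-db" / "$this-conn" (minus, not ->),
    // which never assigns the properties.
    public function __construct()
    {
        $this->db = new mysqlPDO();
        $this->conn = $this->db->conn;
    }

    // Returns all user rows with id greater than $id. The ">" is in the original
    // too (the page's examples show "where id>'6 union ...'"), so it is kept.
    // Because $id is bound via execute(), "6 union select 1,2,user()" arrives as
    // one value: MySQL compares that string with the integer column (in practice
    // it is read as the leading number 6) and the "union ..." text is never parsed
    // as SQL. With PDO::ATTR_EMULATE_PREPARES at its default the value is quoted
    // client-side, which is what the page's log shows; with emulation off it is
    // sent to the server separately from the statement.
    public function getDataByPDO($id)
    {
        $this->db_prepare = $this->conn->prepare('select * from users where id>?');
        $this->db_prepare->execute(array($id));
        return $this->db_prepare->fetchAll();
    }
}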
-----------------------------------------------------------------------
1,按参数类型分别处理:
第一种情况(整数):
int --> intval($var)
第二种情况(字符串):
string --> 先转义再加引号:"'".addslashes($var)."'" //注意的第2点:只转义不加引号(如 where id=$var)等于没有处理,因为 union 这类载荷里根本没有引号可转义
http://sql.com/index.php?action=indexPDO&id=6 union select 1,2,user()
select * from users where id>'6 union select 1,2,user()'
http://sql.com/index.php?action=indexPDO&id=6'
select * from users where id>'6 \''
2,使用预编译(prepared statement),php->PDO
select * from users where id> 6 union select 1,2,user() //注意的第1点:绑定参数后整个字符串作为一个值传给数据库,"union ..." 只是数据,不会被当成 SQL 解析
object