问题
I am trying to write a website with Django that could display SQL injection for classroom purposes.However when i try to exploit the query nothing is getting returned. I am using a MYSQL database
peopledata = people.objects.raw("select * from people where name = \"%s\" "%input
result = list(peopledata)
I tried using "; show tables; -- and "; --, in the input field and nothing showed up. Is there a way to display the exploited data?
回答1:
Your input should be any_name OR'x'='x' or any_name OR name IS NOT NULL
The first input would guarantee the clause to be true no matter what the first clause is.
The second query will then return every record in the database, instead of returning the name you searched for. This is demonstrates a big security risk. If the data being returned is confidential (id SSN) the user has now received access to data he/she should not be viewing.
Another example would be:
any_name; DROP TABLE people; --
And:
any_name; INSERT INTO people('email','passwd','login_id','full_name')
VALUES ('steve@email.com','hello','steve','Steve LastName'); --
NOTE: Apply these queries appropriately to your DB. Using single/double quotes when necessary etc.
来源:https://stackoverflow.com/questions/17113712/django-raw-query-sql-injection-display-attack