问题
This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).
Same scenario, but I have this code (in another page):
$ID = $_GET['id'];
$sql = "SELECT * FROM blog WHERE id='$ID'";
$result = mysql_query($sql);
This should be easy enough to exploit, right?
If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?
回答1:
It's called UNION and allows you to pull from extra tables by using a second query.
I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").
回答2:
I don't think anyone would think you're trying to hack someone - this is a legitimate question.
You can't run a second query here, but you could do something malicious. For example if the query were an authentication query like so:
SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password';
You could quite easily log in with ' OR 1 = 1 and gain access to the website.
Also, if the query was a DELETE or UPDATE query you could probably manipulate it to run without a WHERE clause.
来源:https://stackoverflow.com/questions/8340915/php-mysql-injection-example