Welcome to the NetSPI SQL Injection Wiki:https://sqlwiki.netspi.com/

 

因为需要了解下 SQL 注入,就使用 PHP 自己写了一个只有一个网页的网站测试下,现在记录下过程。。。

直接使用的 KALI系统 (KALI官网:https://www.kali.org/)。KALI 是一个渗透测试的神器。集成了好多黑客工具,当然也就集成了许多开发所需的环境。

这里只涉及 MySQL 和 apache 

启动 MySQL :

 

root@kali:~# systemctl start mysql      //启动 mysql 服务
root@kali:~# systemctl status mysql     //查看 mysql 状态

 

 

SQL 建表脚本(添加一些测试数据):

MySQL样例数据库脚本:http://download.csdn.net/detail/freeking101/9915991

DROP SCHEMA IF EXISTS world;
CREATE SCHEMA world;
USE world;
SET AUTOCOMMIT=0;

--
-- Table structure for table `City`
--

DROP TABLE IF EXISTS `City`;

CREATE TABLE `City` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `Name` char(35) NOT NULL DEFAULT '',
  `CountryCode` char(3) NOT NULL DEFAULT '',
  `District` char(20) NOT NULL DEFAULT '',
  `Population` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`ID`),
  KEY `CountryCode` (`CountryCode`),
  CONSTRAINT `city_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)
) ENGINE=InnoDB AUTO_INCREMENT=4080 DEFAULT CHARSET=latin1;


--
-- Dumping data for table `City`
--
-- ORDER BY:  `ID`

INSERT INTO `City` VALUES (1,'Kabul','AFG','Kabol',1780000);
INSERT INTO `City` VALUES (2,'Qandahar','AFG','Qandahar',237500);
INSERT INTO `City` VALUES (3,'Herat','AFG','Herat',186800);
INSERT INTO `City` VALUES (4,'Mazar-e-Sharif','AFG','Balkh',127800);
INSERT INTO `City` VALUES (5,'Amsterdam','NLD','Noord-Holland',731200);
INSERT INTO `City` VALUES (6,'Rotterdam','NLD','Zuid-Holland',593321);
INSERT INTO `City` VALUES (7,'Haag','NLD','Zuid-Holland',440900);
INSERT INTO `City` VALUES (8,'Utrecht','NLD','Utrecht',234323);
INSERT INTO `City` VALUES (9,'Eindhoven','NLD','Noord-Brabant',201843);
INSERT INTO `City` VALUES (10,'Tilburg','NLD','Noord-Brabant',193238);
COMMIT;
--
-- Table structure for table `Country`
--

DROP TABLE IF EXISTS `Country`;

CREATE TABLE `Country` (
  `Code` char(3) NOT NULL DEFAULT '',
  `Name` char(52) NOT NULL DEFAULT '',
  `Continent` enum('Asia','Europe','North America','Africa','Oceania','Antarctica','South America') NOT NULL DEFAULT 'Asia',
  `Region` char(26) NOT NULL DEFAULT '',
  `SurfaceArea` float(10,2) NOT NULL DEFAULT '0.00',
  `IndepYear` smallint(6) DEFAULT NULL,
  `Population` int(11) NOT NULL DEFAULT '0',
  `LifeExpectancy` float(3,1) DEFAULT NULL,
  `GNP` float(10,2) DEFAULT NULL,
  `GNPOld` float(10,2) DEFAULT NULL,
  `LocalName` char(45) NOT NULL DEFAULT '',
  `GovernmentForm` char(45) NOT NULL DEFAULT '',
  `HeadOfState` char(60) DEFAULT NULL,
  `Capital` int(11) DEFAULT NULL,
  `Code2` char(2) NOT NULL DEFAULT '',
  PRIMARY KEY (`Code`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


--
-- Dumping data for table `Country`
--
-- ORDER BY:  `Code`

INSERT INTO `Country` VALUES ('ABW','Aruba','North America','Caribbean',193.00,NULL,103000,78.4,828.00,793.00,'Aruba','Nonmetropolitan Territory of The Netherlands','Beatrix',129,'AW');
INSERT INTO `Country` VALUES ('AFG','Afghanistan','Asia','Southern and Central Asia',652090.00,1919,22720000,45.9,5976.00,NULL,'Afganistan/Afqanestan','Islamic Emirate','Mohammad Omar',1,'AF');
INSERT INTO `Country` VALUES ('AGO','Angola','Africa','Central Africa',1246700.00,1975,12878000,38.3,6648.00,7984.00,'Angola','Republic','Jos?Eduardo dos Santos',56,'AO');
INSERT INTO `Country` VALUES ('AIA','Anguilla','North America','Caribbean',96.00,NULL,8000,76.1,63.20,NULL,'Anguilla','Dependent Territory of the UK','Elisabeth II',62,'AI');
INSERT INTO `Country` VALUES ('ALB','Albania','Europe','Southern Europe',28748.00,1912,3401200,71.6,3205.00,2500.00,'Shqip雛ia','Republic','Rexhep Mejdani',34,'AL');
INSERT INTO `Country` VALUES ('AND','Andorra','Europe','Southern Europe',468.00,1278,78000,83.5,1630.00,NULL,'Andorra','Parliamentary Coprincipality','',55,'AD');
INSERT INTO `Country` VALUES ('ANT','Netherlands Antilles','North America','Caribbean',800.00,NULL,217000,74.7,1941.00,NULL,'Nederlandse Antillen','Nonmetropolitan Territory of The Netherlands','Beatrix',33,'AN');
INSERT INTO `Country` VALUES ('ARE','United Arab Emirates','Asia','Middle East',83600.00,1971,2441000,74.1,37966.00,36846.00,'Al-Imarat al-碅rabiya al-Muttahida','Emirate Federation','Zayid bin Sultan al-Nahayan',65,'AE');
INSERT INTO `Country` VALUES ('ARG','Argentina','South America','South America',2780400.00,1816,37032000,75.1,340238.00,323310.00,'Argentina','Federal Republic','Fernando de la R鷄',69,'AR');
INSERT INTO `Country` VALUES ('ARM','Armenia','Asia','Middle East',29800.00,1991,3520000,66.4,1813.00,1627.00,'Hajastan','Republic','Robert Kot歛rjan',126,'AM');
INSERT INTO `Country` VALUES ('ASM','American Samoa','Oceania','Polynesia',199.00,NULL,68000,75.1,334.00,NULL,'Amerika Samoa','US Territory','George W. Bush',54,'AS');
COMMIT;
--
-- Table structure for table `CountryLanguage`
--

DROP TABLE IF EXISTS `CountryLanguage`;

CREATE TABLE `CountryLanguage` (
  `CountryCode` char(3) NOT NULL DEFAULT '',
  `Language` char(30) NOT NULL DEFAULT '',
  `IsOfficial` enum('T','F') NOT NULL DEFAULT 'F',
  `Percentage` float(4,1) NOT NULL DEFAULT '0.0',
  PRIMARY KEY (`CountryCode`,`Language`),
  KEY `CountryCode` (`CountryCode`),
  CONSTRAINT `countryLanguage_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `CountryLanguage`
--
-- ORDER BY:  `CountryCode`,`Language`

INSERT INTO `CountryLanguage` VALUES ('ABW','Dutch','T',5.3);
INSERT INTO `CountryLanguage` VALUES ('ABW','English','F',9.5);
INSERT INTO `CountryLanguage` VALUES ('ABW','Papiamento','F',76.7);
INSERT INTO `CountryLanguage` VALUES ('ABW','Spanish','F',7.4);
INSERT INTO `CountryLanguage` VALUES ('AFG','Balochi','F',0.9);
INSERT INTO `CountryLanguage` VALUES ('AFG','Dari','T',32.1);
INSERT INTO `CountryLanguage` VALUES ('AFG','Pashto','T',52.4);
INSERT INTO `CountryLanguage` VALUES ('AFG','Turkmenian','F',1.9);
INSERT INTO `CountryLanguage` VALUES ('AFG','Uzbek','F',8.8);
INSERT INTO `CountryLanguage` VALUES ('AGO','Ambo','F',2.4);
INSERT INTO `CountryLanguage` VALUES ('AGO','Chokwe','F',4.2);
COMMIT;

SET AUTOCOMMIT=1;

 

启动 apache

 

root@kali:~# systemctl start apache2
root@kali:~# systemctl status apache2

 

 

apache 的默认主页是  /var/www/html/index.html。直接访问 http://localhost/index.html 

修改 index.html 为 index.php

index.php 内容如下: (数据库连接部分参考:https://www.runoob.com/php/php-pdo.html

 

<?php 
ini_set("display_errors", "On");
error_reporting(E_ALL | E_STRICT);

print('Hello '); // 输出 "Hello " 并且没有换行符
echo "World\n";  // 输出 "World" 并且换行
echo "<br />";
echo "<hr />";
echo '<p align="center">DataBase connect test</p>';


$dbms='mysql';      //数据库类型
$host='127.0.0.1';  //数据库主机名
$dbName='world';    //使用的数据库
$user='root';       //数据库连接用户名
$pass='';           //对应的密码
$dsn="$dbms:host=$host;dbname=$dbName";

try {
    // 连接到数据库
    $dbh = new PDO($dsn, $user, $pass);  
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  
    $dbh->exec('set names utf8'); 
    echo "连接成功<br/>";
    // sql 语句
    $strsql="SELECT id,name,countrycode FROM `City` LIMIT 5";
    //你还可以进行一次搜索操作
    foreach ($dbh->query($strsql) as $row) {
        //print_r($row); //你可以用 echo($GLOBAL); 来看到这些值
        echo "id: {$row['id']}        ";
        echo "name: {$row['name']}        ";
        echo "countrycode: {$row['countrycode']}        ";
        echo "<br />";
    }
    $dbh = null;
} catch (PDOException $e) {
    die ("Error!: " . $e->getMessage() . "<br/>");
}
?>

<br />
<hr />
<p align="center">input test</p>
<form>
	<div>
		Input Query ID:
		<input type="text" name="search" style="width:60%;" >
		<input type="submit" name="submit" value="Search" >
		<br /><br />
		SQL Query String : 
		<?php
		if(isset($_GET['submit'])) 
		{
			$val = $_GET['search'];
			$str_sql = "SELECT id,name,countrycode FROM City where id = $val";
			echo "<b>$str_sql</b>";
			echo "<br />";
			$dbms='mysql';      //数据库类型
			$host='127.0.0.1';  //数据库主机名
			$dbName='world';    //使用的数据库
			$user='root';       //数据库连接用户名
			$pass='';           //对应的密码
			$dsn="$dbms:host=$host;dbname=$dbName";

			try {
    				// 连接到数据库
    				$dbh = new PDO($dsn, $user, $pass);  
    				$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  
    				$dbh->exec('set names utf8');     	
    				echo "<br /><br />";
    				// 遍历
    				foreach ($dbh->query($str_sql) as $row) 
    				{
        				//print_r($row);           //你可以用 echo($GLOBAL); 来看到这些值
    					echo '<table border="1">';
    					echo "<tr>";
    					echo "<td>";
        				echo "id: {$row['id']}        ";
        				echo "</td>";
        				echo "<td>";
        				echo "name: {$row['name']}        ";
        				echo "</td>";
        				echo "<td>";
        				echo "countrycode: {$row['countrycode']}        ";
        				echo "</td>";
        				echo "</tr>";
        				echo "</table>";
    				}
    				$dbh = null;
			} 
			catch (PDOException $e) 
			{
    				die ("Error!: " . $e->getMessage() . "<br/>");
			}
		}
		else
		{
			echo "please input the number ID !!!";
		}				
		?>
	</div>
</form>

浏览器直接访问:http://localhost/index.php

 

mysql 数据库中结果

到此,我的第一个 php 程序结束。。。。。

 

一个 简单的 SQL 注入验证

输入要查询的 ID (数字),点击 search 按钮,注意 浏览器 url 变化,传递一个参数 search=1 。然后下面显示查询结果。

现在修改 URL 传递的参数。

修改后的 URL 为 :http://localhost/index.php?search=1 or ‘1’=’1′&submit=Search

再来一个复杂点的 SQL 注入验证:

URL:http://localhost/index.php?search=1 union select code,name,region from Country LIMIT 5;&submit=Search

一个读取文件的 SQL 注入

至此,一个简单的 SQL 注入验证完成。SQL 注入不止这些东西,以后慢慢学习研究。。。

SQL注入攻击与防御 第二版:http://download.csdn.net/detail/hx0_0_8/9284595