所以我一直在嘗試復(fù)制二階SQL注入.這是我準(zhǔn)備的兩個基于php的網(wǎng)站的示例模板.我們把它稱為選民登記表.用戶可以注冊,然后您可以檢查您是否是注冊選民.
insert.php
<?php$db_selected = mysql_select_db('canada',$conn);if (!db_selected) die("can't use mysql: ". mysql_error());$sql_statement = "INSERT into canada (UserID,FirstName,LastName,Age,State,Town) values ('".mysql_real_escape_string($_REQUEST["UserID"])."', '".mysql_real_escape_string($_REQUEST["FirstName"])."', '".mysql_real_escape_string($_REQUEST["LastName"])."', ".intval($_REQUEST["Age"]).", '".mysql_real_escape_string($_REQUEST["State"])."', '".mysql_real_escape_string($_REQUEST["Town"])."')";echo "You ran the sql query=".$sql_statement."<br/>";$qry = mysql_query($sql_statement,$conn) || die (mysql_error());mysql_close($conn);Echo "Data inserted successfully";}?>select.php
<?php$db_selected = mysql_select_db('canada', $conn);if(!db_selected) die('Can\'t use mysql:' . mysql_error());$sql = "SELECT * FROM canada WHERE UserID='".addslashes($_POST["UserID"])."'";echo "You ran the sql query=".$sql."<br/>";$result = mysql_query($sql,$conn);$row=mysql_fetch_row($result);$sql1 = "SELECT * FROM canada WHERE FirstName = '".$row[1]."'";echo "The web application ran the sql query internally=" .$sql1. "<br/>";$result1 = mysql_query($sql1, $conn);$row1 = mysql_fetch_row($result1);mysql_close($conn);echo "<br><b><center>Database Output</center></b><br><br>";echo "<br>$row1[1] $row1[2] , you are a voter! <br>";echo "<b>VoterID: $row[0]</b><br>First Name: $row[1]<br>Last Name: $row[2] <br>Age: $row[3]<br>Town: $row[4]<br>State: $row[5]<br><hr><br>";}?>因此,我故意使這個易受攻擊,以顯示二階SQL注入如何工作,用戶可以在第一個名稱部分輸入代碼(我目前卡住的地方,我嘗試了很多不同的方式,但似乎我無法得到它可以做任何事情).
然后當(dāng)一個人想要激活他在第一個名字部分中插入的代碼時,他只需輸入用戶ID并插入代碼即可.
例如:
我將在insert.php頁面中輸入:
userid = 17
firstname =(我需要在這里注入一些東西)
lastname = ..
年齡= ..
鎮(zhèn)= ..
州= ..
