问题描述
我正在研究一些软件安全主题,我发现了这个网站:http://teachcryptography.blogspot.com.br/2015/03/badstore-funway-of-exploiting-web.html
I'm studying some topics of software security and I found this site : http://teachcryptography.blogspot.com.br/2015/03/badstore-funway-of-exploiting-web.html
我试图在快速项目搜索表单中使用 SQL 注入来泄漏数据.这是查询:
I'm trying to leak data using SQL inject in Quick Item Search form.Here is the query :
"SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE '$squery' IN
(itemnum,sdesc,ldesc)";
我用这个输入得到了正确的答案:1=1'/* 但输入 '-' 也是正确的.有人可以向我解释为什么吗?
I got the right answer with this input : 1=1'/* but the input '-' is also right. Could someone explain to me why?
推荐答案
字符串 '-' (single-quote, hyphen, single-quote) 因为整数到字符串的转换行为一些关系型数据库.由于您发布的内容看起来像PHP代码,因此我假设所涉及的数据库是MySQL.
The string '-' (single-quote, hyphen, single-quote) works because of the integer to string casting behavior of some RDBMS. Since what you posted looks like PHP code, I will make the assumption that the database involved is MySQL.
在 MySQL 中,将非数字字符串转换为整数将导致零.此外,尝试对两个字符串进行算术运算将首先导致它们被强制转换为整数.那么我们来看看取值后的字符串:
In MySQL, a non-numeric string cast to an integer will result in zero. Further, attempting an arithmetic operation on two strings will first cause them to be cast to integers. So let's look at the string after the value is substituted:
WHERE ''-'' IN (itemnum, sdesc,ldesc)
MySQL 将尝试对两个空字符串 '' 进行减法,字面意思是:'' 减去 ''.为了实现这一点,它们必须首先被转换为整数,这些整数为零 (0-0=0).现在看起来像:
MySQL will attempt to do subtraction of the two empty strings '', so literally: '' minus ''. To accomplish that, they must first be cast to integers, which are zero (0-0=0). Now it looks like:
WHERE 0 IN (itemnum, sdesc,ldesc)
与非数字字符串转换为零的原因相同,这次 MySQL 会将 varchar 列 sdesc, ldesc 转换为整数.除非它们以数字开头,否则该转换的结果为零.''-'' 中的 0 然后起作用,因为 IN() 将匹配任何列出的列和 varchar 已全部转换为等效的 0.
For the same reason that the non-numeric string casts to zero, this time MySQL will cast the varchar columns sdesc, ldesc to an integer. Unless they begin with numbers, the result of that cast is zero. The 0 from ''-'' then works because the IN() will match any of the listed columns and the varchar have all been cast to equivalent 0.
这是 MySQL 尝试对字符串进行算术运算:
Here's MySQL attempting arithmetic on the strings:
> select ''-'';
+-------+
| ''-'' |
+-------+
| 0 |
+-------+
这是 MySQL 将空字符串转换为 0:
Here's MySQL casting the empty string to 0:
> select CAST('' AS SIGNED);
+--------------------+
| CAST('' AS SIGNED) |
+--------------------+
| 0 |
+--------------------+
最后,MySQL 返回 TRUE 因为整数 0 匹配字符串值:
Finally, here's MySQL returning TRUE because integer 0 matches string values:
> SELECT 0 IN (123, 'abc', 'def');
+--------------------------+
| 0 IN (123, 'abc', 'def') |
+--------------------------+
| 1 |
+--------------------------+
这篇关于SQL 注入 - BadStore.net的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!