Hac*_*net 1 php mysql database sql-server sql-injection
This question just came to my mind, but I couldn't find it asked anywhere, so I thought this would be the best place to ask. This is for educational purposes only. I use proper sanitization and have not granted DROP privileges on my real database.
Let's assume a database with all privileges and a simple insert query with three values
INSERT INTO test(a,b,c) VALUES('$a','$b','$c');
The above query is vulnerable to SQL injection.
Let's assume the user input is
The resulting query will look like this:
INSERT INTO test(a,b,c) VALUES('a',(select DATABASE()),'a')-- ','begone2','begone3')
The query above will execute and insert the database name into the table, but my question is whether an attacker could drop the database without actually knowing the database name, with a query like the following:
INSERT INTO test(a,b,c) VALUES
('a',(DROP DATABASE (select DATABASE())),'a')-- ','begone2','begone3')
I tried running the query above, but it threw an error. What's wrong with this query?
What's wrong with this query?
INSERT INTO test(a,b,c) VALUES
('a',(DROP DATABASE (select DATABASE())),'a')-- ','begone2','begone3')
There are two problems with this query.
You can't put DROP DATABASE into a subquery. A subquery must be a SELECT statement and have a result set (in the example you show, it must be a result set of one column, one row).
For what it's worth, you wouldn't be allowed to use INSERT/UPDATE/DELETE in a subquery either.
DROP DATABASE doesn't accept the result of a subquery as its argument. The syntax DROP DATABASE accepts a database identifier (name), and you can't DROP DATABASE ''. The result of a subquery is always data values (like strings and numbers), not identifiers.
Compare with this query:
SELECT a, b, c, (SELECT x FROM table2)
FROM table1
The subquery returns the value of column x. If the value of x is the string value 'd', this does NOT cause the outer query to return the value of column identified as table1.d. It returns a literal string 'd'.
In general, SQL doesn't allow you to use data values as identifiers. Database names, table names, and column names must be written explicitly in the query before the query is parsed. To make an identifier dynamic, you'd have to run two queries, that is, you'd use the result of the first query as you create a second SQL statement.
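The following is an added example, not code from the question or the answer. It reproduces both points of the answer on a constructed in-memory SQLite table standing in for the poster's MySQL table: the question's subquery payload (with `sqlite_version()` substituted for MySQL's `DATABASE()`) goes through the vulnerable string-built INSERT and through a parameterized one, the DDL-in-subquery payload (`DROP TABLE` substituted for `DROP DATABASE`, which SQLite lacks) is shown to be rejected by the parser, and the "two statements" route for a dynamic identifier is shown with an allowlist check. The table name `test` and the `begone2`/`begone3` values are taken from the question; everything else is assumed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the poster's MySQL table. SQLite is used so the
# example runs offline; the parser rules the answer describes (no DDL inside
# a subquery, identifiers never come from data values) hold here as in MySQL.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test(a TEXT, b TEXT, c TEXT)")
    return conn

# Payloads adapted from the question: sqlite_version() replaces MySQL's
# DATABASE(), and DROP TABLE replaces DROP DATABASE (SQLite has no such
# statement). The trailing "-- " comments out the rest of the template.
PAYLOAD_SUBQUERY = "a',(select sqlite_version()),'a')-- "
PAYLOAD_DDL = "a',(DROP TABLE test),'a')-- "

def insert_vulnerable(conn, a, b, c):
    """The question's pattern: input spliced straight into the SQL text."""
    sql = f"INSERT INTO test(a,b,c) VALUES('{a}','{b}','{c}')"
    conn.execute(sql)
    conn.commit()
    return sql

def insert_parameterized(conn, a, b, c):
    """The fix: placeholders keep every input a data value, never SQL."""
    conn.execute("INSERT INTO test(a,b,c) VALUES(?,?,?)", (a, b, c))
    conn.commit()

def rows(conn):
    return conn.execute("SELECT a,b,c FROM test ORDER BY rowid").fetchall()

def table_exists(conn, name):
    found = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return found is not None

def ddl_in_subquery_error(conn):
    """Run the DDL-in-subquery payload through the vulnerable insert and
    return the parser's error text (None would mean it was accepted)."""
    try:
        insert_vulnerable(conn, PAYLOAD_DDL, "begone2", "begone3")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def drop_table_by_name(conn, name):
    """The two-statement route from the answer: a name obtained as a data
    value is checked against an allowlist of identifier characters and
    against the catalogue, then placed into a separately built statement.
    Returns True if the table was dropped, False if the name was rejected."""
    if not IDENT.fullmatch(name) or not table_exists(conn, name):
        return False
    conn.execute(f'DROP TABLE "{name}"')
    conn.commit()
    return True

if __name__ == "__main__":
    db = fresh_db()
    print(insert_vulnerable(db, PAYLOAD_SUBQUERY, "begone2", "begone3"))
    print("vulnerable insert stored:", rows(db))       # b holds the version string
    db = fresh_db()
    insert_parameterized(db, PAYLOAD_SUBQUERY, "begone2", "begone3")
    print("parameterized insert stored:", rows(db))    # payload kept as literal text
    print("DDL in subquery ->", ddl_in_subquery_error(db))
    print("table still there:", table_exists(db, "test"))
```

The first run shows the injected subquery being evaluated as part of the statement, the second shows the same input stored verbatim as a value, and the third shows the parser refusing `(DROP TABLE test)` where an expression is expected, which is exactly why the question's query errors out.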
Views: 4542