Setting up the SQL constraint attack environment

MySQL:

Table structure:
Create table command: create table login(name char(10),password char(20));

Data in the table:
Insert command: insert into login values('admin','PassAdmin');

PHP

Login page (login.php):

<html>

    <head><title>登陆系统</title></head>


<body>

        <center>
            <h1>欢迎来到登陆系统!</h1>
            <h3>第一个注册的用户为:admin</h3>
        </center>
        <form action="./login.php" method="post">
            <center><input type="text" name="username" placeholder="请输入用户名"></center>
            <center><input type="text" name="password" placeholder="请输入密码" ></center>
            <center><input type="submit" name="submit"></center>
        </form>
        <center><a href="./register.php">没有账号点这里!!!</a><br><br></center>
</body>
</html>

<?php
if(isset($_POST['submit'])){
    $username = $_POST['username'];
    // Only the exact string 'admin' is refused; 'admin' followed by spaces gets through.
    if($username == 'admin'){
        echo "<center>admin已被禁用!</center>";
        exit(0);
    }
    $password = $_POST['password'];

    try{
        $db = new PDO('mysql:host=7fp9co9h.2326.dnstoo.com;port=5505;dbname=czlgj','czlgj_f','Wa360218171');
    }catch(PDOException $e){
        echo $e;
        exit(0);
    }
    // A prepared statement, so no SQL injection here: the weakness is in how MySQL
    // compares CHAR values (trailing spaces are ignored), not in query construction.
    $query = "select * from login where name = ? and password = ?;";
    $sql = $db->prepare($query);
    $sql->execute(array($username,$password));
    $arr = $sql->fetchAll();
    if(!empty($arr)){
        $arr[0][0] = str_replace(' ','',$arr[0][0]);
        echo "<center>当前用户为:".$arr[0][0]."</center><br>";
    }
    if(!empty($arr) && trim($arr[0][0]) == 'admin')
    {
        echo "GJCTF{RandLpsxQQQ}";
        exit(0);
    }else if(!empty($arr)){
        echo "<center>登陆成功。然并卵。</center>";
        exit(0);
    }else{
        echo "登陆失败。";
        exit(0);
    }

}
?>

Registration page (register.php):

<html>
<head><title>注册</title></head>
<body>
<center><h1>欢迎来到注册页面</h1></center>
<center><h3>title:admin已被注册</h3></center>
<center>
    <form action="./register.php" method="post">
        <input type="text" name="username" placeholder="请输入用户名"><br><br>
        <input type="text" name="password" placeholder="请输入密码"><br><br>
        <input type="text" name="password2" placeholder="请再次输入密码"><br><br>
        <input type="submit" name="submit" value="提交"><br><br>
    </form>
</center>
</body>
</html>

<?php
if(!empty($_POST['submit']))
{
    // addslashes adds nothing on top of a prepared statement (it only stores literal
    // backslashes), and neither it nor htmlspecialchars touches trailing spaces.
    $username = addslashes(htmlspecialchars($_POST['username']));
    $password = addslashes(htmlspecialchars($_POST['password']));
    $password2 = addslashes(htmlspecialchars($_POST['password2']));
    // Exact comparison: 'admin' padded with spaces is not == 'admin' and is accepted.
    if($username == 'admin'){
        echo "<script>alert('admin已被注册!');window.location.href='./register.php';</script>";
        exit(0);
    }
    if($password !=$password2){
        echo "<script>alert('请确保两次输入的密码相同。');window.location.href='./register.php';</script>";
        exit(0);
    }
    try{
        $db = new PDO('mysql:host=7fp9co9h.2326.dnstoo.com;port=5505;dbname=czlgj','czlgj_f','Wa360218171');
    }catch (PDOException $e){
        echo $e;
        exit(0);
    }
    // name is char(10): a longer value is silently truncated and trailing spaces are
    // dropped on storage, so 'admin' + spaces is stored as a second 'admin' row.
    $sql = $db->prepare("insert into login values(?,?)");
    $sql->execute(array($username,$password));
    $number = $sql->rowCount();
    if($number!=0){
        echo "<script>alert('注册成功!');window.location.href='./login.php';</script>";
    }else{
        echo "<script>alert('注册失败!');window.location.href='./register.php';</script>";
    }
}
?>

I have also set up an instance of this environment on the public internet; anyone interested can go and take a look.
Environment link: http://www.czlgjbbq.top/GJCTF/login.php

Attack demonstration

Register a username consisting of admin followed by a long run of spaces; the password can be anything.

Then log in with that username and password: MySQL ignores the trailing spaces in the name column, so the new account is treated as admin and the flag is printed straight away.
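The mechanism above, as an added example that is not code from the original post: a small Python model of the two MySQL behaviours the attack relies on (CHAR truncation on storage and trailing-space-insensitive comparison under a PAD SPACE collation), with the post's exact-match registration gate beside a hardened one. The column width is taken from the post's schema; the function names and the attacker inputs are assumptions constructed for the demo.

```python
NAME_WIDTH = 10  # the post's table uses name char(10); helpers below are assumptions

def mysql_char_store(value, width):
    """CHAR(width) in non-strict sql_mode: truncate to width, then drop trailing
    spaces (CHAR values are stored right-trimmed). Strict mode does not help here:
    cutting off spaces only raises a warning, never an error."""
    return value[:width].rstrip(" ")

def mysql_pad_space_equal(a, b):
    """'=' under a PAD SPACE collation (the default): trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")

def find_user(table, name, password):
    """select * from login where name = ? and password = ? (first row or None)."""
    for row in table:
        if mysql_pad_space_equal(row[0], name) and row[1] == password:
            return row
    return None

def register_vulnerable(table, username, password):
    """The post's gate: only the exact string 'admin' is refused."""
    if username == "admin":
        return False
    table.append((mysql_char_store(username, NAME_WIDTH), password))
    return True

def register_hardened(table, username, password):
    """Refuse names the database would silently change, and check uniqueness
    with the same comparison the login query uses (a UNIQUE index on name
    gives the same protection inside MySQL, since 'admin ' = 'admin' there)."""
    if username != username.strip() or not username:
        return False                          # leading/trailing whitespace
    if len(username) > NAME_WIDTH:
        return False                          # would be truncated by char(10)
    if any(mysql_pad_space_equal(r[0], username) for r in table):
        return False                          # name already taken
    table.append((username, password))
    return True

def demo():
    """(padded registration accepted?, user the login lands on, hardened gate refuses?)"""
    padded = "admin" + " " * 20               # constructed attacker input
    table = [("admin", "PassAdmin")]           # constructed copy of the post's table
    accepted = register_vulnerable(table, padded, "attacker-pw")
    row = find_user(table, "admin ", "attacker-pw")  # 'admin ' is not == 'admin', so the login gate passes
    hardened = [("admin", "PassAdmin")]
    refused = not register_hardened(hardened, padded, "attacker-pw")
    return accepted, (row[0] if row else None), refused
```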