Security issues caused by MySQL character set encoding
2019-10-19 19:11:10 Author: forum.90sec.com

Starting with MySQL 8.0 the default character set is utf8mb4, but there are always databases configured with gbk or similar, so encoding-related security issues may still exist.

My character set configuration here is as follows:

[image: screenshot of the character set settings, not reproduced here]

The table's character set is also gbk.

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPW', 'password');
define('DBNAME', 'stu');
define('DBPORT', '3306');

$link = @mysqli_connect(DBHOST, DBUSER, DBPW, DBNAME, DBPORT);

// Append every single byte value to a known sno and query for it; if the
// row still matches, the server dropped or folded that trailing byte
// during character set conversion.
for ($i = 0; $i < 256; $i++) {
    $c = chr($i);
    $name = @mysqli_real_escape_string($link, '201215121' . $c);
    $sql = "SELECT * FROM `s` WHERE `sno` = '{$name}'";
    $result = @mysqli_query($link, $sql);
    $row = @mysqli_fetch_array($result, MYSQLI_NUM);
    // $row is false/null when the query fails or returns nothing
    if ($row && $row[0] == '201215121') {
        echo "$i";
        echo "{$c} <br/>";
    }
}

Printing $c may produce garbled output, so you can use echo utf8_encode($c); instead.

Verification code:

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPW', 'password');
define('DBNAME', 'stu');
define('DBPORT', '3306');

$link = @mysqli_connect(DBHOST, DBUSER, DBPW, DBNAME, DBPORT);

// Deliberately unfiltered: the raw GET parameter goes straight into the
// query so the charset behaviour can be observed.
$name = @$_GET['name'];

$sql = "SELECT * FROM `s` WHERE `sno` = '{$name}'";

$result = @mysqli_query($link, $sql);
$row = @mysqli_fetch_array($result, MYSQLI_NUM);
echo $row[0];

?>

Requesting 127.0.0.1/index.php?name=admin%c2 shows that the query succeeds.
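A hardened counterpart to the verification script, added here as an example and not code from the original post: it declares the connection charset through the driver, rejects input that is not a complete byte sequence in that charset, and parameterises the query. Host, credentials, database and table `s` follow the post; the helper name valid_in_charset is my own.

```php
<?php
// Added example (not part of the original post): hardened version of the
// verification script. Host, credentials, database and table `s` come
// from the post; the helper name valid_in_charset is my own.
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPW', 'password');
define('DBNAME', 'stu');
define('DBPORT', '3306');

// Surface driver errors as exceptions instead of hiding them with @.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect(DBHOST, DBUSER, DBPW, DBNAME, DBPORT);

// 1. Declare the connection charset through the API (not via "SET NAMES"),
//    so the client library and mysqli_real_escape_string() agree with the
//    server. gbk is kept to match the post; utf8mb4 is preferable for new
//    deployments.
mysqli_set_charset($link, 'gbk');

// 2. Reject input that is not a complete, valid byte sequence in that
//    charset. A dangling lead byte such as "admin\xC2" fails this check and
//    never reaches the server, where it would otherwise be folded to "admin".
function valid_in_charset(string $s, string $charset): bool
{
    return mb_check_encoding($s, $charset);
}

$name = $_GET['name'] ?? '';
if (!valid_in_charset($name, 'GBK')) {
    http_response_code(400);
    exit('invalid encoding');
}

// 3. Parameterise the query: the value is sent separately from the SQL
//    text, so no quoting or charset trick in $name can alter the statement.
$stmt = mysqli_prepare($link, 'SELECT `sno` FROM `s` WHERE `sno` = ?');
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $sno);

if (mysqli_stmt_fetch($stmt)) {
    // Result bytes are gbk; convert before HTML-escaping for a UTF-8 page.
    header('Content-Type: text/html; charset=utf-8');
    echo htmlspecialchars(mb_convert_encoding($sno, 'UTF-8', 'GBK'), ENT_QUOTES, 'UTF-8');
} else {
    echo 'no match';
}
```

With this version the request name=admin%c2 is answered with HTTP 400 rather than matching the admin row.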

Here is a reference table of the characters for ASCII codes 0-256:

https://blog.csdn.net/ttmice/article/details/50978054

Other character sets need to be tested separately.

References:
https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html
https://www.leavesongs.com/PENETRATION/Mini-XCTF-Writeup.html


Source: https://forum.90sec.com/t/topic/544/1