sql注入环境搭建
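# The demo imports both tornado (web server) and pymysql (MySQL driver),
# so both packages have to be installed, not only tornado.
pip install tornado pymysql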
import tornado.ioloop
import tornado.web
import pymysql
class LoginHandler(tornado.web.RequestHandler):
    """Deliberately vulnerable login handler: the "before" example of the write-up.

    The query in ``post`` is built by string formatting, so the ``username``
    and ``password`` form fields become part of the SQL text itself (the
    injected queries printed later on the page are produced by this line).
    Keep it only as the demonstration; the parameterised handler further
    down is the version to copy.
    """
    def get(self, *args, **kwargs):
        # Render the login form (login.html is not part of this page).
        self.render("login.html")
    def post(self, *args, **kwargs):
        # Both values come straight from the request body and are untrusted.
        username = self.get_argument('username', None)
        password = self.get_argument('password', None)
        # NOTE(review): host and root credentials are hard-coded; a real
        # service reads them from configuration and uses a least-privilege
        # database account.
        conn = pymysql.connect(host='192.168.2.11', port=3306, user='root', password='123456', db='bbs')
        cur = conn.cursor()
        # VULNERABLE: %-formatting pastes the raw form values into the SQL
        # text, so a quote character in either field changes the query's
        # structure. Passing the values as execute() parameters is the fix.
        tmp = "select username from userinfo where username = '%s' and password='%s'" % (username, password)
        # Printing the full query also writes the submitted password to stdout.
        print(tmp)
        effect_row = cur.execute(tmp)  # affected-row count; never read
        res = cur.fetchone()
        if res:
            self.write("登录成功")
        else:
            self.write("登录失败")
        conn.commit()
        # NOTE(review): if execute() raises, these close() calls are skipped
        # and the connection leaks; wrap them in try/finally.
        cur.close()
        conn.close()
# Tornado application settings for the demo; empty, so nothing is overridden.
settings = {}

# Route table: only the login page is served.
handlers = [
    (r'/login', LoginHandler),
]
application = tornado.web.Application(handlers, **settings)
if __name__ == '__main__':
    # Print the URL of the login form, then serve it on port 8888
    # until the IOLoop is stopped.
    print("http://127.0.0.1:8888/login")
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()
-- Demo schema for the write-up. The password is stored as plain text so
-- the login SELECT can compare it directly; a real application stores a
-- salted password hash and does the comparison in application code.
create table userinfo(
    username varchar(40),
    password varchar(40)
);
-- Seed row that the login form and the injected examples below match.
insert into userinfo(username,password)values(
    'maotai','123456'
);
![[sql]sql注入 [sql]sql注入](/default/index/img?u=L2RlZmF1bHQvaW5kZXgvaW1nP3U9YUhSMGNITTZMeTlwYldGblpYTXlNREU0TG1OdVlteHZaM011WTI5dEwySnNiMmN2TVRNeE1qUXlNQzh5TURFNE1EUXZNVE14TWpReU1DMHlNREU0TURReE56RXpOREF4TnpBNU5TMHhNRGd6TVRJMU1qRXpMbkJ1Wnc9PQ==)
![[sql]sql注入 [sql]sql注入](/default/index/img?u=L2RlZmF1bHQvaW5kZXgvaW1nP3U9YUhSMGNITTZMeTlwYldGblpYTXlNREU0TG1OdVlteHZaM011WTI5dEwySnNiMmN2TVRNeE1qUXlNQzh5TURFNE1EUXZNVE14TWpReU1DMHlNREU0TURReE56RXpOREUxT1RJNU1DMHhOakU1TkRrM01Ea3dMbkJ1Wnc9PQ==)
模拟sql注入
使用注释
maotai' -- f
![[sql]sql注入 [sql]sql注入](/default/index/img?u=L2RlZmF1bHQvaW5kZXgvaW1nP3U9YUhSMGNITTZMeTlwYldGblpYTXlNREU0TG1OdVlteHZaM011WTI5dEwySnNiMmN2TVRNeE1qUXlNQzh5TURFNE1EUXZNVE14TWpReU1DMHlNREU0TURReE56RXpOREkxTVRZME1DMHhNekF4T0RZeE9UWTBMbkJ1Wnc9PQ==)
select username from userinfo where username = 'maotai' -- f' and password='123456'
使用or
aaron ' or 1=1 -- c
![[sql]sql注入 [sql]sql注入](/default/index/img?u=L2RlZmF1bHQvaW5kZXgvaW1nP3U9YUhSMGNITTZMeTlwYldGblpYTXlNREU0TG1OdVlteHZaM011WTI5dEwySnNiMmN2TVRNeE1qUXlNQzh5TURFNE1EUXZNVE14TWpReU1DMHlNREU0TURReE56RXpORGN3TnpFME5TMHlNamt4TURBMU9EY3VjRzVu)
select username from userinfo where username = 'aaron ' or 1=1 -- c' and password='123213'
修复sql注入漏洞
![[sql]sql注入 [sql]sql注入](/default/index/img?u=L2RlZmF1bHQvaW5kZXgvaW1nP3U9YUhSMGNITTZMeTlwYldGblpYTXlNREU0TG1OdVlteHZaM011WTI5dEwySnNiMmN2TVRNeE1qUXlNQzh5TURFNE1EUXZNVE14TWpReU1DMHlNREU0TURReE56RTBNREExT1RjMU15MHlOamd4TWpJME1TNXdibWM9)
import tornado.ioloop
import tornado.web
import pymysql
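class LoginHandler(tornado.web.RequestHandler):
    """Login handler with the query parameterised: the "after" example.

    ``post`` hands the form values to ``cursor.execute`` as bound
    parameters instead of formatting them into the SQL text, so the
    driver quotes them and they cannot change the query's structure.
    """

    def get(self, *args, **kwargs):
        """Render the login form (login.html is not part of this page)."""
        self.render("login.html")

    def post(self, *args, **kwargs):
        """Check the submitted username/password against ``userinfo``.

        Writes ``登录成功`` when a matching row exists and ``登录失败``
        otherwise. The cursor and connection are closed in ``finally``
        blocks so an error raised by the driver no longer leaks them
        (the original closed them only on the success path).
        """
        # Untrusted form input; it is only ever passed as a bound
        # parameter below, never formatted into the SQL text.
        username = self.get_argument('username', None)
        password = self.get_argument('password', None)
        # NOTE(review): the demo hard-codes root credentials; a real
        # service reads them from configuration and uses a least-privilege
        # account that can only read userinfo.
        conn = pymysql.connect(host='192.168.2.11', port=3306, user='root', password='123456', db='bbs')
        try:
            cur = conn.cursor()
            try:
                # %s here is the driver's placeholder, not Python formatting:
                # pymysql escapes each value before it reaches the server.
                cur.execute(
                    "select username from userinfo where username=%s and password=%s",
                    (username, password),
                )
                res = cur.fetchone()
            finally:
                cur.close()
            # The write-up's schema stores the password in plain text; a real
            # application stores a salted hash and compares against that.
            if res:
                self.write("登录成功")
            else:
                self.write("登录失败")
            conn.commit()
        finally:
            conn.close()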
# No Tornado settings are overridden for the demo.
settings = {}

# Single route: the login page handled by LoginHandler.
routes = [(r'/login', LoginHandler)]
application = tornado.web.Application(routes, **settings)
if __name__ == '__main__':
    # Print the URL of the login form, then serve it on port 8888
    # until the IOLoop is stopped.
    print("http://127.0.0.1:8888/login")
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()