When the URL is requested with id=1' Base64-encoded (http://127.0.0.1/sqli/base64.php?id=MSc%3d), the page returns an error. The Base64 encodings of 1 and 1=1 and of 1 and 1=2 are MSBhbmQgMT0x and MSBhbmQgMT0y respectively; requesting id=MSBhbmQgMT0x and then id=MSBhbmQgMT0y gives the results shown in Figure 60 and Figure 61.
<?php
$id=base64_decode(@$_GET['id']);
$con=mysqli_connect("localhost","root","root","test");
// check the connection
if(mysqli_connect_errno()) {echo "连接失败: ".mysqli_connect_error(); }
mysqli_select_db($con,'test');
// $id is decoded but never validated, then concatenated straight into the query (the injection point)
$sql="select * from users where id=$id";
$result=mysqli_query($con,$sql);
if(!$result) {exit("error"); }
while($row=mysqli_fetch_array($result)) {
    echo "ID:".$row['id']." ";
    echo "user:".$row['username']." ";
    echo "pass:".$row['password']." ";
    echo "";
}
mysqli_close($con);
echo "now use ".$sql."";
?>
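As an added illustration (not the book's code), the same flaw and its fix in Python, using an in-memory SQLite table as a constructed stand-in for the book's MySQL users table: Base64 decoding is only a transport step, so the decoded value has to be validated and bound as a query parameter instead of concatenated.

```python
import base64
import sqlite3

# Constructed in-memory stand-in for the book's `users` table (not the page's MySQL setup).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "p1"), (2, "bob", "p2")])
    return con

def decode_id(param):
    # Mirrors base64_decode(@$_GET['id']): decoding reverses the encoding, it filters nothing.
    return base64.b64decode(param).decode("utf-8", "replace")

def vulnerable_lookup(con, param):
    # Same shape as the page's script: the decoded value is spliced into the SQL text,
    # so "1 and 1=2" changes the WHERE clause and "1'" produces a syntax error.
    sql = f"select * from users where id={decode_id(param)}"
    return con.execute(sql).fetchall()

def safe_lookup(con, param):
    # Hardened form: require the decoded value to be an integer and bind it as a parameter,
    # so whatever the client encoded can only ever be compared as a number.
    raw = decode_id(param)
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("select * from users where id=?", (int(raw),)).fetchall()
```

Feeding the page's MSBhbmQgMT0x / MSBhbmQgMT0y values to vulnerable_lookup reproduces the true/false difference the figures show, while safe_lookup rejects both before any query runs.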
Because the code does not filter the decoded $id and concatenates $id directly into the SQL statement, a SQL injection vulnerability exists. When id=1 union select 1,2,3--+ is requested (Base64-encoded before sending), the SQL statement executed is: