sql和shell注入测试
1.整数型参数,必须intval转义,用addslashes转义不行
<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$sql =" select * from tbl1 where id=$test";
print $sql;
//输入test=1 or 1=1 得到 select * from tbl1 where id=1 or 1=1被注入
?>
<?php
$test = $_REQUEST["test"];
$test = intval($test);
$sql =" select * from tbl1 where id=$test";
print $sql;
//输入 test=1 or 1=1 得到 select * from tbl1 where id=1
?>
2.字符串型参数,必须addslashes转义
<?php
$test = $_REQUEST["test"];
$sql =" select * from tbl1 where xxx='$test'";
print $sql;
//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1' or 1=1' 被注入
?>
<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$sql =" select * from tbl1 where xxx='$test'";
print $sql;
//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1\' or 1=1'
?>
3.执行系统命令的,必须 escapeshellarg 转义
<?php
$test = $_REQUEST["test"];
$cmd ="host ".$test;
print $cmd;
//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname ,越界命令被执行了
?>
<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$cmd ="host ".$test;
print $cmd;
//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname ,越界命令被执行了,addslashes不能防护shell注入
?>
<?php
$test = $_REQUEST["test"];
$test = escapeshellarg($test);
$cmd ="host ".$test;
print $cmd;
//输入test=www.baidu.com%26%26uname 得到 host "www.baidu.com&&uname"
?>