Variable overwrite injection
Variable overwrite can be defined in general terms as a value taken from a request parameter replacing the value of an existing variable. The usual causes are: improper use of `$$` (variable variables), improper use of extract(), improper use of parse_str(), improper use of import_request_variables(), and enabling global variable registration (register_globals).
Case study
A concrete case is easier to understand; read it a few times and reproduce it yourself and it will become clear.
Assume the server-side code is a normal query:
<?php
// $id=$_REQUEST['x']; // take the value of parameter x passed via GET
$id=addslashes($_REQUEST['x']);
// $id=$_GET['x']; // take the value of parameter x passed via GET
// connect to the database
$conn=mysqli_connect('127.0.0.1','root','root');
// select the database on this connection
mysqli_select_db($conn,'dvwa');
// note: $id is interpolated unquoted, so addslashes() alone does not stop a payload such as x=1 or 1=1
$sql="select * from users where user_id=$id";
$result = mysqli_query($conn,$sql);
while($row=mysqli_fetch_array($result)){
echo "id:".$row['user_id']."<br>";
echo "user:".$row['user']."<br>";
echo "pass:".$row['password']."<br>";
}
mysqli_close($conn); // close the connection
echo "SQL statement executed:".$sql; // print the SQL command
?>
- Access:
192.168.203.128/test/sqlin.php?x=1
- When the server-side code contains a variable overwrite (the vulnerable version analysed below):
- Access:
192.168.203.128/test/sqlin.php?x=1
- Access:
192.168.203.128/test/sqlin.php?y=id
The above is a variable overwrite: the value of y is used as the name of the variable that receives the value of x.
When the source code has this problem, the overwrite can be turned into an injection:
- Access:
192.168.203.128/test/sqlin.php?y=id
- Access:
192.168.203.128/test/sqlin.php?y=id&x=1
Analysis:
// request 192.168.203.128/test/sqlin.php?y=id&x=1
$id=$_GET['y']; // --> $id='id'
$$id=addslashes($_REQUEST['x']); // --> $$id is $id, so $id='1'
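To make the analysis above concrete, here is an added example written for this article (it is not code from the original page). It reproduces the `$id=$_GET['y']; $$id=addslashes($_REQUEST['x']);` pattern in a function that returns the SQL string instead of executing it, so no database is needed, and places the extract() variant from the introduction and a hardened form beside it. The function names, the constructed request arrays, and the quoting of user_id (quoted here so that addslashes() has something to do) are assumptions of this example.

```php
<?php
// Added example, not from the original page: simulate variable overwrite
// without a database by returning the SQL string that would be run.

// Vulnerable: mirrors the page's pattern. The attacker chooses the variable
// NAME through y and the escaped VALUE through x. Only the value written via
// x is escaped; the raw y value stays in $id unless y happens to be "id".
function build_query_vulnerable(array $get, array $request): string
{
    $id  = $get['y'] ?? 'id';                 // raw, unescaped
    $$id = addslashes($request['x'] ?? '');   // writes to whatever $id names
    return "select * from users where user_id='$id'";
}

// Vulnerable variant from the introduction: extract() defaults to
// EXTR_OVERWRITE, so any request key clobbers a local of the same name.
function build_query_extract(array $get): string
{
    $id = 1;            // intended default
    extract($get);      // ?id=... silently replaces $id
    return "select * from users where user_id=$id";
}

// Hardened: fixed variable name, typed input. user_id is an integer column,
// so reject anything that is not an integer; with a live connection the
// query should additionally be a prepared statement, e.g.
//   $stmt = $conn->prepare("select * from users where user_id=?");
//   $stmt->bind_param('i', $id);
function build_query_hardened(array $request): string
{
    $id = filter_var($request['x'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('x must be an integer');
    }
    return "select * from users where user_id=$id";
}

// Constructed requests for demonstration.
$cases = [
    'normal (y=id&x=1)'          => ['y' => 'id', 'x' => '1'],
    'payload in x, escaped'      => ['y' => 'id', 'x' => "1' or '1'='1"],
    'payload in y, not escaped'  => ['y' => "1' or '1'='1"],
];
foreach ($cases as $name => $params) {
    echo $name, ': ', build_query_vulnerable($params, $params), PHP_EOL;
}
echo 'extract() overwrite: ', build_query_extract(['id' => '1 or 1=1']), PHP_EOL;
echo 'hardened: ', build_query_hardened(['x' => '1']), PHP_EOL;
```

The third case is the one the page's analysis points at: because the escaped value is stored in `$$id`, not in `$id`, a payload sent in y never passes through addslashes() and lands in the query verbatim, producing `where user_id='1' or '1'='1'`. The fix is not a stronger escaping function but removing the attacker's control over the variable name, which is what the hardened version does.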