有这样的查询:
select * from tablename where username='value1' and password='value2';
如果我设置以下字段:
username ='admin' and password ='admin';
然后我以管理员身份登录网站。
现在,如果我想 SQL 注入我的查询,我将在用户名字段中输入 value
'or 1=1,之后查询将执行如下:
select * from tablename where username ='' or 1=1
假设在此之后的所有内容都成功执行了查询。
我的问题是基于上面的例子,我们将以什么用户身份登录?
作为:
1. 管理员
2. 还是表中的第一行?
3.或任何其他用户以及如何?
这只是一个 SQL 查询,它不会登录或执行任何其他应用程序功能。如何处理检索到的数据完全取决于特定的应用程序。
代码可能会愉快地使用结果记录集中的第一行,并假定这是要登录的用户。它也可能抛出异常,例如,如果查询正在使用 LINQ 完成.SingleOrDefault()并被使用。没有看到应用程序代码,就无法知道。
All rows in the tablename table will be returned to whatever is running this query. The order in which these rows are returned isn't well defined (and tables don't have an order, so your guess of "first row" is wrong for a number of reasons)
We'd then need to see the consuming code to know what happens - it might take the first row it's given, it might take the last row it's given (different runs of this query could have different first and last rows, because as I said, the order isn't well defined). It may attempt to (in some manner) merge all of the resulting rows together.
You shouldn't try to reason about what happens when your code is subject to SQL injection, you should just apply adequate defenses (e.g. parameterized queries) so you don't have to think about it again.
For example, lets say, for the sake of argument, that this query always returned the rows in some particular order (so long as the moon is full), such that the lowest UserID (or similar) is the first row, and that the consuming code uses the first returned row and ignores other rows. So you decide to "cunningly" create a dummy user with UserID 0 which can't do anything and warns you of an attack.
Well, guess what - all the attacker has to do is inject an ORDER BY CASE WHEN UserName='Admin' THEN 0 ELSE 1 END into the query - and bingo, the first row returned is now guaranteed to be the Admin user.