1 Experiment introduction

1.1 The experiment purpose

Because the web server is not rigorous enough to filter the code , There may be a risk of bypassing the universal user name or universal password .
Deepen the understanding of web page code and SQL Code understanding .

1.2 Experimental environment

Experimental target ——win2008 virtual machine ：

• The experimental range of this section is at win2008 The system is based on phpstudy Build a simple website ,win2008 And phpstudy The installation process of can refer to 《【 Language environment 】WAMP Environment deployment and optimization — With win2008R2SP1 For the operating system 》, The construction process of the website can refer to 《【(SQL+HTML+PHP) comprehensive 】 A case of comprehensive development of a simple forum website （ With user registration 、 Sign in 、 Cancellation 、 Modify the information 、 Message and other functions ）》.

• This experiment is conducted on the login page of the forum .
  

• The website's verification code for login account password is as follows .
  

<?php
include "../inc/dblink.inc.php"// Include the files of the database connection in this file 
?>
<html>
<head>
    <meta charset="utf-8">
    <title>   Sign in ---- Forum today </title>

</head>
<body>
    <h1> Forum today BBS</h1>
    <?php
    if(isset($_POST['userSubmit'])){
    
        if($_POST['vcode']==$_COOKIE['vcode']){
    
            $userName=$_POST['userName'];
            $userPass=$_POST['userPass'];
            $sql="select * from users where name='".$userName."' && password='".md5($userPass)."'";
            if($results=mysqli_query($link,$sql)){
    
                if(mysqli_num_rows($results)>0){
    
                    setcookie('name',$userName,time()+3600*24, "/PHP/jrltbbs");
                    // Be careful cookie The path of , Different path cookie Think it's two cookie
                    echo " Login successful , return <a href='../index.php'> home page </a> or <a href='./index.php'> Personal center </a>";
                }else{
    
                    echo " Wrong user name or password ,<a href='./login.php'> Please login again </a>";
                }
            }else{
    
                die("sql There is a mistake in the sentence ");
            }

        }else{
    
            echo " Verification code error ,<a href='./login.php'> Please login again </a>";
        }
    }else{
    
        $html=<<<HTML
       <form 
        method="post">
         user name ：<input type="text" name="userName"><br/>
         password ：<input type="password" name="userPass"><br/>
         Verification Code ：<input type="text" name="vcode"> 
        <iframe src= "./vcode.php" width="100" height=30 frameboder="0"></iframe><br>
        <input type="submit" name="userSubmit"  value=" Sign in ">
    </form>
HTML;
        echo $html;
    }
    ?>
    <hr/>
</body>
</html>

<?php
mysqli_close($link);
?>

Based on the above sql sentence , Can be preliminarily analyzed , The key variable is name, instead of password（ No matter what you type , It's all going on md5 encryption , Unable to proceed Sql Statement splicing ）

2 experiment

2.1 experimental analysis

（1） Above code 8 Line is used to check whether the account and password entered by the client exist in the database , The key to successful login lies in 10 That's ok if Statement to determine whether the condition is true , in other words As long as the user name or password constructed can make SQL Statement can successfully query and return results , You can log in .
（2） because SQL The statement is closed with single quotation marks , Therefore, the constructed statement needs to pay attention to the single quotation marks before and after shielding .

2.2 Experimental process

（1） Enter url http://172.16.1.1/PHP/jrltbbs/member/login.php Go to the login page of the website

（2） Enter the user name in the login interface aaa' or 1=1#, Password optional , as follows , Click login .

（3） You can see the successful login .

（4） Click on personal Center , You can see that the current login account is the first account registered in the database .

2.3 The experimental results are summarized — Universal user name and universal password

The experiment is carried out with the combination of different user names and passwords. The results are as follows . The universal user name letters in the table （ Such as aaa and a）, Note whether the user exists in the database or not , Will lead to different results .

Be careful ： When the background code filters and converts the input parameters , We need to pay attention to the various bypass skills we have learned before .

3 summary

（1） Deepen the understanding SQL Statement construction and bypass ;
（2） Master the method of universal user name and password detection .