时间戳

首页 > 解决方案 > 如何在localhost php文件上使用sqlmap,如何放置参数?

php - 如何在localhost php文件上使用sqlmap,如何放置参数?

问题描述

我在 XAMPP 上使用 MacOSx 和 apache 服务器

这是我的文件的链接 - http://localhost:8080/logi/index.php如果我写 sqlmap -u http://localhost:8080/logi/index.php?id=1 这个错误出现: [ CRITICAL] 所有测试参数似乎都不是可注射的。

我想检查我的登录表单是否存在漏洞,但我不明白我应该写哪些参数、哪个 id 或者我可能必须使用 --data?

这是我的代码:

<?php
SESSION_START();
require ('connect.php');
//This is the validation for the login
if(isset($_POST['login'])){
    $sql="SELECT * FROM members WHERE email=? AND password=?";
    $ss=mysqli_prepare($connect,$sql);
    $ss->bind_param("ss",$eu,$pe);
    $eu=$_POST['email'];
    $pe=$_POST['password'];
    $ss->execute();

    if(!empty($eu) && !empty($pe) && $ss->fetch()>0){
        $_SESSION['email']=$_POST['email'];
        header('Location:welcome.php');
    }

    if(empty($eu)){
        $eerr="Did you forget your email?";
    }elseif(empty($pe)){
        $pwerr="Password required";
    }elseif($ss->fetch()!==1){
        $eerr="That account do not exist";
    }


}

//This is the validation for registration
if(isset($_POST['register'])){
    $sql="SELECT * FROM members WHERE email=?";
    $sss=mysqli_prepare($connect,$sql);
    $sss->bind_param("s",$e);
    $e=$_POST['remail'];
    $pw=$_POST['rpassword'];
    $sss->execute();

    if(!empty($e) && !empty($pw) && $sss->fetch()<1 && filter_var($e, FILTER_VALIDATE_EMAIL)){
        $sql="INSERT INTO members (email,password)VALUES(?,?)";
        $sss=mysqli_prepare($connect,$sql);
        $sss->bind_param("s",$e);
        $pq=$_POST['rpassword'];
        $sss->execute();
        echo"You have signed up!";
    }

    if(empty($e)){
        $emailerr="Please provide your email adress!";
    }elseif(empty($pw)){
        $passworderr="Choose a password";
    }elseif($sss->fetch()>0){
        $emailerr="That account exist";
    }elseif(!filter_var($e, FILTER_VALIDATE_EMAIL)){
        $emailerr="Invalid email";
    }


}


?>
<!DOCTYPE html>
<html>
<head>
<title>Login and Registration</title>
<style>
span{
    color:red;
}
</style>
</head>
<body>
Login
<form action="" method="POST">
<input type="text" name="email" placeholder="Email"/><span><?php echo $eerr;?><span><br>
<input type="password" name="password" placeholder="Password"/><span><?php echo $pwerr;?></span><br>
<input type="submit" name="login" value="Login"/>
</form>
<br><br>
Register
<form action="" method="POST">
<input type="text" name="remail" placeholder="Email"><span>*<?php echo $emailerr;?></span><br>
<input type="password" name="rpassword" placeholder="Password"><span>*<?php echo $passworderr;?><span><br>
<input type="submit" name="register" value="Register"/>
</form>
</body>
</html

标签: phpsql-injectionsqlmap

解决方案

推荐阅读