2. Test page setup:
Login page (login.html)
[root@node1 code]# cat /opt/app/code/login.html
jeson SQL injection demo
Validation page (validate.php)
[root@node1 code]# cat /opt/app/code/validate.php
<?php
// Deliberately vulnerable demo page: POST fields are interpolated straight into the SQL string.
// Note: the mysql_* extension used here was removed in PHP 7; this script targets PHP 5.
$conn = mysql_connect("localhost", "root", "<db-password>"); // placeholder: the real password is not shown on the page
mysql_select_db("info", $conn) or die("The database you selected does not exist");
$name = $_POST['username'];
$pwd  = $_POST['password'];
// No escaping and no parameter binding: a username such as  admin' or 1=1#  rewrites the WHERE clause.
$sql  = "select * from users where username = '$name' and password=md5('$pwd')";
echo $sql."\n";   // the demo prints the final query so the injected clause is visible
$query = mysql_query($sql);
$arr   = mysql_fetch_array($query);
if ($arr) {
    echo "login success!\n";
    echo $arr[1];
    echo $arr[3]."\n";
} else {
    echo "login failed!";
}
?>
3. Test login and injection:
Normal login
Login succeeds: the injected `or 1=1` makes the SQL WHERE condition true, and the `#` sign comments out the rest of the query (the password check).
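For contrast, an added example (not part of the original post) of how validate.php looks once user input is kept out of the SQL grammar with mysqli prepared statements; it assumes a `users` table with `username` and `password_hash` columns (hashes produced by `password_hash()` rather than `md5()`), and the database credentials are placeholders:

```php
<?php
// Hardened replacement for the demo's validate.php (added example, not from the original page).
// Assumptions: table `users` with columns `username` and `password_hash`; credentials are placeholders.
declare(strict_types=1);

function authenticate(mysqli $conn, string $name, string $pwd): bool
{
    // Placeholder binding: the input  admin' or 1=1#  is compared literally
    // against the username column and never reaches the query parser as SQL.
    $stmt = $conn->prepare(
        'SELECT password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Salted, slow hash verified in constant time instead of md5() in the WHERE clause.
    return $found && password_verify($pwd, $hash);
}

$conn = new mysqli('localhost', 'app_user', '<db-password>', 'info');
if ($conn->connect_error) {
    http_response_code(500);
    exit('database unavailable');   // no query text or row contents are echoed back
}

$name = (string)($_POST['username'] ?? '');
$pwd  = (string)($_POST['password'] ?? '');

echo authenticate($conn, $name, $pwd) ? "login success!\n" : "login failed!\n";
```

Replaying the injected username from the test above against this version returns "login failed!", and the application no longer echoes the built query or row fields to the client.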
4. nginx+lua firewall
Download the ngx_lua_waf plugin and move it to the target directory:
[root@node1 code]# mkdir /etc/nginx/waf
[root@node1 code]# yum install -y git
[root@node1 code]# git clone https://github.com/loveshell/ngx_lua_waf.git
[root@node1 data]# mv ngx_lua_waf /etc/nginx/waf/
Configure nginx.conf
[root@node1 waf]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes 4;
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 35535;
events {