发现一个Token repetition bug

by eric15342335 - opened Mar 13

Mar 13

谢谢分享模型！我想分享一下在我Ollama 0.17.7/Windows/RTX 4050跑的时候，观察到的一个现象：

>>> /clear
Cleared session context
>>> 怎么试探一个php登录页面有没有SQL注入潜力
Thinking...
好的，我们来一步步分析如何试探一个 PHP 登录页面是否存在 SQL 注入漏洞。

---

### 🚩 什么是 SQL 注入？

SQL 注入是一种攻击方式，攻击者通过在输入字段（如用户名、密码）中插入恶意的 SQL 代码，来操纵后端数据库查询。如果应用没有对用户输入进行充分的验证和转义，攻击者可能
获得数据库的访问权限、读取敏感数据、甚至完全控制数据库。

---

### ✅ 为什么登录页面是 SQL 注入的常见目标？

登录页面通常需要验证用户名和密码。如果这些字段直接拼接到 SQL 查询中（例如 `SELECT * FROM users WHERE username = '$username'`），而没有进行过滤或转义，就存在注入风
险。

---

### 🔍 如何试探是否存在 SQL 注入？

以下是一些常见的测试方法，**请先备份原始数据（如果可能）**，再进行测试。

---

#### 1. 基础测试：尝试注入 `'`

在用户名或密码字段中输入：

```
' OR 1=1 --
```

或

```
' OR 'a'='a
```

如果页面跳转到首页或提示“登录成功”，可能是存在注入漏洞。

> ✅ 正确示例：
> - 输入 `admin' OR '1'='1`（相当于 `admin' OR 1=1`）
> - 如果登录成功，则说明查询被注入。

---

#### 2. 试探字段数量

尝试判断登录页面是基于用户名+密码，还是单字段（如用户名）。

- 输入 `admin' AND 1=1 --`（测试是否能绕过）
- 如果成功登录，则说明该字段可以被注入。

---

#### 3. 检测数据库类型

注入后，尝试获取数据库信息。

例如，使用：

```
' UNION SELECT 1,2,3,4,5 --
```

如果页面正常响应，说明可以注入。

然后可以尝试：

```
' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 --
```

这个查询会尝试从数据库中获取更多字段信息。

---

#### 4. 获取数据库名

使用：

```
' UNION SELECT
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,571,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,5253,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,10858,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,1109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,1899,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,2190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261

Trina-QwQ

Owner 25 days ago

感谢反馈！请问repetition_penality temprature和top_p/top_k的值是多少？

eric15342335

25 days ago

是 repeat_penalty = 1
temperature = 0.6
top_p = 0.95
top_k = 20 喵，
但是很难复现，我这次试了5-6次才能成功

>>> /show info
  Model
    architecture        qwen3
    parameters          4.02B
    context length      262144
    embedding length    2560
    quantization        unknown

  Capabilities
    completion
    tools
    thinking

  Parameters
    stop              "<|im_start|>"
    stop              "<|im_end|>"
    temperature       0.6
    top_k             20
    top_p             0.95
    repeat_penalty    1

>>> /clear
Cleared session context
>>> 怎么试探一个php登录页面有没有SQL注入潜力
Thinking...
要试探一个 PHP 登录页面是否存在 SQL 注入漏洞，可以采取以下步骤（**注意：请先备份原始数据或测试环境，避免影响生产系统**）：

---

### ✅ 1. 基础注入测试（最常见）

在用户名或密码字段中输入以下内容：

#### ▶️ 用户名测试（常见注入点）
```sql
' OR '1'='1
```
示例：
```
username: ' OR '1'='1
password: any_value
```

**预期响应**：
- 如果页面登录成功 → 存在 SQL 注入漏洞（通常为布尔型注入）
- 如果页面拒绝登录 → 漏洞可能被过滤，尝试其他方式

---

### ✅ 2. 常见注入语句

| 类型 | 示例 |
|------|------|
| **布尔型注入** | `' OR '1'='1` |
| **时间延迟注入** | `' OR SLEEP(5)`（看页面是否延迟响应） |
| **获取数据库信息** | `' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,

eric15342335

25 days ago

感觉是UNION SELECT之后的数字才会出现这种情况?

Trina-QwQ

Owner 12 days ago

感觉是UNION SELECT之后的数字才会出现这种情况?

好w，我看看怎么修w

Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.

Tap or paste here to upload images

· Sign up or log in to comment