Home >Backend Development >PHP Tutorial >PHP injection solution_PHP tutorial

PHP injection solution_PHP tutorial

WBOY
WBOYOriginal
2016-07-13 17:09:12820browse

This article is mainly for side dishes. If you are already an old bird, some things may feel boring, but as long as you look carefully, you will find a lot of interesting things.

After reading this article, you only need to understand the following things.

1. Understand how the php+mysql environment is set up.
2. Have a general understanding of the configuration of php and apache, mainly using php.ini and httpd.conf
In this article we mainly use the configuration of php.ini. For safety reasons, we generally turn on the safe mode in php.ini, that is, let safe_mode = On, and the other is display_errors that returns PHP execution errors. This will return a lot of useful information, so we should turn it off,
That is, after setting display_errors=off to turn off the error display, the PHP function execution error information will no longer be displayed to the user.
There is also a very important configuration option magic_quotes_gpc in the PHP configuration file php.ini. The default for higher versions is magic_quotes_gpc=On, which is only available in the original antique PHP
The default configuration is magic_quotes_gpc=Off, but some people also use antique things!
What will happen when magic_quotes_gpc=On in php.ini? Don’t panic, the sky won’t fall! It just converts all ' (single quotes), " (double quotes), (backslashes) and null characters in the submitted variables into escape characters containing backslashes, for example, ' becomes ', Change it to \. This is what makes us very unhappy. Many times we have to say BYEBYE to character types,
But don’t be discouraged, we still have good ways to deal with it, take a look below!
3. Have a certain basic knowledge of PHP language and understand some SQL statements. These are very simple. We use very few things, so it’s still time to recharge!

Let’s first take a look at what we can do when magic_quotes_gpc=Off, and then we’ll figure out how to deal with magic_quotes_gpc=On

1: Injection when magic_quotes_gpc=Off

ref="http://hackbase.com/hacker" target=_blank>attack

Although magic_quotes_gpc=Off is very unsafe, the new version also allows it by default
magic_quotes_gpc=On, but we also found magic_quotes_gpc=Off in many servers, such as www.qichi.*.
There are also some programs like vbb forum. Even if you configure magic_quotes_gpc=On, it will automatically eliminate escape characters and give us an opportunity, so
The injection method of magic_quotes_gpc=Off is still very popular.

Below we will explain mysql+php injection in detail from the aspects of syntax, injection point and injection type

A: Let’s start with MYSQL syntax

1. Let me first talk about some basic syntax of MySQL, which can be regarded as a supplementary lesson for children who have not studied well~_~
1) select
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
Select_expression,...
[INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
[FROM table_references
         [WHERE where_definition]
          [GROUP BY col_name,...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] ,...] ; ]
These are the commonly used ones. select_expression refers to the column you want to retrieve. Later we can use where to restrict the conditions. We can also use into outfile to output the select results to a file. Of course we can also use select to directly output
For example

mysql> select 'a';

+---+
| a |
+---+
| a |
+---+
1 row in set (0.00 sec)
For details, please see section 7.12 of the mysql Chinese manual
Here are some uses
Let’s look at the code first
This code is used for searching
.........
SELECT * FROM users WHERE username LIKE ‘%$search%’ ORDER BY username
.......
?>

Here we talk about the wildcards in mysql by the way, '%' is the wildcard character, other wildcard characters include '*' and '_', among which "*" is used to match field names, and "%" is used to match fields Value, please note that % must be applied together with like, and there is also a wildcard character, which is the underscore "_", which has a different meaning from the above and is used to match any single character. In the above code, we use '*' to represent all returned field names, and %$search% represents all content containing the $search character.

How do we inject it?

Haha, very similar to asp
Submit in the form
Aabb%' or 1=1 order by id#
Note: # means a comment in mysql, which means that the following sql statements will not be executed, which will be discussed later.
Some people may ask why or 1=1 is used, see below,

Put the submitted content into the sql statement to become

SELECT * FROM users WHERE username LIKE ‘%aabb%’ or 1=1 order by id# ORDER BY username

If there is no username containing aabb, then or 1=1 makes the return value still true, enabling all values ​​to be returned

We can still do this

Submit in the form
%' order by id#
or
' order by id#
Bring it into the sql statement and become
SELECT * FROM users WHERE username LIKE ‘% %’ order by id# ORDER BY username
and
SELECT * FROM users WHERE username LIKE ‘%%’ order by id# ORDER BY username
Of course, all content is returned.
All users are listed, and maybe even their passwords are listed.
Here is an example first. More subtle select statements will appear below. Select is actually almost everywhere!
2) See the update below
This is explained in the Mysql Chinese manual:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1,col_name2=expr2,...
         [WHERE where_definition]
UPDATE updates the columns of an existing table row with new values. The SET clause specifies which columns are to be modified and the values ​​they should be given. The WHERE clause, if given, specifies which rows should be updated, otherwise all rows are updated.
For details, please see Section 7.17 of the MySQL Chinese Manual. It would be very wordy to introduce in detail here.
It can be seen from the above that update is mainly used for data updates, such as article modifications and user profile modifications. We seem to be more concerned about the latter because...
Look at the code first
Let’s first give the structure of the table so that everyone can understand it
CREATE TABLE users (
id int(10) NOT NULL auto

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629770.htmlTechArticleThis article is mainly for novices. If you are already an old bird, maybe some things will It feels rather boring, but as long as you look carefully, you will find a lot of interesting things. ...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn