Home >Backend Development >PHP Tutorial >PHP injection solution_PHP tutorial
This article is mainly for side dishes. If you are already an old bird, some things may feel boring, but as long as you look carefully, you will find a lot of interesting things.
After reading this article, you only need to understand the following things.
1. Understand how the php+mysql environment is set up.
2. Have a general understanding of the configuration of php and apache, mainly using php.ini and httpd.conf
In this article we mainly use the configuration of php.ini. For safety reasons, we generally turn on the safe mode in php.ini, that is, let safe_mode = On, and the other is display_errors that returns PHP execution errors. This will return a lot of useful information, so we should turn it off,
That is, after setting display_errors=off to turn off the error display, the PHP function execution error information will no longer be displayed to the user.
There is also a very important configuration option magic_quotes_gpc in the PHP configuration file php.ini. The default for higher versions is magic_quotes_gpc=On, which is only available in the original antique PHP
The default configuration is magic_quotes_gpc=Off, but some people also use antique things!
What will happen when magic_quotes_gpc=On in php.ini? Don’t panic, the sky won’t fall! It just converts all ' (single quotes), " (double quotes), (backslashes) and null characters in the submitted variables into escape characters containing backslashes, for example, ' becomes ', Change it to \.
This is what makes us very unhappy. Many times we have to say BYEBYE to character types,
But don’t be discouraged, we still have good ways to deal with it, take a look below!
3. Have a certain basic knowledge of PHP language and understand some SQL statements. These are very simple. We use very few things, so it’s still time to recharge!
1: Injection when magic_quotes_gpc=Off
ref="http://hackbase.com/hacker" target=_blank>attack
Although magic_quotes_gpc=Off is very unsafe, the new version also allows it by default
magic_quotes_gpc=On, but we also found magic_quotes_gpc=Off in many servers, such as www.qichi.*.
There are also some programs like vbb forum. Even if you configure magic_quotes_gpc=On, it will automatically eliminate escape characters and give us an opportunity, so
The injection method of magic_quotes_gpc=Off is still very popular.
A: Let’s start with MYSQL syntax
1. Let me first talk about some basic syntax of MySQL, which can be regarded as a supplementary lesson for children who have not studied well~_~
1) select
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
Select_expression,...
[INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
[FROM table_references
[WHERE where_definition]
[GROUP BY col_name,...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] ,...] ; ]
These are the commonly used ones. select_expression refers to the column you want to retrieve. Later we can use where to restrict the conditions. We can also use into outfile to output the select results to a file. Of course we can also use select to directly output
For example
+---+
| a |
+---+
| a |
+---+
1 row in set (0.00 sec)
For details, please see section 7.12 of the mysql Chinese manual
Here are some uses
Let’s look at the code first
This code is used for searching
.........
SELECT * FROM users WHERE username LIKE ‘%$search%’ ORDER BY username
.......
?>
How do we inject it?
Haha, very similar to asp
Submit in the form
Aabb%' or 1=1 order by id#
Note: # means a comment in mysql, which means that the following sql statements will not be executed, which will be discussed later.
Some people may ask why or 1=1 is used, see below,
SELECT * FROM users WHERE username LIKE ‘%aabb%’ or 1=1 order by id# ORDER BY username
If there is no username containing aabb, then or 1=1 makes the return value still true, enabling all values to be returned
We can still do this
Submit in the form
%' order by id#
or
' order by id#
Bring it into the sql statement and become
SELECT * FROM users WHERE username LIKE ‘% %’ order by id# ORDER BY username
and
SELECT * FROM users WHERE username LIKE ‘%%’ order by id# ORDER BY username
Of course, all content is returned.
All users are listed, and maybe even their passwords are listed.
Here is an example first. More subtle select statements will appear below. Select is actually almost everywhere!
2) See the update below
This is explained in the Mysql Chinese manual:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1,col_name2=expr2,...
[WHERE where_definition]
UPDATE updates the columns of an existing table row with new values. The SET clause specifies which columns are to be modified and the values they should be given. The WHERE clause, if given, specifies which rows should be updated, otherwise all rows are updated.
For details, please see Section 7.17 of the MySQL Chinese Manual. It would be very wordy to introduce in detail here.
It can be seen from the above that update is mainly used for data updates, such as article modifications and user profile modifications. We seem to be more concerned about the latter because...
Look at the code first
Let’s first give the structure of the table so that everyone can understand it
CREATE TABLE users (
id int(10) NOT NULL auto