Common PHP vulnerabilities: Injection Vulnerability injection brings controllable user variables into database operations and changes the original SQL intention. For example, in the logic of registering a user, when detecting whether the user name exists, you can retrieve the user name submitted by the user to the database for query. If the user name is not properly filtered in the code logic, you can submit some special characters to complete the injection.
The main reason for injection is that many programmers prefer statement concatenation when writing SQL statements.
According to the SQL classification, injection is generally divided into four types:
-
Select
-
Update
-
Insert
-
Delete
If there is a mysql error, these four methods can use error injection, which is very convenient; if there is no mysql error
-
Select injection: try to use union select + Echo for injection. if there is no echo, blind injection is enough.
-
Update injection: if it is at the position of the update set, we can find which column of the table will be displayed. For example, if an update injection point is in the user table and is controllable in the set position, we can update the column by email, then go to the user information and check your email to get the data. The statement is, for example, update table set email = (select user (). if it is after where, this is generally the case of blind injection.
-
Insert injection: it is usually used to find which column will not be displayed. try to insert the data to this column as much as possible. If it is not displayed, it is also a blind note.
-
Delete injection: generally, it is blind injection.
Numeric injection is mainly because its variables are not enclosed in single quotes. However, it is basically forced type conversion, such as intval ($ username. But sometimes there are omissions.
However, both the simplified type and the search type have single quotation marks. Therefore, you must close the single quotes before injecting them.
Speaking of single quotes, I have to say that the Magic_quotes_gpc configuration in php. ini is on by default in a slightly higher version, but has been abolished in 5.4.
Literally, it's just for gpc quote. The content of GPC corresponds to GET, POST, and COOKIE. the escape character is '\ NULL. the escape method is to add an escape character before. As a result, the original meaning is lost and single quotes cannot be closed for injection.
Addslashes is not performed globally
Such vendors do not perform addslashes on GET/POST/COOKIE globally. these vendors will perform addslashes on user-controllable variables during query, even without addslashes, the query is directly carried in.
In this way, even if you perform addslashes during the query, you can find a few missing addslashes in many cases. This is relatively simple, not to mention.
Global addslashes
Vendors who are a little better now know that they are doing addslashes on GET/POST/COOKIE in the global file (or even escape or pre-compile them in the function that is brought into the query, which is a top-notch issue) therefore, you don't have to worry about missing content or forget about addslashes. First, get magic quotes gpc to determine whether the gpc is enabled. if not, call addslashes to escape. If it is enabled, it will not be used for addslashes. Addslashes is not enabled.
The following describes some common injection methods.
Wide byte injection
This is an old-fashioned question. it has been a long time since the wide-byte injection of the database character set GBK. However, if the character set is GBK, Width-byte injection can be performed.
There are always some friends who say what I think the cms character set is gbk, but why cannot It be wide bytes?
This is because the database connection methods are different. When the database is connected, Set names gbk can be used to provide a wide byte.
But now it is basically invisible. Because binary reading is basically set. Such a wide byte is basically gone, but there is another one, because the conversion character set causes wide byte injection. For example, convert from utf8 to gbk or from gbk to utf8 or something.
Example: WooYun: 74cms latest injection 8-9
Resolution: The word "expires" is changed from UTF8 to GBK and then % e5 % 5c 74. cms implements addslashes for GET/POST/COOKIE, therefore, if 'escape is \ '-> % 5C % e5 % 5c % 5c', it is enclosed in single quotation marks.
Example 2: WooYun: qibocms download system SQL injection (reproduced on the official website)
Injection caused by decoding
Because in the global file addslashes, if we can find some decoded ones, such as urldecode and base64_decode, we will submit the encode first, so we will not be escaped. Then decode the code and then bring it into the query, resulting in injection, ignoring gpc.
This is common. Many examples can be found at will.
Example: WooYun: qibocms B2B injection // qibocms injection
Example: WooYun: phpdisk V7 SQL injection 2 // phpdisk injection
Injection caused by variable overwrite
Common variables include extract and parse_str functions, and $.
Variable overwrites must be combined with specific scenarios. For example, extract ($ _ POST), directly extracts the variable from the POST array. In this case, we have encountered several issues and then replaced some of the previous variables.
Overwrite the table prefix. For example, Select * from $ pre_admin where xxx overwrites $ pre, then directly supplements the statement and injects it.
Example: WooYun: qibocms classification injection can be upgraded to management by yourself
Example 2: WooYun: phpmps injection
Of course, $ is also a good example.
Example 3: WooYun: The latest MetInfo version (5.2.4): SQL blind injection vulnerability
Injection caused by some replace
In some cms, there are always some funny filter functions. for example, the replace of 'whatever is empty, but he seems to have forgotten that he has escaped globally.
At this time, when the user submits a ', the global definition is converted to \', and then the filter function will replace the 'with Null, then \ is left, resulting in a single quotation mark, if it is a double query
select * from c_admin where username=’admin\’ and email=’inject#’
This allows injection.
Example: WooYun: PHPCMS full version kill SQL Injection Vulnerability
Of course there are some replace that users can control. That is to say, the user can submit the information as Null, for example, the injection of cmseasy and ecshop long ago.
For example, this code:
$order_sn = str_replace($_GET['subject'],'',$_GET['out_trade_no']);
This is because it will be escaped. If 'is submitted as \', we can see that it is empty here and we get it. then we can find a way to replace \ to replace it.
However, if we use GET to submit \ to replace, it will be escaped, that is, replace out \. However, we only need \ ', so we cannot remove \. if I have \, you need to clear the hair.
Here we will clarify our ideas:
Addslashes will escape '"\ NULL
' => \'" => \"\ => \\NULL => \0
Here, we will submit % 00', which will be escaped to generate \ 0 \ '. at this time, we will commit again to replace 0 with null, and then it will become \', the single quotation marks are successful.
Example: WooYun: cmseasy bypasses patch SQL injection
SERVER injection caused by not escaping
In many cms, the addslashes of The get post cookie are basically used, but the SERVER is not escaped. Some SERVER variables can also be controlled by users. For example, there are many QUERY_STRING X_FORWARDED_FOR CLIENT_IP HTTP_HOST ACCEPT_LANGUAGE.
The most common here is X_FORWARDED_FOR, which is generally used in ip functions. If the ip address is not verified to be valid, return directly. This will usually cause injection.
Example 1: WooYun: Phpyun injection vulnerability 2
Here we talk about verifying ip addresses. here we basically use regular expressions to verify if they are valid. Some vendors may write errors in their regular expressions. For example, in the regular expression (%. +) of the ip address verified in cmseasy, arbitrary characters can be written later.
Example 2: WooYun: CmsEasy unlimited SQL injection in the latest version
Injection caused by FILES not escaped
This is also similar because only the cookie get post is escaped globally, and FILES are omitted and not subject to gpc.
FILES injection is generally because of the upload, the upload name will be taken into the insert database. Then the file name is controllable, which leads to injection.
Example: WooYun: qibocms yellow page system SQL injection
In addition, the file name is escaped only when the file is stored. after obtaining the suffix, the file name is escaped when the file is stored, but the suffix is not escaped.
Example: WooYun: Supesite foreground injection #2 (Insert)
Uninitialized injection
A long time ago, for the convenience of php <4.20, register_globals was on by default. The disadvantages of register_globals are also apparent, so the default is off a long time ago.
Nowadays, many cms like to imitate register_globals to create a pseudo-global mechanism. For example, qibocms metinfo destoon.
This is a lot easier, but if initialization is omitted, it will lead to injection. I think this is quite interesting. I have found several more examples.
Example: WooYun: qibocms local Portal system injection (demo test)
Example: WooYun: qibocms local Portal system injection (multiple similar, demo test)
Example: WooYun: Qibo local Portal system SQL Injection Vulnerability (batch login is not required)
Example: WooYun: Qibo whole site/local portal SQL Injection Vulnerability
Injection caused by keys in the array
During Global escape, many cms only checks whether gpc is enabled. if it is off, the value in the array will be addslashes, but the key in the array will be escaped.
This also causes a problem. That is, when Gpc is off, the key of the array is not filtered, resulting in single quotation marks. (I heard that earlier php versions do not escape keys in two-dimensional arrays even if gpc on)
If the key in the array is read and then brought into the query, it will also cause security problems.
There are many such examples. It's terrible.
Example: WooYun: qibocms V7 the latest version of SQL is injected into one and the other place where escape characters can be introduced. // Array key injection
Example: WooYun: qibocms multiple systems bypass the patch to continue injection 2
Example: all open-source systems of WooYun: qibocms, Getshell
Example: WooYun: Discuz 5.x 6.x 7.x front-end SQL Injection Vulnerability
Offset injection
This is a common injection.
The code is roughly as follows:
If $ _ GET [a] submits an array with a key of 0, $ a is the value of the corresponding key.
However, it is not mandatory to be an array. Then we commit a string, and the [0] after it is the first character to be truncated. In global, single quotes are escaped as \ ', and the first character is intercepted \. \ Will eat a single quotation mark, and then write inject at $ B to inject it.
Example: WooYun: qibocms local Portal system injection #4 (demo test)
And the injection of Disucz 7.2 sent by map is the same.
Injection caused by third-party plug-insA common hole. Common uc and alipay tenpay chinabank, especially uc, because striplashes are used in the default uc.
For Uc, the default uckey is used. Or the constant uckey is not initialized at all, which leads to uckey control and Getshell or injection.
What about tenpay and alipay? some of them are because they forget to include the filtered files, and the key is empty by default, so they can pass verification.
Example: WooYun: phpmps injection (other user passwords can be modified, and the website is successful) // phpmps uc injection
Example: WooYun: PHPEMS (online examination system) design defect Getshell one (the official website has shell)/phpems uc caused getshell
For example: WooYun: The Tuu group purchases can be injected with one, which can be directly promoted to manage and unlimited money collection. // Chinabank injection
Example: WooYun: Destoon SQL injection vulnerability 2 (conditional) // destoon tenpay injection
Example: WooYun: CSDJCMS: The latest SQL script version. // csdj tenpay injection
Digital injectionIn fact, it's not just a number, but it's just like this in some places that forget to add single quotes. Here, only the numeric type will not be enclosed in single quotes.
This is generally the case:
$id=$_GET[id];Select * from table where id=$id;
$ Id, which is not enclosed in single quotes and is not forced to convert the type. even if addslashes is used, it is not affected because you do not need to close single quotes.
Example: WooYun: qibocms local Portal system injection #3 (demo test)
It is not a number type, and some other points also forget to add single quotes, resulting in injection.
Example: WooYun: Supesite foreground injection #3 (Delete)
Secondary InjectionIt is also a common injection. It involves warehouse receiving and warehouse picking. Because there is a global escape, and then when the database is imported
Insert into table (username) values ('a \'');
In this way, the escape character will disappear, and it is '. If you query the database again, that is, the database is a'. If you import the database again, then the single quotation marks are successfully introduced again, resulting in injection.
Example: WooYun: phpyun v3.2 (20141226.
Example: WooYun: qibocms local Portal system secondary injection #5 (demo test)
Example: WooYun: 74cms (20140709) secondary injection
Example: WooYun: The latest version of Hdwiki is injected twice.
Injection caused by intercepting charactersSome cms sometimes limits the length of user input, so only part
For example, cutstr ($ asd, 32) of uchome );
In this way, only 32 characters can be entered, and this in uchome is not followed by a character as in dz...
Then, if we submit a 1111111111111111111111111111111 'escaped to 1111111111111111111111111111111 \'And then truncate 32 characters, which is 1111111111111111111111111111111 \
If it is a double query, eat a single quotation mark, and then the next connected controllable variable can be injected.
Example: WooYun: Hdwiki (20141205) has seven SQL injection vulnerabilities (including vulnerabilities with improper processing and security) // 0x06
Example: WooYun: Hdwiki (20141205) has seven SQL injection vulnerabilities (including vulnerabilities with improper processing and security) // 0x06
Reposted from: http://drops.wooyun.org/papers/4544. The basic information of the original document is simplified.