Common SQL attack regular expressions in PHP

Source: Internet
Author: User

As is well known, in MySQL 5+ the INFORMATION_SCHEMA database stores the names of all databases, tables and columns. The attack therefore proceeds as follows:

1. Determine whether the first character of the first table name is in the range a-z; here blind_sqli is assumed to be an already known database name.

Note: in the regular expression, ^[a-z] means that the first character of the string lies in the range a-z.

The code is as follows

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*

2. Determine whether the first character is in the range a-n.

The code is as follows

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*

3. Determine whether the first character is n.

The code is as follows

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*

4. The expression is then extended one character at a time:

The code is as follows

'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE

This means the table name is news. To confirm it, the regular expression '^news$' can be used, although that is not strictly necessary: checking table_name = 'news' directly works just as well.

5. To guess the remaining tables, only the LIMIT clause needs to change (LIMIT 1,1 -> LIMIT 2,1, and so on); each further table can then be inferred blindly in the same way.
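The probes in steps 1 to 5 only succeed because the id parameter is spliced straight into the SQL text. As an added example that is not part of the original post, the PHP below shows that vulnerable construction next to a hardened version that validates the parameter and binds it through a PDO prepared statement. The articles table, the function names and the use of the pdo_sqlite driver (chosen so the example runs offline, with no MySQL server) are assumptions of the example.

```php
<?php
// Added example (not from the original post). Assumes an "articles" table
// with an integer id and a title, and the pdo_sqlite extension.

// VULNERABLE: the raw request value is concatenated into the statement, so
// a value shaped like "1 and 1=(SELECT 1 FROM information_schema.tables ...)"
// becomes part of the SQL and its true/false outcome leaks one bit per request.
function fetchArticleUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT title FROM articles WHERE id=" . $id;   // never do this with request data
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not an integer, then bind the value.
// The SQL text and the value travel to the database separately, so no part
// of the parameter can be parsed as SQL, whatever characters it contains.
function fetchArticle(PDO $pdo, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    $stmt = $pdo->prepare("SELECT title FROM articles WHERE id = :id");
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO articles (id, title) VALUES (1, 'hello')");

// The payload shape from step 1, as it would arrive in $_GET['id'].
$payload = "1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema=\"blind_sqli\" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*";

print_r(fetchArticle($pdo, "1"));
try {
    fetchArticle($pdo, $payload);
} catch (InvalidArgumentException $e) {
    // The probe is rejected before any SQL is built; nothing reaches the database.
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Integer validation is the allowlist check for this particular parameter; the prepared statement is what protects parameters that legitimately contain quotes, comparison operators or comment sequences, which no character blacklist can safely strip.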

Example patterns

The code is as follows

$Exec_commond = "(\s|\S)*(exec(\s|\+)+(s|x)p\w+)(\s|\S)*";
$Simple_XSS = "(\s|\S)*((%3C)|<)((%2f)|/)*[a-z0-9%]+((%3e)|>)(\s|\S)*";
$Eval_XSS = "(\s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*";
$Image_XSS = "(\s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6d)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3e)|>)(\s|\S)*";
$Script_XSS = "(\s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*";
$SQL_injection = "(\s|\S)*((%27)|(')|(%3d)|(=)|(/)|(%2f)|(\")|((%22)|(-|%2d){2})|(%23)|(%3b)|(;))+(\s|\S)*";

SQL attack filter code

The code is as follows
<?php

// Custom error handler: prints a short notice and stops the script.
// Note: fatal E_ERROR is never dispatched to user handlers, so the mask
// passed below only matters for the error types PHP can hand over.
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br/>";
    die();
}

set_error_handler("customError", E_ERROR);

// Blacklist patterns for GET, POST and cookie data; compiled with the /is flags below.
$getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

// Checks one request value against a pattern; logs the request and aborts on a match.
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode($StrFiltValue);
    }
    // The check is skipped entirely whenever the request carries a securityToken parameter.
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1 && !isset($_REQUEST['securityToken'])) {
        slog("<br><br>Operation IP: " . $_SERVER["REMOTE_ADDR"]
            . "<br>Operation time: " . date("Y-m-d H:i:s")
            . "<br>Action page: " . $_SERVER["PHP_SELF"]
            . "<br>Submission method: " . $_SERVER["REQUEST_METHOD"]
            . "<br>Submitted parameter: " . $StrFiltKey
            . "<br>Submitted data: " . $StrFiltValue);
        print "result Notice: illegal operation!";
        exit();
    }
}

foreach ($_GET as $key => $value) {
    StopAttack($key, $value, $getfilter);
}

foreach ($_POST as $key => $value) {
    StopAttack($key, $value, $postfilter);
}

foreach ($_COOKIE as $key => $value) {
    StopAttack($key, $value, $cookiefilter);
}

// Appends one record to log.htm next to the script. The record contains the raw
// submitted data, so the file should not be reachable from the web root.
function slog($logs)
{
    $toppath = "log.htm";
    $Ts = fopen($toppath, "a+");
    fputs($Ts, $logs . "\r\n");
    fclose($Ts);
}

?>
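To see what a blacklist of this kind actually does in practice, the following added example (not code from the original post) runs two of the patterns above, $SQL_injection from the example patterns and $getfilter from StopAttack(), over a handful of constructed request values: the blind probe from step 1 and several benign values. The helper name matchedPatterns and the sample values are constructed for the example; the patterns are copied from the post.

```php
<?php
// Added example (not from the original post). The patterns are the post's own;
// the helper, the delimiter choice and the sample values are constructed here.

$sqlInjectionPattern = "(\s|\S)*((%27)|(')|(%3d)|(=)|(/)|(%2f)|(\")|((%22)|(-|%2d){2})|(%23)|(%3b)|(;))+(\s|\S)*";
$getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

// Returns the names of the patterns that match one request value.
// Uses ~ as the delimiter: $SQL_injection contains a bare "/" in "(/)", which
// would terminate the pattern early if wrapped in "/" the way StopAttack() does.
function matchedPatterns(string $value, array $patterns): array
{
    $hits = [];
    foreach ($patterns as $name => $pattern) {
        // Same flags as StopAttack(): case-insensitive, dot also matches newline.
        if (preg_match("~" . $pattern . "~is", $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$patterns = [
    'SQL_injection' => $sqlInjectionPattern,
    'getfilter'     => $getfilter,
];

// Constructed sample values, as they might appear in $_GET.
$samples = [
    // the blind probe from step 1: quote, "=" and "and ... =" all trip the filters
    "1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema=\"blind_sqli\" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*",
    // benign values: an apostrophe in a surname and a slash in a URL
    "O'Brien",
    "https://example.com/page",
    // benign prose: "and ... in" satisfies the (and|or)\b.+?(...|in|...) branch
    "Tea and coffee are available in the lobby",
    // plain numeric id
    "42",
];

foreach ($samples as $value) {
    $hits = matchedPatterns($value, $patterns);
    printf("%-80s -> %s\n", $value, $hits ? implode(', ', $hits) : 'no match');
}
```

The probe is flagged by both patterns, but so are the surname, the URL and the sentence, while only the plain number passes: a character-based blacklist blocks ordinary data that happens to contain quotes, slashes or the words "and" and "in". Two further points for anyone deploying StopAttack(): the check is bypassed for any request that carries a securityToken parameter, so that parameter must never be accepted from the client, and the filter should be treated as a logging aid at most, with prepared statements doing the actual protection.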


Analysis

Once this function is in place, PHP's standard error handling is bypassed and the handler you defined (here one that ends with die()) takes over.

Second, if an error occurs before the handler has been registered, the user-defined handler is not installed yet, so it cannot be used to process that error.

PHP also provides its own error-handling mechanism: set_error_handler() lets you take over PHP's error handling, and trigger_error() lets you raise an error deliberately.

The set_error_handler() function installs a user-defined error handler, allowing you to define your own error-handling method at run time. You first write the handler function and then register it together with the error level it should receive.

Usage:

The code is as follows

function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error code:</b> [{$errno}] {$errstr}\r\n";
    echo "Error line: {$errline} file {$errfile}\r\n";
    echo "PHP version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
    die();
}

set_error_handler("customError", E_ALL | E_STRICT);
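The handler above prints the file path and line number straight to the client, which is exactly the disclosure the summary warns about. As an added example, not from the original post, the following handler keeps that detail in a server-side log and shows the user only a reference id, while still honouring error_reporting() and still working with trigger_error(). The log path /var/log/app/php-errors.log and the function name safeErrorHandler are assumptions of the example.

```php
<?php
// Added example (not from the original post). Assumes the web server may
// write to the constructed path below; keep it outside the web root.
const APP_ERROR_LOG = '/var/log/app/php-errors.log';

function safeErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Respect the @ operator and the error_reporting() mask, as PHP itself would.
    if (!(error_reporting() & $errno)) {
        return false;   // hand back to PHP's standard handler
    }

    // Full detail, including the real path, goes only to the server-side log.
    $ref = bin2hex(random_bytes(4));
    $record = sprintf("[%s] ref=%s errno=%d %s in %s:%d\n",
        date('Y-m-d H:i:s'), $ref, $errno, $errstr, $errfile, $errline);
    error_log($record, 3, APP_ERROR_LOG);

    if (ini_get('display_errors')) {
        // Development setting: showing the detail locally is fine.
        echo htmlspecialchars($record), "<br/>\n";
    } else {
        // Production: the user gets a reference id that support can match
        // against the log, but no path, line number or message text.
        echo "An internal error occurred (reference $ref).<br/>\n";
    }

    // E_USER_ERROR cannot sensibly be continued from; stop the script.
    if ($errno === E_USER_ERROR) {
        exit(1);
    }
    return true;   // handled; PHP's internal handler is not run
}

set_error_handler('safeErrorHandler', E_ALL);

// trigger_error() raises an error through the same mechanism described above.
trigger_error("constructed warning for demonstration", E_USER_WARNING);

// A genuine run-time warning takes the same path (undefined variable read).
echo $notDefinedAnywhere ?? '', "\n";
echo $notDefinedAnywhere, "\n";
```

Two caveats when relying on this: fatal errors (E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR) are never passed to a user handler, so registering with E_ERROR alone, as the filter script earlier does, changes nothing for them; and because the handler returns false for errors masked out by error_reporting(), display_errors should be Off and log_errors On in production so that fallback path stays silent towards the client.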

Summary

When PHP encounters an error it reports the script's location, the line number and the cause, and many people consider this harmless. But the consequences of revealing the real filesystem path can be serious: to an intruder this information is very valuable, and in practice many servers still have this problem today. Some administrators simply set display_errors to Off in the PHP configuration, but I find that approach too passive. There are times when we really do need PHP to return error information for debugging, and when an error occurs you may also want to give the user an explanation, or even redirect them to another page. With set_error_handler(), these conflicting needs can be reconciled.

Yet this function is rarely used.
