0x00
Since moving to OneNote I haven't published a new post for a long time, but I still think it is worthwhile. I have recently started learning PHP code auditing, so I will start posting some of these notes!
First, I'll begin with the DVWA test platform. The links below are the references from the experts I learned from; thanks for sharing:
1. http://drops.wooyun.org/papers/483
2. http://www.lxway.com/86980986.htm (is_numeric function bypass)
3. http://www.cnblogs.com/safe3/archive/2008/08/22/1274095.html (wide-byte injection via character-encoding bypass)
0x01
First, the simplest low-level PHP code:
$id = $_GET['id']; // no filtering or anti-injection handling at all
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
Looking at this code, we can see that $id is not handled at all, which leads to an SQL injection vulnerability. All kinds of injection work here, so I won't go into detail!
0x02
Medium level, code:
$id = $_GET['id'];
$id = mysql_real_escape_string($id); // the id parameter is escaped here
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
The mysql_real_escape_string function escapes the id parameter; specifically it performs the following escapes:
- ' → \'
- " → \"
- \ → \\
- \n → \\n
I think there are two ways to get around this handling:
- Numerical injection
- Wide byte injection
1. Numerical injection
Since this function mainly handles special characters in string contexts, we can inject without using any special characters at all, i.e. numeric injection.
Construction: 1 Select User from users
This lets you obtain the accounts and passwords in the users table. Of course, you may ask: what if you don't know the name of the specific table? Then we can try union-based boolean injection.
Construction: 1+Union+Select+1,(Select+ Case+ when+Char( the)=(SelectMID (table_name,0,1) fromInformation_schema.tables limit0,1)+ Then+2+End)
The value in char() and the limit offset need to be varied, which can take time, so we can write a Python script for it (PS: placeholder for now). Time-based (delay) injection can also achieve the same effect.
2. Wide byte injection
mysql_real_escape_string escapes by prefixing a '\', whose URL encoding is %5c, so we put %df%5c in front of the %27 in the parameter, where %df%5c is a valid GBK character.
After the function processes it, it becomes %df%5c%5c%27: %df%5c is one GBK character, followed by \\'.
When MySQL decodes the string as GBK it treats %df%5c as a single character, so the escaping backslash is consumed and the ' is no longer escaped.
Construction: 1 %DF%5c%| | 1 + --
The addslashes function has the same problem; see the links at the beginning of the article for details.
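To make both bypasses of the medium level concrete from the defender's side, here is an added example (my own Python, not DVWA's or PHP's code). It models mysql_real_escape_string byte by byte, models how the MySQL lexer scans a quoted literal under latin1 and under GBK, and checks whether the user value stays contained where the application put it. The single-byte escape table and the GBK byte ranges follow the documented behaviour of those components; the charset-aware rule (a lone lead byte is itself backslash-escaped) is what the client library does once the connection charset is set, e.g. with mysql_set_charset(). The PREFIX string and the function names are my own.

```python
import re

# Added example: byte-level model of DVWA's medium-level query construction and
# of two escaping behaviours of mysql_real_escape_string. None of this is PHP
# or MySQL code; the rules are re-implemented so the effect can be checked offline.

PREFIX = b"SELECT first_name, last_name FROM users WHERE user_id = "  # assumed query shape

# Single-byte escapes applied by mysql_real_escape_string.
_SINGLE = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}


def _gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a well-formed GBK double-byte character
    (lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE)."""
    return (i + 1 < len(data)
            and 0x81 <= data[i] <= 0xFE
            and 0x40 <= data[i + 1] <= 0xFE and data[i + 1] != 0x7F)


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware escaping (connection charset left at latin1)."""
    return b"".join(_SINGLE.get(b, bytes([b])) for b in data)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping (connection charset set to gbk): valid pairs are
    copied whole; a lead byte without a valid trail byte is itself escaped, so
    it can never swallow the backslash that follows it."""
    out, i = bytearray(), 0
    while i < len(data):
        if _gbk_pair(data, i):
            out += data[i:i + 2]; i += 2
        elif 0x81 <= data[i] <= 0xFE:                 # lone lead byte
            out += b"\\" + bytes([data[i]]); i += 1
        else:
            out += _SINGLE.get(data[i], bytes([data[i]])); i += 1
    return bytes(out)


def literal_end(query: bytes, start: int, server_gbk: bool):
    """Scan the single-quoted literal opening at query[start] the way the
    server's lexer does; return the index just past the closing quote, or
    None if the literal never terminates."""
    i = start + 1
    while i < len(query):
        if server_gbk and _gbk_pair(query, i):
            i += 2                                     # one multi-byte character
        elif query[i] == 0x5C:
            i += 2                                     # backslash escapes one byte
        elif query[i] == 0x27:
            if i + 1 < len(query) and query[i + 1] == 0x27:
                i += 2                                 # '' is an escaped quote
            else:
                return i + 1
        else:
            i += 1
    return None


def numeric_context_contained(id_param: bytes) -> bool:
    """Medium level as written: escaped but unquoted. The value is only
    harmless if what follows '= ' is a bare integer."""
    query = PREFIX + naive_escape(id_param)
    return re.fullmatch(rb"-?\d+", query[len(PREFIX):]) is not None


def quoted_context_contained(id_param: bytes, escape, server_gbk: bool) -> bool:
    """Quoted literal: contained iff the literal closes exactly at the
    application's own closing quote and nothing follows it."""
    query = PREFIX + b"'" + escape(id_param) + b"'"
    return literal_end(query, len(PREFIX), server_gbk) == len(query)


def hardened_numeric_query(id_param: bytes) -> bytes:
    """Fix for the numeric context: cast instead of escaping (ValueError on junk)."""
    return PREFIX + str(int(id_param.decode("latin-1"))).encode()


if __name__ == "__main__":
    wide = b"\xdf'"  # the %df + %27 input discussed in the post
    print(numeric_context_contained(b"1"), numeric_context_contained(b"1 or 1"))
    print(quoted_context_contained(wide, naive_escape, server_gbk=False))  # latin1 server: contained
    print(quoted_context_contained(wide, naive_escape, server_gbk=True))   # gbk server: quote escapes
    print(quoted_context_contained(wide, gbk_escape, server_gbk=True))     # charset-aware: contained
```

The numeric-context case cannot be solved by escaping at all, which is why the fix there is a cast (or binding the value as a query parameter). The quoted case only goes wrong when the server decodes a charset whose trail bytes include 0x5c, such as GBK; with a UTF-8 connection the continuation bytes lie in 0x80-0xBF, so a backslash can never be absorbed into a character.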
0x02
High-level PHP code:
$id = $_GET['id'];
$id = stripslashes($id);              // strip backslashes from the parameter
$id = mysql_real_escape_string($id);  // escape special characters in id
if (is_numeric($id)) {                // is it a number or a numeric string?
    ...
}
OK, so this now seems fairly safe: the first two functions handle string-type injection, and then is_numeric handles numeric injection.
However, this can still lead to SQL injection, namely second-order injection; the constraints are stricter, but there is still a chance to inject.
For example, when executing the SQL statement:
Insert into Values ($s);
The string passed in at this point is $s = 0x31206f722031
You can see that this is a hexadecimal number, so it passes the is_numeric check, and decoding the hex we find that the value of $s is actually '1 or 1'.
So how does this play out in the database?
The hex is transcoded into 1 or 1 and stored; the value is later read back from the database and, without any processing, placed into another SQL statement.
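As an added example (not DVWA's code), the following Python models the high-level numeric check and the second-order flow just described against an in-memory SQLite table, so the effect is observable offline. SQLite stands in for MySQL, the users rows are constructed, and the value stored mirrors what MySQL makes of the unquoted 0x... literal (a string, not a number). One caveat a practitioner should know: is_numeric() accepted hexadecimal strings only before PHP 7, so php5_is_numeric below models that older behaviour, and strict_is_int is the check I would use instead.

```python
import re
import sqlite3

# Added example: models PHP's is_numeric() (pre-PHP-7 rules, which accept hex
# strings) against a strict integer check, then shows the stored value being
# reused with and without parameter binding. SQLite replaces MySQL here.

_PHP5_NUMERIC = re.compile(
    r"^\s*[+-]?(0x[0-9a-f]+|(\d+\.?\d*|\.\d+)(e[+-]?\d+)?)$", re.I)


def php5_is_numeric(s: str) -> bool:
    """Model of is_numeric() before PHP 7: decimal, float and 0x... strings."""
    return _PHP5_NUMERIC.match(s) is not None


def strict_is_int(s: str) -> bool:
    """Hardened check: digits only, no hex, no sign, no whitespace."""
    return re.fullmatch(r"\d+", s) is not None


def mysql_hex_literal_value(s: str) -> str:
    """MySQL reads an unquoted 0x... token as a hexadecimal string literal,
    so INSERT ... VALUES (0x31206f722031) stores the decoded bytes."""
    return bytes.fromhex(s[2:]).decode("ascii")


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'alice', 'a'), (2, 'bob', 'b'), (3, 'carol', 'c');
        CREATE TABLE saved (stored_id TEXT);
    """)  # constructed sample rows
    return con


def first_order(con, s: str, validator) -> bool:
    """The high-level page: store s only if the numeric check passes."""
    if not validator(s):
        return False
    value = mysql_hex_literal_value(s) if s.lower().startswith("0x") else s
    con.execute("INSERT INTO saved VALUES (?)", (value,))
    return True


def second_order_concat(con) -> int:
    """Another page reuses the stored value by string concatenation (the bug)."""
    (stored,) = con.execute("SELECT stored_id FROM saved").fetchone()
    rows = con.execute("SELECT first_name FROM users WHERE user_id = " + stored).fetchall()
    return len(rows)


def second_order_bound(con) -> int:
    """Same lookup with the stored value bound as a parameter (the fix)."""
    (stored,) = con.execute("SELECT stored_id FROM saved").fetchone()
    rows = con.execute("SELECT first_name FROM users WHERE user_id = ?", (stored,)).fetchall()
    return len(rows)


def run_scenario(s: str, validator):
    """Returns (stored?, rows via concatenation, rows via binding)."""
    con = setup()
    if not first_order(con, s, validator):
        return (False, None, None)
    return (True, second_order_concat(con), second_order_bound(con))


if __name__ == "__main__":
    print(run_scenario("0x31206f722031", php5_is_numeric))  # stored as '1 or 1': 3 rows vs 0
    print(run_scenario("0x31206f722031", strict_is_int))    # rejected up front
    print(run_scenario("2", strict_is_int))                 # legitimate id: 1 row either way
```

Two things are worth noting. The lax check is only the first defect: even with '1 or 1' in the database, the second query is harmless when the value is bound as a parameter, because a value that is data at write time must also be treated as data at read time. And the strict check closes the hex path entirely, which matters for applications still on PHP 5.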
0x03
That's the analysis of the SQL part of the code; if anything is wrong, corrections are welcome!
Next up: SQL blind injection :)
PHP code audit learning: DVWA SQL