May I ask about the technology used to attack PHP websites?

I would like to ask you about the technology used to attack the PHP website. Recently, an abnormal instructor gave us an abnormal question. I hope you can give me some suggestions: & nbsp; he created a personal site built with Linux + Apache + PHP + PostgreSQL in the internal LAN, then, our job is to find the website bug or attack it directly (this article describes the techniques used to attack the PHP website.
Hello everyone. Recently, we have an abnormal instructor who gave us an abnormal subject. I hope you can give me some suggestions:
He created a personal site built with Linux + Apache + PHP + PostgreSQL in the internal LAN, then, our job is to find the website bug or attack it directly (I want the thief to take over its server and change it to a black screen !), Find a bug and add points...
The two methods for the moment are:
1. write a shell and test it infinitely until you find a legal account for the website. (A few of you have already done this. the login request package reaches 5 minutes and 10 000, but fails because the instructor is cunning and the ID is not a common user or webadmin, therefore, this method is difficult)
2. use session to write an article (I saw it online, but I don't know how to operate it)

Therefore, there is a lot of conflict, and there is no good idea in this field. Therefore, we would like to ask experts to give us some advice here. if you can give a brief introduction to the details, you will be grateful.

Thank you for pulling the score first. The answer is satisfactory.



------ Solution --------------------
SQL inject/XSS/CC ....
------ Solution --------------------
It's amazing...
------ Solution --------------------
SQL inject/XSS
These two are relatively reliable
------ Solution --------------------
For reference only:


How to intrude a php website

Lecture 1: Determine whether there are injection points
This is very simple. The most commonly used page format is: index. php? Id = 2. we know that PHP is often used with the MYSQL database. there must be a table in the MYSQL database, such as setting_table. when we submit the address above, the program generally handles the following:
1. use GET or POST to GET the id = 1 we submitted and pass this value to a variable id.
2. query: select * from setting_table where id = $ id
The preceding statement is the query statement. The $ id = 1 is:
Select * from setting_table where id = 1
There is no problem with this. the information with id 1 is displayed to us, so we can see the normal page.

--------------
Let's see how we judge:
1. we submit id = 1 and 1 = 1
Let's see what the result is. $ id here is 1 and 1 = 1. let's see what it looks like:
Select * from setting_table where id = 1 and 1 = 1
This statement adds an and statement, followed by 1 = 1, which is certainly true, so it will not affect the above statement. It will also take out the id = 1 information and display it to us, so we can see the original normal page.
2. we submit id = 1 and 1 = 2
Let's take a look at the effect. $ id here is 1 and 1 = 2. let's see how to execute it in SQL.
Select * from setting_table where id = 1 and 1 = 2
After analyzing this statement, the previous statement is the same, but an and 1 = 2 is added at last. this is naturally not true! And because it is connected with and, so naturally cannot find the matching conditions! Only one error or blank page can be displayed ~!!
The above is the basic original which we generally use and 1 = 1 & and 1 = 2 to judge, but here we should pay attention to the following points:
1. the where id = $ id instead of where id = $ id must be used for processing. this single quotation mark is very different ..
2. The program does not process the submitted parameters or the processing is poor. as a result, we can directly submit them. if the program processes more submitted parameters, it will be different!
Lecture 2: quickly determine the MYSQL version
Premise: you get an injection point, for example, news. php? Id = 1
You found this point. The results returned by submitting and 1 = 1 and 1 = 2 are different.
We can guess the MYSQL version in this way .. The procedure is as follows:
1. submit/news. php? Id = 1 /*! 40000% 20 s */if the returned result is normal, it indicates that the MYSQL version is earlier than 4000. you can adjust the highest digit in sequence. for example, if I change to 39000 for submission, submit 38000 .... until the error message is returned, the final fix is the MYSQL version ..
The following is the test submission process (only MYSQL version is written)
40000 (+) -- 39000 (+) -- 38000 (+) -- 370000 (-) -- 37900 (+) -- 37800 (+) -- 37700 (-) -- end !!
The MYSQL version is 37700.
2. generally, we don't want to guess the specific version. we only need to know if MYSQL is above 4.0. we think that only MYSQL above 4.0 supports UNION queries. the following statements are not supported, so we often only use /*! 40000% 20 s */check if the version is later than 4.0.
PS :/*! 40000% 20 s */Here /*!...... */It is a special annotation method in mysql. it's not surprising. remember how to use it ~~
Lecture 3: How to get the table name through PHP injection ..
I am preparing to write it. When someone asks me, I will summarize it. let's take a third lecture!

Quote:
Originally posted by spirit at 2006-5-16 05:57 PM:
I read a lot of articles...
The content is comprehensive.
But I never know how to create a table.
You cannot directly retrieve fields ..??
Come one by one
Database Table field value...
I think this logic is correct ....
By the way, I still feel it...
The table is really hard to work out. Unlike ASP, PHP is not violent until now. we generally have two methods:
1. experience-based guesses: for example, common admin, user, news, vote, wenzhang, guanliyuan, etc ..
2. View brute-force code: use Load_file to obtain the code of the file, and you will be able to see what table and fields the data is interpolated to. this will be clear, but load_file is also very skillful .. I will talk about it later ..
--------------------------------------------
Let's talk about it in detail:
1. there is nothing to say, just guess it. for example, you can see an injection point, similar to news. php? Id = 1. you can use union to query specific fields, such as news. php? Id = 1 and 1 = 2 union select 1, 2, 3, 4 is true,
You can guess: news. php? Id = 1 and 1 = 2 union select 1, 2, 3, 4 from admin/* if the admin table exists, the true result is returned. Otherwise, the admin table does not exist. Others are the same as this one.
2. this is a bit Ultimate. for example, if you get his absolute path, you can use load_file (file path) to output the file code, such as the page on which the administrator logs on, you can see the SQL statement in the table where he got the value, right?
This is the principle. I want to share my thoughts with you ....
Lecture 4: Difference in quotation marks
Many of my friends don't know much about the function of quotes. they think that adding quotation marks is the same effect as not adding them ..
Quotation marks (including single and double quotes) have a great impact on our injection. here they are mainly related to the status of magic. when magic is off, it has no effect, when magic is on, it is very different ..