On PHP Common Vulnerability Third bomb: Injection vulnerability

Source: Internet
Author: User
Injection, is probably the user controllable some variables, into the database operation, and caused the effect of changing the original SQL. For example, the logic of registering users, the detection of the existence of the user name, the user submitted to the user name to the database to query. If the user name is not filtered in the code logic, the user can submit some special characters to complete the injection.

The main reason for injection now is that many programmers prefer to make statements when writing SQL statements.

According to the SQL classification, injection is generally divided into four types:

    • Select

    • Update

    • Insert

    • Delete

If there is MySQL error, these four kinds can be injected with error, very convenient;

If you don't have MySQL error

    1. Select injection: You can try to use the Union select+ Echo to inject, if there is no echo, then only enough blind.

    2. Update injection: If it is in the location of the update set, then we can find out which column of the table will be displayed. For example, if an update injection point is in the user table and is controllable at the set location, then we can update the e-mail column, and then go to the user profile to see their own email on the data, statements such as Update table set email= ( Select User ()); if it is in the where, then the general is the blind.

    3. Insert injection: Generally also by looking for which column will not be displayed, try to get the data to be inserted into this column. If not shown, it is also a blind note.

    4. The injection of Delete: it is generally a blind bet.

Digital injection is mainly because his variables are not quoted in single quotes. But basically it is forced type conversion, such as Intval ($username) what. But sometimes there are omissions.

Both the character and the search type are quoted in single quotes. So you need to close the single quotation mark and then inject.

Speaking of single quotes have to say a php.ini configuration magic_quotes_gpc, in a slightly higher version of the default is on, but in 5.4 has been abolished.

From the literal point of view, is the GPC quote. The GPC corresponds to get, post, and cookie, where the contents are escaped with the character ' "\ NULL, escaped by adding the previous escape character. Thus causing the loss of the original meaning, cannot be closed single quotation marks for injection.

The whole world did not do addslashes

Like this global not to Get/post/cookie do addslashes, this kind of manufacturer basically will be in the query, and then some user controllable variables to addslashes, even do not carry addslashes directly into the query.

This is even in the query when the addslashes, in many cases can also find a few missing addslashes. This is relatively simple, not much to say.

Global do Addslashes

Now a little bit better manufacturers are aware of the global file in the Get/post/cookie do addslashes (even in the function of the query to escape or pre-compile, this to kneel) so basically don't worry about where the missing where forget the addslashes) The basic is first get magic quotes GPC to determine if the GPC is open, if not open, then call Addslashes to escape. If you turn it on, you don't have to addslashes. Addslashes without opening it.

Here are some common ways to inject

Wide byte injection

This is a commonplace problem, from the beginning of the database character set GBK wide-byte injection, and now also for a long time. However, it is not possible to inject a wide byte character set for GBK.

There are always some small partners that I see the CMS character set is GBK, but how can not be wide-byte?

This is because the database is connected in different ways. When the database is connected, it uses the Set names GBK so that it can be wide bytes.

But now the basic can not see. Because the basic is set up binary read. Such a wide byte is basically gone, but there is another, because the conversion character set caused by the wide-byte injection. For example, transfer from UTF8 to GBK, or from GBK to UTF8 or something.

Example: Wooyun:74cms The latest version of injection 8-9

Analysis: "Kam" word, from UTF8 turned into GBK after the%e5%5c 74,cms to Get/post/cookie, and so have done addslashes, so ' escaped for \ '->%5c%e5%5c%5c ' two, then single quotation marks out.

Example 2:wooyun:qibocms download system SQL inject one (official website can be reproduced)

Decoding leads to injection

Because in the global file addslashes, if we can find some decoding, such as UrlDecode, Base64_decode and so on, then we first commit the encode, then we can not be escaped. Then decode after, and then bring into the query, causing the injection, ignoring GPC.

This is very common. A lot of examples can be found anywhere

Example: Wooyun:qibocms-to-business injection of a//QIBOCMS injection

Example: Wooyun:phpdisk V7 SQL injection 2//phpdisk injection

Injection caused by variable overlay

Common variables cover what extract and PARSE_STR functions, and of course $$.

The variable overlay has some specific scenarios to combine. For example extract ($_post), remove the variable directly from the POST array. This has been met a few, and then overwrite some of the previous variables.

Overwrite the words, the general is to overwrite the table prefix and so on. For example, Select * from $pre _admin where xxx like this covers the $pre, and then directly complements the entire statement and then injects.

Example: WOOYUN:QIBOCMS classification injects a piece that can elevate itself for management

Example 2:wooyun:phpmps injected a

Of course, $$ also quite often use this example is very good.

Example 3:wooyun:metinfo latest version (5.2.4) a SQL blind vulnerability

Some replace-caused injections

Some CMS, there is always some tease than filter functions, such as will be ' what the replace into empty, but he seems to forget that his overall escape.

At this point, when the user submits a ', the global escape to the ', then this filter function will be ' replaced with empty, then left a \, resulting in a single quote can be eaten, is double query words

SELECT * from c_admin where username= ' admin\ ' and email= ' inject# '

So we can inject it.

Example: Wooyun:phpcms full version kill SQL injection Vulnerability

Of course, some of the replace is user-controllable. This means that the user may want to commit to empty, such as the Cmseasy and ecshop of the long ago injection.

For example, this code:

er _sn = str_replace ($_get[' subject '), ' ', $_get[' out_trade_no ']);

Here because it will be escaped, if the commit ' is ', here you can see, here, clear empty, is we get to, then we will find a way to replace the \.

But if we get the commit to replace the \, then it will be escaped, that is, replace. But we just \ ', so can't take \ Remove, if I have \, also want you empty a hair ah.

Here we will clarify the idea:

Addslashes will escape to ' \ NULL '

' = = ', ' = = ' \    ' = ' =    \\NULL =

So here we submit%00 ', will be escaped to generate \0\ ', at this time we re-commit to replace the 0 into empty, then become the \ ', single quotation marks are also successful.

Example: Wooyun:cmseasy bypass patch SQL injection

Injection caused by server not escaping

Because in many CMS, the get POST COOKIE is basically addslashes, and the server is not escaped. Some server variables are also controlled by the user. For example what query_string x_forwarded_for client_ip http_host accept_language a lot.

The most common of course here is x_forwarded_for, which is typically used in IP functions. If the IP is not verified later, it will return directly, and this will most of the time lead to injection.

Example 1:wooyun:phpyun Injection Vulnerability II

Here is the verification of IP, here is basically a regular to verify the legality. And some manufacturers are even right to write the wrong. For example, in Cmseasy, the validation IP is in the regular (%.+), resulting in any character that can be written later.

Example 2:wooyun:cmseasy latest version Unlimited SQL injection

Files not escaped caused by injection

This is also the same as the global only to the cookie GET POST escaped, missing files, and not by the GPC.

Files are injected in general because the upload will be uploaded to the name of the insert into the storage. Then the name of the file here is what we can control, so it causes the injection.

Example: WOOYUN:QIBOCMS Yellow Pages System SQL injection One

There are some, in the storage time only to escape the name of the file, and after obtaining the suffix, in the storage when the file name escaped and no suffix escaped also caused by injection

Example: Wooyun:supesite front injection #2 (Insert)

Initialization-caused injection

A long time ago php<4.20, for convenience, register_globals default is on. And to the back of the register_globals of the drawbacks also appear, so also in a long time ago by default is off.

And now, many CMS like to imitate register_globals to engage in pseudo-Global mechanism. For example what Qibocms metinfo destoon what ah.

This is a lot more convenient, but if the initialization is omitted, then it will lead to injection. Feel this kind of fun to find a few more examples.

Example: Wooyun:qibocms local portal system inject a problem (demo test)

Example: Wooyun:qibocms Local portal system injection (multiple similar, demo test)

Example: Wooyun: Qibo Local portal System SQL injection Vulnerability (no login available in bulk)

Example: Wooyun: Qibo whole station/local portal SQL injection Vulnerability

The injection caused by the key in the array

Because in the case of the global escape, many CMS just determine whether the GPC is turned on, if off, the value of the array in the row addslashes, but forget the array of key to escape.

Then this also leads to a problem. That is, when GPC off, the array key is not filtered, resulting in the introduction of single quotes. (I heard that the lower version of PHP will not escape the key in the two-dimensional array even if GPC on)

If you read the key in the array and then bring the key into the query, it also creates a security problem.

And that's a lot of examples. It's horrible.

Example: Wooyun:qibocms V7 Whole station system latest SQL injection one & Another place where you can introduce escape characters. Injection of Array key

Example: WOOYUN:QIBOCMS multiple systems bypass patches continue to inject 2

Example: Wooyun:qibocms all open source system Getshell

Example: Wooyun:discuz 5.x 6.x 7.x foreground SQL injection Vulnerability

Injection due to offset

This is a more common kind of injection.

The code might look like this:

     

If here $_get[a] commits an array and contains a key of 0, then $ A is the value of the corresponding key.

But there is no requirement for an array. Then we commit a string, then [0] is the first character to intercept. In the global, single quotation marks are escaped as \ ', and the first character is intercepted for \. \ will eat a single quote, and then write inject at $b to inject it.

Example: Wooyun:qibocms Local portal System Injection # # (demo test)

And the map sends the same DISUCZ 7.2 of that injection.

Injections caused by third-party plug-ins

A very common kind of hole. Compare common UC and Alipay Tenpay Chinabank, especially UC, because the default UC will striplashes

UC, the general problem is uckey default. Or Uckey This constant is not initialized at all, resulting in uckey controllable, which leads to Getshell or injection.

There are Tenpay and Alipay, some of them because they forget to include the filtered file, and the key is empty by default, which can be verified.

Example: Wooyun:phpmps injection (can modify other user password, official website success)//Phpmps UC Injection

Example: Wooyun:phpems (online exam system) design defect Getshell One (official website already shell)/phpems UC to Getshell

Example: Wooyun: The most soil buy inject a can directly enhance their own management & unlimited money. Most soil buy Chinabank injection

Example: Wooyun:destoon SQL Injection Vulnerability 2 (conditional)//destoon Tenpay Injection

Example: Wooyun:csdjcms program Dance Latest version of SQL a//CSDJ Tenpay injection

Digital injection

In fact, it's not just a digital type, it's just that there are places where you forget to add single quotes. There is no single quotation mark in the general digital type.

The general is this:

$id =$_get[id]; Select * FROM table where id= $id;

$id, no quotation marks, and no forced type conversion, then even if the addslashes, because there is no need to close the single quotation mark, so there is no effect.

Example: Wooyun:qibocms Local portal System injection (demo test)

Not some digital type, some other points also forget to add single quotes, resulting in injection.

Example: Wooyun:supesite front-injection #3 (Delete)

Two-time injection

is also a more common injection. It involves warehousing and out-of-stock. Because there is a global escape, and then the storage time

Insert into table (username) VALUES (' a\ ');

After this, the escape character disappears, then a '. If you put this query out, then that is out of the library is a ', if you put out the library again into the query what, then the successful introduction of single quotation marks caused by the injection.

Example: Wooyun:phpyun v3.2 (20141226) injected two places.

Example: Wooyun:qibocms Local portal System two injections # # (Demo test)

Example: Wooyun:74cms (20140709) Two pieces two injections

Example: Wooyun:hdwiki The latest version two times inject one

Injection caused by the interception of characters

Some CMS sometimes limit the length of user input, so they only intercept part

For example Uchome's Cutstr ($ASD, 32);

This allows only 32 characters to be entered, and this in uchome does not have the following characters, such as DZ.

So if we commit a 1111111111111111111111111111111 ' escaped into 1111111111111111111111111111111\ '

And then intercept 32 characters, which is 1111111111111111111111111111111\.

If double query again, eat a single quotation mark, and then the next connected controllable variable can be injected.

Example: Wooyun:hdwiki (20141205) There are 7 SQL injection vulnerabilities (including previously improperly handled security vulnerabilities)//0x06 inside

Example: Wooyun:hdwiki (20141205) There are 7 SQL injection vulnerabilities (including previously improperly handled security vulnerabilities)//0x06 inside

Reprinted from: http://drops.wooyun.org/papers/4544, on the basis of the original text has a simple reorganization and modification.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.