At present few people in China pay much attention to PHP + MySQL injection. PHP's own security is considerably better than ASP's; in addition, MySQL 4.0 does not support subqueries, and when magic_quotes_gpc in php.ini is set to On, every single quote, double quote, backslash and NUL character in a submitted variable is automatically escaped with a backslash, which puts many obstacles in the way of injection.
In the early days of PHP + MySQL injection it was genuinely hard to construct a statement that contained no quotation marks and still formed an effective attack against a given piece of program code. Fortunately, techniques now exist for building quote-free statements in a number of situations; with some experience it is not difficult to construct a working statement.
First, a misconception needs to be cleared up. Many people, when injecting into PHP + MySQL, get stuck on the single quotes, or on the absence of a way, such as SQL Server's declare @a sysname select @a=<command> exec master.dbo.xp_cmdshell @a, to eliminate quotation marks. This reflects a misunderstanding of how injection works. In any language, whatever is enclosed in quotes is a string constant. Even a command such as dir is just a string, not a command, unless it is handed to something that executes it, as in the following code:
$command = "dir c:\\";   // still just a string at this point
system($command);        // only here is the string executed as a command
Of course, "command" here means not only operating-system commands but also SQL statements. For a constructed SQL statement to run, it must not end up inside a string. So when do single quotes get in the way, and when are they irrelevant? Look at the following two SQL statements:
SELECT * FROM article WHERE articleid = '$id';
SELECT * FROM article WHERE articleid = $id;
Both statements are common in all kinds of programs, but their security differs. The first puts the variable $id inside a pair of single quotes, so whatever is submitted becomes a string: even if it contains a correct SQL statement, that statement is not executed. The second is different. Because the variable is not inside single quotes, everything submitted after the first space is parsed and executed as SQL. To see the difference, submit a successful injection against each:
Set the variable $id to:
1' and 1=2 union select * from user where userid=1 /*
The whole SQL statement becomes:
SELECT * FROM article WHERE articleid = '1' and 1=2 union select * from user where userid=1 /*'
Set the variable $id to:
1 and 1=2 union select * from user where userid=1
The whole SQL statement becomes:
SELECT * FROM article WHERE articleid = 1 and 1=2 union select * from user where userid=1
See the difference? Because the first statement wraps the value in single quotes, the injected value must first close the quote so that what follows is parsed as SQL, and then comment out the trailing quote left over from the original statement; only then does the injection succeed. If magic_quotes_gpc in php.ini is On, or addslashes() is applied to the variable before it is used, the closing quote is escaped and the injection fails. In the second statement the variable is not inside quotes, so there is nothing to close or comment out: the payload contains no quote for addslashes() to touch and can be submitted as is.
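As an added illustration (this script is not code from the original article), the following Python builds both statements above from the two payloads, with and without the escaping that magic_quotes_gpc / addslashes() apply, and then strips MySQL string literals and comments from the result to show whether the injected UNION actually reaches the parser. The MySQL tokenizing rules it assumes (backslash escapes inside quotes, an unterminated /* running to end of input) and the integer check at the end are this example's own assumptions; the script does not talk to a database.

```python
import re

# Templates taken from the two statements discussed above.
QUOTED = "SELECT * FROM article WHERE articleid = '{id}'"
UNQUOTED = "SELECT * FROM article WHERE articleid = {id}"

# The two payloads from the text: the first has to close the quote and comment
# out the trailing one, the second needs neither.
PAYLOAD_QUOTED = "1' and 1=2 union select * from user where userid=1 /*"
PAYLOAD_UNQUOTED = "1 and 1=2 union select * from user where userid=1"


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(), which is what magic_quotes_gpc=On applied to
    every GET/POST/COOKIE value: ' " \\ and NUL get a backslash in front."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def build(template: str, value: str, magic_quotes: bool) -> str:
    """Interpolate the submitted value the way the vulnerable PHP does."""
    if magic_quotes:
        value = addslashes(value)
    return template.format(id=value)


def sql_syntax_only(sql: str) -> str:
    """Return only the characters MySQL parses as SQL syntax, dropping string
    literals and comments. Assumed MySQL defaults: backslash escapes inside
    quotes (NO_BACKSLASH_ESCAPES off), '' is a literal quote, /* runs to */
    or to end of input, '#' and '-- ' run to end of line."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"":                          # string literal
            i += 1
            while i < n:
                if sql[i] == "\\":              # backslash escape: skip next char
                    i += 2
                elif sql[i] == c:
                    if sql[i + 1:i + 2] == c:   # doubled quote stays inside
                        i += 2
                    else:
                        i += 1
                        break
                else:
                    i += 1
            continue
        if sql.startswith("/*", i):             # block comment
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if c == "#" or sql.startswith("-- ", i):  # line comment
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def injected(template: str, value: str, magic_quotes: bool) -> bool:
    """True when the attacker's UNION reaches the parser as SQL instead of
    being swallowed inside the string literal or a comment."""
    syntax = sql_syntax_only(build(template, value, magic_quotes))
    return re.search(r"\bunion\b", syntax, re.I) is not None


def is_valid_id(value: str) -> bool:
    """Hardened check for the unquoted form (this example's own): a numeric
    column should only ever receive digits, which addslashes() cannot ensure."""
    return re.fullmatch(r"[0-9]+", value) is not None


def build_numeric_safe(template: str, value: str) -> str:
    if not is_valid_id(value):
        raise ValueError("articleid must be an integer")
    return template.format(id=value)


if __name__ == "__main__":
    for name, tpl, payload in (("quoted", QUOTED, PAYLOAD_QUOTED),
                               ("unquoted", UNQUOTED, PAYLOAD_UNQUOTED)):
        for mq in (False, True):
            state = "INJECTED" if injected(tpl, payload, mq) else "blocked "
            print(f"{name:8} magic_quotes_gpc={'On ' if mq else 'Off'}: "
                  f"{state}  {build(tpl, payload, mq)}")
```

Running it prints four lines: the quoted form is injected only when magic_quotes_gpc is Off, while the unquoted form is injected either way, because the payload contains nothing for addslashes() to escape. For the unquoted form the only real defence is to validate the value as an integer (or bind it as a parameter), which is what is_valid_id / build_numeric_safe do.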