PHP Code Audit Learning: DVWA SQL Injection (dvwa_sql.php) Audit

Source: Internet
Author: User

0x00

Since moving to OneNote I have not published a new post for a long time, but I still think it is worthwhile. These days I have started learning PHP code audit, so I will begin posting some notes on it.

First of all, I am starting with the DVWA test platform. The expert articles I referenced are linked here; thanks to the authors for sharing.

1. http://drops.wooyun.org/papers/483

2. http://www.lxway.com/86980986.htm (is_numeric function bypass)

3. http://www.cnblogs.com/safe3/archive/2008/08/22/1274095.html (character-encoding bypass, wide-byte injection)

0x01

First, the simplest case: the low-level PHP code.

    $id = $_GET['id'];  // no filtering or anti-injection handling of any kind
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

From this we can see that the code does not process the id parameter at all, so it is vulnerable to SQL injection. Every kind of injection works here, so I will not go into detail.
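As an added example (not DVWA's code), here is the same lookup in its vulnerable form beside a hardened form that uses a PDO prepared statement. It runs offline against an in-memory SQLite database with constructed rows; the table layout, the sample names and the tautology input are assumptions made for the demonstration.

```php
<?php
// Added example, not DVWA's code. In-memory SQLite with constructed rows so
// it runs offline; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'gordon', 'brown')");

// Vulnerable form, as in the low level: $id is pasted into the SQL text,
// so a quote inside it ends the literal and the remainder is parsed as SQL.
function lookupVulnerable(PDO $pdo, string $id): array
{
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $pdo->query($getid)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement text and the value travel separately, so
// whatever $id contains is compared as a value and never parsed as SQL.
function lookupSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '1';
$payload = "1' OR '1'='1";   // constructed tautology input

echo "normal input, vulnerable : ", count(lookupVulnerable($pdo, $normal)), " row(s)\n";
echo "normal input, safe       : ", count(lookupSafe($pdo, $normal)), " row(s)\n";
// The tautology widens the WHERE clause to every row in the vulnerable form;
// in the safe form it is just a string that equals no user_id.
echo "payload, vulnerable      : ", count(lookupVulnerable($pdo, $payload)), " row(s)\n";
echo "payload, safe            : ", count(lookupSafe($pdo, $payload)), " row(s)\n";
```

With a MySQL DSN, also add charset=utf8mb4 to the DSN and set PDO::ATTR_EMULATE_PREPARES to false, so that binding is done by the server rather than by client-side quoting; that also removes the character-set dependence that the medium level below runs into.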

0x02

Medium level code:

    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);  // the id is escaped here
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

The mysql_real_escape_string function escapes the id parameter; specifically it performs the following replacements:

    • '        becomes \'
    • "        becomes \"
    • \        becomes \\
    • newline  becomes \n

I think there are two ways to get around this handling:

1. Numeric injection

This function only deals with special characters in string input, and in the query above $id is interpolated without surrounding quotes, so we do not need any special character to break out of a string literal: we can inject numerically.


Construction: 1 Select User  from users

This returns the account names and passwords from the users table. Of course, you might ask what to do if you do not know the specific table and column names. In that case we can try a boolean-based union injection.

Construction: 1 + Union + Select + 1, (select+case+when+Char (*)=(Select Mid (table_name,0,1 from 0,1)+then+2+End

The value inside char() and the limit offset have to be iterated, which takes time; a Python script could automate this (a placeholder, to be written later). Time-based (delay) injection can achieve the same result.

2. Wide byte injection

mysql_real_escape_string escapes by prepending a backslash '\', whose URL encoding is %5c. So we put %df%5c%27 into the parameter, where %df%5c is a valid GBK character.

After the function processes it, the value becomes %df%5c%5c%27, that is, %df%5c%5c as a GBK character followed by \'.

MySQL then interprets the bytes as GBK, so the inserted backslash is absorbed into a two-byte character and the quote ' survives unescaped.

Construction: 1 %DF%5c%| | 1 + --

The addslashes function has the same problem; see the link at the beginning of the article for details.
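To make the wide-byte effect concrete, here is an added example (not the article's code) that runs offline using PHP's mbstring extension. It uses addslashes(), which the article notes behaves the same way, because mysql_real_escape_string() needs a live connection; the input bytes are constructed.

```php
<?php
// Added example, not the article's code. Shows why a byte-oriented escape
// cannot protect a GBK connection: the backslash it inserts is swallowed
// into a two-byte character. Constructed input; no database needed.
function escapeBytewise(string $s): string
{
    // addslashes() works byte by byte, like mysql_real_escape_string() did
    // when the connection charset was not set: it prepends \ (0x5c) to '.
    return addslashes($s);
}

$input   = "\xdf'";                 // the bytes %df%27 from a URL parameter
$escaped = escapeBytewise($input);  // bytes df 5c 27

echo "escaped bytes: ", bin2hex($escaped), "\n";

// Read as single bytes the quote is neutralised: [0xdf] [\] [']
echo mb_strlen($escaped, '8bit'), " bytes\n";

// Read as GBK, df 5c is one legal two-byte character, so only two characters
// remain: [one CJK character] ['] and the quote is live again.
echo mb_strlen($escaped, 'GBK'), " GBK characters\n";
echo mb_substr($escaped, -1, 1, 'GBK') === "'"
    ? "last GBK character is a bare quote\n"
    : "quote is still escaped\n";
```

The fix is to make the escaping routine aware of the connection's character set, by calling mysqli_set_charset() (or passing charset= in the PDO DSN) rather than issuing a bare SET NAMES query that the client library does not see, and preferably to use prepared statements so that a quote is never interpreted as SQL syntax in the first place.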

0x03

High-level PHP code:

    $id = $_GET['id'];
    $id = stripslashes($id);              // strip slashes from the parameter
    $id = mysql_real_escape_string($id);  // escape special characters in id
    if (is_numeric($id)) {                // is it a number or a numeric string?
        ...
    }

At this point I think it looks fairly safe: the first two functions deal with string-type injection, and then is_numeric deals with numeric injection.

However, this can still lead to SQL injection, namely second-order injection. The constraints are stricter, but there is still an opportunity to inject.

For example, suppose the code executes an SQL statement such as

    INSERT INTO ... VALUES ($s);

and the string passed in is $s = 0x31206f722031.

This is a hexadecimal number, so it passes the is_numeric check; but decoding the hex shows that the actual value of $s is "1 or 1".

So how does this behave in the database?

The hexadecimal number is decoded into "1 or 1" when it is stored. Later the value is read back from the database and placed, without any processing, into another SQL statement, which is a second-order injection. So when writing code we cannot blindly trust data that is already in the database; it still has to be validated when it is read out.
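As an added example (not DVWA's code), a strict integer check that does not depend on is_numeric(), and a second query that binds the value read back from the database instead of trusting it. Note that is_numeric() accepted hexadecimal strings such as the one above on PHP 5 but no longer does on PHP 7 and later, so relying on it ties the check to the PHP version; the digits-only rule below avoids that. It runs offline against in-memory SQLite with constructed rows; the table layout and names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not DVWA's code. Constructed data and names throughout.

// Strict check for an integer key: digits only, no sign, no hex prefix,
// no exponent, no whitespace. The result does not vary with the PHP version.
function validId(string $id): bool
{
    return preg_match('/\A[1-9][0-9]{0,9}\z/', $id) === 1;
}

// Second-order safety: a value read back from the database is still data.
// Bind it instead of concatenating it into the next statement.
function lookupByStoredValue(PDO $pdo, string $stored): array
{
    $stmt = $pdo->prepare('SELECT first_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $stored]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin'), (2, 'gordon')");

// The hexadecimal string from the article decodes to the text MySQL stores.
$stored = hex2bin('31206f722031');   // "1 or 1"

// Compare the strict check with is_numeric() on a few constructed inputs.
foreach (['42', '0x31206f722031', '1 or 1', '1e3', ' 1'] as $candidate) {
    printf("%-18s validId=%-5s is_numeric=%s\n",
        var_export($candidate, true),
        var_export(validId($candidate), true),
        var_export(is_numeric($candidate), true));
}

// Interpolated, $stored would yield "... WHERE user_id = 1 or 1" and return
// every user; bound as a parameter it is compared as a literal string.
print_r(lookupByStoredValue($pdo, $stored));
print_r(lookupByStoredValue($pdo, '1'));
```

Validate at the point of use as well as at the point of entry: the is_numeric gate on the request parameter says nothing about what a later code path reads from the table, so the second statement binds the stored value rather than trusting the earlier check.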

0x04

That completes the analysis of the SQL part of the code; if anything here is wrong, corrections are welcome!

Next up: SQL blind injection :)
