PHP Injection 1

Source: Internet
Author: User

This article is aimed mainly at beginners. If you are already a veteran, some of it may feel tedious, but read carefully and you will still find plenty of interesting things.

To follow this article you only need to understand the following:

1. Know how a PHP+MySQL environment is set up. The accompanying CD includes the relevant articles; if you are not clear on building a PHP+MySQL environment, read those. The previous issue's feature also covered it.
2. Have a rough understanding of PHP and Apache configuration, mainly php.ini and httpd.conf. This article mostly uses php.ini. For security, safe mode is normally turned on in php.ini, that is, safe_mode = On, and display_errors, which makes PHP show execution errors, is turned off, that is, display_errors = Off, because error messages hand an attacker a lot of useful information. With it off, PHP functions no longer show error details to the user.
   Another very important option in php.ini is magic_quotes_gpc. In newer versions the default is magic_quotes_gpc = On; only the ancient versions defaulted to magic_quotes_gpc = Off, but some of those ancient installs are still in use!
   So what happens when php.ini has magic_quotes_gpc = On? Don't panic, the sky is not falling. It simply prefixes every ' (single quote), " (double quote), \ (backslash) and NUL character in submitted GET, POST and cookie variables with a backslash, so ' becomes \' and \ becomes \\.
   That makes life uncomfortable for us, and often we have to say bye-bye, but don't be discouraged: there are still good ways to deal with it. Read on!
3. Have some basic PHP and understand a few SQL statements. These are very simple and we use very little of them, so brush up a little!

Let's first look at what we can do when magic_quotes_gpc = Off, and then try to deal with magic_quotes_gpc = On.

One: Injection when magic_quotes_gpc = Off

Attacking under magic_quotes_gpc = Off
Although magic_quotes_gpc = Off is said to be very unsafe, and new versions default to magic_quotes_gpc = On, we still find magic_quotes_gpc = Off on many servers, such as www.qichi.*.
Some programs, such as the vBB forum, also strip the escape characters themselves even when magic_quotes_gpc = On, which we can take advantage of. So injection in the
magic_quotes_gpc = Off style still has a big market.

Here we explain MySQL+PHP injection in detail in terms of syntax, injection points and injection types.

A: Starting from the MySQL syntax side
1. First, some basic MySQL syntax. Those who did not study it well get a make-up lesson here ~_~
1) SELECT
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
    select_expression,...
    [INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
    [FROM table_references
        [WHERE where_definition]
        [GROUP BY col_name,...]
        [ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC],...]
        ...
    ]
This is the commonly used form. select_expression is the list of columns you want to retrieve; WHERE restricts which rows are returned; and INTO OUTFILE writes the SELECT result to a file. SELECT can also output a value directly,
for example:

mysql> select 'a';
+---+
| a |
+---+
| a |
+---+
1 row in set (0.00 sec)
For details see section 7.12 of the MySQL Chinese manual.
Now let's see how to take advantage of this.
Look at the code first. This code is for searching (the parts marked with dots are not shown in the original; the $_GET line is an assumed source of $search, added only so the fragment hangs together):
<?php
// ......... (elided in the original)
$search = $_GET['search'];   // assumed: where $search comes from is not shown
$sql = "SELECT * FROM users WHERE username LIKE '%$search%' ORDER BY username";
// ......... (elided in the original)
?>

Along the way, a word about MySQL wildcards. '%' is a wildcard: it matches any sequence of characters, including an empty one, and it only takes effect inside a LIKE pattern. The other LIKE wildcard is the underscore '_', which matches exactly one character. The '*' in the code above is not a LIKE wildcard at all; in SELECT * it stands for every column of the table. So the code above returns all columns, and '%$search%' matches every username that contains $search anywhere.

So how do we inject?
Haha, it is very similar to ASP.
Submit in the search box:
aabb%' or 1=1 order by id#
Note: in MySQL, # starts a comment, so whatever follows it in the SQL statement is not executed; more on this later.
Someone may ask why or 1=1 is used; look below.

After the submitted content is substituted into the SQL statement it becomes

SELECT * FROM users WHERE username LIKE '%aabb%' or 1=1 order by id# ORDER BY username

Even if no username contains aabb, or 1=1 is always true, so every row is returned.

We can also do it this way.

Submit in the search box:
%' order by id#
or
' order by id#
Substituted into the SQL statement these become
SELECT * FROM users WHERE username LIKE '%%' order by id# ORDER BY username
and
SELECT * FROM users WHERE username LIKE '%' order by id# ORDER BY username
Of course, all the contents are returned again.
Every user gets listed, and maybe even the passwords come out.
That was a fairly subtle SELECT statement as an example, and SELECT is practically everywhere!
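The LIKE injection just described, together with the magic_quotes_gpc behaviour from the introduction, as an added runnable example; this is not code from the original article. It uses Python with the standard-library sqlite3 module standing in for MySQL so that it runs offline: the users table and its rows are constructed, and because SQLite's comment syntax is -- rather than MySQL's #, the article's payload is written with -- here. The magic_quotes_gpc function emulates PHP's addslashes(); it is only applied to the payload strings and never fed to SQLite, since SQLite string literals do not treat backslash as an escape the way MySQL does.

```python
import sqlite3

# Constructed sample data (not from the article). sqlite3 stands in for MySQL
# so the demo runs offline; the injection mechanics are the same.
USERS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "aabbcc", "pw-aabb"),
    (4, "carol", "pw-carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def magic_quotes_gpc(value):
    """Emulate PHP's addslashes(), i.e. what magic_quotes_gpc=on did to every
    GET/POST/cookie value: ' " \\ and NUL get a backslash in front of them.
    Note that LIKE wildcards (% and _) are left completely alone."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_search(conn, search):
    """The article's search: $search interpolated straight into the LIKE pattern."""
    sql = f"SELECT * FROM users WHERE username LIKE '%{search}%' ORDER BY username"
    return conn.execute(sql).fetchall()


def safe_search(conn, search):
    """Fixed version: bind the pattern as a query parameter, and escape the LIKE
    metacharacters so the user can only match their own text literally."""
    escaped = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT * FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY username"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The article's payload, with SQLite's "--" in place of MySQL's "#".
    quote_payload = "aabb%' OR 1=1 ORDER BY id --"
    # A payload that never leaves the string literal: just the wildcard itself.
    wildcard_payload = "%"

    print("honest search:", vulnerable_search(db, "aabb"))
    print("quote payload, vulnerable:", vulnerable_search(db, quote_payload))
    print("wildcard payload, vulnerable:", vulnerable_search(db, wildcard_payload))
    # magic_quotes_gpc neutralises the quote but leaves '%' untouched.
    print("quote payload after magic_quotes:", magic_quotes_gpc(quote_payload))
    print("wildcard payload after magic_quotes:", magic_quotes_gpc(wildcard_payload))
    print("quote payload, fixed:", safe_search(db, quote_payload))
    print("wildcard payload, fixed:", safe_search(db, wildcard_payload))
```

The thing to notice is that the quote-based payload depends on breaking out of the string literal, which is exactly what magic_quotes_gpc interferes with, while the bare % payload never leaves the literal, survives magic_quotes untouched, and still lists every user. safe_search closes both holes: binding the pattern as a parameter removes the string break-out, and escaping % and _ (with ESCAPE, the same convention MySQL's LIKE uses) stops the wildcard abuse.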
2) Next, look at UPDATE
The MySQL Chinese manual explains it as:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1, col_name2=expr2, ...
    [WHERE where_definition]
UPDATE updates the columns of existing rows in a table with new values. The SET clause says which columns to modify and the values to give them; the WHERE clause, if given, specifies which rows to update, otherwise all rows are updated.
For details see section 7.17 of the MySQL Chinese manual; going into detail here would be too wordy.
UPDATE is mainly used for updating data, such as editing an article or modifying user data. We care more about the latter, because ...
Look at the code first.
We first give the structure of the table so that everyone can see it clearly:
CREATE TABLE users (
  id int(10) NOT NULL auto


