This article is mainly aimed at beginners. If you are already a veteran, some of it may feel boring, but if you read carefully you will still find plenty of interesting things.
To follow this article you only need the following:
1. Understand how a PHP + MySQL environment is built.
2. Roughly understand the configuration of PHP and Apache, mainly php.ini and httpd.conf.
What this article mainly relies on is the php.ini configuration. For security reasons, safe mode is generally turned on in php.ini, that is, safe_mode = On. Another option is display_errors, which controls whether PHP execution errors are returned to the user; those error messages leak a lot of useful information, so it should be turned off:
with display_errors = Off, PHP functions no longer show error information to the user.
php.ini also has a very important option, magic_quotes_gpc. In recent versions the default is magic_quotes_gpc = On; only in truly antique PHP versions
is the default magic_quotes_gpc = Off. But antique things are still used by some people!
So what happens when php.ini has magic_quotes_gpc = On? Don't panic, the sky is not falling! It simply prefixes every ' (single quote), " (double quote), \ (backslash) and NUL character in submitted variables with a backslash escape, for example turning ' into \' and \ into \\.
This is the point that makes us very unhappy; many times we have to say bye-bye.
But don't be discouraged, there are still good ways to deal with it; read on!
3. Have some grounding in the PHP language and understand a few SQL statements. These are very simple and we use very little of them, so go and brush up!
Let's first see what can be done when magic_quotes_gpc = Off, and then look for a way to handle magic_quotes_gpc = On.
Part One: Injection when magic_quotes_gpc = Off
Although magic_quotes_gpc = Off is said to be very unsafe, and new versions default to
magic_quotes_gpc = On, magic_quotes_gpc = Off is still found on many servers, for example www.qichi.*.
Some programs, such as the vBB forum, automatically strip the escape characters even when magic_quotes_gpc = On is configured, which can be taken advantage of. So
the magic_quotes_gpc = Off injection method still has a big market.
Here MySQL + PHP injection is explained in detail from three angles: syntax, injection points and injection types.
A: MySQL syntax first
1. First, some basic MySQL syntax. Those who haven't studied it well, come and make up the lesson ~_~
1) SELECT
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
    select_expression,...
    [INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
    [FROM table_references
        [WHERE where_definition]
        [GROUP BY col_name,...]
        [ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] ,...] ]
This is the commonly used form. select_expression is the list of columns you want to retrieve; WHERE restricts the rows by a condition, and INTO OUTFILE writes the result of the SELECT to a file. Of course, SELECT can also output a value directly,
for example:
mysql> select 'A';
+---+
| A |
+---+
| A |
+---+
1 row in set (0.00 sec)
For details, see section 7.12 of the MySQL Chinese manual.
Here is how this gets put to use.
Look at the code first
This code is for searching.
<?php
.........
$query = "SELECT * FROM users WHERE username LIKE '%$search%' ORDER BY username";
.......
?>
By the way, a word on wildcards in MySQL. '%' is the wildcard character; other wildcards include '*' and '_'. '*' is used to match field names and '%' to match field values; note that '%' must be used together with LIKE. The remaining wildcard, the underscore '_', differs from the above in that it matches any single character. In the code above, '*' means all fields are returned, and '%$search%' means all values that contain the $search string.
How do we inject?
Haha, very similar to ASP.
Submit in the form:
aabb%' or 1=1 order by id#
Note: in MySQL, # marks a comment, so the SQL that follows it is not executed. This is explained further later.
Someone may ask why 'or 1=1' is used; look below.
Substituting the submitted content into the SQL statement gives:
SELECT * FROM users WHERE username LIKE '%aabb%' or 1=1 order by id#%' ORDER BY username
If no username contains aabb, 'or 1=1' still makes the condition true, so every row is returned.
It can also be done like this.
Submit in the form:
%' ORDER BY id#
or
' ORDER BY id#
Substituted into the SQL statement, these become:
SELECT * FROM users WHERE username LIKE '%%' ORDER BY id#%' ORDER BY username
and
SELECT * FROM users WHERE username LIKE '%' ORDER BY id#%' ORDER BY username
Of course, all rows are returned.
That lists every user, and perhaps even the passwords come out.
This is just one example of a rather hidden SELECT statement, and SELECT is practically everywhere!
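As an added example (not code from the original article), the following PHP puts the two points above side by side: the search query assembled by splicing $search into the SQL text, the escaping that magic_quotes_gpc = On applied to submitted values, and a prepared-statement version that does not depend on php.ini at all. The function names, the $db mysqli connection and the mysqlnd driver are assumptions.

```php
<?php
// Added example, not code from the original article. It shows how the search
// query is assembled from $search, what magic_quotes_gpc=on did to the input
// (the same transformation as addslashes()), and a prepared-statement version
// that needs neither splicing nor php.ini settings.

// The article's vulnerable pattern: the input is spliced into the SQL text.
function build_search_query_unsafe(string $search): string
{
    return "SELECT * FROM users WHERE username LIKE '%$search%' ORDER BY username";
}

// magic_quotes_gpc=on applied this to every GET/POST/COOKIE value:
// ' " \ and NUL each get a backslash in front of them.
function simulate_magic_quotes_gpc(string $value): string
{
    return addslashes($value);
}

// Hardened form: the pattern is a bound parameter, so a quote inside it is
// data rather than SQL syntax. The LIKE metacharacters % and _ are escaped
// too, so the caller cannot widen the match. Assumes an open mysqli
// connection ($db) and the mysqlnd driver (for get_result()).
function search_users_safe(mysqli $db, string $search): array
{
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $db->prepare('SELECT * FROM users WHERE username LIKE ? ORDER BY username');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input: the article's own search payload.
$payload = "aabb%' or 1=1 order by id#";

// With magic_quotes off, the quote in the payload closes the LIKE string,
// "or 1=1" matches every row and "#" comments out the rest of the query.
echo build_search_query_unsafe($payload), PHP_EOL;

// With magic_quotes on, the quote arrives as \' and the whole payload stays
// inside the LIKE string, so the query shape is unchanged.
echo build_search_query_unsafe(simulate_magic_quotes_gpc($payload)), PHP_EOL;

// The prepared version is only reachable with a live connection, e.g.:
// $rows = search_users_safe(new mysqli('localhost', 'user', 'pass', 'app'), $payload);
```

Running the file with the PHP CLI prints the two spliced queries; the difference between them is exactly the \' that magic_quotes inserts.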
2) Now look at UPDATE
This is how the MySQL Chinese manual explains it:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1, col_name2=expr2,...
    [WHERE where_definition]
UPDATE changes the columns of existing rows in a table to new values. The SET clause indicates which columns to modify and the values they should be given; the WHERE clause, if given, specifies which rows should be updated, otherwise all rows are updated.
For details see section 7.17 of the MySQL Chinese manual; repeating them here would be very long-winded.
UPDATE is mainly used for updating data, such as editing an article or modifying user data. We seem more interested in the latter, because...
Look at the code first.
The structure of the table is given first so that everyone can see clearly:
CREATE TABLE users (
id int(10) NOT NULL auto