Php injection Xiangjie _ PHP Tutorial

Php injection. This article mainly serves the dishes. if you are an old bird, some things may be boring, but as long as you read it carefully, you will find a lot of interesting things. This article mainly serves the dishes. if you are an old bird, some things may be boring, but as long as you read it carefully, you will find a lot of interesting things.

To read this article, you only need to understand the following.

1. understand how the php + mysql environment is built.
2. understand the configuration of php and apache, mainly using php. ini and httpd. conf.
In this article, we mainly use the configuration of php. ini. For the sake of security, we usually open php. the security mode in ini, that is, making safe_mode = On, and returning display_errors with php execution errors will return a lot of useful information, so we should disable it,
That is, after display_errors = off is disabled, the php function execution error information will not be displayed to the user.
In the php configuration file php. ini, magic_quotes_gpc is an important configuration option. by default, magic_quotes_gpc = On is used in the later version, and only
The default configuration is magic_quotes_gpc = Off, but some antique items are also used!
What will happen when magic_quotes_gpc = On is in php. ini? don't worry. the sky will not collapse! It only converts all '(single quotation marks), "(double quotation marks), \ (backslash), and null characters in the submitted variables into escape characters containing the backslash, for example, convert 'to \' and \ \\.
This makes us very uncomfortable. many times we have to say BYEBYE to the character type,
But don't be discouraged. we still have a good way to deal with it. let's look down!
3. have a certain php language Foundation and understand some SQL statements. these are very simple. We use very few things, so the charge is still coming!

Let's take a look at what we can do when magic_quotes_gpc = Off, and then we can find a way to solve the problem of magic_quotes_gpc = On.

1. injection when magic_quotes_gpc = Off

Ref = "http://hackbase.com/hacker" target = _ blank> attack
Although magic_quotes_gpc = Off is not safe, the new version also makes
Magic_quotes_gpc = On, but we also find magic_quotes_gpc = Off On many servers, such as www. qichi .*.
Some other programs, such as the vbb Forum, even if you configure magic_quotes_gpc = On, it will automatically eliminate escape characters so that we can take advantage of them.
Magic_quotes_gpc = Off injection methods are still available in large markets.

Next we will explain in detail mysql + php injection in terms of syntax, injection points and injection types.

A: starting with MYSQL syntax
1. First, let's talk about some basic mysql syntaxes. it's a supplementary lesson for children who haven't learned well ~ _~
1) select
SELECT [STRAIGHT_JOIN] [SQL _SMALL_RESULT]
Select_expression ,...
[INTO {OUTFILE | DUMPFILE} 'File _ name' export_options]
[FROM table_references
[WHERE where_definition]
[Group by col_name,...]
[Order by {unsigned_integer | col_name | formula} [ASC | DESC],...];]
These are commonly used. select_expression refers to the column to be retrieved. we can use where to limit the conditions, or we can use into outfile to output the select result to the file. Of course, we can also use select to directly output
For example

Mysql> select 'A ';
+ --- +
| A |
+ --- +
| A |
+ --- +
1 row in set (0.00 sec)
For details, see mysql Chinese manual section 7.12.
The following describes some exploitation.
View code first
This code is used for searching.
.........
SELECT * FROM users WHERE username LIKE '% $ search %' order by username
.......
?>

Here, by the way, the wildcard character '%' in mysql is a wildcard, and other wildcards include '*' and '_', where "*" is used to match the field name, "%" is used to match the field value. Note that % must be used with like. another wildcard is the underscore "_", which indicates that the meaning is different from the preceding one, is used to match any single character. In the above code, '*' is used to indicate the names of all returned fields, and % $ search % indicates all content containing the $ search character.

How do we inject miles?
Haha, similar to asp
Submit in form
Aabb % 'or 1 = 1 order by id #
Note: # It indicates the meaning of the comment in mysql, that is, the subsequent SQL statement is not executed, which will be discussed later.
Someone may ask why or 1 = 1 is used,

Import submitted content into SQL statements to become

SELECT * FROM users WHERE username LIKE '% aabb %' or 1 = 1 order by id # order by username

If there is no user name containing aabb, or 1 = 1 causes the return value to be true, so that all values can be returned.

We can also do this.

Submit in form
% 'Order by id #
Or
'Order by id #
Entered into SQL statements
SELECT * FROM users WHERE username LIKE '%' order by id # order by username
And
SELECT * FROM users WHERE username LIKE '%' order by id # order by username
Of course, all content is returned.
Listing all the users, maybe even the password.
Here is an example. a more subtle select statement will appear below. select is actually almost everywhere!
2) Let's take a look at update.
Mysql Chinese manual explains this:
UPDATE [LOW_PRIORITY] tbl_name SET col_name1 = expr1, col_name2 = expr2 ,...
[WHERE where_definition]
UPDATE updates the columns in the row of an existing table with the new value. The SET clause specifies the column to be modified and the value they should be given. if so, it specifies the row to be updated, otherwise, all rows are updated.
For more information, see mysql Chinese manual section 7.17. here we will introduce it in detail.
We can see from the above that update is mainly used for data updates, such as article modification and user data modification. we seem to be more concerned with the latter because ......
Check the code first.
Let's first give the table structure so that you can understand it.
Create table users (
Id int (10) not null auto

....