Summary of basic PHP Security injection experience and skills

Source: Internet
Author: User

Lecture 1: Determine whether there are injection points

This is very simple. What we commonly do is look at the page URL: index.php?id=2. PHP is usually paired with a MySQL database, and that database will have a table, say setting_table. When we submit the address above, the program generally does the following:
1. Reads the id=1 we submitted via GET or POST and stores it in a variable, $id.
2. Runs the query: select * from setting_table where id = $id
The statement above is the query; with $id = 1 it becomes:
select * from setting_table where id = 1
Nothing goes wrong, the row with id 1 is returned to us, and we see the normal page.

--------------
Let's see how we determine whether there is an injection point:
1. We submit id = 1 and 1 = 1
Let's look at the consequences. $id is now "1 and 1 = 1", so the query becomes:
select * from setting_table where id = 1 and 1 = 1
An AND clause has been appended, and 1 = 1 is always true, so it does not affect the original condition. The row with id = 1 is still retrieved and displayed, and what we see is the normal page.
2. We submit id = 1 and 1 = 2
Let's look at the consequences. $id is now "1 and 1 = 2", so the query runs as:
select * from setting_table where id = 1 and 1 = 2
The statement is the same as before except for the appended "and 1 = 2", which is never true. Because it is joined with AND, no row can match the condition, so only an error or an empty page is shown.

The above is the general basis for using "and 1 = 1" and "and 1 = 2" to test for injection, but note the following points:

1. The program must build the query as where id = $id, not where id = '$id'. That single quotation mark makes a big difference.

2. The program must leave the submitted parameter unprocessed, or process it badly, for us to submit it directly. If the program processes the submitted parameters more thoroughly, things are different!
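As an added example (not code from the original article), the following PHP shows the query construction Lecture 1 describes beside a parameterized version, so the reason the "and 1 = 1" / "and 1 = 2" probe works, and how to close it off, is visible in code. Table and column names (setting_table, id) follow the text; $pdo is assumed to be an open PDO connection to MySQL.

```php
<?php
// Added example, not code from the original article. It places the query
// construction Lecture 1 describes next to a parameterized version.
// Table and column names (setting_table, id) follow the text; $pdo is
// assumed to be an open PDO connection to MySQL.

// Vulnerable pattern: the raw parameter is spliced into the SQL text, so a
// value such as "1 and 1=2" rewrites the WHERE clause instead of being
// compared as a number. This is exactly what the and 1=1 / and 1=2 probe
// in the text relies on.
function buildQueryVulnerable(string $rawId): string
{
    return "select * from setting_table where id = $rawId";
}

// Hardened version: the value is validated as an integer and then bound to
// a placeholder, so it travels separately from the SQL text and the database
// never parses it as part of the statement.
function fetchSettingSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        // "1 and 1=1" is not an integer: refuse it before touching the database.
        return null;
    }
    $stmt = $pdo->prepare('select * from setting_table where id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Show how the three submissions from the text land in the vulnerable query,
// and which of them the integer check would let through.
foreach (['1', '1 and 1=1', '1 and 1=2'] as $probe) {
    $accepted = filter_var($probe, FILTER_VALIDATE_INT) !== false ? 'accepted' : 'rejected';
    echo str_pad($probe, 12), ' | ', $accepted, ' | ', buildQueryVulnerable($probe), PHP_EOL;
}
```

Running the loop prints the three query strings the text walks through; only the plain "1" passes the integer check, so with fetchSettingSafe() neither probe ever reaches MySQL and the page behaves the same for all malformed input, which is what removes the signal the and 1=1 / and 1=2 comparison depends on.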

Lecture 2: quick MYSQL version determination

Condition: you have an injection point, for example news.php?id=1, and you have confirmed it: submitting "and 1 = 1" and "and 1 = 2" returns different results.

We can guess the MySQL version like this:
1. Submit news.php?id=1 /*!40000 s*/. If the page returns normally, the MySQL version is earlier than 40000 (4.0.00). Then lower the leading digits step by step: change it to 39000 and submit, then 38000, and so on, until an error is returned. The last value that still flips the result is the MySQL version.
The test submission sequence looks like this (only the MySQL version number is written):
40000 (+) -- 39000 (+) -- 38000 (+) -- 37000 (-) -- 37900 (+) -- 37800 (+) -- 37700 (-) -- end!
The MySQL version is 37700.

2. Usually we do not want to guess the exact version; we only care whether MySQL is 4.0 or later, because only MySQL 4.0 and above supports UNION queries and earlier versions do not. So we often just use /*!40000 s*/ to check whether the version is 4.0 or later.

PS: in /*!40000 s*/, the /*! ... */ is MySQL's version-conditional comment syntax: the text inside is executed only when the server version is at least the number given, which is why a normal page means a lower version. There is nothing strange about it; just remember how to use it.

Lecture 3: How to get table names through PHP injection

I was preparing to write this when someone asked me about it, so I will summarize it here as the third lecture!

Quote:

Originally posted by spirit at 2006-5-16 05:57 PM:
I have read a lot of articles...
The content is comprehensive.
But I still do not know how to work out the table.
You cannot get the fields directly..??
Do they come one by one:
database, table, field, value...
I think this logic is correct....
By the way, I still feel that...

The table is really hard to work out. Unlike ASP, there is still no brute-force method for PHP. We generally have two approaches:
1. Guess from experience: common names such as admin, user, news, vote, wenzhang, guanliyuan, etc.
2. Read the source code: use load_file to fetch the source of a file, and you can see which table and which fields the data is inserted into. That makes everything clear, but load_file takes some skill too; I will talk about it later.

--------------------------------------------

Let's go through it in detail:

1. There is not much to say here: just guess. Suppose you have an injection point like news.php?id=1 and you have used union to work out the number of fields, so that news.php?id=1 and 1=2 union select 1,2,3,4 returns the normal page. You then guess like this: news.php?id=1 and 1=2 union select 1,2,3,4 from admin/*. If the admin table exists, the normal result is returned; otherwise the admin table does not exist. Other table names are tested the same way.

2. This one is more thorough. If you know the correct path, load_file(file path) outputs the source of that file, for example the page the administrator logs in on, and in its SQL statement you can see which table the values are read from.

That is the principle. I wanted to share my thoughts with you....

Lecture 4: Difference in quotation marks

Many friends do not understand the role of quotation marks very well; they think that adding quotation marks is the same as not adding them.

Quotation marks (single and double) have a great impact on injection. The important thing is that their effect depends on the magic_quotes setting: when magic is off, they change nothing; when magic is on, things are very different.
Tip: when magic is on, PHP prefixes every single quote ('), double quote ("), backslash (\) and NUL character we submit with a backslash, turning them into \', \", \\ and so on. That makes injection very troublesome for us, as the following examples show.

I. First example (no quotation marks)

Suppose the statement is as follows:

QUOTE:
select * from news where newsid = $id

1. When magic is off
When it is off, the data we submit is not processed at all. We can supply the value of $id in the URL, as described earlier:
$id = 1 union select 1, 2, 4 from admin
and we get the data we want.
2. When magic is on
There is no difference in this case, because we did not submit any sensitive characters.


II. Second example (with quotation marks). The SQL statement it runs is:

QUOTE:

select * from news where newsid = '$id'

With $id unfiltered, the parameter can be submitted as follows:
$id = 1' union select 1, 2, 3, 4 from admin /*
The (') at the start closes the preceding quote, and the /* at the end comments out the rest.

1. When magic is off
If magic is off, we can submit this directly and it works.

2. When magic is on
If magic is on, the statement we submit becomes:
$id = 1\' union select 1, 2, 3, 4 from admin /*
See, there is no way to exploit it (even though the vulnerability is still there).
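To make the difference between the two examples concrete, here is an added PHP example (not code from the original article) that reproduces "magic on" with addslashes(), which performs the same escaping (', ", \ and NUL) that magic_quotes_gpc applied to incoming request data before it was removed in PHP 5.4. Table and column names (news, newsid, admin) and the two submitted values are taken from Lecture 4.

```php
<?php
// Added example, not part of the original article. addslashes() escapes the
// same characters magic_quotes_gpc did (', ", \ and NUL), so it stands in for
// "magic on" here. Names (news, newsid, admin) and the two submitted values
// follow the text of Lecture 4.

function applyMagicQuotes(string $input, bool $magicOn): string
{
    return $magicOn ? addslashes($input) : $input;
}

// Example I in the text: the parameter is spliced in without quotes.
function queryWithoutQuotes(string $id, bool $magicOn): string
{
    $id = applyMagicQuotes($id, $magicOn);
    return "select * from news where newsid = $id";
}

// Example II in the text: the parameter is wrapped in single quotes.
function queryWithQuotes(string $id, bool $magicOn): string
{
    $id = applyMagicQuotes($id, $magicOn);
    return "select * from news where newsid = '$id'";
}

// True when escaping leaves the query text unchanged, i.e. the escaping
// layer had nothing to act on and therefore offered no protection.
function escapingHadNoEffect(callable $builder, string $id): bool
{
    return $builder($id, false) === $builder($id, true);
}

$noQuote   = "1 union select 1, 2, 4 from admin";        // Example I input
$withQuote = "1' union select 1, 2, 3, 4 from admin /*"; // Example II input

foreach ([false, true] as $magicOn) {
    $label = $magicOn ? 'magic on ' : 'magic off';
    echo "[$label] ", queryWithoutQuotes($noQuote, $magicOn), PHP_EOL;
    echo "[$label] ", queryWithQuotes($withQuote, $magicOn), PHP_EOL;
}

// Example I contains no quote, so addslashes() changes nothing and the
// appended UNION survives in both modes. In Example II the quote becomes \'
// and the string literal is never closed.
var_dump(escapingHadNoEffect('queryWithoutQuotes', $noQuote));
var_dump(escapingHadNoEffect('queryWithQuotes', $withQuote));
```

The printed queries show the point of the lecture from the defender's side: escaping only protects values that sit inside a quoted string literal. For the unquoted numeric parameter of Example I, magic quotes (or mysqli_real_escape_string, which escapes the same way) does nothing at all, which is why the fix is to validate the type and bind the value as a parameter rather than to rely on character escaping.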


 

 
