Use GBK Double Byte encoding to break through the limit of single quotes escape in PHP for SQL Injection

Use GBK Double Byte encoding to break through the limit of single quotes escape in PHP for SQL Injection

Date: 2010-10-18|
Source: redice's blog|
Author: redice|
305 onlookers|
0 people applaud!

Today, I read the article dubyte encoding: the invisible killer of PHP in the essence of anti-DDoS 2009, which is deeply inspired.

When magic_quotes_gpc in PHP. INI is set to on, the submitted parameters are escaped. For example, single quotes are escaped '. All of a sudden, the routing of injection is truncated.

GBK dubyte encoding: a Chinese character is expressed in two bytes. The first byte corresponds to 0x81-0xfe, And the last byte corresponds to 0x40-0xfe (except 0x7f), which exactly covers the corresponding encoding 0x5c.

0xd5 0x5c corresponds to the Chinese character "yellow", so % D5 % 5c is "yellow" after URL Decoding ".

When we submit the parameter % D5 ', it is encoded as % D5 % 27 by the browser URL, and decoded
0xd50x27, Which is escaped by PHP and then 0xd50x5c0x27, that is, the escape character 0x5c (\) is inserted before 0x27 (\). When MySQL uses GBK encoding for connection
At the time of connection, the byte sequence 0xd50x5c0x27 is understood by MySQL as GBK encoding: '.

In this way, the PHP escape character is eaten, which breaks through the limit of single quotes escape.

The local test is as follows:

The test script index. php is as follows:

View plaincopy to clipboardprint?

2. <? PHP
4. $ Conn= 0;
6. $ Conn= Mysql_connect ("Localhost","Root","See2006");
8. If(!$ Conn)
10. {
12. Die("The database connection cannot be enabled. Error :". Mysql_error ());
14. }
18. // Select a database
20. Mysql_select_db ("Test",$ Conn);
24. // Set the character set of MySQL output data
26. Mysql_query ("Set names 'gbk '");
30. $ SQL="Select * from news where content like '%".$ _ Request['K']. "%'";
32. Echo "Current SQL statement :".$ SQL."<Br/>";
36. $ Result= Mysql_query ($ SQL,$ Conn);
40. If(!$ Result)
42. EchoMysql_error ();
46. While($ Result&&$ Row= Mysql_fetch_array ($ Result))
48. {
50. Echo "$ Row [title] <br/>";
52. }
54. ?>

The search keyword is blank. All entries are displayed.

PHP automatically escapes single quotes

An error occurred while using double-byte encoding to bypass PHP escaping.

Correct syntax using the # annotated SQL statement

Number of Union guess fields and positions of displayed Fields

View Current user in Union

View the current database name in Union

View test database table names in Union

View the name field value of the User table in Union

Union: view the pass field value of the User table