Since I switched to OneNote, I haven’t published a new essay for a long time, but it is still very necessary to think about it. I have started to learn PHP code auditing in the past few days, so let’s start posting these essays first!
First of all, let’s start learning through dvwa, the top ten test platforms. First, bring the links of famous experts for reference here. Thanks for sharing
1.http://drops.wooyun.org/papers/483
2.http://www.lxway.com/86980986.htm is_numeric function bypasses
3.http://www.cnblogs.com/Safe3/archive/2008/08/22/1274095.html Character encoding bypass Wide byte injection
Here we first bring in the simplest low-level php code
<span> $id</span> = <span>$_GET</span>['id'<span>];//未作任何过滤,防注入处理 </span><span>$getid</span> = "SELECT first_name, last_name FROM users WHERE user_id = '<span>$id</span>'"<span>; </span><span>$result</span> = <span>mysql_query</span>(<span>$getid</span>) or <span>die</span>('<pre class="brush:php;toolbar:false">' . <span>mysql_error</span>() . '' );
Seeing this, we can know that this code actually does not process id, resulting in sql injection vulnerability, ok, all kinds of injections are possible, here it is No more details!
Medium level, code:
<span> $id</span>=<span>$_GET</span>['id'<span>]; </span><span>$id</span>=<span>mysql_real_escape_string</span>(<span>$id</span><span>);//这里对id进行了转义的操作 </span><span>$getid</span>="SELECTfirst_name,last_nameFROMusersWHEREuser_id=<span>$id</span>";
The mysql_real_escape_string function escapes the id parameter. Common escapes include
Here I think there should be 2 ways to bypass this processing:
1. Numerical injection
Since this function is mainly aimed at processing character-type special characters, we can inject without using special characters, that is, numerical injection
<span> 构造:1</span> untion <span>select</span> <span>user</span>,password <span>from</span> users
From this you can get the account password in the users table. Of course you will ask, what if you don’t know the specific table name and column name? ok, we can try to use union bool injection
<span> 构造:1</span><span>+</span><span>union</span><span>+</span><span>select</span><span>+</span><span>1</span>,(<span>select</span><span>+</span><span>case</span><span>+</span><span>when</span><span>+</span><span>char</span>(<span>72</span>)<span>=</span>(<span>select</span> mid(table_name,<span>0</span>,<span>1</span>) <span>from</span> information_schema.tables limit <span>0</span>,<span>1</span>)<span>+</span><span>then</span><span>+</span><span>2</span><span>+</span><span>end</span>)
The value in char() needs to be transformed and limited, which may take more time. We can write a python script (ps: take a pit first). In fact, the same effect can be achieved using delayed injection
2. Wide byte injection
mysql_real_escape_string The way to escape parameters is to add a '', and its url encoding is , so we are Add �' to the parameter, where � is a legal gbk character
Then after processing by this function, you can find that it will become �\', like this � will swallow a and become a gbk character \'
And the escape character of mysql is also '' is equivalent to injecting a single quote
<span> 构造:1</span><span>%</span>df<span>%</span>5c<span>%</span><span>27</span><span>%</span><span>20</span><span>||</span><span>1</span><span>+</span><span>--</span><span>+ </span>
The same addslashes function also has the same problem. For details, please refer to the link at the beginning of the article
high级别的php代码
<span>$id</span>=<span>$_GET</span>['id'<span>]; </span><span>$id</span>=<span>stripslashes</span>(<span>$id</span><span>);//剔除参数中的斜杠 </span><span>$id</span>=<span>mysql_real_escape_string</span>(<span>$id</span><span>);//对id中的特殊字符进行转义 </span><span>if</span>(<span>is_numeric</span>(<span>$id</span><span>)){//判断是否是数值或数值字符串 </span>...
好吧,这样一来,我觉得还是变得很安全了,前面2个函数对字符型的注入进行了处理,紧接着is_numeric函数则对数值型注入进行了处理。
然而这样子仍然可以造成sql注入,不过是二次注入,且限制的条件也比较苛刻但是仍有机会造成注入
比如执行sql语句
<span> insert</span> <span>into</span> test(type) <span>values</span>($s);
此时传入的字符串$s=0x31206f722031
这样看可以知道这是一个16进制数,可以通过该函数的检测,然后对16进制解码我们可以发现$s其实实际的值为 ‘1 or 1’
那么这样操作数据库里会变成什么样子
可以看到数据库将这串16进制数进行了转码变成了1 or 1 那么到时候进行数据库取值然后不经处理带入到另一个sql语句中就会造成二次注入.所以我们在写代码的时候不能盲目的信任数据库里的数据,在取出数据时仍需要进行检测。
sql部分的代码就分析到这里,如有不正确的地方,欢迎拍砖!
下篇准备sql blind :)