With magic_quotes_gpc=on, PHP applies the equivalent of addslashes() to incoming data automatically (stripslashes() reverses it). In PHP 4.0 and above this option is enabled by default, so even if a PHP program does not filter its own parameters, every value passed through GET, POST and COOKIE is escaped by the PHP runtime. In other words, the quote characters in injected input are converted, which makes injection considerably harder for an attacker.
Even so, an attacker may still be able to perform SQL injection. The precondition is that a numeric parameter has not been passed through intval(), because once a value has been processed by intval() it is forced into a number.
As mentioned above, turning on magic_quotes_gpc=on is equivalent to applying the addslashes() function. A numeric parameter, however, is not wrapped in single quotes, so the escaping performed by addslashes() is simply bypassed. MySQL's built-in char() function interprets its arguments as integers and returns a string made up of the characters with those ASCII codes; a hexadecimal literal can be used in the same way (HEX()), in which case the number must be prefixed with 0x.
Example demonstration:
Suppose the administrator's username is known to be admin but the password is not, and magic_quotes_gpc is enabled.
SQL statement:
$sql="select * from users where username=$name and password='$pwd'";
Note: the variable $name is not enclosed in quotes.
Now enter username=admin%23 in the address bar; the resulting SQL statement is:
select * from users where username='admin' #' and password='';
Here the single quote (') entered through the URL address bar has a backslash added in front of it, so the SQL statement becomes invalid.
The string admin expressed as ASCII codes is char(97,100,109,105,110).
Now enter the following in the address bar:
username=char(97,100,109,105,110)%23
The SQL statement becomes:
select * from users where username=char(97,100,109,105,110)#' and password='';
If the query succeeds, the attacker is logged straight in to the admin backend.
To prevent numeric injection, every numeric parameter must be forced into a number with intval() before it is used in a database query; this eliminates numeric injection vulnerabilities of this kind.
For example:
Enter in the address bar:
id=5' or 1=1%23
The SQL statement will become:
select * from articles where id='5';
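As an added example (not code from the original article), the following PHP places the vulnerable unquoted-parameter pattern beside the two fixes: intval() for numeric parameters and a PDO prepared statement (assumed connection $pdo) for string ones. magic_quotes_gpc no longer exists in PHP 5.4 and later, so addslashes() stands in here for what it did to every GET/POST/COOKIE value.

```php
<?php
// Added example, not from the original article. Demonstrates why quote
// escaping alone does not protect an unquoted SQL parameter, and the two
// fixes a defender should apply instead.

// magic_quotes_gpc=on applied addslashes() to all request input; the
// directive was removed in PHP 5.4, so we reproduce its effect explicitly.
function magic_quotes_emulation(string $value): string {
    return addslashes($value);
}

// Vulnerable pattern from the article: $name is interpolated without quotes,
// so input that contains no quote character is never altered by escaping.
function vulnerable_query(string $rawName): string {
    $name = magic_quotes_emulation($rawName);
    return "select * from users where username=$name and password=''";
}

// Fix 1: a numeric parameter is forced to an integer before it reaches SQL.
// intval() keeps only the leading digits of the input and drops the rest.
function hardened_numeric_query(string $rawId): string {
    $id = intval($rawId);
    return "select * from articles where id=$id";
}

// Fix 2: a string parameter never becomes part of the SQL text at all.
// Assumes an already opened PDO connection $pdo (hypothetical). The statement
// text is fixed and the value is bound separately, so char(...) or quote
// characters inside $rawName are treated as plain data by the server.
function hardened_string_query(PDO $pdo, string $rawName): PDOStatement {
    $stmt = $pdo->prepare('select * from users where username = :name');
    $stmt->bindValue(':name', $rawName, PDO::PARAM_STR);
    return $stmt;
}

// Walk-through with the article's own inputs (constructed, shown URL-decoded).
// addslashes() finds nothing to escape in the first payload, so it passes
// through to the query text unchanged; intval() reduces the second to 5.
echo vulnerable_query("char(97,100,109,105,110)#"), "\n";
echo hardened_numeric_query("5' or 1=1#"), "\n";
```

Run the script to compare the two generated statements; the string case needs a live PDO connection and is therefore not executed here.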