Summary of regular expressions for common sql attacks in php

  • 2021-07-24 10:33:01
  • OfStack

This article describes the regular expressions used for common SQL attacks in PHP and is shared for your reference. The specifics are as follows:

As is well known, the information_schema database in MySQL 5+ stores the names of every database, table, and column. The attack therefore proceeds as follows:

1. Determine whether the first character of the first table name is in the range a-z, where blind_sqli is a database name assumed to be already known.
Note: ^[a-z] in a regular expression means that the first character of the string is in the range a-z.

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1) /*

2. Determine whether the first character is a character in a-n

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables  WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*

3. Confirm that the character is n

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables  WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1) /*

4. Narrow the expression one character at a time

The expressions go like this: '^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE

The table name is therefore news. To confirm it, the regular expression would be '^news$', although it is just as easy to test table_name='news' directly.

5. To guess the remaining tables, just change the LIMIT clause (limit 1,1 -> limit 2,1, and so on) and blindly probe the next table in the same way.

Example filter patterns (PCRE, written as PHP strings):

$Exec_Commond  = "(\s|\S)*(exec(\s|\+)+(s|x)p\w+)(\s|\S)*";
$Simple_XSS = "(\s|\S)*((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)(\s|\S)*";
$Eval_XSS  = "(\s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*";
$Image_XSS  = "(\s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)(\s|\S)*" ;
$Script_XSS = "(\s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*";
// The double quote inside the pattern must be escaped, or it ends the PHP string early.
$SQL_Injection = "(\s|\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\s|\S)*";

SQL attack filtering code:

<?php
// Custom error handler: prints the error details and stops the script.
// Note: PHP never passes E_ERROR (fatal errors) to a user handler, so
// registering with E_ERROR alone means the handler is effectively never invoked.
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br />";
    die();
}
set_error_handler("customError",E_ERROR);

// Blacklist patterns for GET, POST and cookie values. The GET pattern also
// flags a bare single quote; the POST and cookie patterns require a word
// boundary around and/or and allow at most 6 characters before the operator.
$getfilter="'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$postfilter="\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$cookiefilter="\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";

// Checks one request parameter against a pattern; logs and aborts on a match.
function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq)
{
    // Array parameters (e.g. arr[]=1&arr[]=2) are joined before matching
    if(is_array($StrFiltValue))
    {
        $StrFiltValue=implode($StrFiltValue);
    }
    // "i": case-insensitive, "s": "." also matches newlines.
    // Caution: any request that carries a securityToken parameter, whatever
    // its value, skips the check entirely. That parameter must be a validated
    // secret, not merely present, or the filter is trivially disabled.
    if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1&&!isset($_REQUEST['securityToken']))
    {
        // Escape the submitted data before writing it into the HTML log file,
        // otherwise the log itself becomes an injection target when viewed.
        slog("<br><br> Operation IP: ".$_SERVER["REMOTE_ADDR"]."<br> Operation time : ".date("Y-m-d H:i:s")."<br> Actions page :".htmlspecialchars($_SERVER["PHP_SELF"])."<br> Submission method : ".$_SERVER["REQUEST_METHOD"]."<br> Submit parameters : ".htmlspecialchars($StrFiltKey)."<br> Submit data : ".htmlspecialchars($StrFiltValue));
        print "result notice:Illegal operation!";
        exit();
    }
}
foreach($_GET as $key=>$value)
{
    StopAttack($key,$value,$getfilter);
}
foreach($_POST as $key=>$value)
{
    StopAttack($key,$value,$postfilter);
}
foreach($_COOKIE as $key=>$value)
{
    StopAttack($key,$value,$cookiefilter);
}

// Appends one record per line to log.htm
function slog($logs)
{
    $toppath="log.htm";
    $Ts=fopen($toppath,"a+");
    fputs($Ts,$logs."\r\n");
    fclose($Ts);
}
?>
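The following is an added example, not code from the original article. It runs two of the article's patterns ($getfilter and $SQL_Injection, the latter with its leading group written as (\s|\S)*) over a handful of constructed request parameters and reports which parameters each pattern flags, so the hit on the article's own blind-injection probe can be seen next to the false positives a blacklist produces on ordinary text. The helper name flagSuspiciousParams() and every sample value are this example's own.

```php
<?php
// Added example, not code from the original article: exercise the article's
// $getfilter and $SQL_Injection patterns over constructed sample parameters.

declare(strict_types=1);

// The article's $getfilter, in a nowdoc so no backslash is altered.
$getfilter = <<<'PCRE'
'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)
PCRE;

// The article's $SQL_Injection pattern.
$sqlInjection = <<<'PCRE'
(\s|\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\s|\S)*
PCRE;

/**
 * Returns the names of the parameters whose value matches $filter.
 * Same check as the article's StopAttack(), but it returns instead of calling
 * exit(), so the result can be logged, tested, or acted on by the caller.
 */
function flagSuspiciousParams(array $params, string $filter): array
{
    $flagged = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            $value = implode(' ', $value);   // flatten arr[]=x&arr[]=y, as the article does
        }
        // "~" as delimiter: $SQL_Injection contains an unescaped "/", which would
        // terminate a "/"-delimited pattern with an "Unknown modifier" warning.
        // "i" = case-insensitive, "s" = "." also matches newlines, as in the article.
        if (preg_match('~' . $filter . '~is', (string) $value) === 1) {
            $flagged[] = (string) $key;
        }
    }
    return $flagged;
}

// Constructed sample requests (this example's own): the article's step-1 probe
// URL-decoded, one clean request, and two harmless values that trip the blacklist.
$samples = [
    'blind probe (article step 1)' => [
        'id' => '1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP \'^[a-z]\' LIMIT 0,1) /*',
    ],
    'clean request'                => ['id' => '42', 'page' => '3'],
    'false positive: apostrophe'   => ['name' => "O'Brien"],
    'false positive: plain text'   => ['note' => 'tea or coffee in the morning'],
];

foreach ($samples as $label => $params) {
    printf(
        "%-30s getfilter=%-5s SQL_Injection=%s\n",
        $label,
        implode(',', flagSuspiciousParams($params, $getfilter)) ?: '-',
        implode(',', flagSuspiciousParams($params, $sqlInjection)) ?: '-'
    );
}
```

Run with `php filter_demo.php`. The probe is caught by $getfilter through both `(and|or)\b.+?=` and `SELECT.+?FROM` (its trailing `/*` has no closing `*/`, so the comment alternative alone would not have fired), while `O'Brien` is flagged by the bare `'` alternative and `tea or coffee in the morning` by `or ... in`. $SQL_Injection flags any value containing `=`, `/`, `'`, `"`, `;` or `--`, which makes it unusable on a parameter such as a URL or a date. A regex blacklist of this kind is a detection and logging layer; the query itself still needs to be built with bound parameters for the filter's misses and false positives not to matter.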

Analysis:

Once this function is used, PHP's standard error handling is bypassed, so the user-defined handler must itself terminate the script where needed (hence the die()).
Secondly, if an error occurs before the handler is registered, the user-defined handler does not exist yet at that moment, so it will not be used for that error.

PHP also provides its own error handling mechanism: set_error_handler() takes over PHP's error handling, and trigger_error() raises an error deliberately.

The set_error_handler() function registers a user-defined error handling function. It is used to create your own error handling at run time: you write an error handler and then register it together with the error levels it should receive.
Usage:

// Report the error code, message, location and PHP build, then let the script continue
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b> Error code :</b> [{$errno}] {$errstr}\r\n";
    echo " The line of code where the error is located: {$errline} File: {$errfile}\r\n";
    echo " PHP Version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
    // die();   // uncomment to stop the script after reporting
}
// Register the handler for all error levels
set_error_handler("customError", E_ALL | E_STRICT);

Summary

When PHP encounters an error, it reports the script's location, the line number and the reason. Many people say this is no big deal, but the consequences of revealing the real path can be far-reaching: for some intruders this information is very valuable, and in practice many servers still have this problem. Some administrators simply set display_errors to Off in the PHP configuration file, but I think that approach is too passive. Sometimes we do need PHP to return error information for debugging, and when an error occurs it may be necessary to give the user an explanation or even redirect to another page. With set_error_handler() these conflicting needs can be reconciled, yet I find that this function is rarely used.
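As an added example (not code from the original article), here is a handler in the style of customError() above that keeps the file path and line number in a server-side log and shows the client only a generic notice with a reference id, which is the compromise the paragraph above asks for. The handler name, the log path php-errors.log and the reference-id scheme are this example's own choices.

```php
<?php
// Added example, not code from the original article: an error handler that
// logs full details server-side and returns only a generic message to the client.

declare(strict_types=1);

const ERROR_LOG_PATH = __DIR__ . '/php-errors.log';   // assumed writable location

function safeErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour error_reporting() and the @ operator, as PHP's own handler does.
    if ((error_reporting() & $errno) === 0) {
        return false;   // let PHP's standard handling take over
    }

    // A short random reference lets support staff find the log line without
    // the response revealing the path itself.
    $ref    = bin2hex(random_bytes(4));
    $record = sprintf(
        "%s ref=%s errno=%d %s in %s:%d\n",
        date('Y-m-d H:i:s'), $ref, $errno, $errstr, $errfile, $errline
    );
    error_log($record, 3, ERROR_LOG_PATH);   // message_type 3 appends to the given file

    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo "An internal error occurred (reference {$ref}).\n";
        exit(1);   // as in the article, the handler itself must stop the script
    }
    return true;   // handled: the default handler and display_errors are skipped
}

set_error_handler('safeErrorHandler', E_ALL);

// Demonstration through trigger_error(): the client sees only the generic
// lines below, while file and line details land in php-errors.log.
trigger_error('demo warning: lookup failed for constructed input', E_USER_WARNING);
echo "Continuing after a logged warning.\n";
trigger_error('demo fatal: unrecoverable state', E_USER_ERROR);
echo "Never printed.\n";
```

Run with `php error_handler_demo.php` and inspect php-errors.log afterwards. One caveat the article's `set_error_handler("customError", E_ERROR)` line runs into: PHP never delivers E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR or E_COMPILE_WARNING to a user handler, so for those the display_errors and log_errors settings in php.ini still decide what the client sees.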

I hope this article is helpful to everyone's PHP programming.
