Theory PHP Common Vulnerabilities third bomb: injection vulnerability-vulnerability warning-the black bar safety net

2016-06-22T00:00:00
ID MYHACK58:62201676165
Type myhack58
Reporter 雷鬼
Modified 2016-06-22T00:00:00

Description

Injection, is probably the user-controllable number of variables, to the database operation, and cause a change in sql the original intent of the effect. For example, a registered user of logic, detecting whether the user name exists, the user submitted over the user name to get to the database to query. If the code logic, not the user name to do better than the filter, the user can submit some special characters to complete the injection.

Now the injection of the main reason is that many programmers in writing sql statements, or like to engage in statement stitching.

According to the sql classification, the injection is generally divided into four types:

  • select

  • update

  • insert

  • delete

If there is a mysql error, then, these four can be used for error injection, very convenient;

If there is no mysql error

  1. select the injection: you can try with union select+echo to inject, if there is no echo back, it would only be able to use the blinds.

  2. update injection: if it is in the update set position, then we can find this table to which the column will be displayed. For example, if an update of the injection point is in the user table and is in the set position of controllable, then we can update email this column, then go to the user profile look at their email on the data, statements such as update table set email=(select user ()); if it is in the where after the words, then the General is blind.

  3. insert the injection: it is by find which column will not be displayed, try to put you out of the data inserted to this column to go inside. If no display, then, is also blind.

  4. delete injection: are generally blind.

Digital type of injection is mainly because of his variables and did not use the single quotation marks. But basically be forced to type conversion, such as intval($username)?. But sometimes there are omissions. While the character type and search type, is there will be single quotation marks. So you need a closing single quote and then to be injected.

Say to the single quotes have to say php. ini in the configuration of Magic_quotes_gpc in the slightly higher version the default is on, but in 5. 4 It has been abolished. From a literally point of view, the GPC QUOTE. GPC corresponding to the is the GET, POST and COOKIE, wherein the content, will be the escape character for ' “ \ NULL, the escape way is the front to add a escape character. Leading to losing the original meaning, not the closing single quote for the injection.

Global does not do addslashes.

Like this global not the GET/POST/COOKIE to do the addslashes, this manufacturer is basically in the query, and then to some user-controllable variables, addslashes, even without addslashes directly into the query.

So even if in the query the time for the addslashes, and in many cases are also able to find a few missing addslashes. This is relatively simple, not much to say.

Global do addslashes

Now slightly better manufacturers are known in the global file to GET/POST/COOKIE to do the addslashes (even the In into the query in a function and then do the escape or pre-compiled, this to kneel) so basically don't worry about where the omission of the WHERE forget addslashes) this fundamental is first, get magic quotes gpc to determine the gpc is turned on, if not open, then call addslashes to escape. If the opening words, you don't have to addslashes. Haven't turned on addslashes。

The following are some common injection method

Width byte injection

This is a platitude, from the beginning of the database character set GBK width byte injection, now also have for a long time. But not the character set to GBK will be able to wide byte injection.

There are always some friends say how I see the cms character set is gbk, but why not width bytes? This is because the connection to the database in different ways. Database connection when using the Set names gbk this can be wide bytes.

But now, such basic can't see. Because the basic are provided a binary read. Such a wide-byte basic is gone, but with the other one, because the conversion character set caused by the wide byte injection. For example, from utf8 to go to gbk or from gbk to go to utf8 or something.

> Example: Tick: 74cms the latest version of the injected 8-9

Analysis:“Kam”word, from the UTF8 converted to GBK after became %e5%5c 7 4, cms for GET/POST/COOKIE, etc. are done with addslashes, so the'escape to\' ->%5C %e5%5c%5c' two\, then the single quotes out.

> Example 2: Tick: qibocms Download SystemSQL injectiona coin(official website can be reproduced)

Decoding leads to the injection

Because in the global file, addslashes, if we can find some decoding, such as urldecode, the base64_decode and the like, then we first be submitted to the encode after, then it can not be escaped. Then decode, and then brought into the query, causing the injection, the disregard of the gpc.

This is very common. Many examples just to find one

> Example: Tick: qibocms B2b injected one //qibocms injection Example: Tick: phpdisk V7 sql injection2 //phpdisk injection

Variable coverage caused by the injection

Common variable coverage what's the extract and the parse_str function is what, and of course$$is.

Variable coverage have combined some specific scenarios. For example, extract($_POST)or something directly from the POST array, removing the variables. This still met a few, and then overwrite some of the variables.

Coverage while is generally covered off of the table prefix or the like. For example Select * from $pre_admin where xxx like this, just override the$pre, and then directly up the whole statement and then injected.

> Example: Tick: qibocms classification of injection one can enhance their own management Example 2: Tick: phpmps injection one

Of course $$ is also quite often used this example is very good.

> Example 3: Tick: MetInfo the latest version(5.2.4)a SQL blind injection vulnerability

Some replace caused by the injection

[1] [2] [3] next