

Learning PHP code audit with dvwa_sql (PHP audit of dvwa_sql)

Jun 13, 2016, 08:52 AM
php


0x00

  Since I moved over to OneNote I have not posted new notes for a long time, but I think it is still very much worth doing. I started learning PHP code audit a few days ago, so let me begin with this series of notes!

  Let's start with DVWA, one of the ten best-known testing platforms. Here are the links to the experts' articles I referred to; thanks to them for sharing.

  1. http://drops.wooyun.org/papers/483

  2. http://www.lxway.com/86980986.htm  (is_numeric function bypass)

  3. http://www.cnblogs.com/Safe3/archive/2008/08/22/1274095.html  (character-encoding bypass, wide-byte injection)

0x01

  Let's begin with the PHP code of the simplest level, low:

    $id = $_GET['id'];  // no filtering or anti-injection handling at all
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

  Looking at this we can see that the code does not process id at all, which leads to a SQL injection vulnerability. OK, every kind of injection works here, so I won't go into detail!
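  As an added example (not DVWA's code and not from the original post), here is the low-level lookup above rewritten so that id travels as a bound parameter instead of being pasted into the SQL text, next to the concatenating form for comparison. It assumes PHP 7.4 or later with the pdo_sqlite extension; the table, its rows and the probe inputs are constructed here so the script runs offline.

```php
<?php
// Added example, not DVWA's or the post's own code: the low-level lookup with
// the id passed as a bound parameter instead of being pasted into the SQL text.
// Assumes PHP 7.4+ with pdo_sqlite; table, rows and inputs are constructed here.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'gordonb', 'brown')");
    return $db;
}

// Same shape as the DVWA "low" handler: $id becomes part of the SQL text,
// so a quote inside it changes the statement the database parses.
function lookup_concat(PDO $db, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is constant and $id is sent as a value.
// Whatever it contains, it can only ever be compared against user_id.
function lookup_bound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// Constructed inputs: a normal id, and one that carries a quote and an OR clause.
foreach (['1', "1' OR '1'='1"] as $id) {
    printf("id=%-16s concatenated=%d row(s)  bound=%d row(s)\n",
        json_encode($id),
        count(lookup_concat($db, $id)),
        count(lookup_bound($db, $id)));
}
```

  For the plain id both functions return the same single row. For the second input the concatenated query's WHERE clause has become always true and returns every row, while the bound query compares user_id against the whole string and returns nothing. The fix for the low level is therefore not more escaping but keeping the statement text and the data separate.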

0x02

  Medium level, code:

    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);  // the id is escaped here
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

  The mysql_real_escape_string function escapes the id parameter; the common escapes include:

  • ' => \'
  • " => \"
  • \ => \\
  • \n => \\n

  Here I think there should be two ways to bypass this handling:

  1. Numeric injection

    Since this function mainly targets special characters in strings, we can inject without using any special characters, i.e. numeric injection.

    Construct: 1 union select user,password from users

    From this we can obtain the accounts and passwords in the users table. Of course you will ask: what if we don't know the exact table and column names? OK, then we can try a union-based boolean injection.

    Construct: 1+union+select+1,(select+case+when+char(72)=(select mid(table_name,0,1) from information_schema.tables limit 0,1)+then+2+end)

    The value in char() and the limit have to be varied, which can be rather time-consuming, so we could write a Python script for it (ps: a placeholder for now). Time-based injection can actually achieve the same effect.

  2. Wide-byte injection

  mysql_real_escape_string escapes a parameter by adding a '\', whose URL encoding is %5c. So we add %df%5c%27 to the parameter, where %df%5c is a valid GBK character.

  After the function processes it, we find it becomes %df%5c%5c%27, so %df%5c swallows one %5c and we are left with one GBK character + \\\'

  MySQL's escape character is also '\', so this amounts to injecting a single quote.

    Construct: 1%df%5c%27%20||1+--+

  The addslashes function has the same problem; see the links at the start of the article for details.
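  As an added example (not from the original post), the following reproduces the wide-byte effect at byte level with addslashes(), which inserts the same '\' before a quote as mysql_real_escape_string, and then shows the connection-side fix. It assumes PHP 7.4 or later with the mbstring extension; the input bytes are constructed here, and the host, user, password and database name in the connection function are placeholders.

```php
<?php
// Added example, not from the original post: the wide-byte effect at byte level
// using addslashes(), plus the connection-side fix. Assumes PHP 7.4+ with mbstring;
// input bytes are constructed, connection parameters are placeholders.
declare(strict_types=1);

// Split an escaped byte string into characters under $charset and report whether
// a single-quote character appears that is not immediately preceded by a
// backslash character, i.e. whether the escaping still holds in that charset.
function bare_quote_survives(string $escaped, string $charset): bool
{
    $chars = mb_str_split($escaped, 1, $charset);
    foreach ($chars as $i => $ch) {
        if ($ch === "'" && ($i === 0 || $chars[$i - 1] !== '\\')) {
            return true;
        }
    }
    return false;
}

// Constructed input: the high byte %df from the post placed directly before a quote.
$raw     = "\xdf'";
$escaped = addslashes($raw);   // inserts \ before the quote: the bytes df 5c 27
echo 'escaped bytes: ', bin2hex($escaped), "\n";

// Byte by byte (single-byte charset) the quote is escaped; under GBK the bytes
// df 5c form one character and the quote is left standing on its own.
foreach (['ISO-8859-1', 'GBK'] as $charset) {
    printf("%-10s bare quote survives: %s\n", $charset,
        bare_quote_survives($escaped, $charset) ? 'yes' : 'no');
}

// Fix on the connection side: declare the charset through the API so the client
// library's escaping routine knows it and treats multibyte sequences as units,
// rather than running "SET NAMES" as a plain query that the library never sees;
// then use prepared statements on top of that.
function connect_with_charset(string $host, string $user, string $pass, string $dbname): mysqli
{
    $conn = new mysqli($host, $user, $pass, $dbname);
    $conn->set_charset('utf8mb4');   // use 'gbk' here only if the schema really is GBK
    return $conn;
}
```

  The first check answers "no" and the second "yes" for the same three bytes, which is the whole mechanism: the escaping routine and the database disagree about where a character ends. During an audit, a `SET NAMES gbk` issued as a query together with mysql_real_escape_string or addslashes is the pattern to flag; mysqli_set_charset (or the charset option in a PDO DSN) removes the disagreement.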

0x02

  High level PHP code:

    $id = $_GET['id'];
    $id = stripslashes($id);              // strip slashes from the parameter
    $id = mysql_real_escape_string($id);  // escape the special characters in id
    if (is_numeric($id)) {                // check whether it is a number or a numeric string
        ...

  Well, with this I think it has become rather secure: the first two functions deal with string-based injection, and is_numeric then deals with numeric injection.

  However, SQL injection is still possible, though only as second-order injection, and the required conditions are quite strict; still, there is a chance.

  For example, executing the SQL statement

    insert into test(type) values($s);

  Here the string passed in is $s=0x31206f722031

  Looking at it this way we can tell it is a hexadecimal number, which passes this function's check; decoding the hex, we find that the actual value of $s is 1 or 1

  So what will this look like in the database?

  You can see that the database decoded this hex string into 1 or 1. So when the value is later fetched from the database and used in another SQL statement without processing, it causes second-order injection. Therefore, when writing code we must not blindly trust data in the database; data still has to be checked when it is read out.
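  As an added example (not from the original post), the script below runs the numeric checks a reviewer meets in a handler like the high-level one above over constructed inputs, including the hexadecimal string from the post, and places a strict id check beside them. It assumes PHP 7.0 or later with the filter extension enabled; the function name is_strict_id and the inputs are this example's own.

```php
<?php
// Added example, not from the original post: is_numeric() and FILTER_VALIDATE_INT
// compared with a strict id check, run over constructed inputs. Assumes PHP 7.0+
// with the filter extension; is_strict_id is this example's own helper.
declare(strict_types=1);

// Strict id check: decimal digits only, no sign, whitespace, exponent or 0x prefix,
// limited to 18 digits so the value always fits a 64-bit integer.
function is_strict_id(string $s): bool
{
    return preg_match('/\A(0|[1-9][0-9]{0,17})\z/', $s) === 1;
}

// Run the three checks over each input and return one row per input.
function compare_checks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $s) {
        $rows[] = [
            'input'        => $s,
            'is_numeric'   => is_numeric($s),
            'validate_int' => filter_var($s, FILTER_VALIDATE_INT) !== false,
            'strict_id'    => is_strict_id($s),
        ];
    }
    return $rows;
}

// Constructed inputs. The hex string is the one from the post; its decoded
// bytes are the text "1 or 1", which is what would end up stored in the table.
$inputs = ['1', '0x31206f722031', '1e3', ' 1', '1.5', '1 or 1'];
echo 'hex payload decodes to: ', hex2bin('31206f722031'), "\n";
foreach (compare_checks($inputs) as $r) {
    printf("%-18s is_numeric=%-5s validate_int=%-5s strict_id=%s\n",
        json_encode($r['input']), json_encode($r['is_numeric']),
        json_encode($r['validate_int']), json_encode($r['strict_id']));
}
```

  is_numeric() accepted hexadecimal strings on PHP 5 and stopped doing so in PHP 7.0, so on a current interpreter the hex row fails all three checks; but is_numeric() still accepts '1e3', ' 1' and '1.5', and FILTER_VALIDATE_INT still accepts ' 1' after trimming, so neither guarantees that the parameter is the plain integer user_id actually holds. The strict pattern does, and the value can then be cast and bound as an integer. Whatever check is applied on input, the value read back from the table in the second query is data again and belongs in a bound parameter, never in the SQL text.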

0x03

  That is as far as the analysis of the SQL part goes; if anything is incorrect, feel free to point it out!

  Next up I am planning SQL blind :)
