PHP代码审计之SQL注入-第二回
<div style="color: black; text-align: left; margin-bottom: 10px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">嗨喽,我知众君期待已久,今日特此再现美文一篇,来来,欢呼声在哪里?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438700021a836bd0a06e~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=Bi1OPiV9Kj36d7oMBgtMHkZlOzo%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">OK,收。回归正传了啊,说起<span style="color: black;">第1</span>回的基本sql注入,等等是谁在喊:<span style="color: black;">第1</span>回的sql注入<span style="color: black;">已然</span>分分钟搞定了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">那行,今日要说的是sql注入中的宽字节注入,帅哥美女们请收起<span style="color: black;">大众</span>的疑惑,坐好小板凳,听我细细说来:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">首要</span>,<span style="color: black;">必定</span>要明白何为宽字节,通俗点说:<strong style="color: blue;">一个汉字用gbk占两个字节,用utf8占三个字节,<span style="color: black;">所说</span>宽字节注入就理解成利用字节<span style="color: black;">区别</span><span style="color: black;">引起</span>的问题就ok了</strong><strong style="color: blue;">。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">接下来,我要为你们介绍几位大名鼎鼎的<span style="color: black;">名人</span>了,哈,<span style="color: black;">她们</span>分别是<strong style="color: blue;">addslashes、mysql_real_escape_string、mysql_escape_string、magic_quote_gpc</strong>,这是啥?四大天王吗?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">nonono,它们<strong style="color: blue;">为了防止sql注入,会将<span style="color: black;">有些</span>什么单引号了,双引号了<span style="color: black;">哪些</span>对sql有影响的特殊符号进行实体转义,<span style="color: black;">便是</span>加了一个斜杠</strong>,这些函数<span style="color: black;">详细</span>转移<span style="color: black;">那些</span>符号,哥们们<span style="color: black;">能够</span>去搜一下,码字很辛苦,此处我就省了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438b00001ea37545e12a~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=bl29NoCymHPbpbxoD%2F10bthg5VI%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">平白无故<span style="color: black;">为何</span>要介绍<span style="color: black;">她们</span>呢,有<span style="color: black;">无</span><span style="color: black;">发掘</span>,<span style="color: black;">第1</span>回说的那个基本sql注入已经被这四大屌丝(并非天王)<span style="color: black;">容易</span>搞定了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">咱<span style="color: black;">第1</span>回的成功就<span style="color: black;">这般</span>被搞定了?来,看例子:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438600022609f3bbe03e~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=HwozJo%2BbgfPMdgXrp4iR1Ji8fgs%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这代码<span style="color: black;">大众</span>很<span style="color: black;">熟练</span>了,在<span style="color: black;">第1</span>回的代码<span style="color: black;">基本</span>上加了个addslashes函数,<span style="color: black;">那样</span>效果<span style="color: black;">怎样</span>,请看:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438b00002e4a23597d47~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=ki0AFGYX8of%2FUssUzvmXMq%2FT%2Fd4%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">我勒个去,那个单引号给我加了个斜杠,转义了。那接下来怎么搞?两个<span style="color: black;">办法</span>:<strong style="color: blue;">1,斜杠前加斜杠,相当于转义斜杠,单引号生效。2,去掉斜杠,单引号生效。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">我去,好办法,当然实践前必须要明白个道理,这个道理很重要,我通俗的说,<span style="color: black;">大众</span>多读几遍,否则原理就<span style="color: black;">欠好</span>理解了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">其宽字节是利用mysql的特性,mysql它在用gbk编码的时候,它会认为两个字符是一个汉字,且前一个字符的ascii码要大于128。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438600024d29495f263a~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=bUUV0Gy%2BjCe3Q1aJDie86%2FRZ3E0%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">不睬</span>解?不急,那我再多码点字来解释下,必须要明白ascii码<span style="color: black;">为么</span>要大于128,这个编码大于128会<span style="color: black;">怎么样</span>,先看张图:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438700021fd2f0d1b7c3~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=WeEs6q0n4jkSTnBnac2i0a2Q168%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">这是ascii表的最后一条数据,最后一个是127,<span style="color: black;">亦</span><span style="color: black;">便是</span>前127个都是字符,超过127怎么办,那<span style="color: black;">欠好</span>意思,我就<span style="color: black;">不可</span>把你当字符了,那当什么,把你当成汉字。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">还是刚才那个例子,这次我不输入单引号了,我输入了一个<strong style="color: blue;">%df%27</strong>,输入了个啥?别急,先看下代码:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438800025984a3692c2f~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=bqwyPJT483OOttKTjEtDqR9AB4c%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">重视</span>我加的那个mysql_query("set names gbk");,它会设置字符为gbk,它是<span style="color: black;">导致</span>宽字节的始作俑者</strong>。看下结果:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438700022abb8e540957~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=hIpei1UxRZs761PfaH2BfKRcsNo%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">斜杠没了,这个单引号此时是生效的。<span style="color: black;">为何</span>,结合刚才让<span style="color: black;">大众</span>多读几遍的那个原理来看:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">首要</span>,要明白,咱<span style="color: black;">拜访</span>的url中经常都是一堆%什么的特殊字符,<span style="color: black;">非常多</span>很长的网址,那都是url编码将字符转换的结果。其次%df的ascii的编码是大于128的,非要用%df吗,非<span style="color: black;">亦</span>,只要ascii大于128<span style="color: black;">就可</span>。<span style="color: black;">那样</span>,就变<span style="color: black;">成为了</span>%df\%27了,<span style="color: black;">此时</span>候mysql就把%27\当作汉字了,<span style="color: black;">便是</span>那个繁体字,而单引号就生效了,在url编码中%27是单引号。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">那,宽字节是不是有概念了呢,相信兄弟们都懂了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438900026589f894c577~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=iOY2zB21EzTkq33lVjFiU%2FFEC6U%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">四大屌丝才说了一个addslashes函数,码字<span style="color: black;">亦</span>码累了,<span style="color: black;">瞧瞧</span>时间<span style="color: black;">亦</span>快下班了,在码一会,其它屌丝下回接着码。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">此时此刻,相比<span style="color: black;">非常多</span>人心中都有疑问了,<span style="color: black;">咱们</span>写程序都是utf8啊,谁还用gbk,你的程序要是用的utf8编码,那这个宽字节注入<span style="color: black;">能够</span>忽略,要是gbk,嘿嘿,危险了。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438a0000f3b5d97ed63b~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=OINeJxg0RsnFIp1ZEsLfps3P8ao%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">其实宽字节注入很普遍,<span style="color: black;">大众</span>会<span style="color: black;">发掘</span><span style="color: black;">非常多</span>cms系统都有两个版本,一个是gbk,一个是utf8,有的是为了照顾以前的用户,<span style="color: black;">因此</span><span style="color: black;">始终</span>在用gbk,有的是专门就弄自己的gbk编码。<span style="color: black;">因此</span>,这个在各大cms中经<span style="color: black;">平常</span>。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">当然,有攻便有防,至于防御,在咱们把所有的类型<span style="color: black;">所有</span>码完之后,再来个大大的总结。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">那针对咱们今天说的这个addslashes函数怎么做审计呢?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/4386000284e595fb6dd8~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839109&x-signature=hC1RQUZWe89S0A5jy3CdbAX7Vn0%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ok,认真了,干货来了:<strong style="color: blue;">其实非常简单,项目全局搜索以下几个关键字:1,SET NAMES. 2,character_set_client=gbk. 3,mysql_set_chatset(gbk). 从字面就<span style="color: black;">晓得</span>,<span style="color: black;">她们</span>呢都是用来设置字符编码的。</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">来一条华丽的分割线:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">最后,<span style="color: black;">倘若</span><span style="color: black;">大众</span>喜欢网络三毛,欢迎wx关注,不<span style="color: black;">定时</span><span style="color: black;">发布</span>关于审计、攻防、安全、渗透方面的知识。</p>
</div>
页:
[1]