Getting Started with PHP Code Auditing (Penetration Testing Supplement)
<div style="color: black; text-align: left; margin-bottom: 10px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x01 Preface</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Although there are already plenty of articles on code auditing, I still decided to reinvent the wheel and write this as a series. In recent years more and more security researchers have turned to vulnerability hunting in PHP applications, and the corresponding code security problems have been exposed in large numbers. Living in this era, I am glad that the white-hat seniors around me keep pushing for breakthroughs and have enriched and refined the concept of code auditing. Having learned this far, I also want to summarise my own auditing experience, hoping it helps newcomers get a friendlier start in this field.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x02 Preparation</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Technical prerequisites: PHP basics, MySQL</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tool used: Visual Studio</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Server environment: xampp</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Recommended: phpStudy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x03 Mind map</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365045381195c6480b~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=gi4s2AplxWyTTuPEzeHJiI2geyE%3D" style="width: 50%; margin-bottom: 20px;"></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The mind map mainly summarises seven common vulnerability classes: SQL injection, XSS (cross-site scripting), CSRF/XSRF, file-operation vulnerabilities, code and command execution, design flaws, and SSRF. Each class has many variants and cases, and later articles will keep turning these into case studies to share with everyone. This article mainly introduces SQL injection; I have grouped CSRF and XSRF together as one class.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x04 SQL injection basics</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The main cause of injection is that the programmer did not filter input according to the usage scenario when writing the SQL statement, so externally supplied input can make arbitrary SQL execute. SQL statements come in four types, Select, Insert, Update and Delete, and injection arises from concatenating input into these four basic operations. Below I use Select as the example to guide newcomers through a first look at SQL injection. Select is the database's query operation, so it usually appears in a site's list views, detail pages and search; the flawed code is as follows:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1520936504618a2c30ee0ca~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=a0AiegphAAn25yp%2BNCyeGOfZKMQ%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enter in the browser: http://127.0.0.1/test/test.php?id=1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365047637ac2895996~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=prlmBxsAYQ%2BwlHaOlLwE4FZ82N4%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then enter in the browser: http://127.0.0.1/test/test.php?id=1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/152093650482286be80857d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=NluBSrLhcMxQuz3TQxUl4N9%2Birk%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enter in the browser once more: http://127.0.0.1/test/test.php?id=1 and 1=2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1520936504782cf0824cc08~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=u5m4LhY0MnmKUJHulE5Oh%2B%2BqsuA%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This time no data comes back, because in the statement we executed goods_id must not only equal 1, string(1) = string(2) must also hold for the condition to be true; string(1) can never equal string(2), so the condition is not satisfied and no rows are returned. From this we know that the statement we supplied from outside was carried into the database and executed as a query, so we can conclude there is SQL injection.</p>
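<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (this is not code from the article), the following small PHP audit helper flags the pattern described above: a request superglobal concatenated or interpolated into a string that contains one of the four statement verbs. The sample source lines are constructed for the demonstration and the table name goods is assumed; the helper matches the first sample line (direct concatenation of $_GET['id']) and not the prepared-statement line.</p>

```php
<?php
// Added example, not the article's own code: a per-line audit helper for
// the source/sink combination the article describes (request input
// flowing into a SELECT/INSERT/UPDATE/DELETE string).
declare(strict_types=1);

const SUPERGLOBALS = '\$_(?:GET|POST|REQUEST|COOKIE)';
const SQL_VERBS    = '\b(?:SELECT|INSERT|UPDATE|DELETE)\b';

/**
 * Return the 1-based line numbers of $source where a SQL verb and a
 * request superglobal appear on the same line. Those lines deserve a
 * manual look; everything else still needs the auditor to follow
 * variables assigned from superglobals on earlier lines.
 */
function findRiskyLines(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (!preg_match('/' . SQL_VERBS . '/i', $line)) {
            continue;
        }
        // Matches both concatenation (. $_GET['id']) and interpolation
        // inside double quotes ({$_GET['id']}).
        if (preg_match('/' . SUPERGLOBALS . '\s*\[/', $line)) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed sample source: line 1 is the flawed pattern from the article,
// line 2 and 3 are the article's intval fix split over two statements,
// line 4 is a parameterised query (table name `goods` is assumed).
$sample = <<<'PHP'
$sql = "SELECT * FROM goods WHERE goods_id = " . $_GET['id'];
$id = intval($_GET['id']);
$sql = "SELECT * FROM goods WHERE goods_id = $id";
$stmt = $pdo->prepare("SELECT * FROM goods WHERE goods_id = :id");
PHP;

print_r(findRiskyLines($sample));
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run it with php on the file, or point findRiskyLines at file_get_contents() of a real source file. The check is deliberately a line-level heuristic: it does not track a variable such as $id across lines, so a hit means "inspect", and a miss does not mean "safe".</p>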
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">MySQL comments:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">From a '-- ' sequence to the end of the line. Note the space after '--': this comment style requires at least one character (for example a space, tab, newline, and so on) after the second dash.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">From a '#' character to the end of the line.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">From a /* sequence to the following */ sequence. The closing sequence need not be on the same line, so this syntax allows comments to span multiple lines.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The following examples show the three comment styles:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysql>SELECT 1+1; #</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysql>SELECT 1+1; --</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysql>SELECT 1 /* xxxxxx */ + 1;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Getting the number of columns in the table:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365048322eda57ab55~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=CsceVE5fgFqSrZDWAbzTHXENS6w%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The page still returns normally, which shows the column count of this table is greater than 1; keep increasing the number until an error appears.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1520936504805d024df75e0~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=5fgi7s7%2BIDhWsZwxN2q8cRhoO3g%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">At 8 the page errors, which shows the column count of this table is less than 8, that is, the table has 7 columns.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365048774704fd31c4~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=rWLOn1mpmFaoem5xllFLsGrkTbo%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The page outputs 1,2,3,4,5,6,7; these are all output points.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1520936504983b99bd4a28d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=lgMK5%2BsdmqEAZsj1N1844GdQZE0%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">These output the current connection user, database, and server version respectively.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365050227c53644b4b~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=LoeO0jcrJYgMHcW8Wn3EAesosWo%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Getting all databases</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/152093650497208590014ae~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=GJ8LNiofcS2hXREx2JPuH6u2A8g%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Getting all tables of the test database</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Getting the hex encoding:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SELECT hex('test');</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Result: 74657374</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Prefix it with 0x: 0x74657374</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Hex: 0x74657374</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://127.0.0.1/test/test.php?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x74657374</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">table_schema === hex-encoded database name</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">table_name === hex-encoded table name</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365050857abe4b10bf~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=AGOYsFHFGxaz3Jobdu%2BPfDPcakU%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Getting all columns of the tdb_admin table</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15209365050785f4d882497~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839606&x-signature=vGFPvCgNgc79J05jMoj0A%2FZv%2Bsg%3D" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Getting the data of the tdb_admin table</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x05 Fix</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">$id = @intval($_GET['id']);</p>
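<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (not code from the article), the following PHP shows the flawed pattern from section 0x04 next to two hardened versions: the article's intval cast, and a parameterised query, which is the general fix that also works for non-numeric input. A table named goods with a numeric goods_id column is assumed (the article shows only the column name), and the PDO DSN and credentials are placeholders to replace with your own.</p>

```php
<?php
// Added example, not the article's own code. Assumed: table `goods`,
// numeric column `goods_id`, placeholder PDO connection details.
declare(strict_types=1);

// Vulnerable pattern: the request value becomes part of the SQL text, so
// ?id=1 and 1=2 changes the WHERE clause, which is exactly what the
// article's "and 1=2" probe detects.
function buildVulnerableQuery(string $id): string
{
    return "SELECT * FROM goods WHERE goods_id = " . $id;
}

// Fix 1 (the article's fix): cast to int before use. This is only safe
// because goods_id is numeric; intval('1 and 1=2') is 1, so nothing but
// digits reaches the statement.
function buildIntvalQuery(string $id): string
{
    return "SELECT * FROM goods WHERE goods_id = " . intval($id);
}

// Fix 2 (general): a parameterised query; data is bound, never parsed as SQL.
function fetchGoods(PDO $pdo, string $id): array
{
    // Reject rather than silently coerce: a non-digit id here is worth a
    // log line, because it is what an injection probe looks like.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('goods id must be numeric');
    }
    // Use real server-side prepares instead of client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('SELECT * FROM goods WHERE goods_id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with the two probe values used in the article; the first
// two functions only build the SQL text, so no database is needed.
foreach (['1', '1 and 1=2'] as $probe) {
    echo "input: $probe\n";
    echo "  vulnerable: " . buildVulnerableQuery($probe) . "\n";
    echo "  intval:     " . buildIntvalQuery($probe) . "\n";
}

// To run fetchGoods, replace the placeholder DSN and credentials:
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8mb4',
//                'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// print_r(fetchGoods($pdo, $_GET['id'] ?? ''));
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Reading the parameter as $_GET['id'] ?? '' avoids the need for the @ error suppression in the article's one-liner, and the ctype_digit check plus the bound integer parameter mean the id can never alter the statement, so the and 1=1 / and 1=2 test from section 0x04 returns the same result for both probes.</p>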
</div>