Wide byte and secondary injection

Principle of wide byte injection

Wide byte injection is a special injection type specific to MySQL. It relies on the fact that, when the connection uses the GBK character set, the byte sequence %df%5c is interpreted as a single two-byte character. %5c is the backslash that addslashes automatically puts in front of a single quote, so when it is preceded by %df the backslash is swallowed into that character and the single quote %27 is no longer escaped.

Vulnerability display

Numeric type

<?php
    // Numeric type: intval() forces the id parameter to an integer, so
    // anything after the leading digits is dropped before it reaches the query.
    $id = intval($_GET['id']);
    $conn = mysql_connect('localhost','root','root');
    mysql_select_db('admin',$conn);
    $sql = "SELECT * FROM user WHERE id =$id";
    $result = mysql_query($sql) or die(mysql_error());
    while ($row = mysql_fetch_array($result)){
        echo "ID" .$row['id']."<br>";
        echo "USERNAME".$row['username']."<br>";
        echo "PASSWORD".$row['password']."<br>";
        echo "EMAIL".$row['email']."<br>";
    }
    mysql_close($conn);
    echo "<hr>";
    // Print the final statement so the effect of the filter is visible.
    echo $sql;
?>

As you can see, when intval is used to force the variable id to an integer, an input of 1' is converted to 1, so no error occurs and the quote never reaches the query.

Character type

<?php
    // Character type: addslashes() escapes quotes byte by byte, with no
    // knowledge of the connection character set.
    $id = addslashes($_GET['id']);
    $conn = mysql_connect('localhost','root','root');
    mysql_select_db('admin',$conn);
    // SET NAMES switches the server side to the multibyte GBK charset without
    // informing the client library; this combination is what makes the wide
    // byte effective.
    mysql_query("SET NAMES 'GBK'");
    $sql = "SELECT * FROM user WHERE id ='$id'";
    $result = mysql_query($sql) or die(mysql_error());
    while ($row = mysql_fetch_array($result)){
        echo "ID" .$row['id']."<br>";
        echo "USERNAME".$row['username']."<br>";
        echo "PASSWORD".$row['password']."<br>";
        echo "EMAIL".$row['email']."<br>";
    }
    mysql_close($conn);
    echo "<hr>";
    // Print the final statement so the effect of the filter is visible.
    echo $sql;
?>

An addslashes function is added here; it is the most basic defence against SQL injection. It prefixes every single quote passed by the user with a backslash, so the quote no longer terminates the string literal and the database receives a normal SQL query.
Therefore, with the GBK character set selected above, the wide byte can swallow the backslash that escapes the single quote, after which the usual series of injections can be carried out.

Repair plan

  1. Use mysql_set_charset('GBK') to specify the connection character set, so that the client library knows which encoding it is escaping for
  2. Use mysql_real_escape_string to escape user input; unlike addslashes, it escapes according to that character set
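To make the mechanism behind the vulnerability and the repair plan concrete, here is an added Python model (not code from the original post) of what the two escaping strategies do to the bytes the browser sends for %df%27. The functions `addslashes`, `escape_as_characters`, `server_view` and `quote_survives` are names chosen for this example; Python's decode/encode calls stand in for the MySQL server's and client library's character-set handling, and the sample input is constructed.

```python
# Added example: why a byte-level escape (addslashes) fails under GBK while a
# charset-aware escape (mysql_set_charset + mysql_real_escape_string) holds.


def addslashes(raw: bytes) -> bytes:
    """Byte-for-byte model of PHP's addslashes(): a backslash (0x5C) is
    inserted before ', ", \\ and NUL with no knowledge of the charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_as_characters(raw: bytes, charset: str) -> bytes:
    """Model of charset-aware escaping: decode to characters first, escape
    the quote characters, then encode back. A lone lead byte such as 0xDF
    cannot pair with the backslash, because the backslash is only inserted
    after decoding has already dealt with that byte."""
    text = raw.decode(charset, errors="replace")
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset, errors="replace")


def server_view(literal: bytes, charset: str) -> str:
    """How the server reads the bytes of a string literal once the
    connection charset is <charset> (e.g. after SET NAMES 'GBK')."""
    return literal.decode(charset, errors="replace")


def quote_survives(literal: bytes, charset: str) -> bool:
    """True if an unescaped single quote reaches the parser, i.e. the
    literal would be terminated early and injection becomes possible."""
    text = server_view(literal, charset)
    i = 0
    while i < len(text):
        if text[i] == "\\":      # backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed sample input: the raw bytes a browser sends for %df%27.
USER_INPUT = b"\xdf'"


def demo() -> dict:
    naive = addslashes(USER_INPUT)                    # b"\xdf\\'"
    aware = escape_as_characters(USER_INPUT, "gbk")   # b"?\\'"
    return {
        "naive_bytes": naive,
        # Under GBK, 0xDF 0x5C decodes to one two-byte character, so the
        # view is that character followed by a bare quote.
        "naive_gbk_view": server_view(naive, "gbk"),
        "naive_quote_survives_gbk": quote_survives(naive, "gbk"),
        # Under a single-byte charset the same bytes are harmless.
        "naive_quote_survives_latin1": quote_survives(naive, "latin1"),
        "aware_bytes": aware,
        "aware_quote_survives_gbk": quote_survives(aware, "gbk"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `naive_*` entries show the page's vulnerable setup: the same escaped bytes are safe under latin1 but leave a live quote under GBK. The `aware_*` entries show the repair plan: once escaping happens at the character level, the lead byte and the quote are handled separately and the backslash cannot be absorbed. This is also why SET NAMES alone is insufficient in PHP: it changes the server's charset but not the one the client library escapes for, whereas mysql_set_charset changes both.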

Principle of Secondary Injection

The condition for secondary injection is that the user inserts a malicious statement into the database, and the application trusts the data it stores and later fetches that malicious data and uses it directly. Secondary injection cannot be found by a scanner; whether such a vulnerability exists can only be judged from experience and an understanding of the back-end logic.

At the injection point the SQL injection cannot be triggered because of filtering, for example the addslashes function, which escapes characters such as the single quote into \'. However, once the value is stored in the database, the data is restored to its original form. When the database later returns the malicious statement and it is placed into an SQL statement and executed without filtering, the secondary injection vulnerability occurs.

Vulnerability display

Create two PHP files: one registers a user and stores the information in the database, and the other queries the database for that information.
reg.php

<?php
    header("content-type:text/html;charset=utf-8");
    if(!empty($_POST['submit'])){
        // addslashes() protects this INSERT, but MySQL strips the backslashes
        // when it parses the literals, so the stored values keep their quotes.
        $id = addslashes($_POST['id']);
        $username = addslashes($_POST['username']);
        $password = addslashes($_POST['password']);
        $email = addslashes($_POST['email']);
        $conn = mysql_connect("localhost","root","root");
        mysql_select_db("admin",$conn);
        $sql = "INSERT INTO USER (id,username,password,email)VALUES ('$id','$username','$password','$email');";
        $result = mysql_query($sql) or die("执行语句失败:".mysql_error());
        if($result){
            echo "注册成功";
        }else{
            echo "注册失败";
        }
    }else{
        echo "NOT POST";
    }
?>

<form action="reg.php" method="post">
    id:<input type="text" name="id"><br />
    username:<input type="text" name="username"><br />
    password:<input type="password" name="password"><br />
    email:<input type="text" name="email">
    <input type="submit" name="submit" value="点击提交">
</form>

search.php

<?php
    header("content-type:text/html;charset=utf-8");
    if(!empty($_POST['submit'])){
        $id = $_POST['id'];
        $conn = mysql_connect("localhost","root","root");
        mysql_select_db("admin",$conn);
        $sql = "SELECT * FROM USER WHERE id='$id'";
        $result = mysql_query($sql);
        while($row = mysql_fetch_array($result)){
            // The username read back from the database is trusted and placed
            // into a second query without any escaping: this is where the
            // secondary injection is triggered.
            $username = $row['username'];
            $sql = "SELECT * FROM USER WHERE username='$username'";
            $result = mysql_query($sql) or die(mysql_error());
            while($row = mysql_fetch_array($result)){
                echo 'ID:'.$row['id']."<br>";
                echo 'USERNAME:'.$row['username']."<br>";
                echo 'PASSWORD:'.$row['password']."<br>";
                echo 'EMAIL:'.$row['email'];
            }
        }
    }
?>

<form action="search.php" method="post">
    search ID:<input type="text" name="id"><br />
    <input type="submit" name="submit" value="点击查询">
</form>

Register with the username ' union select 1,2,3,4 # and the page reports that the registration succeeded.
From here we can see that the escaped quote is restored to a plain single quote when the value enters the database, so this stored value can be used to query the required information.

We can enter ' union select 1,database(),user(),4 # in the username column, and then query the corresponding id number on the search.php page.

Summary: secondary injection first inserts the injection statement into the database. Functions such as registration and message boards perform the insert operation, and the statement stored in the database is then triggered later at the place where the stored value is used again, such as an update.
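The reg.php/search.php flow above, as an added Python model using an in-memory SQLite database (this is example code, not from the original post). `register`, `search_vulnerable` and `search_safe` are names chosen here; the seed rows and the attacker-style username are constructed. The id lookup in both search functions is parameterised so that only the second-order problem is in play (search.php itself also interpolates $id directly, which is a separate, first-order issue).

```python
# Added example: store a value safely, then reuse it unsafely (search.php)
# versus safely (parameterised second query).
import sqlite3

# Constructed seed data: two ordinary accounts.
SEED = [
    (1, "alice", "alice-pass", "alice@example.com"),
    (2, "bob", "bob-pass", "bob@example.com"),
]
# Constructed username containing a quote; it is stored verbatim, exactly as
# MySQL stores the addslashes()-escaped value after parsing the INSERT.
ATTACKER_NAME = "x' OR '1'='1"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER, username TEXT, password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?,?,?,?)", SEED)
    return conn


def register(conn, id_, username, password, email) -> None:
    """Equivalent of reg.php: the INSERT itself is safe (here parameterised,
    on the page escaped with addslashes), but the quote is stored unchanged."""
    conn.execute(
        "INSERT INTO user VALUES (?,?,?,?)", (id_, username, password, email)
    )


def _usernames_for(conn, id_):
    return [u for (u,) in conn.execute(
        "SELECT username FROM user WHERE id=?", (id_,)
    ).fetchall()]


def search_vulnerable(conn, id_) -> list:
    """Equivalent of search.php: the username read back from the database is
    trusted and concatenated into a second query without escaping."""
    rows = []
    for username in _usernames_for(conn, id_):
        sql = (
            "SELECT id, username, password, email FROM user "
            f"WHERE username='{username}'"
        )
        rows.extend(conn.execute(sql).fetchall())
    return rows


def search_safe(conn, id_) -> list:
    """Hardened version: data coming back from the database is treated like
    any other untrusted input and bound as a parameter in the second query."""
    rows = []
    for username in _usernames_for(conn, id_):
        rows.extend(conn.execute(
            "SELECT id, username, password, email FROM user WHERE username=?",
            (username,),
        ).fetchall())
    return rows


if __name__ == "__main__":
    db = setup()
    register(db, 3, ATTACKER_NAME, "pw", "x@example.com")
    print("vulnerable:", search_vulnerable(db, 3))   # every row in the table
    print("safe:", search_safe(db, 3))               # only the attacker's own row
```

The point of the comparison is that escaping at the insert does nothing for the later read: the second query must bind the stored value as a parameter (or escape it again) because the database faithfully returns whatever was stored. Parameterised queries at every use of a value, whether it came from the request or from the database, remove the distinction between first- and second-order injection.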

Origin blog.csdn.net/weixin_45007073/article/details/113005634