

Posted 2004/9/26 17:27:00, 669 views

Category: Security


$query = "SELECT * FROM user where user = '" . $_REQUEST['user'] . "'";
...SQL injection is impossible. However, if the value is being placed in a non-delimited
portion of the query, such as a numeric value, table or column name:
$query = "SELECT * FROM user order by " . $_REQUEST['user'];
or
$query = "SELECT * FROM user where max_connections = " . $_REQUEST['user'];
...then SQL injection is still possible.

$query = "SELECT * FROM user where user = (" . $_REQUEST['user'] . ")";

If we want to return other useful data – apart from the 'user' table – we can use the
'UNION' statement to combine two result sets. Since the 'UNION' statement comes after
the 'WHERE' clause in a select statement, we can choose any data we like, within the
following restrictions:
• Our select statement must return the same number of fields as the original (31 if you
count them, or do a 'describe user').
• The data types of our fields must match, or it must be possible to implicitly convert
between the two.
• If our data contains text fields, they will be truncated to the length of the
corresponding text field in the first query.
Let's say we want to return the '@@version' string. We would request something like:
We can select arbitrary fields from other tables using union select. For example,
suppose we wanted to retrieve the 'name' and 'dl' fields from the 'func' table:
Using 'UNION', an attacker can effectively access all of the data that the calling
application can access.
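The two unsafe patterns above (a value concatenated into a non-delimited numeric position, and a column name concatenated into ORDER BY) together with the fix a defender would apply, as an added example that is not from the original article or the paper it quotes. It is Python with an in-memory SQLite table standing in for MySQL's 'user' table so it runs offline; make_db, escape_quotes, the 'secret' table, the allowlist and the input strings are constructed for the demonstration. The same split applies in PHP with mysqli/PDO: bind values as parameters, check identifiers against an allowlist.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL 'user' table, plus a second
# table whose rows the application never intends to expose (not page data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user TEXT, max_connections INTEGER)")
    db.executemany("INSERT INTO user VALUES (?, ?)", [("alice", 10), ("bob", 20)])
    db.execute("CREATE TABLE secret (name TEXT, val INTEGER)")
    db.execute("INSERT INTO secret VALUES ('api_key', 42)")
    return db

def escape_quotes(s):
    """Quote escaping in the spirit of magic_quotes (SQLite doubles the quote
    rather than backslash-escaping it). It only helps inside '...' literals."""
    return s.replace("'", "''")

def vulnerable_lookup(db, user_input):
    """Page's second pattern: the value lands in a numeric, non-delimited
    position, so escaping quotes changes nothing and a UNION can be appended."""
    q = ("SELECT user, max_connections FROM user WHERE max_connections = "
         + escape_quotes(user_input))
    return db.execute(q).fetchall()

# Identifiers cannot be bound as parameters, so the ORDER BY column is
# checked against an explicit allowlist (assumed application policy).
ORDER_COLUMNS = {"user", "max_connections"}

def safe_lookup(db, user_input, order_by="user"):
    """Hardened form: values go through bound parameters, identifiers through
    the allowlist; anything else is rejected before it reaches the SQL text."""
    try:
        limit = int(user_input)          # numeric value: validate the type
    except ValueError:
        raise ValueError("max_connections must be an integer") from None
    if order_by not in ORDER_COLUMNS:   # identifier: allowlist, not escaping
        raise ValueError("unknown sort column: %r" % order_by)
    q = ("SELECT user, max_connections FROM user WHERE max_connections = ? "
         "ORDER BY " + order_by)
    return db.execute(q, (limit,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "10 UNION SELECT name, val FROM secret"))
    print(safe_lookup(db, "10"))
```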
LOAD_FILE function
The LOAD_FILE function returns a string containing the contents of a file, specified by
its path. So, for example, on a Windows box the query
select load_file('c:/boot.ini');
...will retrieve the contents of the boot.ini file.
Obviously, if the target host is running PHP and has magic_quotes turned on, we need to
express the string 'c:/boot.ini' without using single quotes. Fortunately, MySQL accepts
hex-encoded strings as a substitute for string literals.
For example, the following two select statements are equivalent:
select 'c:/boot.ini'
select 0x633a2f626f6f742e696e69
So if we request...
...we get something that looks like:
[boot loader ] timeout==30 default=multi(0)disk(0)rdisk(0)pa 1 1 N N N N N N N N N N N N N N N N N N N N N 1 1 1 1 1 1
In other words, we got the first few bytes of c:/boot.ini, because the 'union' truncates the
string to the length of the first field of the user table – which is 60 characters.
We can address this by using the 'substring' function:
This will select the next 60 characters from 'boot.ini'. In this manner, we can iterate
through the whole file, returning all the data. LOAD_FILE works on binary files, and
SUBSTRING allows you to skip nulls, so the attacker can also use this technique to read
arbitrary binary files.


