1fy07h posted on 2024-11-3 10:37:01

Typing away: a plain-language chat about PHP audits and SQL wide-byte injection


    <div style="color: black; text-align: left; margin-bottom: 10px;">
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The four losers that cause wide-byte injection I introduced yesterday: brothers, do you still remember them?</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438e0000897ad14278c1~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=ewheCJsdlFAbE9fdFNyr4Jy3WaI%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What? Forgot? I think I need to go over yesterday's material once more. Fire away-------&gt;</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;"><strong style="color: blue;">PHP Code Audit: SQL Injection, Part Two</strong></a></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Brothers can't bear to read on: the tutorial I typed up starts with the mysql_-prefixed functions, so is this supposed to be 1995 technology? Don't go; I think it still works as a reference. As for 2017 technology, don't rush, I will definitely write it all out and in detail. First, let's look back at the glory days of those mysql_-prefixed functions.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">----------------------------------Gorgeous divider--------------------you can't appreciate just how beautiful I am</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">addslashes was already taken down yesterday; today's level-clearing task is to defeat mysql_real_escape_string, and then you can advance.</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438e00009b41e59fff10~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=f7HAZ4HrU0Qp1SIMeVTz%2BAwIcqI%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">mysql_real_escape_string escapes the special characters in an SQL statement and takes the current character set into account (remember this sentence: it takes the character encoding we set into account)</strong>
      </p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">, that powerful? The official docs say it can be used safely with mysql_query queries. Oho, it crushes addslashes. OK, Cuihua, bring on the example:</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438e00014c46b6ce4173~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=abwdtKXDey2HyzTQN7uhabxUeq0%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Compared with yesterday's example, only the addslashes function has been replaced with mysql_real_escape_string. And the result? Cuihua, bring on the result:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438d0001603c23285223~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=37CMTsGM5QeNIDxZITXZcuqsboM%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Using yesterday's old method, why did the injection succeed? Did the official docs lie to us? Read on:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">The code uses SET NAMES to set the character set, but the official docs recommend that we use mysql_set_charset. So the first thing we need to understand is: what is the difference between them? What does SET NAMES do? It tells the server which character encoding I am using, and that I expect the results returned to me to be in the same encoding. And mysql_set_charset? It sets the encoding I use when connecting to the database (which means that if mysql_set_charset has not been set, mysql_real_escape_string does not take effect), and besides having the capability of SET NAMES it has one extra feature. What is that extra feature? Read on:</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">As mentioned above, mysql_set_charset takes the character set we set into account. That's right, this is the extra feature: it adopts a different strategy according to our character set.</strong> Instantly looks classier, doesn't it.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438d0000eed120230f23~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=%2FORuTIX8KDUA2VUF1m%2BgkRwj0ok%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">That's a lot of talk; so how do we change the code? OK, let Cuihua show us the modified code:</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438d00016154ca48ae58~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=0SJ9Ah087daNfnQA%2BkuGPJwT1DI%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So easy: <strong style="color: blue;">just add mysql_set_charset; the first parameter is the character set, the second is the connection.</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Cuihua's next dish, I'm sure everyone already knows it. Take a look:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438c00017b41cc12120d~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=x6f%2FNbbHiqfOG9HymDJC0RyJ0kI%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The query succeeded. <strong style="color: blue;">So the first defense against wide-byte injection is born: use mysql_set_charset(gbk) to set the encoding, then use the mysql_real_escape_string() function to filter the parameters.</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">But there is still one common problem.</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438e00018673305bf9ee~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=G6y0gv9i0zDoLGRIx0em2NmuJm8%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A long, long time ago, many of the CMSs people wrote used the addslashes function. Doesn't that mean one %df%27 or the like takes them down easily? Yes. But to fix this we can't possibly change every addslashes into mysql_real_escape_string. Someone says: just search and replace them all. That approach is not going to go smoothly. So how do we handle it?</p>

      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Very simple: set character_set_client to binary.</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">We only need to do one thing: before the SQL statement, specify that the connection's form is binary: mysql_query("SET character_set_connection=gbk,character_set_results=gbk,character_set_client=binary",$conn);</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What does this do? In one sentence: once MySQL receives data from the client, it treats its encoding as character_set_client, then converts it to the character_set_connection encoding, and after the query it returns the result to the client in the character_set_results encoding.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">OK, the second defense against wide-byte injection is born: set character_set_client to binary, so all data is passed in binary form, all 0101 style. I ask you, can a wide-byte injection problem still exist?</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Typing is tiring; let me show off a bit and take a rest first:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://p3-sign.toutiaoimg.com/438d0001a807687c6dbe~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839122&amp;x-signature=m%2F1RXKri9b%2F6fPljRL%2FTtObXtnQ%3D" style="width: 50%; margin-bottom: 20px;"></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Two of the four losers (not the Four Heavenly Kings) are done. Whether mysql_real_escape_string has real strength depends on whether mysql_set_charset has been set; if not, it's a straight KO.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For the code audit method, please refer to the end of the previous article.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I believe by now brothers basically understand wide-byte injection. Next time we'll chat about PDO and the other two Kings.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">-----------------------------------------Dare you say this divider of mine isn't beautiful?</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">OK, if you like 网络三毛, welcome to follow 网络三毛 on WeChat; I post knowledge about auditing, attack and defense, security and penetration from time to time.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">--------------See you next time!</p>
    </div>
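The post states the two defenses (mysql_set_charset plus mysql_real_escape_string, and character_set_client=binary) but does not show at the byte level why a SET NAMES sent as a query leaves mysql_real_escape_string behaving like addslashes. The following added example (not code from the post, the author, or the PHP mysql extension) simulates that mechanism in Python: the escaping routine is a simplified, assumed model of libmysql's multibyte-aware escape function, and the quote scanner is a simplified, assumed model of the server lexer that reads a quoted literal. Both are educational approximations, and the %df%27 sample input is the probe the post already mentions.

```python
# Added example (not from the original post or the PHP mysql extension):
# a byte-level simulation of why addslashes()-style escaping fails on a GBK
# connection and why both defenses from the post work. The escaping routine
# is modelled on libmysql's multibyte-aware escaping and the quote scanner on
# the server lexer; both are simplified assumptions, not the real code.
from urllib.parse import unquote_to_bytes

GBK_LEAD = range(0x81, 0xFF)          # first byte of a two-byte GBK character


def gbk_char_len(data: bytes, i: int) -> int:
    """Return 2 if data[i:i+2] is a valid two-byte GBK character, else 0.
    A lead byte such as 0xDF followed by 0x27 (') is NOT a valid character,
    but 0xDF followed by 0x5C (\\) is; that pairing is the whole bug."""
    if i + 1 < len(data) and data[i] in GBK_LEAD:
        trail = data[i + 1]
        if 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE:
            return 2
    return 0


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): byte-by-byte, charset-unaware backslash before ' \" \\ NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def mysql_real_escape_string(data: bytes, client_charset: str) -> bytes:
    """mysql_real_escape_string() as the client library sees it. Only when the
    library itself knows the connection is GBK (mysql_set_charset) does it walk
    the input by GBK characters; a SET NAMES sent as a plain query does not
    update the library, so it falls back to byte-wise escaping."""
    if client_charset != "gbk":
        return addslashes(data)
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n:                              # valid two-byte character: copy intact
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if b in GBK_LEAD or b in b"'\"\\\x00":
            out += b"\\" + bytes([b])      # a stray lead byte is escaped too, so it
        else:                              # can never pair with a later 0x5C
            out.append(b)
        i += 1
    return bytes(out)


def closing_quote_index(query: bytes, start: int, server_charset: str) -> int:
    """Index where the server lexer ends the single-quoted literal that opens at
    query[start]. It checks for a multibyte character BEFORE it looks for a
    backslash, and a backslash skips exactly one following byte."""
    i = start + 1
    while i < len(query):
        if server_charset == "gbk":
            n = gbk_char_len(query, i)
            if n:
                i += n
                continue
        b = query[i]
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return i
        i += 1
    return -1


def value_stays_quoted(escaped: bytes, server_charset: str) -> bool:
    """True if the escaped value is still entirely inside its quotes when the
    server parses the query (no injection); False if the literal ends early."""
    query = b"SELECT * FROM users WHERE name='" + escaped + b"' AND id=1"
    start = query.index(b"'")
    expected_end = start + 1 + len(escaped)
    return closing_quote_index(query, start, server_charset) == expected_end


# Constructed sample input: the %df%27 probe mentioned in the post.
PAYLOAD = unquote_to_bytes("%df%27 OR 1=1 -- ")


def scenarios(value: bytes = PAYLOAD) -> dict:
    """The three situations the post discusses, keyed by name -> safe?"""
    return {
        # SET NAMES gbk via a query, library still byte-wise: literal ends early
        "set_names_only": value_stays_quoted(
            mysql_real_escape_string(value, "latin1"), "gbk"),
        # defense 1: mysql_set_charset('gbk') + mysql_real_escape_string()
        "mysql_set_charset": value_stays_quoted(
            mysql_real_escape_string(value, "gbk"), "gbk"),
        # defense 2: legacy addslashes() code kept, character_set_client=binary
        "client_binary": value_stays_quoted(addslashes(value), "binary"),
    }


if __name__ == "__main__":
    for name, safe in scenarios().items():
        print(f"{name:20s} {'safe' if safe else 'INJECTED'}")
```

Running it shows `set_names_only` as the only scenario where the literal closes early: the byte-wise escaper turns `\xdf'` into `\xdf\x5c'`, the GBK-aware lexer swallows `\xdf\x5c` as one character, and the quote is left bare. With mysql_set_charset the escaper emits `\x5c\xdf\x5c'`, so the server sees an escaped lead byte followed by an escaped quote; with character_set_client=binary the server never performs the multibyte check at all, which is why untouched addslashes code becomes safe.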




4lqedz posted on 2024-11-9 11:22:44

The forum is a stage; let's express ourselves freely here.

b1gc8v posted on 2024-11-10 21:19:41

I read the OP's post carefully; very helpful.