Shulou(Shulou.com)05/31 Report--

This article will explain in detail the example analysis of wide byte injection in mysql. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

Preface

In mysql, functions such as addslashes,mysql_real_escape_string,mysql_escape_string are used for escape, and in another case, magic_quote_gpc, but the higher version of PHP will remove this feature.

First of all, wide byte injection has nothing to do with HTML page encoding, and the author has seen

Give up trying, this is a misunderstanding, SQL injection is not XSS. Although the causes of their codes are similar, they occur in different places.

A lot of materials on the Internet say that the program uses wide bytes to process the program, but do not specify what the program is. This paper introduces the principle and simple utilization of specific vulnerabilities. The language we limit here is PHP5.4, the database MYSQL5.6.

Some of the concepts involved

Characters, character sets and character order

Characters (character) are the basic units that make up the character set (character set). Assign a numeric value (encoding) to the character to determine its position in the character set.

Character order (collation) refers to the comparison rules between characters in the same character set.

UTF8

Because ASCII represents only 128characters, the norm in the network world is to use UNICODE encoding, but it is not efficient to use UNICODE for characters represented in ASCII. As a result, there is an intermediate format character set, known as the universal conversion format, and UTF (Universal Transformation Format).

Wide byte

GB2312, GBK, GB18030, BIG5, Shift_JIS and so on are all commonly referred to as wide bytes, but there are actually only two bytes. The security problem caused by wide bytes is mainly the phenomenon of eating ASCII characters (one byte).

Character set conversion process of MYSQL

1. MySQL Server converts the request data from character_set_client to character_set_connection when it receives the request

two。 To convert the request data from character_set_connection to internal operation character set before internal operation, the determination method is as follows:

Use the CHARACTER SET of each data field to set the value

If the above value does not exist, the DEFAULT CHARACTER SET setting value of the corresponding data table is used (MySQL extension, non-SQL standard)

If the above value does not exist, the DEFAULT CHARACTER SET of the corresponding database is used to set the value

If the above value does not exist, use character_set_server to set the value.

Converts the result of the operation from the internal operation character set to character_set_results.

Important: the place where wide byte injection occurs is when the character set is encoded once with the character_set_client setting when PHP sends the request to MYSQL.

PHP test code:

Http://localhost/xl.php?sql=root%df%27%20or%201=1%23

It can be executed successfully!

URL Decoding sql=root ú'or 1mm

Parsing process:

$_ GET ['sql'] is encoded by addslashes with'\'1, root%df%5C%27%20or%201=1%232, and gbk character set% df%5c-> mysql is used for processing.% 5c%27-> 'single quotation marks are successfully closed.

The inserted sql statement was executed.

How to eat:

GBK coding, whose coding range is 0 × 8140 ~ 0xFEFE (excluding xx7F), automatically splices% 5c when% df (ascii (223)) > ascii (128) is encountered, so eat'\', while characters of% 27 and% 20 less than ascii (128) are retained.

Add:

GB2312 is compatible with GBK, with a high range of 0xA1~0xF7 and a low range of 0xA1~0xFE (0x5C is not in this range), so you cannot use encoding to eat% 5c.

The analysis process is the same for other wide character sets. To eat% 5c, all you need is a normal 0x5c in the low order.

Safety filtering

The above code uses mysql_query ("set names gbk") to set the encoding. In fact, mysql_set_charset ("gbk") is recommended in mysql. The functions of the two functions are roughly similar, except that the latter modifies the mysql- > charset attribute in the mysql object to the set character set.

At the same time, the matching filter function is mysql_real_escape_string (). Several filtering functions are listed in the above code, and the difference between them is that mysql_real_escape_string () treats the incoming string based on the mysql- > charset attribute in the mysql object, so it can filter based on the current character set.

For specific differences, please refer to: http://www.laruence.com/2010/04/12/1396.html

It can be obtained in the same way

The wide byte injection available above is formed by transcoding, and the transcoding function has also become the cause of the vulnerability.

Transcoding function

Mb_convert_encoding ()

Iconv ()

The following is demonstrated with iconv () to modify the above code:

Http://localhost/xl.php?sql=root%e5%27or%201=1%23

It can also be executed successfully, and the process of code parsing remains the same.

Summarize the causes of the vulnerability:

Code one

1. Unsafe character set setting function and filtering function are used.

2. The vulnerability occurs when PHP requests mysql to transcode using the character_set_ client value.

Code two

1. Use the recommended setting function and filter function.

2. The parsing error occurs when the iconv () function transcodes, GBK turns to UTF8 and eats "\"

3. Transcoding is safe when PHP requests mysql.

In addition:

$user = iconv ('UTF-8',' gbk',$user) when the encoding direction is changed

You can comment out single quotes by entering a\ by visiting http://localhost/xl.php?sql=root%e9%8c%a6.

In this case, two parameters are required to match the injection.

For example:

Http://localhost/xl.php?sql=root%e9%8c%a6 =% 20or%201=1%23, this is the end of the article on "sample analysis of wide byte injection in mysql". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.