Walks

Cybersecurity enthusiast

Understanding Wide-Byte Injection in Depth

Preface:

While reading a PHP book today I came across a section on database character sets, which reminded me of wide-byte injection, something I only half understood myself. I looked up some material and am writing these notes to keep it straight.

Why the injection arises:

Most readers will know what wide-byte injection is: it abuses the GBK encoding by sending a %df byte that "eats" the backslash addslashes() inserts in front of a quote, so the ' escapes from the string literal. GBK is the example here, but it is not the only affected charset: the problem can arise with any multibyte charset in which 0x5C (the backslash) is a valid trail byte, whenever the escaping is done without knowledge of the charset the server will decode the bytes with.

So where does the GBK decoding actually happen?

[Figure: 《深入理解宽字节注入》, a diagram of MySQL's character-set conversion path from the client to the connection]

As the diagram shows, the conversion happens on the way from the client to the connection: the server decodes the bytes it receives from the client according to character_set_client, and when that is gbk the decoding is done as GBK.

Now look at the following code as a concrete case.

<?php
// Database connection. Note that the connection charset is switched to GBK with SET NAMES,
// which changes only the server-side session variables; the client library is not told.
$conn = mysql_connect('localhost', 'root', 'root') or die('bad!');
mysql_query("SET NAMES 'gbk'", $conn);
mysql_select_db('test', $conn) or die('Could not connect to the database: the database you entered was not found');
// Build and execute the SQL statement. addslashes() is charset-unaware: it puts a backslash
// before ' " \ and NUL one byte at a time, so the input %df' becomes the bytes DF 5C 27.
$uid = isset($_GET['uid']) ? addslashes($_GET['uid']) : 1;
echo $uid . "<br>";
$sql = "SELECT * FROM admin WHERE uid='{$uid}'";
echo $sql . "<br>";
$result = mysql_query($sql, $conn) or die(mysql_error());
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="gbk" />
<title>News</title>
</head>
<body>
<?php
$row = mysql_fetch_array($result, MYSQL_ASSOC);
if ($row) {
    echo "<h2>{$row['name']}</h2><p>{$row['uid']}<p>\n";
}
mysql_free_result($result);
?>
</body>
</html>

First, SET NAMES gbk is equivalent to setting character_set_client=gbk, character_set_connection=gbk and character_set_results=gbk for the session.

Now look at the code: the uid taken from GET is first passed through addslashes() and then sent to the database. This is where SET NAMES gbk comes into play: the server decodes the query bytes it receives as GBK (character_set_client), and that decoding is where the injection arises. When we send %df', addslashes() turns it into %df\', that is the bytes DF 5C 27.

Decoded as GBK, DF 5C is a single Chinese character: 0xDF is a valid lead byte and 0x5C, the backslash, is a valid trail byte (GBK trail bytes run from 0x40 to 0xFE, 0x7F excepted). The backslash is absorbed into that character, the following ' is a bare quote that closes the string literal, and whatever comes after it is parsed as SQL. A request such as ?uid=%df%27%20or%201%3d1%23 therefore produces SELECT * FROM admin WHERE uid='<one GBK character>' or 1=1#', and the injection succeeds.


Takeaways:

1: Avoid iconv() where you can; converting between character sets can itself produce this class of problem.

2: Use mysql_set_charset() instead of SET NAMES. SET NAMES only changes the server-side session variables, whereas mysql_set_charset() also updates the client library's own record of the charset (mysql->charset), which is what the escaping function consults. With SET NAMES alone the library still believes the connection is latin1, and even mysql_real_escape_string() then escapes exactly like addslashes().

3: Use mysql_real_escape_string() instead of addslashes(), because the former escapes according to the connection's current character set: it recognises that 0xDF is a lead byte not followed by a valid trail byte and escapes that byte itself, instead of blindly inserting a 0x5C that the server will merge into a GBK character.

These points are written for the old mysql_* extension used in the example, which no longer exists in PHP 7. With mysqli or PDO the equivalent is mysqli_set_charset() (or the charset in the PDO DSN), and the better fix is prepared statements with bound parameters, which keep user input out of the SQL text altogether so no escaping is involved.
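To make the byte-level mechanism concrete, here is an added Python model that is not code from the original post. It covers both the injection walkthrough above and takeaway 3: addslashes() is modelled as the charset-unaware escaper it is, gbk_escape stands in for what mysql_real_escape_string() does once the client library knows the charset is gbk (it is a model of that behaviour, not the library's code), and split_literal is a minimal model of how the MySQL lexer scans a single-quoted literal under character_set_client=gbk (two-byte GBK characters are consumed as a unit before backslash escapes are considered). The payload ?uid=%df%27%20OR%201%3D1%20--%20 is constructed for the example; no database is needed.

```python
# Constructed sample input: what PHP sees in $_GET['uid'] after the web server
# URL-decodes ?uid=%df%27%20OR%201%3D1%20--%20 (assumed payload, not from the post).
PAYLOAD = b"\xdf' OR 1=1 -- "


def is_gbk_lead(b):
    """GBK lead bytes are 0x81..0xFE."""
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b):
    """GBK trail bytes are 0x40..0xFE except 0x7F; 0x5C (backslash) is one of them."""
    return 0x40 <= b <= 0xFE and b != 0x7F


def addslashes(data):
    """Charset-unaware escaping like PHP's addslashes(): backslash-escapes
    ' " \\ and NUL one byte at a time, never looking at multibyte characters."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def gbk_escape(data):
    """GBK-aware escaping, a model of mysql_real_escape_string() after
    mysql_set_charset('gbk'): a complete two-byte GBK character passes through
    untouched; a lone lead byte (not followed by a valid trail byte) is itself
    backslash-escaped, so it can no longer pair with the backslash that
    protects a following quote; the usual specials are escaped as well."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if is_gbk_lead(b) or b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
        i += 1
    return bytes(out)


def split_literal(sql, start):
    """Model of the MySQL lexer reading the single-quoted literal that opens at
    sql[start] when character_set_client=gbk: a valid two-byte GBK character is
    consumed whole before escape handling, and a backslash outside such a
    character escapes the next byte. Returns (literal_body, bytes_after_quote)."""
    if sql[start] != 0x27:
        raise ValueError("no opening quote at start")
    body = bytearray()
    i = start + 1
    while i < len(sql):
        b = sql[i]
        if is_gbk_lead(b) and i + 1 < len(sql) and is_gbk_trail(sql[i + 1]):
            body += sql[i:i + 2]            # one GBK character, backslash and all
            i += 2
        elif b == 0x5C and i + 1 < len(sql):
            body.append(sql[i + 1])         # escaped byte, taken literally
            i += 2
        elif b == 0x27:
            return bytes(body), sql[i + 1:]  # closing quote found
        else:
            body.append(b)
            i += 1
    raise ValueError("unterminated string literal")


def build_and_parse(uid, escape):
    """Build the post's query with the given escaper and parse its uid literal
    the way the GBK-configured server would."""
    sql = b"SELECT * FROM admin WHERE uid='" + escape(uid) + b"'"
    return split_literal(sql, sql.index(b"'"))


def injected(uid, escape):
    """True when part of the input ends up outside the intended literal."""
    _body, rest = build_and_parse(uid, escape)
    return rest != b""


if __name__ == "__main__":
    for name, esc in (("addslashes", addslashes), ("gbk_escape", gbk_escape)):
        body, rest = build_and_parse(PAYLOAD, esc)
        print(name, "literal:", body, "| after literal:", rest,
              "| injected:", injected(PAYLOAD, esc))
```

With addslashes the literal closes after the bytes DF 5C (one GBK character) and " OR 1=1 -- " is left as SQL; with the charset-aware escaper the lead byte is escaped first, the quote stays escaped, and the whole payload remains inside the literal.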


References:

http://www.freebuf.com/articles/web/31537.html

http://www.91ri.org/8611.html

http://www.laruence.com/2008/01/05/12.html


  1. lulu says:

    May I repost this?

    1. walks says:

      Yes, just credit the original source.
