Sqli-LABS Walkthrough Notes - 18 - Auditing SQL Injection 2

Posted 可我浪费着我寒冷的年华


What I learned in this level:

1. Look several times at anything that interacts with the database, especially for injection through HTTP headers.

2.

  1 <?php
  2 //including the mysql connect parameters.
  3 include("../sql-connections/sql-connect.php");
  4 error_reporting(0);
  5     
  6 function check_input($value)
  7     {
  8     if(!empty($value))
  9         {
 10         // truncation (see comments)
 11         $value = substr($value,0,20);
 12         }
 13 
 14         // Stripslashes if magic quotes enabled
 15         if (get_magic_quotes_gpc())
 16             {
 17             $value = stripslashes($value);
 18             }
 19 
 20         // Quote if not a number
 21         if (!ctype_digit($value))
 22             {
 23             $value = "'" . mysql_real_escape_string($value) . "'";
 24             }
 25         
 26     else
 27         {
 28         $value = intval($value);
 29         }
 30     return $value;
 31     }
 32 
 33 
 34 
 35     $uagent = $_SERVER['HTTP_USER_AGENT'];   # $_SERVER['HTTP_USER_AGENT'] is the content of the current request's User-Agent: header. More on $_SERVER: http://www.cnblogs.com/xishaonian/p/6160893.html
 36     $IP = $_SERVER['REMOTE_ADDR']; # the current user's IP
 37     echo "<br>";
 38     echo 'Your IP ADDRESS is: ' .$IP;
 39     echo "<br>";
 40     //echo 'Your User Agent is: ' .$uagent;
 41 // take the variables
 42 if(isset($_POST['uname']) && isset($_POST['passwd'])) # check whether uname and passwd were submitted
 43 
 44     {
 45     $uname = check_input($_POST['uname']);  # filter the submitted uname with check_input
 46     $passwd = check_input($_POST['passwd']); # filter the submitted passwd with check_input
 47     
 48     
 49     echo 'Your Your User name:'. $uname;
 50     echo "<br>";
 51     echo 'Your Password:'. $passwd;
 52     echo "<br>";
 53     echo 'Your User Agent String:'. $uagent;
 54     echo "<br>";
 55     echo 'Your User Agent String:'. $IP;
 56     
 57 
 58     //logging the connection parameters to a file for analysis.    
 59     $fp=fopen('result.txt','a');
 60     fwrite($fp,'User Agent:'.$uname."\n");
 61     
 62     fclose($fp);
 63     
 64     
 65     
 66     $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
 67     $result1 = mysql_query($sql);  # run the SQL statement in $sql; mysql_query sends a query to MySQL
 68     $row1 = mysql_fetch_array($result1);
 69         if($row1)     # if $row1 is truthy
 70             {
 71             echo '<font color= "#FFFF00" font size = 3 >';
 72             $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
 73             mysql_query($insert);
 74             //echo 'Your IP ADDRESS is: ' .$IP;
 75             echo "</font>";
 76             //echo "<br>";
 77             echo '<font color= "#0000ff" font size = 3 >';            
 78             echo 'Your User Agent is: ' .$uagent;
 79             echo "</font>";
 80             echo "<br>";
 81             print_r(mysql_error());            
 82             echo "<br><br>";
 83             echo '<img src="../images/flag.jpg"  />';
 84             echo "<br>";
 85             
 86             }
 87         else
 88             {
 89             echo '<font color= "#0000ff" font size="3">';
 90             //echo "Try again looser";
 91             print_r(mysql_error());
 92             echo "</br>";            
 93             echo "</br>";
 94             echo '<img src="../images/slap.jpg"   />';    
 95             echo "</font>";  
 96             }
 97 
 98     }
 99 
100 ?>

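 Note line 72: the incoming $uagent and $IP are placed into the database query without any processing. Unlike $uname and $passwd, they never pass through check_input().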
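
An added example (not part of the original notes or of sqli-labs): the line-72 INSERT rewritten with bound parameters, so the header value is passed as data and never becomes part of the SQL text. It assumes PDO with an in-memory SQLite table standing in for `security`.`uagents`; the function names, the 256-byte cap and the sample User-Agent are constructed for illustration.

```php
<?php
// Added example: hardened form of the line-72 INSERT, using bound parameters.
// Assumption: PDO with an in-memory SQLite database stands in for the lab's
// MySQL `security`.`uagents` table so the script runs offline.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE uagents (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        uagent TEXT NOT NULL,
        ip_address TEXT NOT NULL,
        username TEXT NOT NULL)');
    return $pdo;
}

// Header values are client-controlled: limit their length and bind them as
// data, so they are never concatenated into the statement.
function log_user_agent(PDO $pdo, string $uagent, string $ip, string $uname): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid IP address');
    }
    $uagent = substr($uagent, 0, 256);   // cap is an assumption; match the column width
    $stmt = $pdo->prepare(
        'INSERT INTO uagents (uagent, ip_address, username) VALUES (:ua, :ip, :un)'
    );
    $stmt->execute([':ua' => $uagent, ':ip' => $ip, ':un' => $uname]);
}

$pdo = open_demo_db();

// Constructed sample input: a User-Agent that contains quote characters.
$sampleUa = "Mozilla/5.0 (X11; Linux) O'Brien \"test\" build";
log_user_agent($pdo, $sampleUa, '192.0.2.10', 'admin');

$row = $pdo->query('SELECT uagent, ip_address, username FROM uagents')
           ->fetch(PDO::FETCH_ASSOC);

// Compare what was stored with what was sent: the quotes must survive verbatim.
var_dump($row['uagent'] === $sampleUa);
echo $row['uagent'], PHP_EOL;
```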

 

 

 

 

 
