sqli-labs-Less-21 - sqli-labs-Less-24

Writing

创建时间:2019-01-19 16:33

阅读:

前言
正文

前言

秉承着要通过sqli-labs练习平台，然后今天继续刷关。再次做个记录

正文

sqli-labs第二十一关：
代码如下：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Less-21 Cookie Injection- Error Based- complex - string</title>
</head>

<body bgcolor="#000000">
<?php
//including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
if(!isset($_COOKIE['uname'])) /*如果不存在cookie*/
    {
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");

    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome&nbsp;&nbsp;&nbsp;<font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";


    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';

    echo ' <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;';
    echo '   <input type="text"  name="uname" value=""/>  </div>';

    echo ' <div> Password : &nbsp; &nbsp; &nbsp;';
    echo '   <input type="text" name="passwd" value=""/></div></br>';    
    echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';

    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-21.jpg" />';
    echo '</center>';






function check_input($value)
    {
    if(!empty($value)) /*判断$value不为空*/
        {
        $value = substr($value,0,20); // truncation (see comments) /*从0的位置开始取值，长度为20*/
        }
        if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled /*开启get_magic_quotes_gpc()*/
            {
            $value = stripslashes($value);
            }
        if (!ctype_digit($value))       // Quote if not a number /*判断是否为纯数字*/
            {
            $value = "'" . mysql_real_escape_string($value) . "'";
            }
    else
        {
        $value = intval($value); /*取整数类型*/
        }
    return $value;
    }



    echo "<br>";
    echo "<br>";

    if(isset($_POST['uname']) && isset($_POST['passwd'])) /*判断uname和passwd是否为空*/
        {

        $uname = check_input($_POST['uname']); /*过滤操作*/
        $passwd = check_input($_POST['passwd']);




        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
            if($row1)
                {
                echo '<font color= "#FFFF00" font size = 3 >';
                setcookie('uname', base64_encode($row1['username']), time()+3600);    

                echo "I LOVE YOU COOKIES";
                echo "</font>";
                echo '<font color= "#0000ff" font size = 3 >';            
                //echo 'Your Cookie is: ' .$cookee;
                echo "</font>";
                echo "<br>";
                print_r(mysql_error());            
                echo "<br><br>";
                echo '<img src="../images/flag.jpg" />';
                echo "<br>";
                header ('Location: index.php');
                }
            else
                {
                echo '<font color= "#0000ff" font size="3">';
                //echo "Try again looser";
                print_r(mysql_error());
                echo "</br>";            
                echo "</br>";
                echo '<img src="../images/slap.jpg" />';    
                echo "</font>";  
                }
            }

            echo "</font>";  
    echo '</font>';
    echo '</div>';

}
else
{



    if(!isset($_POST['submit']))
        {
            $cookee = $_COOKIE['uname'];
            $format = 'D d M Y - H:i:s';
            $timestamp = time() + 3600;
            echo "<center>";
            echo "<br><br><br><b>";
            echo '<img src="../images/Less-21.jpg" />';
            echo "<br><br><b>";
            echo '<br><font color= "red" font size="4">';    
            echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
            echo "</font><br>";    
            echo '<font color= "cyan" font size="4">';    
            echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];            
            echo "</font><br>";            
            echo '<font color= "#FFFF00" font size = 4 >';
            echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
            echo '<font color= "orange" font size = 5 >';            
            echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);

            $cookee = base64_decode($cookee);
            echo "<br></font>";
            $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
            $result=mysql_query($sql);
            if (!$result)
                  {
                  die('Issue with your mysql: ' . mysql_error());
                  }
            $row = mysql_fetch_array($result);
            if($row)
                {
                  echo '<font color= "pink" font size="5">';    
                  echo 'Your Login name:'. $row['username'];
                  echo "<br>";
                echo '<font color= "grey" font size="5">';      
                echo 'Your Password:' .$row['password'];
                  echo "</font></b>";
                echo "<br>";
                echo 'Your ID:' .$row['id'];
                  }
            else    
                {
                echo "<center>";
                echo '<br><br><br>';
                echo '<img src="../images/slap1.jpg" />';
                echo "<br><br><b>";
                //echo '<img src="../images/Less-20.jpg" />';
                }
            echo '<center>';
            echo '<form action="" method="post">';
            echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
            echo '</form>';
            echo '</center>';
        }    
    else
        {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
                setcookie('uname', base64_encode($row1['username']), time()-3600);
                header ('Location: index.php');
        echo '</font></center></br>';

        }        


            echo "<br>";
            echo "<br>";
            //header ('Location: main.php');
            echo "<br>";
            echo "<br>";

            //echo '<img src="../images/slap.jpg" /></center>';
            //logging the connection parameters to a file for analysis.    
        $fp=fopen('result.txt','a');
        fwrite($fp,'Cookie:'.$cookee."\n");

        fclose($fp);

}
?>

</body>
</html>

通过阅读对应的PHP代码后发现先将cookie的值进行base64加密然后在赋予cookie，然后到处理cookie的时候解密对应的base64编码，带入数据库查询。中途没有做任何过滤，那么就给了注入的机会。
解密cookie的值发现为admin，然后尝试带入‘，并且base64编码带入查询

报错注入带走

二十二关是一样的，只是将’改为了“
kCZrS1.md.png

第二十三关：
代码如下：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-23 **Error Based- no comments**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
$id=$_GET['id'];

//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id); /*正则替换*/
$id = preg_replace($reg1, $replace, $id);
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font color= "#0000ff">';    
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else 
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}

?>
</font> </div></br></br></br><center>
<img src="../images/Less-23.jpg" /></center>
</body>
</html>

阅读代码后发现，注释符都给过滤掉了。那么只能手动闭合了
and ‘1’=’1

第二十四关：
代码过多，这里就不放出来了。就指出关键在哪吧

图中的所指的没有做任何过滤就带入数据库更新
那么可能是修改密码处，出现了问题。尝试一下

注册了三个账号，一个叫haq520 密码为：haq520
一个叫：haq520' 密码为：haq520!
一个叫：haq520'# 密码为：haq5201314!

第一个登陆成功
kCmK8s.md.png
尝试修改密码没有任何问题

第二个
kCmBKx.md.png
尝试修改密码，出现异常

第三个

尝试修改密码

密码更新成功

尝试登陆第一个账号，发现密码已经被改成admin了
kCm7dS.md.png

kCmLGj.md.png

通过这个例子我们逆向猜测出，现实可能也有这种情况。
所以在挖洞的时候可以进行一定的测试

世界上所有的不利，都是由当事人的能力不足所造成《金木研》

转载请声明：转自422926799.github.io

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。