sqli-labs————less 20

Less-20

这里做一个简单的测试：

username：admin

password：aaa

从上面的显示结果中，我们看到了user-agent、COOKIE的内容，我们这里查看一下源代码看看，到底是怎么回事：

 Welcome    Dhakkan 

"; echo "

"; echo "

"; echo ""; echo '

'; echo '

Username :    '; echo '

'; echo '

Password :      '; echo '

'; echo '

'; echo '

'; echo '

'; echo '

'; echo '

'; echo ''; echo '


'; echo ''; echo ''; function check_input($value) { if(!empty($value)) { $value = substr($value,0,20); // truncation (see comments) } if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled { $value = stripslashes($value); } if (!ctype_digit($value)) // Quote if not a number { $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = intval($value); } return $value; } echo "
"; echo "
"; if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname = check_input($_POST['uname']); $passwd = check_input($_POST['passwd']); $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; $result1 = mysql_query($sql); $row1 = mysql_fetch_array($result1); $cookee = $row1['username']; if($row1) { echo ''; setcookie('uname', $cookee, time()+3600); header ('Location: index.php'); echo "I LOVE YOU COOKIES"; echo ""; echo ''; //echo 'Your Cookie is: ' .$cookee; echo ""; echo "
"; print_r(mysql_error()); echo "

"; echo ''; echo "
"; } else { echo ''; //echo "Try again looser"; print_r(mysql_error()); echo "
"; echo "
"; echo ''; echo ""; } } echo ""; echo ''; echo '

'; } else { if(!isset($_POST['submit'])) { $cookee = $_COOKIE['uname']; $format = 'D d M Y - H:i:s'; $timestamp = time() + 3600; echo ""; echo '


'; echo ''; echo "

"; echo '
'; echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT']; echo "
"; echo ''; echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR']; echo "
"; echo ''; echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE
"; echo ''; echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp); echo "
"; $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1"; $result=mysql_query($sql); if (!$result) { die('Issue with your mysql: ' . mysql_error()); } $row = mysql_fetch_array($result); if($row) { echo ''; echo 'Your Login name:'. $row['username']; echo "
"; echo ''; echo 'Your Password:' .$row['password']; echo ""; echo "
"; echo 'Your ID:' .$row['id']; } else { echo ""; echo '


'; echo ''; echo "

"; //echo ''; } echo ''; echo '

'; echo ''; echo '

'; echo ''; } else { echo ''; echo "
"; echo "
"; echo "
"; echo "
"; echo "
"; echo "
"; echo ''; echo " Your Cookie is deleted"; setcookie('uname', $row1['username'], time()-3600); header ('Location: index.php'); echo '
'; } echo "
"; echo "
"; //header ('Location: main.php'); echo "
"; echo "
"; //echo ''; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'Cookie:'.$cookee."\n"); fclose($fp); } ?> 从源代码中我们可以看到COOKIE从username中获得值后，当再次刷新时，会从COOKIE中读取username，然后进行查询。

登录成功之后，我们可以修改cookie,当再次刷新的时候，这时候sql语句就会被修改，我们使用tamper data进行演示：

cookie:

uname=admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e))#

从上面的截图中我们可以看到爆出了mysql的路径。