sqli-labs————less 21

Less-21

做一个简单测试：
username：admin
password：aaa

这里的界面和上一关的内容差不多，唯一的区别就是cookie使用了base64进行了加密，这里我们贴出该关的代码：

 Welcome    Dhakkan 

"; echo "

"; echo "

"; echo ""; echo '

'; echo '

Username :    '; echo '

'; echo '

Password :      '; echo '

'; echo '

'; echo '

'; echo '

'; echo '

'; echo '

'; echo ''; echo '


'; echo ''; echo ''; function check_input($value) { if(!empty($value)) { $value = substr($value,0,20); // truncation (see comments) } if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled { $value = stripslashes($value); } if (!ctype_digit($value)) // Quote if not a number { $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = intval($value); } return $value; } echo "
"; echo "
"; if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname = check_input($_POST['uname']); $passwd = check_input($_POST['passwd']); $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; $result1 = mysql_query($sql); $row1 = mysql_fetch_array($result1); if($row1) { echo ''; setcookie('uname', base64_encode($row1['username']), time()+3600); echo "I LOVE YOU COOKIES"; echo ""; echo ''; //echo 'Your Cookie is: ' .$cookee; echo ""; echo "
"; print_r(mysql_error()); echo "

"; echo ''; echo "
"; header ('Location: index.php'); } else { echo ''; //echo "Try again looser"; print_r(mysql_error()); echo "
"; echo "
"; echo ''; echo ""; } } echo ""; echo ''; echo '

'; } else { if(!isset($_POST['submit'])) { $cookee = $_COOKIE['uname']; $format = 'D d M Y - H:i:s'; $timestamp = time() + 3600; echo ""; echo "


"; echo ''; echo "

"; echo '
'; echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT']; echo "
"; echo ''; echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR']; echo "
"; echo ''; echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE
"; echo ''; echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp); $cookee = base64_decode($cookee); echo "
"; $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1"; $result=mysql_query($sql); if (!$result) { die('Issue with your mysql: ' . mysql_error()); } $row = mysql_fetch_array($result); if($row) { echo ''; echo 'Your Login name:'. $row['username']; echo "
"; echo ''; echo 'Your Password:' .$row['password']; echo ""; echo "
"; echo 'Your ID:' .$row['id']; } else { echo ""; echo '


'; echo ''; echo "

"; //echo ''; } echo ''; echo '

'; echo ''; echo '

'; echo ''; } else { echo ''; echo "
"; echo "
"; echo "
"; echo "
"; echo "
"; echo "
"; echo ''; echo " Your Cookie is deleted"; setcookie('uname', base64_encode($row1['username']), time()-3600); header ('Location: index.php'); echo '
'; } echo "
"; echo "
"; //header ('Location: main.php'); echo "
"; echo "
"; //echo ''; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'Cookie:'.$cookee."\n"); fclose($fp); } ?>

我们这里与上一关一样，修改cookie即可，唯一的附加内容就是将cookie进行base64加密：

cookie值为：

YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=

这里开启了了print-r(mysql_error)所以，可以使用报错注入获取你所想要的各种信息，这里就不再多做介绍了。