sqli-labs: Less-55

Less-55

[Image 1: sqli-labs Less-55]

Source code:

```php
// Page title: Less-55:Challenge-2
// Page banner: Welcome    Dhakkan
// HTML tags inside the echo strings were stripped from this listing, which is
// why several strings are empty.
// ... the opening of the script is missing; the listing resumes inside the reset branch ...
        echo "You have reset the Challenge\n";
        echo "Redirecting you to main challenge page..........\n";
        header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        //echo "cookie expired";
    }
    else
    {
        // Checking the cookie on the page and populate the table with random value.
        if(isset($_COOKIE['challenge']))
        {
            $sessid=$_COOKIE['challenge'];
            //echo "Cookie value: ".$sessid;
        }
        else
        {
            $expire = time()+60*60*24*30;
            $hash = data($table,$col);
            setcookie("challenge", $hash, $expire);
        }
        echo "\n";

        // take the variables
        if(isset($_GET['id']))
        {
            $id=$_GET['id'];

            //logging the connection parameters to a file for analysis.
            $fp=fopen('result.txt','a');
            fwrite($fp,'ID:'.$id."\n");
            fclose($fp);

            //update the counter in database
            next_tryy();

            //Display attempts on screen.
            $tryyy = view_attempts();
            echo "You have made : ". $tryyy ." of $times attempts";
            echo "\n";

            //Reset the Database if you exceed allowed attempts.
            if($tryyy >=($times+1))
            {
                setcookie('challenge', ' ', time() - 3600000);
                echo "You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset\n";
                echo "Redirecting you to challenge page..........\n";
                echo "\n";
                header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
            }

            // Query DB to get the correct output
            // $id from the request is concatenated unescaped inside the
            // parentheses: this is the lesson's injection point.
            $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
            $result=mysql_query($sql);
            $row = mysql_fetch_array($result);

            if($row)
            {
                echo '';
                echo 'Your Login name:'. $row['username'];
                echo "";
                echo 'Your Password:' .$row['password'];
                echo "";
            }
            else
            {
                echo '';
                // print_r(mysql_error());   // error output is disabled
                echo "";
            }
        }
        else
        {
            echo "Please input the ID as parameter with numeric value as done in Lab excercises\n\n";
            echo "The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than $times attempts";
            echo "For fun, with every reset, the challenge spawns random table name, column name, table data. Keeping it fresh at all times." ;
        }
    }
?>
```

```php
// HTML form label: Submit Secret Key:
// ... the listing resumes in the branch that checks a submitted key ...
    echo '';
    // The submitted key is escaped before it is placed in the quoted string.
    $key = addslashes($_POST['key']);
    $key = mysql_real_escape_string($key);
    //echo $key;

    //Query table to verify your result
    $sql="SELECT 1 FROM $table WHERE $col1= '$key'";
    //echo "$sql";
    $result=mysql_query($sql)or die("error in submittion of Key Solution".mysql_error());
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '';
        echo "\n";
        echo '';
        echo "";
        header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
    }
    else
    {
        echo '';
        echo "\n";
        echo '';
        header( "refresh:3;url=index.php" );
        //print_r(mysql_error());
        echo "";
    }
}
?>
```
SQL statement executed:

```php
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
```

Based on this SQL statement and the theory covered earlier, we give the payload directly:

[Image 2: sqli-labs Less-55]

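I won't go through the rest of the process; readers can construct it themselves, since it was already demonstrated in the previous lesson.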
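For the defensive side of this lesson, here is the `id=($id)` lookup rewritten with integer validation and a bound parameter, next to the statement text the original concatenation produces. This is an added example, not part of the original post or of sqli-labs; it assumes PHP with the pdo_sqlite extension, and the in-memory table, its rows, the sample inputs and the function names are constructed for illustration.

```php
<?php
// Added example (not sqli-labs code). Assumes the pdo_sqlite extension; an
// in-memory table with constructed rows stands in for security.users.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'user-a', 'pw-a'), (2, 'user-b', 'pw-b')");
    return $db;
}

// What the lesson's query becomes once $id is concatenated: the value is
// parsed as SQL, so its own parentheses and keywords change the statement.
function concatenated_sql(string $id): string
{
    return "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
}

// Hardened lookup: reject anything that is not a positive integer, then bind
// the value so the statement text never depends on the request.
function lookup_user(PDO $db, string $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null;                       // not a plain positive integer
    }
    $stmt = $db->prepare('SELECT username, password FROM users WHERE id = (:id) LIMIT 0,1');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();
// Constructed inputs: two normal ids, and one that closes the parenthesis.
foreach (['1', '2', '0) OR (1=1'] as $id) {
    echo 'input:  ', $id, PHP_EOL;
    echo 'legacy: ', concatenated_sql($id), PHP_EOL;
    $row = lookup_user($db, $id);
    echo 'bound:  ', $row === null ? 'rejected / no row' : $row['username'], PHP_EOL, PHP_EOL;
}
```

The `legacy:` line shows how the third input rewrites the WHERE clause when concatenated, while the bound lookup rejects it before any SQL is built.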
