Less-16
Source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-16- Blind- Time Based- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/> </div>
<div> Password : <input type="text" name="passwd" value=""/> </div></br>
<div style=" margin-top:9px;margin-left:90px;"> <input type="submit" name="submit" value="Submit" /> </div>
</form>
</div></div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);
    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "</br>";
        echo "</br>";
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
From the source code we can see that this is a blind injection: the page only shows a success or failure image, error_reporting(0) is set and the mysql_error() output is commented out, so error-based injection cannot be used. That leaves boolean-based injection and time-based injection!
During injection we need to close the double quotes and the parentheses, because each input is wrapped as username=("...") and password=("...") before being placed in the query.
Boolean-based injection:
username:admin") and left(version(),1)=5 #
password:aaa
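To make the quote-and-parenthesis point concrete from the defender's side, here is an added example (not the sqli-labs code and not from the writeup's author) that rebuilds the Less-16 query string the same way the PHP does, and beside it the hardened form that passes the values as bound parameters. The users table and its two rows are constructed for this example; the in-memory SQLite database stands in for the lab's MySQL instance, so the MySQL-only pieces of the page's payload (left(), version(), the # comment) are only shown inside the concatenated string, never executed.

```python
import sqlite3

# Sample credentials, constructed for this example (not from the lab's database).
SAMPLE_USERS = [("admin", "s3cret"), ("dumb", "Dumb")]


def build_query_unsafe(uname, passwd):
    """Rebuild the query exactly as Less-16 does: each raw POST value is wrapped in
    double quotes, then in parentheses, and pasted into the SQL text. Any quote or
    parenthesis inside the value therefore becomes SQL syntax rather than data."""
    uname = '"' + uname + '"'
    passwd = '"' + passwd + '"'
    return ("SELECT username, password FROM users WHERE username=(%s) and password=(%s) LIMIT 0,1"
            % (uname, passwd))


def setup_db():
    """Create an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_safe(conn, uname, passwd):
    """Hardened form: the SQL text is fixed and the values travel separately as
    bound parameters, so quotes and parentheses in the input are compared as
    literal characters and can never close the surrounding syntax."""
    cur = conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1",
        (uname, passwd),
    )
    return cur.fetchone()


def main():
    payload = 'admin") and left(version(),1)=5 #'   # the page's own boolean payload
    # Unsafe construction: the ") in the value closes the lab's ("...") wrapper,
    # and everything after it is parsed as SQL.
    print(build_query_unsafe(payload, "aaa"))
    conn = setup_db()
    # Safe construction: the same value matches no row, because no user is
    # literally named 'admin") and left(version(),1)=5 #'.
    print(login_safe(conn, payload, "aaa"))        # None
    print(login_safe(conn, "admin", "s3cret"))     # ('admin', 's3cret')


if __name__ == "__main__":
    main()
```

One further point visible in the lab's source: every submitted username and password is appended in clear text to result.txt before the query runs. A hardened login should neither build SQL by concatenation nor write credentials to a log file.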
I won't go into the rest of the exploitation here!
Time-based injection:
I won't go into the rest here!