SQL injection labs exercises

Less-17

This level is an injection into an UPDATE statement.


The update statement has the form: UPDATE users (table) SET passwd (field) = $_POST['passwd'] (quoting unknown) WHERE uname (field) = $_POST['uname'] (quoting unknown);

An UPDATE statement could be injected through either of the two inputs, User Name and New Password, but a successful update returns no useful data, so union-based injection cannot be used. Error-based injection and time-based injection can be considered; Boolean-based injection cannot be used.

Step 1: determine the quoting (closing) mode

Adding a ' after uname = admin1 fails.

Adding a ' after passwd = admin1 succeeds (the database throws an error), which shows that the value is closed with single quotes. Working out the closing mode is usually fairly tedious, but the principle is simple, so I will not go into it.

Question: why can New Password be injected here but User Name cannot?

Looking at the source code of Less-17, we can see that the author used check_input($_POST['uname']); and emphasized that this prevents injection through uname.

Let us first look at this function.

Two important conditions under which MySQL injection does not occur are: 1. the injected statement is escaped; 2. the injected statement is filtered.

In check_input(), the substr() function first limits the maximum length to 15 characters, and anything beyond that is discarded. It then checks whether magic quotes are enabled (when magic_quotes_gpc = on, get_magic_quotes_gpc() returns 1), and if so the stripslashes() function removes the backslashes. Then ctype_digit() checks whether the value is a decimal number, returning true if it is and false if it is not; so when the input is not a decimal number, it is filtered through mysql_real_escape_string().

The characters above are affected by that escaping; finally, intval() converts the value to an integer as a data type conversion. check_input() can be regarded as a security filtering function written by the author, which uses these filters and escapes to avoid SQL injection. Whether it absolutely eliminates SQL injection,

I cannot answer due to my limited level, but it at least prevents the vast majority of SQL injection.
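As an added example (not the lab's PHP code), the following Python rendition of the check_input() logic and of the lab's UPDATE sink shows why the filtered uname probe "fails" (no rows change, no error), why a quote in the unfiltered passwd field produces a database error, and what a parameterized UPDATE does with the same input. SQLite stands in for MySQL, quote doubling stands in for mysql_real_escape_string(), and the users table holds constructed sample rows; all function names are my own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (sample rows, not the lab's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "admin"), ("admin1", "admin1")])
    return db


def check_input(value: str) -> str:
    """Python rendition of Less-17's check_input(): keep at most 15 characters; a decimal
    number goes through intval(); anything else is quoted and escaped. Doubling the quote
    is SQLite's escape and stands in for mysql_real_escape_string() here."""
    value = value[:15]
    if value.isascii() and value.isdigit():
        return str(int(value))
    return "'" + value.replace("'", "''") + "'"


def update_password_lab(db: sqlite3.Connection, uname: str, passwd: str) -> int:
    """The lab's shape: uname is filtered, the new password is concatenated into the SQL raw."""
    sql = f"UPDATE users SET password='{passwd}' WHERE username={check_input(uname)}"
    return db.execute(sql).rowcount


def update_password_safe(db: sqlite3.Connection, uname: str, passwd: str) -> int:
    """Hardened form: both values are bound parameters and never become part of the SQL text."""
    return db.execute("UPDATE users SET password=? WHERE username=?", (passwd, uname)).rowcount


def password_of(db: sqlite3.Connection, uname: str):
    row = db.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()
    return row[0] if row else None


def probe(use_lab_code: bool, uname: str, passwd: str):
    """Run one password change on a fresh table and return the three signals the page reads
    off the lab: (rows changed, database error text or None, admin1's stored password)."""
    db = make_db()
    update = update_password_lab if use_lab_code else update_password_safe
    try:
        rows = update(db, uname, passwd)
        return rows, None, password_of(db, "admin1")
    except sqlite3.OperationalError as exc:
        return 0, str(exc), password_of(db, "admin1")
```

With the lab's shape, the probe through uname matches no row and the probe through passwd raises a syntax error; with bound parameters the quote is simply stored as part of the new password.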

Question 2: why can Boolean-based injection not be used?

First look at the data in the users table.

Then run the SQL statement; although its logic is wrong, it still reports that the statement executed successfully.

Looking at the users table again, the data has not changed, because the statement was not actually executed even though success was displayed.

What if it is 1=1?

Although Boolean-based injection is not possible, time-based injection still works; since it cannot be shown visually, I will not demonstrate it, and you can try it yourself.

Step 2: error-based injection

The updatexml statement successfully reveals the database name; replacing (select database()) also reveals other information, which I will not show one by one.

Commonly used error-based statements

1. union select 1,count(*),concat(0x7e,(query),0x7e,floor(rand(0)*2))x from information_schema.columns group by x --+

2. and extractvalue(1,concat(0x7e,(query),0x7e)) --+

3. and updatexml(1,concat(0x7e,(query),0x7e),1)

These three are the most commonly used and are also fairly easy to remember.


Source: www.cnblogs.com/zyx2019/p/11269696.html