sqli-labs_17 sqli-labs_19

  1. Preface
  2. Main text

Preface

This morning I cleared sqli-labs levels 17 to 19. I feel that auditing code has become a little more fluent, and the things I understand are slowly growing.

Main text

First, look at the code for level 17:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-17 Update Query- Error based - String</title>
</head>

<body bgcolor="#000000">

<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font>&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">


<!--Form to post the contents -->
<form action="" name="form1" method="post">

  <div style="margin-top:15px; height:30px;">User Name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: &nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text"  name="uname" value=""/>  </div>

  <div> New Password : &nbsp; &nbsp;
    <input type="text" name="passwd" value=""/></div></br>
    <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">



<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php"); /* includes sql-connect.php */
error_reporting(0); /* error reporting level set to 0 */

function check_input($value)
    {
    if(!empty($value)) /* check whether $value is non-empty */
        {
        // truncation (see comments)
        $value = substr($value,0,15); /* take the substring of $value starting at position 0, with length 15 */
        }

        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc()) /* returns the current magic_quotes_gpc setting, which controls the magic_quotes state for GPC (Get/Post/Cookie) data. When magic_quotes is on, every ' (single quote), " (double quote), \ (backslash) and NUL is automatically escaped with a backslash. */
            {
            $value = stripslashes($value);
            }

        // Quote if not a number
        if (!ctype_digit($value)) /* checks whether the string consists only of digits */
            {
            $value = "'" . mysql_real_escape_string($value) . "'";
            }

    else
        {
        $value = intval($value); /* intval: get the integer value of a variable */
        }
    return $value;
    }

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd'])) /* check that the variables are set and not null */

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);   /* call check_input to sanitise uname */

$passwd=$_POST['passwd'];


//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);


// connectivity 
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
echo $sql;

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
    if($row)
    {
          //echo '<font color= "#0000ff">';    
        $row1 = $row['username'];      
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
          echo "<br>";



        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;        
            echo "<br>";
            echo "</font>";
        }

        echo '<img src="../images/flag1.jpg"   />';    
        //echo 'Your Password:' .$row['password'];
          echo "</font>";



      }
    else  
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg"   />';

        echo "</font>";  
    }
}

?>


</font>
</div>
</body>
</html>

From the code you can see that uname is filtered properly, but passwd is not given the same treatment: it is taken from $_POST as-is and concatenated into the UPDATE statement, so injection is possible through passwd.


Inject the following statement via passwd:

admin' and updatexml(1,concat(0x7e,(select user()),0x7e),1) #


Level 18:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-18 Header Injection- Error Based- string</title>
</head>

<body bgcolor="#000000">

<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">


<!--Form to post the contents -->
<form action="" name="form1" method="post">

  <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
    <input type="text"  name="uname" value=""/>  </div>

  <div> Password : &nbsp; &nbsp;
    <input type="text" name="passwd" value=""/></div></br>
    <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">



<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
    {
    if(!empty($value)) /* check whether the variable's value is empty */
        {
        // truncation (see comments)
        $value = substr($value,0,20); /* read from position 0, length 20 */
        }

        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc())  /* returns the current magic_quotes_gpc setting, which controls the magic_quotes state for GPC (Get/Post/Cookie) data. When magic_quotes is on, every ' (single quote), " (double quote), \ (backslash) and NUL is automatically escaped with a backslash. */
            {
            $value = stripslashes($value); /* removes single backslashes; a double backslash is replaced by a single one */
            }

        // Quote if not a number
        if (!ctype_digit($value)) /* digits-only check */
            {
            $value = "'" . mysql_real_escape_string($value) . "'";
            }

    else
        {
        $value = intval($value); /* take the integer value */
        }
    return $value;
    }



    $uagent = $_SERVER['HTTP_USER_AGENT']; /* get the visitor's User-Agent */
    $IP = $_SERVER['REMOTE_ADDR']; /* IP of the user viewing the current page */
    echo "<br>";
    echo 'Your IP ADDRESS is: ' .$IP;
    echo "<br>";
    //echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd'])) /* check that the variables are set and not NULL */

    {
    $uname = check_input($_POST['uname']); /* sanitise uname */
    $passwd = check_input($_POST['passwd']); /* sanitise passwd */

    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;

    //logging the connection parameters to a file for analysis.    
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");

    fclose($fp);



    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
        if($row1)
            {
            echo '<font color= "#FFFF00" font size = 3 >';
            $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)"; /* insert into the database, recording user-agent, IP and uname */
            mysql_query($insert);
            echo 'Your IP ADDRESS is: ' .$IP;
            echo "</font>";
            echo "<br>";
            echo '<font color= "#0000ff" font size = 3 >';            
            echo 'Your User Agent is: ' .$uagent;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());            
            echo "<br><br>";
            echo '<img src="../images/flag.jpg"  />';
            echo "<br>";

            }
        else
            {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";            
            echo "</br>";
            echo '<img src="../images/slap.jpg"   />';    
            echo "</font>";  
            }

    }

?>


</font>
</div>
</body>
</html>

uname and passwd are strictly filtered, but the visitor's IP and User-Agent are inserted into the database, and the User-Agent header receives no corresponding filtering, which triggers the injection.


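The lab writes its inputs to result.txt, but in Less-18 and Less-19 the line labelled 'User Agent:' or 'Referer:' actually contains uname, so the injected headers themselves only survive in the web server's access log. As an added example that is not part of the original post or of sqli-labs, the following PHP script scans constructed result.txt lines and Apache combined-log lines for the markers of the error-based payload shown above: a quote followed by a SQL keyword, a call to updatexml() or extractvalue(), concat() with the 0x7e marker, and a trailing comment. The function names, the indicator list and the sample lines are all assumptions of this example.

```php
<?php
// Added example (not sqli-labs code): scan result.txt lines and Apache
// combined-log lines for markers of error-based SQL injection in the fields
// the three levels concatenate into queries (passwd, User-Agent, Referer).
declare(strict_types=1);

// Indicators, most to least specific. Each entry: name => regex.
const SQLI_INDICATORS = [
    'mysql_error_function' => '/\b(updatexml|extractvalue)\s*\(/i',
    'concat_with_marker'   => '/\bconcat\s*\(\s*0x7e/i',
    'quote_then_keyword'   => '/\'\s*(and|or|union|select)\b/i',
    'trailing_comment'     => '/(#|--\s|\/\*)\s*$/',
];

/** Return the names of every indicator that matches $value. */
function sqliIndicators(string $value): array
{
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Parse one result.txt line ("Label:value", as the lab writes it) or one
 * Apache combined-log line. Returns the fields worth scanning as
 * ['source' => ..., 'field' => ..., 'value' => ...]; unknown lines yield [].
 */
function extractFields(string $line): array
{
    if (preg_match('/^(User Name|New Password|User Agent|Referer):(.*)$/', $line, $m) === 1) {
        return [['source' => 'result.txt', 'field' => $m[1], 'value' => $m[2]]];
    }
    // Combined log: host ident user [date] "request" status bytes "referer" "user-agent"
    // (a literal double quote inside a header is not handled by this simple pattern).
    if (preg_match('/^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "([^"]*)" "([^"]*)"$/', $line, $m) === 1) {
        return [
            ['source' => 'access_log', 'field' => 'request',    'value' => $m[1]],
            ['source' => 'access_log', 'field' => 'Referer',    'value' => $m[2]],
            ['source' => 'access_log', 'field' => 'User-Agent', 'value' => $m[3]],
        ];
    }
    return [];
}

/** Scan many lines; return only the fields that triggered an indicator. */
function scanLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        foreach (extractFields($line) as $f) {
            $hits = sqliIndicators($f['value']);
            if ($hits !== []) {
                $findings[] = [
                    'line' => $n + 1, 'source' => $f['source'], 'field' => $f['field'],
                    'indicators' => $hits, 'value' => $f['value'],
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample input: three benign entries and three carrying the
// payload shape from the post (in passwd, in User-Agent, in Referer).
$sample = [
    'User Name:Dumb',
    'New Password:hunter2',
    "New Password:admin' and updatexml(1,concat(0x7e,(select user()),0x7e),1) #",
    '10.0.0.5 - - [14/Jan/2019:12:20:57 +0800] "POST /Less-18/ HTTP/1.1" 200 1337 "http://localhost/Less-18/" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Jan/2019:12:21:03 +0800] "POST /Less-18/ HTTP/1.1" 200 1337 "http://localhost/Less-18/" "Mozilla\' and updatexml(1,concat(0x7e,(select user()),0x7e),1) #"',
    '10.0.0.5 - - [14/Jan/2019:12:22:10 +0800] "POST /Less-19/ HTTP/1.1" 200 1337 "http://localhost/\' and updatexml(1,concat(0x7e,(select user()),0x7e),1) #" "Mozilla/5.0"',
];

foreach (scanLines($sample) as $f) {
    printf("line %d %s/%s [%s]: %s\n",
        $f['line'], $f['source'], $f['field'], implode(',', $f['indicators']), $f['value']);
}
```

Run it with `php scan.php`; on the constructed sample it reports lines 3, 5 and 6, each with all four indicators. The `quote_then_keyword` pattern is the one that catches quote-breaking attempts that do not use updatexml() at all, so it is worth keeping even though it is the noisiest of the four on real traffic.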

Level 19

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-19 Header Injection- Referer- Error Based- string</title>
</head>

<body bgcolor="#000000">

<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">


<!--Form to post the contents -->
<form action="" name="form1" method="post">

  <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
    <input type="text"  name="uname" value=""/>  </div>

  <div> Password : &nbsp; &nbsp;
    <input type="text" name="passwd" value=""/></div></br>
    <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">



<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
    {
    if(!empty($value)) /* check whether the variable's value is empty */
        {
        // truncation (see comments)
        $value = substr($value,0,20); /* read from position 0, length 20 */
        }

        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc())
            {
            $value = stripslashes($value); /* get_magic_quotes_gpc() above returns the current magic_quotes_gpc setting, which controls the magic_quotes state for GPC (Get/Post/Cookie) data. When magic_quotes is on, every ' (single quote), " (double quote), \ (backslash) and NUL is automatically escaped with a backslash. */
            }

        // Quote if not a number
        if (!ctype_digit($value)) /* checks whether the string consists only of digits */
            {
            $value = "'" . mysql_real_escape_string($value) . "'";
            }

    else
        {
        $value = intval($value);
        }
    return $value;
    }



    $uagent = $_SERVER['HTTP_REFERER']; /* get the Referer header of the current page request */
    $IP = $_SERVER['REMOTE_ADDR']; /* get the IP of the user viewing the current page */
    echo "<br>";
    echo 'Your IP ADDRESS is: ' .$IP;
    echo "<br>";
    //echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd'])) /* check that the variables are set and not null */

    {
    $uname = check_input($_POST['uname']); /* call check_input to sanitise */
    $passwd = check_input($_POST['passwd']); /* call check_input to sanitise */

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.    
    $fp=fopen('result.txt','a');
    fwrite($fp,'Referer:'.$uname."\n");

    fclose($fp);



    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
        if($row1)
            {
            echo '<font color= "#FFFF00" font size = 3 >';
            $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')"; /* the data is inserted into the database, triggering the injection */
            mysql_query($insert);
            //echo 'Your IP ADDRESS is: ' .$IP;
            echo "</font>";
            //echo "<br>";
            echo '<font color= "#0000ff" font size = 3 >';            
            echo 'Your Referer is: ' .$uagent;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());            
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";

            }
        else
            {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";            
            echo "</br>";
            echo '<img src="../images/slap.jpg"  />';    
            echo "</font>";  
            }

    }

?>


</font>
</div>
</body>
</html>

uname and passwd are strictly filtered, but the Referer that gets inserted into the database is not filtered, which leads to the injection.

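All three levels share one root cause: a client-controlled value (passwd in Less-17, the User-Agent header in Less-18, the Referer header in Less-19) is concatenated into a query string, and mysql_error() is printed to the page so that the error-based payload can read data back. The following PHP is an added example, not code from sqli-labs or from the original post, that rewrites the affected SELECT, UPDATE and INSERT statements with mysqli prepared statements, treats $_SERVER headers as untrusted input like any form field, and logs database errors server-side instead of echoing them. Assumptions: the `security` database with the users, uagents and referers tables that the lab's queries reference, placeholder credentials, mysqlnd for get_result(), mbstring for mb_substr(), and hashing the new password with password_hash() (which the lab does not do).

```php
<?php
// Added example (not sqli-labs code): the lab's three vulnerable queries
// rewritten with mysqli prepared statements. uname, passwd, User-Agent and
// Referer are bound parameters, never concatenated into SQL.
// Assumptions: database "security" with tables users(username, password),
// uagents(uagent, ip_address, username), referers(referer, ip_address);
// placeholder credentials; mysqlnd (get_result) and mbstring available.
declare(strict_types=1);

// Throw mysqli_sql_exception on any database error instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials; take the real ones from sql-connect.php.
    return new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'security');
}

// Bound the length of every client-supplied value, headers included.
// The lab's check_input() only truncated uname; here all inputs are clipped.
function clip(string $value, int $max): string
{
    return mb_substr($value, 0, $max);
}

// Less-17: the lab escaped $uname but concatenated $passwd into the UPDATE.
// Both values are bound here, so quotes in either cannot alter the query.
function resetPassword(mysqli $db, string $uname, string $passwd): bool
{
    $uname = clip($uname, 15);

    $select = $db->prepare('SELECT username FROM users WHERE username = ? LIMIT 1');
    $select->bind_param('s', $uname);
    $select->execute();
    $row = $select->get_result()->fetch_assoc();
    $select->close();
    if ($row === null) {
        return false;               // unknown user: nothing to update
    }

    $found = $row['username'];
    $hash  = password_hash($passwd, PASSWORD_DEFAULT); // added choice; the lab stores plaintext
    $update = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $update->bind_param('ss', $hash, $found);
    $update->execute();             // throws on failure under MYSQLI_REPORT_STRICT
    $update->close();
    return true;
}

// Less-18 / Less-19: HTTP_USER_AGENT and HTTP_REFERER are client-controlled
// headers that the lab concatenated into INSERT statements. Bound here.
function recordUserAgent(mysqli $db, string $userAgent, string $ip, string $username): void
{
    $userAgent = clip($userAgent, 256);
    $stmt = $db->prepare('INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $userAgent, $ip, $username);
    $stmt->execute();
    $stmt->close();
}

function recordReferer(mysqli $db, string $referer, string $ip): void
{
    $referer = clip($referer, 256);
    $stmt = $db->prepare('INSERT INTO referers (referer, ip_address) VALUES (?, ?)');
    $stmt->bind_param('ss', $referer, $ip);
    $stmt->execute();
    $stmt->close();
}

// Request handling. The lab printed mysql_error() to the page, which is what
// made the updatexml() error text readable to the client; errors now go to
// error_log() and the client only sees a generic message.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['uname'], $_POST['passwd'])) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    try {
        $db = connect();
        $ok = resetPassword($db, (string) $_POST['uname'], (string) $_POST['passwd']);
        if ($ok) {
            recordUserAgent($db, $_SERVER['HTTP_USER_AGENT'] ?? '', $ip, clip((string) $_POST['uname'], 15));
            recordReferer($db, $_SERVER['HTTP_REFERER'] ?? '', $ip);
        }
        echo $ok ? 'Password updated.' : 'Unknown user.';
    } catch (mysqli_sql_exception $e) {
        error_log('password reset failed: ' . $e->getMessage());
        echo 'Request could not be processed.';
    }
}
```

Note that check_input()'s quote-and-escape approach was not wrong for uname; the failures in these levels come from the values that never went through it. Binding every parameter removes the need to remember which inputs were sanitised, and suppressing the database error text removes the channel that the error-based payload depends on.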

Please state the source when reposting: from 422926799.github.io


Please cite the source when reposting; checking the sources cited in the article is welcome, as is pointing out any errors or unclear wording.

Article title: sqli-labs_17 sqli-labs_19

Author: 九世

Published: 2019-01-14, 12:20:57

Last updated: 2019-04-19, 20:36:16

Original link: http://422926799.github.io/posts/789227f7.html

Copyright notice: "Attribution-NonCommercial-ShareAlike 4.0". Please keep the original link and author when reposting.
