sqli-Labs————less-37

FLy_鵬程萬里發表於2018-05-20

Less-37

檢視一下原始碼：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<title>Less-37- MySQL_real_escape_string</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">
 
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
	<div style="margin-top:15px; height:30px;">Username :    
	    <input type="text"  name="uname" value=""/>
	</div>  
	<div> Password  :    
	   <input type="text" name="passwd" value=""/>
	</div></br>
	<div style=" margin-top:9px;margin-left:90px;">
	    <input type="submit" name="submit" value="Submit" />
	</div>
</form>

</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<center>
<br>
<br>
<br>
<img src="../images/Less-37.jpg" />
</center>

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	$uname1=$_POST['uname'];
	$passwd1=$_POST['passwd'];

        //echo "username before addslashes is :".$uname1 ."<br>";
        //echo "Input password before addslashes is : ".$passwd1. "<br>";
        
	//logging the connection parameters to a file for analysis.
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname1);
	fwrite($fp,'Password:'.$passwd1."\n");
	fclose($fp);
        
        $uname = mysql_real_escape_string($uname1);
        $passwd= mysql_real_escape_string($passwd1);
        
        //echo "username after addslashes is :".$uname ."<br>";
        //echo "Input password after addslashes is : ".$passwd;    

	// connectivity 
	mysql_query("SET NAMES gbk");
	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';	
		echo "</font>";  
	}
}

?>

</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
 
echo "Hint: The Username you input is escaped as : ".$uname ."<br>";
echo "Hint: The Password you input is escaped as : ".$passwd ."<br>";
?>

</font>
</div>
</body>
</html>

過濾函式：

  $uname = mysql_real_escape_string($uname1);
  $passwd= mysql_real_escape_string($passwd1);

sql語句：

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

根據以上過濾函式以及SQL語句，我們直接使用之前所用過的萬能密碼來突破一下：

username：�' or 1=1#

password：aaa

小結：對於過濾'\常用的三種方式是replace、addslashes、mysql_real_escape_string（）。但是這三種方式僅僅依靠一個函式是不能完全防禦的，我們在編寫程式碼的時候需要更加的嚴謹。

less-12 in sqli-labs
2020-12-17
SQL
sqli-labs(54-65)
2020-10-27
SQL
sqli-labs————Less-52
2018-05-22
SQL
sqli-labs————Less-53
2018-05-22
SQL
sqli-labs————Less-55
2018-05-22
SQL
sqli-labs————Less-56
2018-05-22
SQL
sqli-labs————Less-57
2018-05-22
SQL
sqli-labs————Less-58
2018-05-22
SQL
sqli-labs————Less-59
2018-05-22
SQL
sqli-labs————Less-28
2018-05-16
SQL
sqli-labs————less-28a
2018-05-16
SQL
sqli-labs————Less-29
2018-05-19
SQL
sqli-labs————Less-30
2018-05-19
SQL
sqli-labs————Less-31
2018-05-19
SQL
sqli-labs————Less-32
2018-05-19
SQL
sqli-labs————Less-33
2018-05-19
SQL
sqli-Labs————less-35
2018-05-20
SQL
sqli-Labs————less-36
2018-05-20
SQL
sqli-Labs————less-38
2018-05-20
SQL
sqli-Labs————less-39
2018-05-20
SQL
sqli-Labs————less-40
2018-05-20
SQL
sqli-Labs————less-41
2018-05-20
SQL
sqli-Labs————less-42
2018-05-21
SQL
sqli-Labs————less-43
2018-05-21
SQL
sqli-Labs————less-44
2018-05-21
SQL
sqli-Labs————less-45
2018-05-21
SQL
sqli-labs————Less-48
2018-05-21
SQL
sqli-labs————Less-49
2018-05-21
SQL
sqli-labs————Less-51
2018-05-21
SQL
Sqli-labs 部落格目錄
2018-07-26
SQL
sqli-labs————Less-60-65
2018-05-22
SQL
sqli-labs ————less -26a
2018-05-16
SQL
Sqli-Labs：Less2-Less4
2018-07-24
SQL
玩一玩sqli-labs靶場
2022-02-17
SQL
sqli-labs第二關詳解
2020-10-05
SQL
Sqli-labs之Less1-10
2017-04-14
SQL
sqli-labs 第25關（過濾or和AND ）
2020-12-25
SQL
sqli-labs————Less-26（繞空格、/*、#等）
2018-05-16
SQL

sqli-Labs————less-37

Less-37

相關文章