"Sqli-labs" Less24 post-second Order injections *real treat*-stored injections (two injections)

Simple login to browse once, found to be a login registration change password application

Review the Code

The Username,password of the landing page uses an escape

The parameters of the registration page are also escaped

But in the modified Password page, directly from the session to get the username

So there is a problem, username is created at registration, although escaped, but no restrictions on the input characters

Take a look at the SQL statement that changed the password

$sql = "UPDATE users SET password= ' $pass ' where username= ' $username ' and password= ' $curr _pass '";

If Username=admin ' #就会构成, #号后面的变成了注释, then we change the password of admin

UPDATE SET PASSWORD='$pass'where username='admin ' # '  and password='$curr _pass'

Let's test it.

Registration is successful, and the corresponding data is added to the database.

You can also log in normally.

Then we'll change the password.

To facilitate observation, output the SQL statement

Prompt for password modification success

So we'll change the admin password to 123456.

You can confirm it in the database.

"Sqli-labs" Less24 post-second Order injections *real treat*-stored injections (two injections)