Simple login to browse once, found to be a login registration change password application
Review the Code
The Username,password of the landing page uses an escape
The parameters of the registration page are also escaped
But in the modified Password page, directly from the session to get the username
So there is a problem, username is created at registration, although escaped, but no restrictions on the input characters
Take a look at the SQL statement that changed the password
$sql = "UPDATE users SET password= ' $pass ' where username= ' $username ' and password= ' $curr _pass '";
If Username=admin ' #就会构成, #号后面的变成了注释, then we change the password of admin
UPDATE SET PASSWORD='$pass'where username='admin ' # ' and password='$curr _pass'
Let's test it.
Registration is successful, and the corresponding data is added to the database.
You can also log in normally.
Then we'll change the password.
To facilitate observation, output the SQL statement
Prompt for password modification success
So we'll change the admin password to 123456.
You can confirm it in the database.
"Sqli-labs" Less24 post-second Order injections *real treat*-stored injections (two injections)