Starting with this level we move into a new area. The first few levels gave us a good feel for blind injection; what follows is new material. Pikachu, go!
The code below is taken from Less-17 of sqli-labs.
The page looks like this:
The complete PHP source for this page is as follows:
<?php
// sqli-labs Less-17 ("Update query - Error based - String"), reconstructed
// from the collapsed listing above. This is the *intentionally vulnerable*
// lab target: behaviour is preserved exactly, only layout and comments were
// changed. Do not reuse any of it in real code.
//
// Note: mysql_*() and get_magic_quotes_gpc() no longer exist on PHP 7/8;
// the lab is meant to run on a PHP 5.x stack.

// Provides the mysql_connect() session used by mysql_query() below.
include("../sql-connections/sql-connect.php");
// Silence every PHP warning/notice. MySQL errors are still shown further
// down through mysql_error(), which is what makes this an error-based level.
error_reporting(0);

/**
 * Sanitise one request parameter for use inside the SELECT query.
 *
 * @param string $value raw value taken from $_POST
 * @return string|int   a single-quoted, escaped string, or an int when the
 *                      (truncated) input consists only of digits
 */
function check_input($value)
{
    if (!empty($value)) {
        // Byte-wise truncation to 15 bytes. The original's "(see comments)"
        // refers to notes that are not part of this page.
        $value = substr($value, 0, 15);
    }

    // Undo magic_quotes_gpc so the value is not escaped twice below.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    if (!ctype_digit($value)) {
        // Not a pure digit string: escape it and wrap it in single quotes.
        // This is why the uname parameter is NOT injectable on this level.
        $value = "'" . mysql_real_escape_string($value) . "'";
    } else {
        // Pure digits (possibly after truncation): coerce to an integer.
        $value = intval($value);
    }

    return $value;
}

if (isset($_POST['uname']) && isset($_POST['passwd'])) {
    // uname goes through check_input(), so it arrives quoted and escaped.
    $uname = check_input($_POST['uname']);
    // passwd does NOT. This is the bug the level is about: the raw value
    // ends up inside the UPDATE statement below.
    $passwd = $_POST['passwd'];

    // Appends both values -- the password in clear text -- to result.txt
    // next to the script, i.e. under the web root. A finding in its own right.
    $log = fopen('result.txt', 'a');
    fwrite($log, 'User Name:' . $uname . "\n");
    fwrite($log, 'New Password:' . $passwd . "\n");
    fclose($log);

    // Look the user up. $uname is already quoted/escaped by check_input().
    @$sql = "SELECT username, password from users WHERE username= $uname LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;

    if ($row) {
        //echo '<font color= "#0000ff">';
        $matchedUser = $row['username'];
        //echo 'Your Login name:'. $matchedUser;

        // SQL INJECTION SINK: $passwd is interpolated unescaped into the
        // UPDATE. Given a valid username, the attacker controls everything
        // after "password = '". Passwords are also stored in clear text.
        $update = "UPDATE users SET password = '$passwd' WHERE username='$matchedUser'";
        mysql_query($update);
        echo "<br>";

        if (mysql_error()) {
            // The MySQL error text is echoed back verbatim: this is the
            // error-based oracle the level is named after.
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        } else {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo "You password have been successfully updated";
            echo "<br>";
            echo "</font>";
        }

        echo ''; // an <img> tag presumably stood here; lost in extraction
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    } else {
        echo '<font size= "4.5" color= "#FFFF00" >';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo ''; // an <img> tag presumably stood here; lost in extraction
        echo "</font>";
    }
}
?>
Look at line 39 of the listing: `$passwd` is read straight from `$_POST` and never passed through `check_input()`, then concatenated into the UPDATE statement as `password = '$passwd'`. Only `uname` was filtered, so the password field is the injection point; and because the page prints `mysql_error()` verbatim, the MySQL error text serves as an oracle (error-based injection).
The END
sqli-labs walkthrough — Less-17 — auditing for SQL injection