Yet I squander my cold years

Sqli-LABS Walkthrough Notes - 18 - Auditing SQL Injection 2 - HTTP Header Injection

What I learned in this level:

1. Read anything that touches the database several times over, especially where the injected value arrives in an HTTP header rather than in a form field.

2.

  1 <?php
  2 //including the Mysql connect parameters.
  3 include("../sql-connections/sql-connect.php");
  4 error_reporting(0);
  5 
  6 function check_input($value)
  7     {
  8     if(!empty($value))
  9         {
 10         // truncation (see comments)
 11         $value = substr($value,0,20);
 12         }
 13 
 14         // Stripslashes if magic quotes enabled
 15         if (get_magic_quotes_gpc())
 16             {
 17             $value = stripslashes($value);
 18             }
 19 
 20         // Quote if not a number
 21         if (!ctype_digit($value))
 22             {
 23             $value = "'" . mysql_real_escape_string($value) . "'";
 24             }
 25 
 26     else
 27         {
 28         $value = intval($value);
 29         }
 30     return $value;
 31     }
 32 
 33 
 34 
 35     $uagent = $_SERVER['HTTP_USER_AGENT'];   # $_SERVER['HTTP_USER_AGENT'] holds the content of the current request's User-Agent: header. More on $_SERVER: http://www.cnblogs.com/xishaonian/p/6160893.html
 36     $IP = $_SERVER['REMOTE_ADDR']; # the current client's IP address
 37     echo "<br>";
 38     echo 'Your IP ADDRESS is: ' .$IP;
 39     echo "<br>";
 40     //echo 'Your User Agent is: ' .$uagent;
 41 // take the variables
 42 if(isset($_POST['uname']) && isset($_POST['passwd'])) # check whether uname and passwd were submitted
 43 
 44     {
 45     $uname = check_input($_POST['uname']);  # filter the submitted uname with check_input
 46     $passwd = check_input($_POST['passwd']); # filter the submitted passwd with check_input
 47 
 48 
 49     echo 'Your Your User name:'. $uname;
 50     echo "<br>";
 51     echo 'Your Password:'. $passwd;
 52     echo "<br>";
 53     echo 'Your User Agent String:'. $uagent;
 54     echo "<br>";
 55     echo 'Your User Agent String:'. $IP;
 56 
 57 
 58     //logging the connection parameters to a file for analysis.
 59     $fp=fopen('result.txt','a');
 60     fwrite($fp,'User Agent:'.$uname."\n");
 61 
 62     fclose($fp);
 63 
 64 
 65 
 66     $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
 67     $result1 = mysql_query($sql);  # execute the statement held in $sql; mysql_query sends a query to MySQL.
 68     $row1 = mysql_fetch_array($result1);
 69         if($row1)     # if $row1 is truthy, i.e. the login matched a row
 70             {
 71             echo '<font color= "#FFFF00" font size = 3 >';
 72             $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
 73             mysql_query($insert);
 74             //echo 'Your IP ADDRESS is: ' .$IP;
 75             echo "</font>";
 76             //echo "<br>";
 77             echo '<font color= "#0000ff" font size = 3 >';
 78             echo 'Your User Agent is: ' .$uagent;
 79             echo "</font>";
 80             echo "<br>";
 81             print_r(mysql_error());
 82             echo "<br><br>";
 83             echo '<img src="../images/flag.jpg"  />';
 84             echo "<br>";
 85 
 86             }
 87         else
 88             {
 89             echo '<font color= "#0000ff" font size="3">';
 90             //echo "Try again looser";
 91             print_r(mysql_error());
 92             echo "</br>";
 93             echo "</br>";
 94             echo '<img src="../images/slap.jpg"   />';
 95             echo "</font>";
 96             }
 97 
 98     }
 99 
100 ?>

Note line 72: $uagent and $IP are concatenated into the INSERT without any processing. check_input is applied only to the POST fields uname and passwd (lines 45-46), so the User-Agent header taken on line 35 reaches the database unescaped, and line 81 echoes mysql_error() back to the client.
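As an added example (not part of sqli-labs or this post), here are the queries from lines 66 and 72 rewritten with PDO prepared statements, so the header-derived values are bound as parameters instead of being spliced into the SQL string; the DSN, database credentials and `mysql:` driver are assumptions for illustration.

```php
<?php
// Added example, not sqli-labs code: Less-18 queries with PDO parameter
// binding. DSN and credentials below are placeholders.
function db(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=security;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // bind on the server side
        ]
    );
}

// Counterpart of line 66: credentials are bound, never quoted by hand.
function findUser(PDO $db, string $uname, string $passwd): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password FROM users
          WHERE username = ? AND password = ?
          ORDER BY id DESC LIMIT 1'
    );
    $stmt->execute([$uname, $passwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Counterpart of line 72: User-Agent and client IP are parameters, so a
// quote character inside the header is stored as data, not run as SQL.
function logUserAgent(PDO $db, string $uagent, string $ip, string $username): void
{
    // REMOTE_ADDR comes from the socket and should always be a valid IP.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid client address');
    }
    $stmt = $db->prepare('INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)');
    $stmt->execute([$uagent, $ip, $username]);
}

$uagent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$ip     = $_SERVER['REMOTE_ADDR'] ?? '';
if (isset($_POST['uname'], $_POST['passwd'])) {
    $db  = db();
    $row = findUser($db, $_POST['uname'], $_POST['passwd']);
    if ($row !== null) {
        logUserAgent($db, $uagent, $ip, $row['username']);
        echo 'Your User Agent is: ' . htmlspecialchars($uagent, ENT_QUOTES, 'UTF-8');
    }
}
```

The error-reporting mode also matters: with PDO::ERRMODE_EXCEPTION the driver error is raised server-side for the application to log, rather than being printed to the page as print_r(mysql_error()) does on line 81.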

THE END

posted @ 2016-12-11 23:33 by 珍惜少年时