注入点
# Validating the user input........
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
if($pass==$re_pass)
{
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_affected_rows();
echo '<font size="3" color="#FFFF00">';
echo '<center>';
if($row==1)
{
echo "Password successfully updated";
}
else
{
header('Location: failed.php');
//echo 'You tried to be smart, Try harder!!!! :( ';
}
}$username= $_SESSION["username"];
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
对已经注册的用户的username没有转义特殊字符
思路
1,注册一个新用户admin'#虽然转义了,但特殊字符一起写进了数据库
2,用该用户更换密码,你更换的密码就是admin用户的密码
sql语句变为
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";
说以你去更新的是admin的密码
![<span style='color:red;'>Sqli</span>-labs靶场<span style='color:red;'>第</span><span style='color:red;'>25</span><span style='color:red;'>关</span>[<span style='color:red;'>Sqli</span>-labs-less-<span style='color:red;'>25</span>]自动化<span style='color:red;'>注入</span>-SQLmap工具<span style='color:red;'>注入</span>](https://img-blog.csdnimg.cn/img_convert/e6b8d6d419504b24b0056ab07fb84e80.png)
