-
Notifications
You must be signed in to change notification settings - Fork 10
/
sentinel-sql6.php
57 lines (44 loc) · 1.38 KB
/
sentinel-sql6.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<?php
$myname = "sentinel-sql6.php";
$var_title = "SQL6";
$var_description = "Boolean SQL attack";
$var_paramname = "vulnparam";
$var_paramtype = "get";
$var_paramcontent = "string which gets inserted into SQL statement. Wrong users will not produce error. No SQL errors. Advanced statement. Random output";
$var_output = "";
function issueRequest() {
global $myname;
global $var_paramname;
$var_value = "root";
$url = "http" . (!empty($_SERVER['HTTPS']) ? "s" : "") . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
$destination = $url . "?" . $var_paramname . "=" . urlencode($var_value);
header( 'Location: ' . $destination );
exit();
}
//ini_seto('display_errors', 'On');
//error_reporting(E_ALL);
$isStart = $_GET['start'];
if ($isStart == "true") {
issueRequest();
} else {
include 'base-header.php';
$var_param = urldecode($_GET['vulnparam']);
try {
$file_db = new PDO('sqlite:db/testdb.sqlite');
$file_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$result = $file_db->query("SELECT id FROM users WHERE name='" . $var_param . "'");
foreach($result as $row) {
$var_output = "Username ID: <b>" . $row['id'] . "</b>";
}
} catch(PDOException $e) {
}
$rrr = "";
$r = rand(1, 101);
for($rr=0; $rr<$r; $rr++) {
$rrr .= " a";
}
$var_output .= "<br>Random: " . $rrr;
include 'base-content.php';
include 'base-footer.php';
}
?>