SQL Injection via DNS
Original: https://blog.skullsecurity.org/2014/plaidctf-writeup-for-web-300-whatscat-sql-injection-via-dns

Recommended reading first: http://drops.wooyun.org/papers/3133

◆0 Analysis

Whatscat is a PHP application where you can upload photos of cats and comment on them. It is available at: https://blogdata.skullsecurity.org/whatscat.tar.bz2

The vulnerable code is in the password reset module of login.php, shown below:

    #!php
    elseif (isset($_POST["reset"])) {
      // Look up the account; the username is escaped before it enters the query
      $q = mysql_query(sprintf("select username,email,id from users where username='%s'",
        mysql_real_escape_string($_POST["name"])));
      $res = mysql_fetch_object($q);
      // Generate the new random password for the account
      $pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8));
      if ($res) {
        echo sprintf("Don't worry %s, we're emailing you a new password at %s ",
          $res->username,$res->email);
        echo sprintf("If you are not %s, we'll tell them something fishy is going on! ",
          $res->username);
        $message =