sqli第24关二次注入

注入点

# Validating the user input........
	$username= $_SESSION["username"];
	$curr_pass= mysql_real_escape_string($_POST['current_password']);
	$pass= mysql_real_escape_string($_POST['password']);
	$re_pass= mysql_real_escape_string($_POST['re_password']);
	
	if($pass==$re_pass)
	{	
		$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
		$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
		$row = mysql_affected_rows();
		echo '<font size="3" color="#FFFF00">';
		echo '<center>';
		if($row==1)
		{
			echo "Password successfully updated";
	
		}
		else
		{
			header('Location: failed.php');
			//echo 'You tried to be smart, Try harder!!!! :( ';
		}
	}

$username= $_SESSION["username"];

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

对已经注册的用户的username没有转义特殊字符

思路

1，注册一个新用户admin'#虽然转义了，但特殊字符一起写进了数据库

2，用该用户更换密码，你更换的密码就是admin用户的密码 

sql语句变为

$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";

说以你去更新的是admin的密码