Catalog

One 、sqqyw（ Indifferent point icon system ）

Global search keywords

Search for select

Select regular and case insensitive

View with variables id File contents of

To define ID Of ywX Function to perform a global search

Look at the pictures with ywX File content of function

see /php/v144.php page

Conduct full-text search on the obtained text

Yes sohuquan Full text tracking

Yes domain Full text tracking

Modify the source address

id=1

Continue searching for text

Go around

Judge the echo through time blind injection

adopt sqlmap Just inject the tool

Two 、74cms Loophole recurrence

Enter the membership Center

Sign in / register

Create a new resume

Turn on mysql monitor

Break down 、 to update

Save and listen

Continue to save and listen

Or save and listen

Or continue to save and monitor

Resume management

sqqyw（ Indifferent point icon system ）

Global search keywords

Search for select

Find out select, But it's not sql Statement select, This is in the label select

Select regular and case insensitive

View with variables id File contents of

If there is garbled code, change the coding format , Can be replaced by GBK and UTF-8

To define ID Of ywX Function to perform a global search

Look at the pictures with ywX File content of function

see /php/v144.php page

Conduct full-text search on the obtained text

see domain Whether in sohuquan Inside

Yes sohuquan Full text tracking

Get the address of your website

Yes domain Full text tracking

Modify the source address

id=1

Continue searching for text

Give Way api==ok, And u,p,id It's not empty.

Go around

Statement executed

Judge the echo through time blind injection

Because in the statement sleep(3) Was executed three times , So delay 9s

So here is the injection point

adopt sqlmap Just inject the tool

python sqlmap.py -u "http://localhost/sqqyw/php/v144.php?api=ok&u=1&p=1&id=1" --batch -p "id" --current-db

74cms Loophole recurrence

Using the conditions of secondary injection ：

insert update

Variable control

Enter the membership Center

Sign in / register

Create a new resume

Turn on mysql monitor

Break down 、 to update

Save and listen

update The statement in is not related to the statement we inserted ,update We didn't write it ourselves , It is the updated number of the corresponding field matched by the system , So you can't use .

Continue to save and listen

insert The data in is our choice , It's not what we inserted , So you can't use .

Or save and listen

This makes it direct update The updated , No insertion , So it doesn't work .

Or continue to save and monitor

There is insert and update, And the variables are controllable

So we can check the user name through secondary injection

insert Filtering has little effect when inserting , as long as update Just don't filter when updating .

Resume management