Tianmu MVC audit II
2022-07-06 09:51:00 【XRSec】
This article is edited by Er Nong Xi Zhu
Auditing the controllers
After auditing the entry file and working out the routing rules in the previous article, we now move on to the controllers themselves.
The home directory
The audit starts from app/home/index.php. There is little to say about the beginning of this file, but note one thing: although this branch only runs after a check for a non-PC login, the query method it calls looks very familiar, much like the query method defined in think. Recalling the filtering mechanism we audited last time, let's search the whole project for where( and check each hit, looking for where conditions that are passed as two parameters or are cast to int.
Backend SQL injection
Everything comes to those who wait. Here we find that $sid is neither wrapped in single quotes nor cast to int. The file is admin\controller\special.php. We try to reproduce it: a fine SQL injection hole.
Frontend SQL injection
Just when I thought there was no frontend SQL injection, I suddenly found one. It reminded me of a phrase: too wonderful for words.
Let's look at how $sid gets in and whether it is controllable. Searching the whole project for get_category_list() leads to home/controller/special.php, where the category() method reads sid from GET. Although this method does wrap $sid in single quotes, the value is passed to get_category_list() unprotected. Fine, let's reproduce it.
It works completely. The frontend audit ends here.
Frontend XSS
In home\controller\articles.php, in the articles method, there is a call to htmlspecialchars_decode. This function decodes HTML entities, which immediately caught my attention, because we had already audited that incoming values are HTML-entity encoded before being stored in the database. Here the data is decoded again. My novice intuition told me something must be wrong, so let's trace where the $data variable comes from.
At line 32 we can see that it is queried from the database.
Let's look at how it is written. There is too much content here, so use debug to look at the query statement: "SELECT * FROM temmoku_article AS A INNER JOIN temmoku_content AS B ON A.aid = B.aid WHERE A.aid=3 ORDER BY A.aid DESC LIMIT 1"
Looking back, I made a very annoying mistake here: I searched for jab.'content and found nothing, and started doubting myself. Only later did I remember to search for jab."content instead, which located it. Painful.
Here, in admin\public_class\article.php, we find the write to the jab.content table. Keep tracing back.
The call is found in user\controller\articles.php; looking up, it is in the add method.
Register an account and enable the permission to post articles.
The stored XSS succeeds.
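The two defects found above (the uncast $sid in special.php and the htmlspecialchars_decode on stored article content in articles.php), re-created beside their corrected forms as an added example in plain PHP. This is not the project's own code: the table name temmoku_special and the use of PDO in place of the framework's query helper are assumptions.

```php
<?php
// Added example, not code from the Tianmu/Temmoku project. It re-creates the two
// patterns found in the audit with plain PDO; the table name temmoku_special and
// the use of PDO instead of the framework's own query helper are assumptions.

// --- Pattern 1: the special.php case ---
// Vulnerable shape: $sid is neither quoted nor cast, so it is concatenated into
// the statement exactly as received (the SQL injection point from the audit).
function special_sql_vulnerable(string $sid): string {
    return "SELECT * FROM temmoku_special WHERE sid=" . $sid;
}

// Hardened shape: cast to int before the value reaches SQL and bind it as a
// parameter, so the statement text never depends on user input.
function special_rows_hardened(PDO $db, string $sid): array {
    $stmt = $db->prepare("SELECT * FROM temmoku_special WHERE sid = :sid");
    $stmt->bindValue(':sid', (int) $sid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Pattern 2: the articles.php case ---
// Write path (as the audit found): content is HTML-entity encoded on the way in.
function store_content(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Vulnerable read path: htmlspecialchars_decode restores the original markup,
// so the encoding on write gives no protection once the page is rendered.
function render_vulnerable(string $stored): string {
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Hardened read path: emit the stored, already-encoded value unchanged. If real
// HTML must be allowed, run it through an HTML sanitizer instead of decoding.
function render_hardened(string $stored): string {
    return $stored;
}

// Constructed, harmless input showing that decode-on-read undoes encode-on-write.
$raw    = '<b>bold</b> & "quoted"';
$stored = store_content($raw);                           // &lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;
assert(render_vulnerable($stored) === $raw);             // markup comes back intact
assert(strpos(render_hardened($stored), '<') === false); // stays inert in the page
echo special_sql_vulnerable("3 extra"), PHP_EOL;         // non-numeric input reaches the statement unchanged
```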