First, open the site to be this way
Find a login box, there is injection vulnerability
3. We can change the input usernames:
admin' or 1=1 --
4. The error message Invalid Password , so we should also try to construct a password to login. After several attempts, I finally succeeded by using the payload, as follows:
admin' union select '123' as password --
And log in as the Administrator user using Pass 123.
Back home, we can see a hyperlink, the hyperlink is linked to a private page, and showing the first signs.
The second flag
1. Let's create the same as in Micro-CMS v1 in a new page.
2. The contents of the text area XSS still exists (the same payload), but we can not get the flag.
3. Return this CMS, we already know that the new version has been upgraded to version control. But we have not tested edit API. Since we are forged administrator login and access to the edit API, so let's check to see if it gets proper authorization.
4, we can send this API to BurpSuite Repeater, and delete paragraph Cookie request header. See what happened? Yes, we won the second flag!
The third flag
1. This is very confusing. I stayed in there for a few days. Finally, I decided to get the default administrator username and password and use it to log in.
2. So let us look at the error message.
“从管理员那里选择用户名= \'%s \''%request.form ['username']。replace('%','%%')的密码
而且我们还知道,在构造了一些sqli有效载荷之后,存在两种不同类型的错误。一个是“未知用户”,另一个是“无效密码”。
根据以上信息,我们可以使用SQL注入技术来获取所需的信息。
3.尝试这样的有效负载:
' or length(password)=1 --
响应显示“未知用户”。
使用BurpSuite入侵者模块进行自动破解。
现在我们知道密码长度为6。
4.我们可以继续猜测密码中的每个字符。这是有效载荷:
' or password like 'a%'
最后我们可以得到的密码是
joette
4,我们还可以通过使用有效载荷来获取用户名的长度,如下所示:
' or password='joette' and length(username)=1 --
我们也知道账户也是6位
然后我们将有效载荷更改为
' or password='joette' and username like 'a%'
我们知道用户名是
marlin
5.使用用户名“ marlin”和密码“ joette”登录CMS。然后...