Injection points usually take the form /list/asp?id=Num, but as injection techniques have spread, anyone with even a little security awareness has filtered the obvious injection points, and hacker sites even more so. I remember one of the animation tutorials on 77169 was about injecting Chaoyang.com. As far as I recall it was a download page with a string (character-type) injection, and the injection page looked something like /list/asp?id=Num&ppath=undefined. To confirm this I tried it myself: the page I tested was /?id=2026&ppath=undefined, and I appended a "'" to the download page's URL.
It appeared to be filtered, but giving up is not my style. I happened to notice the words "click to download". OK, let's see what that address looks like; maybe this is the breakthrough. There are two ways to find the address. One is to view the page source, which is the more convenient way and only requires knowing a little HTML.
The other is to use a download tool such as FlashGet. Note that FlashGet shows the FTP address in its "Website" column, while the page that actually performs the redirect appears in the "Reference" (referrer) column. The address shown there is /?downid=1&id=2012.
Let's see whether it has an injection vulnerability: appending a single quote returns an error message.
Appending a semicolon brings up the download prompt; appending "and 1=1" and "and 1=2" returns similar pages, so it can basically be confirmed that an injection vulnerability exists. Even though the hole is there, injecting by hand would still return the normal page (that is, the download prompt) every time. Wouldn't that be very tedious? A newbie like me prefers to use tools, which is more convenient. Naturally the injection was done with Xiaozhu's NBSI2. I tried it: if you simply feed it the URL of the injection page, it reports "No injection vulnerability has been detected yet".
So the most critical step is to add "id" to NBSI2's "feature characters" (note the case). At that point the character box becomes editable; then press "Redetection". Note that you must run a detection once before the feature characters can be added. NBSI then displayed "ASC half-fold analysis" (a bisection search over ASCII values), and the exciting part began.
Everyone knows how to do the operations that follow, right? I won't show off in front of this group. But it is truly hard to imagine that such a large website actually uses an Access database, that such a large website went live with holes still in it, and that for such a large website you cannot even find the administrator's mailbox…
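From the defender's side, the probing sequence described above (a single quote, a semicolon, then the "and 1=1" / "and 1=2" pair against a numeric parameter) is easy to pick out of web server logs, and the true/false pair is the telling signal precisely because, as the post notes, both responses look the same. The following Python script is an added example, not code from the original post; the IIS-style log lines and the script names /list.asp and /down.asp are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from the original post); fields are
# date time c-ip method uri-stem uri-query status. Script names are assumed.
SAMPLE_LOG = """\
2004-05-01 10:00:01 10.0.0.5 GET /list.asp id=2026&ppath=undefined 200
2004-05-01 10:00:07 10.0.0.5 GET /list.asp id=2026'&ppath=undefined 200
2004-05-01 10:00:15 10.0.0.5 GET /down.asp downid=1&id=2012' 500
2004-05-01 10:00:20 10.0.0.5 GET /down.asp downid=1&id=2012; 200
2004-05-01 10:00:25 10.0.0.5 GET /down.asp downid=1&id=2012+and+1=1 200
2004-05-01 10:00:31 10.0.0.5 GET /down.asp downid=1&id=2012+and+1=2 200
2004-05-01 10:01:02 10.0.0.9 GET /down.asp downid=3&id=77 200
"""
NUMERIC_PARAMS = {"id", "downid"}  # parameters the application only expects as integers
SIGNATURES = [  # the true/false pair is what a blind probe relies on, since both pages look alike
    ("bool_true", re.compile(r"\band\s+1\s*=\s*1\b", re.I)),
    ("bool_false", re.compile(r"\band\s+1\s*=\s*2\b", re.I)),
    ("quote", re.compile(r"'")),
    ("semicolon", re.compile(r";")),
]

def classify_value(value):
    """Probe kind for one parameter value, or None when it carries no known signature."""
    if value.isdigit():
        return None  # a clean integer is exactly what the application expects
    for kind, pattern in SIGNATURES:
        if pattern.search(value):
            return kind
    return None

def find_probes(log_text):
    """List (ip, stem, param, kind, status) for every tampered numeric parameter."""
    probes = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7: continue  # skip blank or malformed lines
        _, _, ip, _, stem, query, status = parts
        for pair in query.split("&"):  # split on '&' only, so a ';' stays in the value
            param, _, value = pair.partition("=")
            kind = classify_value(unquote_plus(value)) if param in NUMERIC_PARAMS else None
            if kind:
                probes.append((ip, stem, param, kind, int(status)))
    return probes

def blind_pairs(probes):
    """Clients that sent both halves of a true/false pair against one parameter."""
    seen = {}
    for ip, stem, param, kind, _ in probes:
        seen.setdefault((ip, stem, param), set()).add(kind)
    return {k for k, kinds in seen.items() if {"bool_true", "bool_false"} <= kinds}
```

Alerting on the pair from blind_pairs, rather than on every stray quote, keeps the noise down while still catching the tool-driven bisection that follows once the parameter is confirmed injectable.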