I. Introduction
On an ordinary Wednesday, Xiao Lei received another task to test the xx system of a school.
II. Feature-based blind injection
Using the account and password supplied by the client (Party A), log straight into the school's campus one-card system. After some poking around, the "lost card query" function looks interesting.
It exposes only one function: checking whether a given card has been reported lost.
Type a single quote directly into the field and query.
Huh? Something's off. Try two single quotes.
Yes, that's a 90% chance of injection. Capture the request and see what is actually being sent.
wtf??? Time to clock out.
Just kidding, nobody is clocking out. Xiao Lei doesn't know much about JS reverse engineering, but Xiao Lei is proficient in SQL injection. Wasn't there an error message a moment ago? Then pull the data out through that error behaviour directly.
From the error message, Xiao Lei confirmed that the parameter is enclosed in single quotes and built a payload.
1'and 1=1/1 and'1'='1
Normal, no error.
1'and 1=1/0 and'1'='1
Error.
This works because some databases refuse a zero divisor: Oracle, for example, raises ORA-01476 ("divisor is equal to zero") instead of returning a row. MySQL, by contrast, returns NULL for 1/0 by default, so the trick depends on the backend; here the error page gives it away.
Using this behaviour, the length of the current database user's name can be pulled out directly:
1'and 1=1/(n-length(user)) and'1'='1
Try values of n from 1 upwards (the write-up went to 10) until an error is reported: the divisor n-length(user) is zero, and therefore errors, only when n equals the length of the user name.
The error fired at n=6, so the username is 6 characters long.
Off work!
Good, you have successfully caught my attention, Xiao Lei.
III. JS reverse engineering
I was going to keep a low profile, but there's no point pretending any more: actually I, Xiao Lei, am good at JavaScript reverse engineering. "Master Wang, help me!"
Master Wang is online, so I, Ah Wang, will take over the JavaScript reverse engineering.
First, Master Wang uses this interface to search for 123456 and captures the request; the data in it is the encrypted form of what we submitted.
Check the path of the captured request: xxxx/InvokFront
In the browser's DevTools, open 'Sources' -> 'XHR/fetch Breakpoints' and click the plus sign next to it to add a breakpoint on that request path.
