阅读:2788回复:0
SQL Injection via DNS
原文:https://blog.skullsecurity.org/2014/plaidctf-writeup-for-web-300-whatscat-sql-injection-via-dns
建议先看:http://drops.wooyun.org/papers/3133 ◆0 分析 Whatscat是一个可以上传猫咪的照片并且可以评论的php应用,地址: https://blogdata.skullsecurity.org/whatscat.tar.bz2 漏洞代码存在于login.php的密码重置模块,如下: #!php elseif (isset($_POST["reset"])) { $q = mysql_query(sprintf("select username,email,id from users where username='%s'", mysql_real_escape_string($_POST["name"]))); $res = mysql_fetch_object($q); $pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8)); if ($res) { echo sprintf("Don't worry %s, we're emailing you a new password at %s ", $res->username,$res->email); echo sprintf("If you are not %s, we'll tell them something fishy is going on! ", $res->username); $message = |
|