admin/wxvl
1
0
Fork 0
mirror of https://github.com/gelusus/wxvl.git synced 2025-07-29 14:04:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
wxvl/doc/记录日常挖掘漏洞.md

62 lines
3.6 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 记录日常挖掘漏洞
实战安全研究 2024-11-19 01:02
> 记录在日常挖掘漏洞发现过程,没有多少技术含量,分享出来就当作记录自己学习经历
## 越权漏洞
一般这种就是一个登录页面,但是有注册功能,我们直接注册用户,不然就一个登录页面很难发现什么漏洞的,有账户
多功能点测试
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvP8gEfJvm6NhIW2rboqYpiaRVKEz0QrcQdAqBHFX9OjwM2wV1w1UD6Y3w/640?wx_fmt=png&from=appmsg "")
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPRpGk8oSJHjPQTLg5XZmmRPNZ6Oq3rlZUicVCUxDd53jNyNlt517PkicA/640?wx_fmt=png&from=appmsg "")
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPe8kGw0EG77B5FnuQ5o7ajazHVETJxDJFSSGf02bicxbpfTaW3uPL02Q/640?wx_fmt=png&from=appmsg "")
注册成功后登录完善个人信息过程并观察yakit数据量流量在一条数据包中发现了query参数后面的数字我们简单使用yakit fuzz功能![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPM4KOwPnlEdyIc7LFPlqJWRVBaqQQta3fzOXp1orwwzlMRmu0UzIicUg/640?wx_fmt=png&from=appmsg "")
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPVMgUv7qmPPWfJhUyNkEo24pibLhorr4ljTibV4d8L3h4VKWClBI3GibYw/640?wx_fmt=png&from=appmsg "")
可以看到遍历1000个id请求返回了数据
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPibJ5qTMxRU0y6jVBP8PSXknwpLa8LquKcQ0cw5O0ib3IviaR60392f3pw/640?wx_fmt=png&from=appmsg "")
## sql注入
这个漏洞发现也是观察数据包,通过弱口令登录后台,在页面中点点,对数据包中的参数测试
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPQu9QicsiaakkHsGxFEg9Ipt08dUUKbl1IqwJI6mdm9tnJy1xqVq8xhSw/640?wx_fmt=png&from=appmsg "")
## wsdl接口测试发现sql注入
通过字典扫描出来 Service1.svc?wsdl并使用BURP插件Wsdler 获取接口的参数测试
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPiaeWk6u6JMUJMywxib19xO8bEttOBIg9MaJqvjoicHClNshaVArjGv7tg/640?wx_fmt=png&from=appmsg "")
使用Wsdler插件获取接口
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPcAv1z1ryA5icCYQTy1PQ7yNqGu6xRwF8otgSz6VjdSuaKJrPzIPJnvA/640?wx_fmt=png&from=appmsg "")
获取到接口,我们对每个接口单个进行测试
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPiaic9cbYkrcadNZKSrhHsPxGRswGr6mKliatGg5cjYAicQkIEZciaehpKgw/640?wx_fmt=png&from=appmsg "")
通过单引号来测试 1',发现加 ' 和不加  ' 返回页面不一样
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPoZBAlhKwD0JOXfkichg7LMmSw8Bv8NoDcSibUMQg7vYK6cFFmYLQzdPg/640?wx_fmt=png&from=appmsg "")
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPSWzyRzibYBW7n9wDsSaZ726icjfubsOVQkRqMiac7IpUXzibdy4VDFRmFA/640?wx_fmt=png&from=appmsg "")
直接将数据包放到sqlmap跑。
![](https://mmbiz.qpic.cn/sz_mmbiz_png/vOGOib9z4Wz7MIGicInJgySA74JBahDDvPRpia9Iv5pZXlJYF8TWOia31hR1J2IW5dBceceVqSJia88W697IaatlKyg/640?wx_fmt=png&from=appmsg "")
附上微信群,交流技术和划水聊天等,可回复 加群  或者扫描下面二维码,添加我好友拉进群。
![](https://mmbiz.qpic.cn/sz_mmbiz_jpg/vOGOib9z4Wz6AFk7e7MxpFibX5XlQNPicd50DlW0g9xdzpQm1Vf8fVYyEDbzGaomiaIT5ya2Ntafia8Vwr2WpImciafg/640?wx_fmt=other&from=appmsg&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1 "")
Reference in New Issue View Git Blame Copy Permalink