文章来源:EDI安全
https://redacted.com/user/activation/xxx/1325589 1325589
https://redacted.com/user/resendactivation/xxx/1325589/?smsg=green
https : //redacted.com/resend/activation/1325589'
我重定向到:
https : //redacted.com/signup_page/xxx
7.现在,我尝试编辑请求并添加-+-和类似的响应:
响应被转换为默认请求,因此我可以确认其为SQL Inejction:
8. 现在,我尝试编辑响应并添加“ order + by + 5”,如下所示:
响应变为“ False”条件,因此该列未达到
9.尝试“ order + by + 4”→仍然为假
10.尝试“ order + by + 3”→True!
11.所以现在我尝试这样“选择”:
如果看到响应,我将重定向到:
https://www.redacted.com/user/resendactivation/xxx/3/?smsg=green
得到了数字3
12.现在,尝试对3号注入一个sql查询,如下所示:
推荐文章++++