Mice V4.2 is currently the latest version. Straight to the point: look at the back end first. The admin back-end home page displays the user's login IP, and this vulnerability lets you write arbitrary characters into that IP field, including HTML and JS. Yes, that means the administrator's password can be obtained through cross-site scripting.
Register a user on the front end.
Log in and capture the request.
Modify the captured packet to forge X-Forwarded-For; for why that works, see my previous article.
Add this line to the request:
X-Forwarded-For: <script>alert(/sub - ↘meter/)</script>' where username = 'admin'#
When the administrator then opens the back-end page, the malicious code executes and a dialog box pops up, as shown in the figure.
But this requires the administrator to be online at the same time, and a new login invalidates the payload; everyone would probably think that is too lame, because the chance of the administrator being online at the same moment as you is too small. It doesn't matter; think about it carefully. The SQL statement we just executed is
update XXX set loginip = 'malicious code' where username = 'admin', which changes only the admin's IP.
If instead the submitted statement is update XXX set loginip = 'malicious code', with the where clause removed, the per-user restriction is gone and the malicious code is written to every registered user. At that point every online user is affected at once: drive-by malware, session theft, whatever the attacker pleases.
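The two defects the write-up relies on are the header value being concatenated into the UPDATE statement and the stored login IP being rendered unescaped in the back end. The following added example (mine, not code from Mice or from this article) shows the fix on the storage side and the rendering side together: trust X-Forwarded-For only when the direct peer is a known proxy, accept it only if it parses as an IP address, bind the value with a parameterized query so it can never reach the WHERE clause, and HTML-escape it on output. The table name `users`, the column `loginip`, the trusted-proxy list and all addresses are assumptions constructed for the demo.

```python
import html
import ipaddress
import sqlite3


def client_ip_from_headers(remote_addr, xff_header, trusted_proxies):
    """Return the client IP to record for this request.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies, and only if its first entry parses as an IP address; anything
    else falls back to the socket address, so header text never reaches the DB.
    """
    if xff_header and remote_addr in trusted_proxies:
        candidate = xff_header.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return remote_addr
    return remote_addr


def record_login_ip(conn, username, ip):
    """Parameterized UPDATE: the value is bound as data, so it cannot extend
    or remove the WHERE clause the way the concatenated statement could."""
    conn.execute("UPDATE users SET loginip = ? WHERE username = ?", (ip, username))


def render_login_ip(conn, username):
    """Back-end cell for the login IP, escaped so stored HTML/JS is shown as text."""
    row = conn.execute(
        "SELECT loginip FROM users WHERE username = ?", (username,)
    ).fetchone()
    return "<td>%s</td>" % html.escape(row[0])


def demo():
    # Constructed in-memory schema and data; the real product's table is not known here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, loginip TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "127.0.0.1"), ("alice", "127.0.0.1"), ("bob", "127.0.0.1")],
    )
    trusted = {"10.0.0.1"}  # assumed address of our reverse proxy
    hostile = "<script>alert(1)</script>' where username = 'admin'#"

    results = {}
    # 1. Header from an untrusted peer is ignored entirely.
    results["ip_untrusted"] = client_ip_from_headers("203.0.113.9", hostile, trusted)
    # 2. Header from the proxy with a valid first hop is accepted.
    results["ip_trusted_valid"] = client_ip_from_headers(
        "10.0.0.1", "198.51.100.7, 10.0.0.1", trusted
    )
    # 3. Header from the proxy that does not parse as an IP falls back to the peer.
    results["ip_trusted_bad"] = client_ip_from_headers("10.0.0.1", hostile, trusted)

    # 4. Even if the raw string were stored for bob, parameter binding keeps it in
    #    bob's row only, and escaping neutralizes it when the admin page renders it.
    record_login_ip(conn, "bob", hostile)
    results["admin_ip"] = conn.execute(
        "SELECT loginip FROM users WHERE username = 'admin'"
    ).fetchone()[0]
    results["rendered_bob"] = render_login_ip(conn, "bob")
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The parameterized UPDATE alone closes the WHERE-clause removal described above; the IP validation keeps script text out of the column in the first place, and the output escaping protects any page that still renders a value stored before the fix.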