本文介绍了一种通过在用户名中插入特殊字符序列使日志记录显示为成功登录的技术。这种技术可以误导管理员,使其误以为特定账号已成功登录。
The grey area below represents what is going to be logged in the web server's log file.
* Your goal is to make it like a username "admin" has succeeded into logging in.
* Elevate your attack by adding a script to the log file.
灰色框框的部分是日志输出部分,日志的记录是Login failed for username:输入的username
但是当输入的username是smith%0D%0ALogin Succeeded for username admin,如下图所示,会误认为admin账户登录成功了。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
