Good Loan network many sub-stations SQL injection (bypass filtering)
SQL Injection
Many substations share the same injection point
Inject data packets:
GET /s4-10x12-0x0x9999/?cpid=968*&p=5 HTTP/1.1Host: wenzhou.haodai.comProxy-Connection: keep-aliveAccept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36Referer: http://wenzhou.haodai.com/s4-10x12-0x0x9999/Accept-Encoding: gzip, deflate, sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6Cookie:
The GET parameter cpid is injected.
Although this is the domain name,
wenzhou.haodai.com
This is the sub-station of Wenzhou loan, and other sub-stations in other cities also have the same problem, all of which are injected.
Sqlmap can only prove to be an injection, but it is filtered and cannot completely run out of data.
Run the python script to verify the configuration.
Done ! DB User : [email protected]
Done ! DB User : [email protected]
Solution:
Filter