如何验证 appscan扫描出的sql盲注?

2011-05-30  赵祥方 

appscan扫描结果:
SQL 盲注
严重性: 高
测试类型: 应用程序
有漏洞的URL: [url]http://www.xxxx.com.cn/bhbank/admin/main[/url] (参数 = submit1)
修复任务: 过滤掉用户输入中的危险字符
1 的变体 1 [ID=17667]
以下更改已应用到原始请求:
• 已将参数“submit1”的值设置为“%27+%2B+%27%27+%2B+%27%E6%8F%90%E4%BA%A4”
请求/响应:
POST /bhbank/admin/main?transName=saveReporterInfo HTTP/1.0
Cookie: JSESSIONID=0000xDwE_zAUiZNX_TWsogX6O9D:-1
Content-Length: 198
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: [url]www.xxxx.com.cn[/url]
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://www.xxxx.com.cn/bhbank/S101/iframeFile/meitizhongxin_1.htm[/url]
corporation=1234&name=&telephone=555-555-5555&mobile=1234&email=abc123%40acmehackme.
com&address=753+Main+Street&introduction=1234&submit1=%27+%2B+%27%27+%2B+%27%
E6%8F%90%E4%BA%A4&sex=%E7%94%841%A47
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0000QIHg2zYmEqAw_LYigEMF27z:-1; path=/
Content-Length: 653
Date: Sun, 28 Nov 2010 17:43:27 GMT
Server: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix)
Last-Modified: Thu, 16 Aug 2007 08:23:14 GMT
Keep-Alive: timeout=10, max=2000
Xonnection: Xeep-Alive
Content-Type: text/html
Content-Language: zh-CN
<html >
<script language="javascript" type="text/javascript"
src="/bhbank/bloveoct.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
// parent.tt();
var ifr=parent.document.getElementById("iframe1");
ifr.height=200;
//-->
</SCRIPT>
<head>
<title>xxxx-错误提示页面</title>
<style type="text/css">
<!--
body {
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
}
-->
</style>
<style type="text/css">
<!--
.STYLE1 {
color: #4EA0FC;
font-weight: bold;
}
-->
</style>
</head>
<body style="background:#F7F7F7;" >
<span class="STYLE1">您的信息已提交,感谢您对xxxx的关注与支持!

</body>
</html>
POST /bhbank/admin/main?transName=saveReporterInfo HTTP/1.0
Cookie: JSESSIONID=0000xDwE_zAUiZNX_TWsogX6O9D:-1
Content-Length: 195
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: [url]www.xxxx.com.cn[/url]
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://www.xxxx.com.cn/bhbank/S101/iframeFile/meitizhongxin_1.htm[/url]
corporation=1234&name=&telephone=555-555-5555&mobile=1234&email=abc123%40acmehackme.
com&address=753+Main+Street&introduction=1234&submit1=%27+%2B+%27+%2B+%27%E6%
8F%90%E4%BA%A4&sex=%E7%94%841%A47
HTTP/1.1 404 Not Found
<HTML><HEAD><title>JSP ????</title><style type="text/css">#mybox{padding:
0.5em;border: noborder; border-width: thin; width: 100%;}</style><style
type="text/css">h2 { text-align: justify;color:#5555FF;font-size:15pt;font-family:
Verdana, Helvitica, sans-serif;font-weight:bold}</style></HEAD><BODY><h2>JSP ????
</h2><TABLE BORDER=2 BGCOLOR="#DDDDFF"><TR VALIGN="BOTTOM"><TD BGCOLOR="#C2B0D6"
><B><FONT FACE="Verdana, Helvitica, sans-serif" COLOR="black" SIZE="4PT">HTTP ?????
&nbsp;&nbsp;&nbsp;404</B><BR><BR></TD></TR><TR><TD><B>?????</B><div
id="mybox"><PRE>JSPG0036E: ?????? /admin/error.jsp<BR></PRE>
</TD></TR><TR><TD>
<B>?????</B><div id="mybox"><PRE>java.io.FileNotFoundException:
JSPG0036E: ?????? /admin/error.jsp<BR> at
com.ibm.ws.jsp.webcontainerext.JSPExtensionProcessor.findWrapper
(JSPExtensionProcessor.java(Compiled Code))<BR> at
com.ibm.ws.jsp.webcontainerext.JSPExtensionProcessor.handleRequest
(JSPExtensionProcessor.java(Compiled Code))<BR> at
com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward
(WebAppRequestDispatcher.java(Compiled Code))<BR> at
com.csii.ebank.core.MainServlet.doPost(MainServlet.java(Compiled Code))<BR> at
javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))<BR> at
javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))<BR> at
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java(Compiled
Code))<BR> at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest
(ServletWrapper.java(Compiled Code))<BR> at
com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest
(CacheServletWrapper.java(Compiled Code))<BR> at
com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java(Compiled Code))
<BR> at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java
(Compiled Code))<BR> at
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination
(HttpInboundLink.java(Compiled Code))<BR> at
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation
(HttpInboundLink.java(Compiled Code))<BR> at
com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete
(HttpICLReadCallback.java(Compiled Code))<BR> at
com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java
(Compiled Code))<BR> at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO
(WorkQueueManager.java(Compiled Code))<BR> at
com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java
(Compiled Code))<BR> at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run
(WorkQueueManager.java(Compiled Code))<BR> at com.ibm.ws.util.Th...
不适用
推理:
此测试会将条件选项附加到参数值后面,以验证其是否嵌入到后端的SQL 查询中。已发
送三(或四)个测试请求:最后一个在逻辑上等同于原始请求,并且倒数第二个请求是不
同的(其他请求用于控制用途)。最后两个测试响应与原始测试响应的比较可确认附加的
值确实已添加到了SQL 查询中。

怎样验证 这个sql盲注?
875°/8746 人阅读/1 条评论 发表评论

赵祥方  2011-05-31

求助...


登录 后发表评论
赵祥方
访客 20164